Amazon Linux 2 FAQs

Q. What is Amazon Linux 2?

Amazon Linux 2 is an Amazon Linux operating system that provides modern application environment with the latest enhancements from the Linux community and offers long-term support. In addition to Amazon Machine Images (AMI) and container image formats, Amazon Linux 2 is available as a virtual machine image for on-premises development and testing, enabling you to easily develop, test, and certify your applications right from your local development environment.

Q. When will support for Amazon Linux 2 end?

Amazon Linux 2 end of support date (End of Life, or EOL) has been extended by two years from 2023-06-30 to 2025-06-30 to provide customers with ample time to migrate to the next version.

Q. What are the differences between Amazon Linux 2 and Amazon Linux 2023?

Please refer to the documentation to learn more about the major differences between these distributions.

Q. What are the benefits of using Amazon Linux 2?

Similar to Amazon Linux AMI, Amazon Linux 2 supports the latest Amazon Elastic Compute Cloud (Amazon EC2) instance features and includes packages that enable easy integration with AWS. It is optimized for use in Amazon EC2 with a latest and tuned Linux kernel version. As a result, many customer workloads perform better on Amazon Linux 2. Amazon Linux 2 offers will be supported until June 30, 2025 with security and maintenance updates. Amazon Linux 2 is available as on-prem virtual machine images allowing local development and test.

Q. Which workloads or use cases are supported with Amazon Linux 2?

Amazon Linux 2 is suited for a wide variety of virtualized and containerized workloads such as databases, data analytics, line-of-business applications, web and desktop applications, and more in production contexts. It is also available for use on EC2 Bare Metal Instances as both a bare metal OS and a virtualization host.

Q. What are the core components of Amazon Linux 2?

The core components of Amazon Linux 2 are:

1. A Linux kernel tuned for performance on Amazon EC2.
2. A set of core packages including systemd, GCC 7.3, Glibc 2.26, Binutils 2.29.1 that receive Long Term Support (LTS) from AWS.
3. An extras channel for rapidly evolving technologies that are likely to be updated frequently and outside the Long Term Support (LTS) model.

Q. How is Amazon Linux 2 different from Amazon Linux AMI?
The primary differences between Amazon Linux 2 and Amazon Linux AMI are:

1. Amazon Linux 2 offers long-term support until June 30, 2025.
2. Amazon Linux 2 is available as virtual machine images for on-premises development and testing.
3. Amazon Linux 2 provides the systemd service and systems manager as opposed to System V init system in Amazon Linux AMI.
4. Amazon Linux 2 comes with an updated Linux kernel, C library, compiler, and tools.
5. Amazon Linux 2 provides the ability to install additional software packages through the extras mechanism.

Q. How can I get started with using Amazon Linux 2 on AWS?

AWS provides an Amazon Machine Image (AMI) for Amazon Linux 2 that you can use to launch an instance from the Amazon EC2 console, AWS SDK, and CLI. Refer to Amazon Linux documentation for more details.

Q. Are there any costs associated with running Amazon Linux 2 in Amazon EC2?

No, there is no additional charge for running Amazon Linux 2. Standard Amazon EC2 and AWS charges apply for running Amazon EC2 instances and other services.

Q. Which Amazon EC2 instance types does Amazon Linux 2 support?

Amazon Linux 2 supports all Amazon EC2 instance types that support HVM AMIs. Amazon Linux 2 does not support older instances that require paravirtualization (PV) functionality.

Q. Does Amazon Linux 2 support 32-bit applications and libraries?

Yes, Amazon Linux 2 supports 32-bit applications and libraries. If you are running on a version of Amazon Linux 2 that was launched before 10/04/2018, you can run “yum upgrade” to get the full 32-bit support.  

Q. Does Amazon Linux 2 come with a Graphical User Interface (GUI) desktop?
Yes, the MATE desktop environment is provided as an extra in Amazon Linux 2. Amazon Workspaces provides cloud Amazon Linux 2 based cloud desktops with a GUI. You can learn more here .

Q. Can I view the source code for Amazon Linux 2 components?

Yes. The yumdownloader --source tool in Amazon Linux 2 provides source code access for many components.

Q. Why is Python 2.7 still part of Amazon Linux 2?

We will continue to provide critical security patches for Python 2 as per our LTS commitment for Amazon Linux 2 core packages (until June, 2025) even though the upstream Python community declared Python 2.7 End Of Life in January 2020.

Q. Should I migrate my code to Python 3 and away from Python 2.7?

We strongly recommend our customers install Python 3 on their Amazon Linux 2 systems and migrate their code and applications to Python 3.

Q. Is Amazon Linux 2 moving away from Python 2.7?

There are no plans to change the default Python interpreter. It is our intention to retain Python 2.7 as the default for the lifetime of Amazon Linux 2. We will backport security fixes to our Python 2.7 packages as needed.

Q. Why does Amazon Linux 2 not switch away from Python 2.7 for the 'yum' package manager, or move to DNF, which is Python 3 based?

During a LTS release of the Operating System, the risk of making fundamental changes to, replacing, or adding another package manager is extremely high. Thus, in planning our Python 3 migration for Amazon Linux, we made the decision to do this across a major release boundary rather than within Amazon Linux 2. This is an approach shared by other RPM based Linux distributions, even ones without LTS commitments.

Q. How is kernel 5.10 different from kernel 4.14?

Kernel 5.10 brings a number of features and performance improvements - including optimizations for Intel Ice Lake processors and Graviton 2 powering the latest generation EC2 instances. 

From a security standpoint, customers benefit from WireGuard VPN that helps setup an effective virtual private network with low attack surface and allows encryption with less overhead. Kernel 5.10 also brings a kernel lockdown feature to prevent unauthorized modification of the kernel image and a number of BPF improvements, including the CO-RE (Compile Once - Run Everywhere).

Customers with intensive input-output operations will benefit from better write performance, safer sharing of io_uring rings between processes for faster input-output operations, and support of the new exFAT system for better compatibility with storage devices. With the addition of MultiPath TCP (MPTCP), customers with several network interfaces can combine all available network paths to increase throughput and reduce network failures.

Q. What is included in the Long Term Support for Amazon Linux 2?

Long-term support for Amazon Linux 2 only applies to core packages and includes:
1) AWS will provide security updates and bug fixes for all packages in core until June 30, 2025.
2) AWS will maintain user-space Application Binary Interface (ABI) compatibility for the following packages in core:

elfutils-libelf, glibc, glibc-utils, hesiod, krb5-libs, libgcc, libgomp, libstdc++, libtbb.so, libtbbmalloc.so, libtbbmalloc_proxy.so, libusb, libxml2, libxslt, pam, audit-libs, audit-libs-python, bzip2-libs, c-ares, clutter, cups-libs, cyrus-sasl-gssapi, cyrus-sasl-lib, cyrus-sasl-md5, dbus-glib, dbus-libs, elfutils-libs, expat, fuse-libs, glib2, gmp, gnutls, httpd, libICE, libSM, libX11, libXau, libXaw, libXext, libXft, libXi, libXinerama, libXpm, libXrandr, libXrender, libXt, libXtst, libacl, libaio, libatomic, libattr, libblkid, libcap-ng, libdb, libdb-cxx, libgudev1, libhugetlbfs, libnotify, libpfm, libsmbclient, libtalloc, libtdb, libtevent, libusb, libuuid, ncurses-libs, nss, nss-sysinit, numactl, openssl, p11-kit, papi, pcre, perl, perl-Digest-SHA, perl-Time-Piece, perl-libs, popt, python, python-libs, readline, realmd, ruby, scl-utils, sqlite, systemd-libs, systemtap, tcl, tcp_wrappers-libs, xz-libs, and zlib

3) AWS will provide Application Binary Interface (ABI) compatibility for all other packages in core unless providing such compatibility is not possible for reasons beyond AWS’s control.

Q. Does Amazon Linux 2 maintain kernel-space ABI compatibility?
No, Amazon Linux 2 does not maintain kernel-space ABI compatibility. If there is a change in the upstream Linux kernel that breaks ABI stability, then your applications that rely on third-party kernel drivers may require additional modifications.

Q. Does AWS backport security fixes for Amazon Linux 2?
Yes. Amazon routinely takes fixes out of the most recent version of upstream software packages and applies it to the version of the package in Amazon Linux 2. During this process, Amazon isolates the fix from any other changes, ensures that the fixes do not introduce unwanted side effects, and then applies the fixes.

Q. Do the long-term support policies apply to extras topics?
The contents of extras topics are exempt from the Amazon Linux policy on long-term support and binary compatibility. Extras topics provide access to a curated list of rapidly evolving technologies and are likely to be updated frequently. When new versions of packages in extras topics are released, support will be provided only for the most current packages. Over time, these technologies will continue to mature and stabilize and may eventually be added to the Amazon Linux 2 "core" repositories to which the Amazon Linux 2 Long Term Support policies apply.

Q. Will additional Amazon Linux 2 builds be provided after the LTS builds are released?
Yes. New builds will point to the same repositories and include the cumulative set of security and feature updates to prevent the need to apply outstanding updates.

Q. Where can I get updates for Amazon Linux 2?
Updates for Amazon Linux 2 are provided with a pre-configured repository hosted in each AWS region. On the initial launch of a new instance, Amazon Linux attempts to install any user space security updates that are rated critical or important. You can also enable or disable automatic installation of critical and important security patches at the time of instance launch.

Q. How can I automate security patching on Amazon Linux 2 at scale?

AWS Systems Manager Patch Manager works with Amazon Linux 2 to automate the process of patching Amazon Linux 2 instances at scale. Patch Manager can scan for missing patches, or scan and install missing patches to large groups of instances. Systems Manager Patch Manager can also be used to install patches for non-security updates.

Q. What premium support options are available for Amazon Linux 2?
Support for Amazon Linux 2 use on Amazon Web Services (AWS) is included through subscriptions to AWS Support.

AWS Support does not currently cover the on-premises use of Amazon Linux 2. The Amazon Linux 2 forum and Amazon Linux 2 documentation are the primary sources of support for the on-premises use of Amazon Linux 2. You can post questions, report bugs, and feature requests on the Amazon Linux 2 forums.

Q. Can I perform a rolling upgrade from Amazon Linux 2 LTS Candidate 2 to the LTS version of Amazon Linux 2?
Yes, a rolling upgrade from Amazon Linux 2 LTS Candidate 2 to Amazon Linux 2 is possible. However, changes in the final LTS build that may cause breakage of your application. We recommend that you test your application on a fresh installation of Amazon Linux 2 first before migrating.

Q. Will AWS support Amazon Linux AMI going forward?

Yes. To facilitate migration to Amazon Linux 2, AWS will provide security updates for the last version of Amazon Linux and container image until December 31, 2020. You can also use all your existing support channels such as AWS Premium Support and Amazon Linux Discussion Forum to continue to submit support requests.

Q. Is Amazon Linux 2 backward compatible with the existing version of Amazon Linux AMI?
Due to the inclusion of components such as systemd in Amazon Linux 2, your applications running on the current version of Amazon Linux may require additional changes to run on Amazon Linux 2.

Q. Can I perform an in-place upgrade from an existing version of Amazon Linux AMI to Amazon Linux 2?
No, an in-place upgrade from the existing Amazon Linux image to Amazon Linux 2 is not supported. We recommend that you test your application on a fresh installation of Amazon Linux 2 first before migrating.

Q. Can I perform a rolling upgrade on instances running Amazon Linux AMI to Amazon Linux 2?
No, your instances running Amazon Linux will not be upgraded to Amazon Linux 2 with rolling upgrade mechanisms. Therefore, there is no disruption to your existing applications. Refer to Amazon Linux documentation and migration tooling for more details.

Q. Which on-premises virtualization platforms does Amazon Linux 2 run on?
Amazon Linux 2 virtual machine images are currently available for KVM, Microsoft Hyper-V, Oracle VM VirtualBox, and VMware ESXi virtualization platforms for development and testing use. We are pursuing certification for these virtualization platforms.

Q. How can I get started with using Amazon Linux 2 virtual machine image in my local dev environment?
A virtual machine image for each supported hypervisor is available for download. After downloading the image, follow the Amazon Linux documentation to get started.

Q. Are there any costs associated with running Amazon Linux 2 on-premises?
No, there is no additional charge for running Amazon Linux 2 on-premises.

Q. Is an AWS account required for running Amazon Linux 2 on-premises?
No, there is no need for an AWS account to run Amazon Linux 2 on-premises.

Q. What are the minimum systems requirement for running Amazon Linux 2?
At a minimum, Amazon Linux 2 needs a 64-bit virtual machine with 512 MB of memory, 1 virtual CPU, and an emulated BIOS.

Q. Will on-prem VM images of Amazon Linux 2 get security updates from AWS?
Yes, AWS will provide security updates and bug fixes for all packages in core until June 30, 2025. Additionally, AWS will maintain user-space Application Binary Interface (ABI) compatibility for the following packages in core .

Q. Can I get paid support for on-premises VM images of Amazon Linux 2 from AWS Support?
No, at this time AWS Support does not offer paid support for Amazon Linux 2 VMs running on-premises. Community support through the Amazon Linux 2 forums is the primary source of support for answering questions and resolving issues originating from on-premises use. Amazon Linux 2 documentation provides guidance to get your Amazon Linux 2 virtual machines and containers operational, configuring the OS, and installing applications.

Q. How does Amazon Linux assess CVEs?

Amazon Linux assesses Common Vulnerabilities and Exposures (CVEs) discovered through their internal process, evaluates the potential risk to their products, and take actions such as issuing a security update or advisory. CVEs are given a Common Vulnerability Scoring System (CVSS) score, which is a standard method for scoring and ranking the severity of vulnerabilities. The primary source for CVE data is the National Vulnerability Database (NVD). Amazon Linux also gathers security intelligence from other sources, such as vendor advisories, and reports from customers and researchers.

Learn more >>

Q: Why does a security scanner report an unfixed CVE in an Amazon Linux package when an Amazon Linux Security Advisory claims the CVE to be fixed in that version?

Amazon Linux, like most Linux distributions, routinely backports security fixes to stable package versions vended in its repositories. When these packages are updated with a backport, the Amazon Linux security bulletin for the particular issue will list the specific package version(s) in which the issue is fixed for Amazon Linux. Security scanners that rely on versioning from a project’s authors sometimes won’t pick up that a given CVE fix has been applied in an older version. Customers can refer to Amazon Linux Security Center (ALAS) for updates regarding security issues and fixes.

Q. How does Amazon Linux communicate the severity of a security issue?

Amazon Linux Security communicates security advisories that affect Amazon Linux products on Amazon Linux Security Center (ALAS). Security advisories typically include Advisory ID, severity of the issue, CVE ID, advisory overview, affected packages, and issue correction. CVEs referenced in the advisory will have a CVSS score (we use CVSSv3 scores but CVEs older than 2018 may have a CVSSv2 score) and vector for the affected packages. The score is a decimal value between 0-10, with the higher scores indicating a more severe vulnerability. Amazon Linux aligns with the open framework CVSSv3 calculator score to determine the base metric. The rating is how we communicate the severity of security issues to our customers. Customers can combine these ratings with the key characteristics of their environment for a more appropriate risk assessment.

Q. How can customers stay up-to-date on security advisories from Amazon Linux?

Amazon Linux offers human and machine consumable security advisories, in which customer can subscribe to our RSS feeds or configure scanning tools to parse HTML. Feeds for our products can be found here:

Amazon Linux 1 / Amazon Linux 1 RSS
Amazon Linux 2 / Amazon Linux 2 RSS
Amazon Linux 2023 / Amazon Linux 2023 RSS
 

Q. What is Amazon Linux extras?

Extras is a mechanism in Amazon Linux 2 to enable the consumption of new versions of application software on a stable operating system that is supported until June 30, 2025. Extras help alleviate the compromise between the stability of the OS and freshness of available software. For example, now you can install newer versions of MariaDB on a stable operating system supported for five years. Examples of extras include Ansible 2.4.2, memcached 1.5, nginx 1.12, Postgresql 9.6, MariaDB 10.2, Go 1.9, Redis 4.0, R 3.4, Rust 1.22.1.

Q. How does Amazon Linux extras work?
Extras provide topics to select software bundles. Each topic contains all the dependencies required for the software to install and function on Amazon Linux 2. For example, Rust is an extras topic in the curated list provided by Amazon. It provides the toolchain and runtimes for Rust, the systems programming language. This topic includes the cmake build system for Rust, cargo - the rust package manager, and the LLVM based compiler toolchain for Rust. The packages associated with each topic are consumed with the well-known yum installation process.

Q. How do I install a software package from Amazon Linux extras repository?
Available packages can be listed with the amazon-linux-extras command in the Amazon Linux 2 shell. Packages from extras can be installed with the “sudo amazon-linux-extras install ” command.

Example: $ sudo amazon-linux-extras install rust1

See Amazon Linux documentation for more details on getting started with Amazon Linux Extras.

Q. Will packages in extras be moved to “core” with Long Term Support?
Over time, rapidly evolving technologies in extras will continue to mature and stabilize and may be added to the Amazon Linux 2 "core" to which the Long Term Support policies apply.

Q. Which third-party applications are supported to run on Amazon Linux 2?

Amazon Linux 2 has a rapidly growing community of Independent Software Vendors (ISVs) including Chef, Puppet, Vertica, Trend Micro, Hashicorp, Datadog, Weaveworks, Aqua Security, Tigera, SignalFX, and more.

A complete list of supported ISV applications is available on the Amazon Linux 2 page

To get your application certified with Amazon Linux 2, contact us.

Q. What is Kernel Live Patching in Amazon Linux 2?

Kernel Live Patching in Amazon Linux 2 is a feature that enables applying security and bug fixes to a running Linux Kernel without the need to reboot. Live patches for the Amazon Linux Kernel are delivered to the existing package repositories for Amazon Linux 2, and can be applied using regular yum commands such as ‘yum update —security’ when the feature has been activated.

Q. What are the use cases for Kernel Live Patching in Amazon Linux 2?

The use cases targeted by Kernel Live Patching in Amazon Linux 2 include:

• Emergency patching to address high-severity security vulnerabilities and data corruption bugs without service downtime.
• Applying OS updates without waiting for long-running tasks to complete, users to log-out, or for scheduled reboot time-slots to apply security updates.
• Expediting roll out of security patches by eliminating rolling reboots required in highly available systems

Q. When does AWS provide kernel live patches?

AWS typically will provide kernel live patches to fix CVEs, which are rated as critical and important by AWS, for the default Amazon Linux 2 Kernel. The Amazon Linux Security Advisory ratings of critical and important generally map to the Common Vulnerability Scoring System (CVSS) score of 7 and higher. Additionally, AWS will also provide kernel live patches for select bug fixes to address system stability issues, and potential data corruption issues. There may be a small number of issues that do not receive kernel live patches despite their severity because of technical limitations. For example, fixes that change assembly code or modify function signatures may not receive kernel live patches. Kernels in Amazon Linux 2 Extras and any third-party software that are not built and served by AWS will not receive kernel live patches.

Q. Are there any charges attached with using Kernel Live Patching in Amazon Linux 2?

We provide kernel live patches for Amazon Linux 2 at no cost.

Q. How do I use Kernel Live Patching in Amazon Linux 2?

Kernel live patches are provided by Amazon and can be consumed with the yum package manager and utilities in Amazon Linux 2 and AWS Systems Manager Patch Manager. Each kernel live patch is provided as an RPM package. Kernel Live Patching is currently disabled by default in Amazon Linux 2. You can use the available yum plugin to enable and disable Kernel Live Patching. You can then use the existing workflows in the yum utility to apply security patches including kernel live patches. In addition, the kpatch command line utility can be used to enumerate, apply and enable/disable kernel live patches.

• ‘sudo yum install -y yum-plugin-kernel-livepatch’ installs the yum plugin for the kernel live patching capability on Amazon Linux.
• ‘sudo yum kernel-livepatch enable -y’ enables the plugin.
• ‘sudo systemctl enable kpatch.service’ enables kpatch service, the kernel live patching infrastructure used in Amazon Linux.
• ‘sudo amazon-linux-extras enable livepatch’ adds the kernel live patch repository endpoints.
• ‘yum check-update kernel’ displays the list of available kernels to update.
• ‘yum updateinfo list’ lists available security updates.
• ‘sudo yum update --security’ installs available patches which includes kernel live patches available as security fixes.
• ‘kpatch list’ to list all loaded kernel live patches.

Q. Does AWS Systems Manager Patch Manager support live patching?

Yes. You can use AWS SSM Patch Manager to automate applying kernel live patches without the need of an immediate reboot when the patch is available as a live patch. Visit the SSM Patch Manager documentation to get started.

Q. Where can I get details on security patches provided via Kernel Live Patching?

AWS publishes details on kernel live patches to fix security vulnerabilities on the Amazon Linux Security Center.

Q. Are there any restrictions to using Kernel Live Patching?

While applying a kernel live patch in Amazon Linux 2, you cannot simultaneously perform hibernation, or use advanced debugging tools such as SystemTap, kprobes, eBPF based tools and access ftrace output files used by the kernel live patching infrastructure.

Q. How do I remediate issues that may occur while applying kernel live patches to Amazon Linux 2?

If you encounter issues with a kernel live patch, disable the patch and inform AWS Support, or Amazon Linux Engineering through an AWS Forums post.

Q. Does Kernel Live Patching in Amazon Linux 2 remove the need for reboots for applying security patches entirely?

Kernel Live Patching in Amazon Linux 2 does not remove the need for OS reboots entirely but provides significant relief from reboots to fix important and critical security issues outside planned maintenance windows. Each Linux Kernel in Amazon Linux 2 will receive live patches roughly for up to 3 months after the release of an Amazon Linux Kernel. After each 3-month duration, the OS needs to be rebooted into the latest Amazon Linux Kernel to continue to receive kernel live patches.

Q. What EC2 instances and on-premises environments is Kernel Live Patching with Amazon Linux 2 supported on?

Kernel Live Patching in Amazon Linux 2 is supported on all x86_64 (AMD/Intel 64 bit) platforms that Amazon Linux 2 is supported on. This includes all HVM EC2 instances, VMware Cloud on AWS, VMware ESXi, VirtualBox, KVM, Hyper-V, and KVM. ARM-based platforms are currently unsupported.

Q. Will AWS continue to provide regular (“non-live”) patches for OS updates that come with kernel live patches?

Yes, AWS will continue to provide regular patches for all OS updates. As a general rule, both regular and kernel live patches will be provided at the same time.

Q. What happens if a reboot is performed on Amazon Linux 2 systems that have been kernel live patched?

By default, when a reboot is performed, kernel live patches are replaced with regular “non-live” patch equivalents. You can also perform reboots without replacing kernel live patches with regular patches. See Amazon Linux 2 Kernel Live Patching documentation for details.

Q. Does Kernel Live Patching affect the ABI compatibility of Amazon Linux 2?

Kernel Live Patching in Amazon Linux 2 does not change the kernel ABI compatibility of Amazon Linux 2.

Q. How can I get premium support for issues that may be encountered while applying kernel live patches?

Business and Enterprise plans for AWS Support includes premium support for all capabilities of Amazon Linux including Kernel Live Patching. AWS only supports kernel live patches provided by AWS and recommends contacting your vendor for issues with third-party kernel live patching solutions. AWS also recommends that you use only one kernel live patching solution on Amazon Linux 2.

Q. How will kernel live patches be indicated in the Amazon Linux Security Center?

A dedicated row in Amazon Linux Security Center listings will appear for each kernel live patch. The entry will have an identification such as “ALASLIVEPATCH-<datestamp>", and the package name will appear as "kernel-livepatch-<kernel-version>".

Q. How long does an Amazon Linux Kernel receive live patches for?

A kernel version will get live patches for roughly 3 months. Amazon Linux will provide kernel live patches for the last 6 kernels released. Please note that Kernel Live Patching will be supported only on the default kernel released in Amazon Linux 2. The next generation Kernel in the Extras will not receive kernel live patches.

To find out whether the current Linux Kernel continue to receive live patches or not, and when that support window ends, use the following yum command:

‘yum kernel-livepatch supported’

Q. What are the supported yum workflows for Kernel Live Patching?

The kernel live patching yum plugin supports all workflows that are normally supported in the yum package management utility. E.g. ‘yum update’, ‘yum update kernel’, ‘yum update —security’, ‘yum update all’.

Q. Are kernel live patches signed?

The kernel live patch RPMs are signed via GPG keys. However, the kernel modules are currently not signed.