Exploring Amazon Linux 2023 as a Replacement for CentOS 7
Table of Contents
- Introduction
- Release Cadence & Support
- Amazon Linux AMIs & Container Images
- Amazon Linux, Fedora & CentOS
- Versioned Package Repos, Locked Repo Versions & Deterministic Upgrades
- Patching & Updating AL2023
- Common Packages & Software
- DNF, not YUM
- SELinux in AL2023
- AL2023 vs AL2 (or CentOS 7)
- On-Prem & Cross-Cloud Support
- Miscellaneous Tools & Agents
- Conclusion
- About the Author ✍🏻
Introduction
With CentOS 7 going out of support in June 2024, many of us are looking for viable alternatives. The stakes are even higher if you’re using CentOS at an enterprise scale, as a base operating system for hundreds or even thousands of virtual machines hosting business-critical applications across your organization.
If you’re an AWS shop like us, Amazon Linux 2023 (AL2023) looks like a promising alternative to CentOS. AL2023 is the successor to Amazon Linux 2. This article explores Amazon Linux 2023 from the perspective of standardizing & operationalizing it at an enterprise scale.
Release Cadence & Support
Starting with AL2023, a new major version of Amazon Linux will be released every 2 years: AL2023, AL2025, AL2027 & so on. Each release gets 2 years of standard support with quarterly minor version updates & 3 years of maintenance support with security updates & critical bug fixes.
Amazon Linux AMIs & Container Images
A new AMI is published for every major/minor/security release of Amazon Linux. In addition to this standard AMI, a minimal AMI & a container image are also published.
Subscribe to the official SNS topic to receive notifications when new AMIs are released:
arn:aws:sns:us-east-1:137112412989:amazon-linux-2023-ami-updates
Amazon Linux, Fedora & CentOS
Amazon Linux is partly based on the upstream Fedora Linux distribution, so if you’re familiar with other RPM-based operating systems, onboarding AL2023 should be relatively easy. However, note that Amazon will add/replace some packages from other non-Fedora upstreams, with some components even resembling CentOS Stream 9.
Versioned Package Repos, Locked Repo Versions & Deterministic Upgrades
Every new Amazon Linux AMI is released with its own corresponding package repositories. An AMI & its repo are tightly coupled. You can, however, decouple them if needed.
By default, AL2023 AMIs & container images are locked to a specific version of the package repositories & they don’t auto-update on launch, giving you full control over package updates.
To fetch package updates from a repo version newer than the one your instance is currently using, run:
dnf --releasever=version update
After this, the new release version becomes the default release version that DNF uses for all future activities.
Patching & Updating AL2023
Since each AMI is coupled to its package repo, it will eventually stop getting updates. You can, however, point an existing AL2023 EC2 instance at newer AL2023 repos to get updates.
If possible, it’s better to launch new instances with latest AMIs & move your application to it, which is much easier to automate if you manage your infrastructure with something like Terraform or CloudFormation.
Kernel live patching is supported for up to 3 months after an AMI release; after that, you must update to a newer kernel.
Here are some common DNF commands:
- Install a package with
dnf install package
- Check for package updates with
dnf check-update
- Check for security updates with
dnf check-update --security
- Update all packages with
dnf update
- Check for new repo versions with
dnf check-release-update
- Check for & add new repos with:
dnf repolist all
dnf config-manager --add-repo URL
dnf config-manager --enable repo
Common Packages & Software
AL2023 includes AWS CLI, SSM & Kinesis agents & CloudFormation utils & uses Corretto as its default JDK. Several popular database engines & programming language runtimes are included as well.
The OpenSSH version is 8.7, which disables the ssh-rsa key exchange algorithm, & the OpenSSL version is 3. Depending on your application’s use of SSL, you might need to peruse & act upon certain items in the OpenSSL 1.1.1 migration guide.
DNF, not YUM
DNF, the successor to YUM, is the default package manager. YUM is still available but only as a symlink to DNF. If you have legacy scripts, they should mostly work since DNF is very similar to YUM in its usage. Many DNF commands are the same & with the same options as YUM commands. If you’re new to DNF, see Changes in DNF CLI compared to YUM.
SELinux in AL2023
In AL2023, SELinux is enabled & permissive by default, so permission denials are logged but not enforced, unless you switch to enforcing mode from permissive mode.
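Because denials are only logged in permissive mode, the useful thing to do before flipping a host to enforcing is to read those logs & see what would break. The script below is an added example written for this article, not an Amazon Linux tool: it summarizes SELinux AVC records by process, source type, target type, object class & permission, so each distinct denial shows up once with a count. It assumes auditd is writing /var/log/audit/audit.log; the audit lines embedded in it are constructed samples in the real record format.

```shell
#!/usr/bin/env bash
# avc-summary.sh: summarize SELinux denials recorded while a host runs permissive.
# Example added for this article, not an Amazon Linux tool. The audit records below
# are constructed samples; the field layout matches /var/log/audit/audit.log.
set -eu

SAMPLE_AVC='type=AVC msg=audit(1712345678.123:501): avc:  denied  { read } for  pid=1201 comm="httpd" name="app.conf" dev="nvme0n1p1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1712345678.456:502): avc:  denied  { read } for  pid=1201 comm="httpd" name="app.yaml" dev="nvme0n1p1" ino=4244 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1712345679.456:503): avc:  denied  { write } for  pid=1201 comm="httpd" name="app.log" dev="nvme0n1p1" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1712345680.789:504): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1712345680.789:504): arch=c000003e syscall=42 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd"'

# summarize_avc: read audit records on stdin and print one tab-separated line per
# distinct denial: count, comm, source type, target type, tclass, permission, permissive.
# permissive=1 marks denials that were allowed only because the host is permissive;
# each of these becomes a real failure once you switch to enforcing.
summarize_avc() {
  awk '
    $1 == "type=AVC" && /avc: +denied/ {
      perm = ""; comm = ""; sctx = ""; tctx = ""; tclass = ""; permissive = "?"
      # the permission set sits between braces: { read } or { read write }
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm") comm = kv[2]
        else if (kv[1] == "scontext") sctx = kv[2]
        else if (kv[1] == "tcontext") tctx = kv[2]
        else if (kv[1] == "tclass") tclass = kv[2]
        else if (kv[1] == "permissive") permissive = kv[2]
      }
      gsub(/"/, "", comm)
      # keep only the type field (third colon-separated part) of each context
      split(sctx, s, ":"); split(tctx, t, ":")
      key = comm "\t" s[3] "\t" t[3] "\t" tclass "\t" perm "\t" permissive
      count[key]++
    }
    END { for (k in count) print count[k] "\t" k }
  ' | LC_ALL=C sort -k2
}

# Usage on an AL2023 host (audit.log is root-only): sudo ./avc-summary.sh
case "${0##*/}" in
  avc-summary.sh) summarize_avc < "${1:-/var/log/audit/audit.log}" ;;
esac
```

On the constructed sample this yields three lines: two httpd reads of user_home_t files collapsed into one entry with a count of 2, one write, & one name_connect to postgresql_port_t. Each line is a decision to make before enforcing: relabel the files, move them out of the home directory, or toggle the relevant boolean, rather than discovering the breakage in production.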
AL2023 vs AL2 (or CentOS 7)
If you’re coming from AL2, you should know that:
- SELinux was disabled in AL2 but is enabled in AL2023
- OpenSSL was v1.1.1 in AL2 but is v3 in AL2023
- EC2 instance metadata service (IMDS) v2 is required by AL2023
- The IMDS API IP doesn’t change: 169.254.169.254
- AL2 used GP2 EBS volumes by default & AL2023 uses GP3 EBS volume by default
- The default package manager was YUM in AL2 but is DNF in AL2023
- The default JDK was OpenJDK in AL2 but is Corretto in AL2023
- AWS CLI was v1 in AL2 but is v2 in AL2023
- AL2 was highly compatible with CentOS 7, so many EPEL7 packages worked on AL2
- AL2023 doesn’t support EPEL or EPEL-like repositories!
- If you’re unfamiliar with EPEL, see Extra Packages for Enterprise Linux
- cloud-init installed security updates in AL2, but not in AL2023
- AL2 had the lsb_release command; AL2023 doesn’t
- If your app calls lsb_release to determine OS info, start using /etc/os-release instead
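Two of the differences above change what application scripts must do on the host itself: OS detection has to move from lsb_release to /etc/os-release, & any script that reads instance metadata has to use IMDSv2 (a token obtained with a PUT, then sent on each GET) because AL2023 requires it. The script below is an added example written for this article, not AWS code, showing both. The 169.254.169.254 endpoint & the X-aws-ec2-metadata-token headers are the real IMDS API; the os-release samples embedded here are constructed from the fields those distributions ship, & the file-path argument exists only so the classification can be exercised off an instance.

```shell
#!/usr/bin/env bash
# al2023-preflight.sh: host-side checks an app needs after moving from AL2 or CentOS 7.
# Example added for this article, not AWS code. The os-release samples are constructed;
# the IMDS endpoint and header names are the real IMDSv2 API.
set -eu

# Constructed /etc/os-release contents for an AL2023 host and a CentOS 7 host.
SAMPLE_AL2023='NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023"'

SAMPLE_CENTOS7='NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"'

# os_release_field <KEY> [file]: print one KEY from an os-release file with quotes
# stripped. This replaces lsb_release -i / -r, which AL2023 no longer ships.
os_release_field() {
  key=$1
  file=${2:-/etc/os-release}
  # lines are KEY=value or KEY="value"; the last match wins if a key repeats
  sed -n "s/^${key}=//p" "$file" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# os_family [file]: classify the host as al2023, al2, centos7 or other from ID + VERSION_ID.
os_family() {
  file=${1:-/etc/os-release}
  id=$(os_release_field ID "$file")
  ver=$(os_release_field VERSION_ID "$file")
  case "$id:$ver" in
    amzn:2023*) echo al2023 ;;
    amzn:2)     echo al2 ;;
    centos:7*)  echo centos7 ;;
    *)          echo other ;;
  esac
}

# imds_get <path>: fetch a meta-data path using IMDSv2 only. A plain GET without a
# token (IMDSv1) is refused when the instance requires IMDSv2, so legacy scripts that
# still do that fail on AL2023 hosts. The token is short-lived (60 s here).
IMDS=${IMDS:-http://169.254.169.254}
imds_get() {
  path=$1
  token=$(curl -sS -f -X PUT "$IMDS/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -f "$IMDS/latest/meta-data/$path" -H "X-aws-ec2-metadata-token: $token"
}

# preflight: what an app's start-up script would run on a real host.
preflight() {
  fam=$(os_family)
  echo "os family: $fam"
  if [ "$fam" = al2023 ]; then
    echo "instance id: $(imds_get instance-id)"
  fi
}

# Run as a script on an EC2 host: ./al2023-preflight.sh
case "${0##*/}" in
  al2023-preflight.sh) preflight ;;
esac
```

The classification is deliberately keyed on ID plus VERSION_ID rather than PRETTY_NAME, since the latter is free text & changes between minor releases; the same two fields distinguish AL2 (VERSION_ID="2") from AL2023 (VERSION_ID="2023") even though both report ID="amzn".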
For even more details, see Comparing Amazon Linux 2 and Amazon Linux 2023
On-Prem & Cross-Cloud Support
Most enterprises have some (unavoidable) footprint in on-prem data centers & other clouds. If you’re looking to be consistent across all your Linux virtual machines everywhere, AL2023 images are available for use outside of AWS. However, note that these are not covered by AWS support plans when used outside AWS.
Miscellaneous Tools & Agents
This section is a collection of some common third-party tools & agents we’ve tested & found to be working well on Amazon Linux 2023. If your organization uses any of these tools, install instructions are included! 😊
Datadog Agent
- AL2023 is supported out-of-the-box
- Install instructions are available in the Datadog console:
DD_API_KEY=... DD_SITE="datadoghq.com" bash -c "$(curl -L \
https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)"
CloudHealth Agent
- Amazon Linux 2014+ is supported
- Install instructions available in the app:
wget -O install_cht_perfmon.sh \
https://s3.amazonaws.com/remote-collector/agent/v28/install_cht_perfmon.sh
sudo sh install_cht_perfmon.sh 28 ...UUID... aws
Sumo Logic Collector
Install instructions: https://help.sumologic.com/docs/send-data/installed-collectors/linux
wget -O SumoCollector.rpm \
https://collectors.sumologic.com/rest/download/rpm/64
rpm -i SumoCollector.rpm
# Configure /opt/SumoCollector/config/user.properties
service collector start
HashiCorp Consul
Install instructions: https://developer.hashicorp.com/consul/downloads
(switch to the Amazon Linux tab & use dnf instead of yum)
dnf install dnf-utils shadow-utils
dnf config-manager --add-repo \
https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
dnf install consul
export CONSUL_HTTP_ADDR=...
export CONSUL_HTTP_TOKEN=...
consul kv get ...
HashiCorp Vault
Install instructions: https://developer.hashicorp.com/vault/downloads
(switch to the Amazon Linux tab & use dnf instead of yum)
dnf install dnf-utils shadow-utils
dnf config-manager --add-repo \
https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
dnf install vault
export VAULT_ADDR=...
export VAULT_TOKEN=...
vault kv get ...
Conclusion
In this article, we explored how Amazon Linux 2023 differs from CentOS 7 & Amazon Linux 2, in order to understand what it would take to adopt AL2023 at an enterprise scale & steps required, if any, to migrate applications from CentOS 7 to AL2023.
For more general information on AL2023, see Amazon Linux 2023 FAQs.
About the Author ✍🏻
Harish KM is a Principal DevOps Engineer at QloudX & a top-ranked AWS Ambassador since 2020. 👨🏻💻
With over a decade of industry experience as everything from a full-stack engineer to a cloud architect, Harish has built many world-class solutions for clients around the world! 👷🏻♂️
With over 20 certifications in cloud (AWS, Azure, GCP), containers (Kubernetes, Docker) & DevOps (Terraform, Ansible, Jenkins), Harish is an expert in a multitude of technologies. 📚
These days, his focus is on the fascinating world of DevOps & how it can transform the way we do things! 🚀