Exploring Amazon Linux 2023 as a Replacement for CentOS 7

Introduction

With CentOS 7 going out of support in June 2024, many of us are looking for viable alternatives. The stakes are even higher if you’re using CentOS at an enterprise scale, as a base operating system for hundreds or even thousands of virtual machines hosting business critical applications across your organization.

If you’re an AWS shop like us, Amazon Linux 2023 (AL2023) looks like a promising alternative to CentOS. AL2023 is the successor to Amazon Linux 2. This article explores Amazon Linux 2023 from the perspective of standardizing & operationalizing it at an enterprise scale.

Release Cadence & Support

Starting with AL2023, a new major version of Amazon Linux will be released every 2 years: AL2023, AL2025, AL2027 & so on. Each release gets 2 years of standard support with quarterly minor version updates & 3 years of maintenance support with security updates & critical bug fixes.

Amazon Linux AMIs & Container Images

A new AMI is published for every major/minor/security release of Amazon Linux. In addition to this standard AMI, a minimal AMI & container image is also published.

Subscribe to the official SNS topic to receive notifications when new AMIs are released:

arn:aws:sns:us-east-1:137112412989:amazon-linux-2023-ami-updates

Amazon Linux, Fedora & CentOS

Amazon Linux is partly based on the upstream Fedora Linux distribution, so if you’re familiar with other RPM-based operating systems, onboarding AL2023 should be relatively easy. However, note that Amazon will add/replace some packages from other non-Fedora upstreams, with some components even resembling CentOS Stream 9.

Versioned Package Repos, Locked Repo Versions & Deterministic Upgrades

Every new Amazon Linux AMI is released with its own corresponding package repositories. An AMI & its repo are tightly coupled. You can, however, decouple them if needed.

By default, AL2023 AMIs & container images are locked to a specific version of the package repositories & they don’t auto-update on launch, giving you full control over package updates.

To fetch package updates from a repo version newer than the one your instance is currently using, run dnf --releasever=version update. After this, the new release version becomes the default release version that DNF uses for all future activities.

Patching & Updating AL2023

Since each AMI is coupled to its package repo, it will eventually stop getting updates. You can, however, point an existing AL2023 EC2 instance at newer AL2023 repos to keep getting updates.

If possible, it’s better to launch new instances with latest AMIs & move your application to it, which is much easier to automate if you manage your infrastructure with something like Terraform or CloudFormation.

Kernel live patching is supported for up to 3 months after an AMI release, after which you must update to a newer kernel.

Here are some common DNF commands:

  • Install a package with dnf install package
  • Check for package updates with dnf check-update
  • Check for security updates with dnf check-update --security
  • Update all packages with dnf update
  • Check for new repo versions with dnf check-release-update
  • Check for & add new repos with:
    • dnf repolist all
    • dnf config-manager --add-repo URL
    • dnf config-manager --enable repo
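A fleet-wide, version-pinned upgrade script tying the commands above together, as an added example that is not from the original post. It assumes the AL2023 repo version format YYYY.N.YYYYMMDD and that DNF persists the locked version in /etc/dnf/vars/releasever; the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original post): pin instances to one AL2023 repo
# version and upgrade deterministically. Assumptions: the version format
# YYYY.N.YYYYMMDD and the /etc/dnf/vars/releasever file DNF reads the persisted
# release version from. Version strings below are constructed samples.
set -e

# valid_releasever VERSION: exit 0 when VERSION is "latest" or looks like an
# AL2023 repo version, so a typo or an injected value from user data cannot
# be passed through to dnf unchecked.
valid_releasever() {
    case $1 in
        latest) return 0 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^20[0-9]{2}\.[0-9]+\.[0-9]{8}$'
}

# current_releasever [FILE]: the release version DNF is currently locked to.
current_releasever() {
    file=${1:-/etc/dnf/vars/releasever}
    [ -r "$file" ] && tr -d '[:space:]' < "$file"
}

# upgrade_to VERSION: move this instance to the given repo version. DNF makes
# that version the default afterwards, so every later 'dnf update' stays on it.
upgrade_to() {
    target=$1
    valid_releasever "$target" || { echo "refusing bad releasever: $target" >&2; return 1; }
    echo "current: $(current_releasever || echo unknown) -> target: $target"
    # Preview the security fixes first; dnf exits 100 when updates are available.
    dnf --releasever="$target" check-update --security || [ $? -eq 100 ]
    dnf --releasever="$target" -y upgrade
}

# Usage: TARGET_RELEASEVER is typically injected via Terraform/CloudFormation
# user data so every instance in a fleet converges on the same repo version.
# upgrade_to "${TARGET_RELEASEVER:?set TARGET_RELEASEVER, e.g. 2023.4.20240611}"
```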

Common Packages & Software

AL2023 includes AWS CLI, SSM & Kinesis agents & CloudFormation utils & uses Corretto as its default JDK. Several popular database engines & programming language runtimes are included as well.

The OpenSSH version is 8.7, which disables the ssh-rsa key exchange algorithm, & the OpenSSL version is 3. Depending on your application’s use of SSL, you might need to peruse & act upon certain items in the OpenSSL 1.1.1 migration guide.

DNF, not YUM

DNF, the successor to YUM, is the default package manager. YUM is still available but only as a symlink to DNF. If you have legacy scripts, they should mostly work since DNF is very similar to YUM in its usage. Many DNF commands are the same & with the same options as YUM commands. If you’re new to DNF, see Changes in DNF CLI compared to YUM.

SELinux in AL2023

In AL2023, SELinux is enabled & permissive by default, so permission denials are logged but not enforced unless you switch from permissive mode to enforcing mode.

AL2023 vs AL2 (or CentOS 7)

If you’re coming from AL2, you should know that:

  • SELinux was disabled in AL2 but is enabled in AL2023
  • OpenSSL was v1.1.1 in AL2 but is v3 in AL2023
  • EC2 instance metadata service (IMDS) v2 is required by AL2023
    • The IMDS API IP doesn’t change: 169.254.169.254
  • AL2 used GP2 EBS volumes by default & AL2023 uses GP3 EBS volumes by default
  • The default package manager was YUM in AL2 but is DNF in AL2023
  • The default JDK was OpenJDK in AL2 but is Corretto in AL2023
  • AWS CLI was v1 in AL2 but is v2 in AL2023
  • AL2 was highly compatible with CentOS 7, so many EPEL7 packages worked on AL2
  • cloud-init installed security updates in AL2, but not in AL2023
  • AL2 had the lsb_release command; AL2023 doesn’t
    • If your app calls lsb_release to determine OS info, start using /etc/os-release instead
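Two of the items above in working form, as an added example that is not from the original post: reading /etc/os-release in place of lsb_release, and the token-first IMDSv2 request that AL2023 requires. The sample os-release contents are constructed, and the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original post): AL2023 has no lsb_release, so
# read /etc/os-release instead; and IMDSv2 is required, so fetch a session
# token before querying instance metadata. Function names are ours.

# Constructed sample of an AL2023 /etc/os-release, used only for the demo below.
SAMPLE_OS_RELEASE='NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023"'

# os_release_value KEY [FILE]: print the value of KEY from an os-release file,
# with surrounding quotes removed. Empty output means the key is absent.
os_release_value() {
    key=$1
    file=${2:-/etc/os-release}
    sed -n "s/^${key}=//p" "$file" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# is_al2023 [FILE]: exit 0 when the file describes Amazon Linux 2023.
is_al2023() {
    [ "$(os_release_value ID "$1")" = "amzn" ] &&
        [ "$(os_release_value VERSION_ID "$1")" = "2023" ]
}

# imds_get PATH: IMDSv2 read, i.e. a PUT for a short-lived token followed by
# the GET carrying that token. Plain GETs without the token fail on AL2023.
imds_get() {
    token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 300") || return 1
    curl -sS -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/meta-data/$1"
}

# Demo against the constructed sample (the real file is the default argument).
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_OS_RELEASE" > "$demo_file"
echo "ID=$(os_release_value ID "$demo_file") VERSION_ID=$(os_release_value VERSION_ID "$demo_file")"
is_al2023 "$demo_file" && echo "this looks like AL2023"
rm -f "$demo_file"
```

On a real instance, `imds_get instance-id` returns the instance ID; the functions default to /etc/os-release when no file argument is given.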

For even more details, see Comparing Amazon Linux 2 and Amazon Linux 2023.

On-Prem & Cross-Cloud Support

Most enterprises have some (unavoidable) footprint in on-prem data centers & other clouds. If you’re looking to be consistent across all your Linux virtual machines everywhere, AL2023 images are available for use outside of AWS. However, note that these are not covered by AWS support plans when used outside AWS.

Miscellaneous Tools & Agents

This section is a collection of some common third-party tools & agents we’ve tested & found to be working well on Amazon Linux 2023. If your organization uses any of these tools, install instructions are included! 😊

Datadog Agent

DD_API_KEY=... DD_SITE="datadoghq.com" bash -c "$(curl -L \
https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)"

CloudHealth Agent

wget -O install_cht_perfmon.sh \
https://s3.amazonaws.com/remote-collector/agent/v28/install_cht_perfmon.sh

sudo sh install_cht_perfmon.sh 28 ...UUID... aws

Sumo Logic Collector

Install instructions: https://help.sumologic.com/docs/send-data/installed-collectors/linux

wget -O SumoCollector.rpm \
https://collectors.sumologic.com/rest/download/rpm/64

rpm -i SumoCollector.rpm

# Configure /opt/SumoCollector/config/user.properties

service collector start

HashiCorp Consul

Install instructions: https://developer.hashicorp.com/consul/downloads

(switch to the Amazon Linux tab & use dnf instead of yum)

dnf install dnf-utils shadow-utils

dnf config-manager --add-repo \
https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo

dnf install consul

export CONSUL_HTTP_ADDR=...
export CONSUL_HTTP_TOKEN=...
consul kv get ...

HashiCorp Vault

Install instructions: https://developer.hashicorp.com/vault/downloads

(switch to the Amazon Linux tab & use dnf instead of yum)

dnf install dnf-utils shadow-utils

dnf config-manager --add-repo \
https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo

dnf install vault

export VAULT_ADDR=...
export VAULT_TOKEN=...
vault kv get ...

Conclusion

In this article, we explored how Amazon Linux 2023 differs from CentOS 7 & Amazon Linux 2, in order to understand what it would take to adopt AL2023 at an enterprise scale & steps required, if any, to migrate applications from CentOS 7 to AL2023.

For more general information on AL2023, see Amazon Linux 2023 FAQs.

About the Author ✍🏻

Harish KM is a Principal DevOps Engineer at QloudX & a top-ranked AWS Ambassador since 2020. 👨🏻‍💻

With over a decade of industry experience as everything from a full-stack engineer to a cloud architect, Harish has built many world-class solutions for clients around the world! 👷🏻‍♂️

With over 20 certifications in cloud (AWS, Azure, GCP), containers (Kubernetes, Docker) & DevOps (Terraform, Ansible, Jenkins), Harish is an expert in a multitude of technologies. 📚

These days, his focus is on the fascinating world of DevOps & how it can transform the way we do things! 🚀
