AL2023 kernel changes from AL2
AL2023 brings the 6.1 kernel, as well as many configuration changes to further optimize Amazon Linux for the cloud. For most users, these changes should be completely transparent.
IPv4 TTL
The TTL for IPv4 is configured via sysctl, with the default values being present in /etc/sysctl.d/00-defaults.conf. This value can be customized through the usual sysctl methods. For more information, see the sysctl man page.
AL2 set the net.ipv4.ip_default_ttl value to 255, while AL2023 sets it to 127. This brings Amazon Linux defaults in line with other major Linux distributions. It is not recommended to change this default without a demonstrated need to.
Security focused kernel config changes
CONFIG option | AL2/4.14/aarch64 | AL2/4.14/x86_64 | AL2/5.10/aarch64 | AL2/5.10/x86_64 | AL2023/6.1/aarch64 | AL2023/6.1/x86_64
---|---|---|---|---|---|---
CONFIG_BUG_ON_DATA_CORRUPTION | n | y | n | y | y | y
CONFIG_DEFAULT_MMAP_MIN_ADDR | 4096 | 4096 | 4096 | 4096 | 65536 | 65536
CONFIG_DEVMEM | n | y | n | y | n | n
CONFIG_DEVPORT | n | y | n | y | n | n
CONFIG_FORTIFY_SOURCE | n | y | n | y | y | y
CONFIG_HARDENED_USERCOPY_FALLBACK | N/A | N/A | y | y | N/A | N/A
CONFIG_INIT_ON_ALLOC_DEFAULT_ON | N/A | N/A | n | n | n | n
CONFIG_INIT_ON_FREE_DEFAULT_ON | N/A | N/A | n | n | n | n
CONFIG_IOMMU_DEFAULT_DMA_STRICT | N/A | N/A | N/A | N/A | n | n
CONFIG_LDISC_AUTOLOAD | y | y | y | y | n | n
CONFIG_SCHED_CORE | N/A | N/A | N/A | N/A | N/A | y
CONFIG_SCHED_STACK_END_CHECK | n | y | n | y | y | y
CONFIG_SECURITY_DMESG_RESTRICT | n | n | n | n | y | y
CONFIG_SECURITY_SELINUX_DISABLE | y | y | y | y | n | n
CONFIG_SHUFFLE_PAGE_ALLOCATOR | N/A | N/A | y | y | y | y
CONFIG_SLAB_FREELIST_HARDENED | n | y | y | y | y | y
CONFIG_SLAB_FREELIST_RANDOM | n | n | y | y | y | y
x86-64 Specific Security focused kernel config changes
CONFIG option | AL2/4.14/x86_64 | AL2/5.10/x86_64 | AL2023/6.1/x86_64
---|---|---|---
CONFIG_AMD_IOMMU | y | y | y
CONFIG_AMD_IOMMU_V2 | m | m | y
CONFIG_RANDOMIZE_MEMORY | N/A | y | y
aarch64 (ARM/Graviton) Specific Security focused kernel config changes
CONFIG option | AL2/4.14/aarch64 | AL2/5.10/aarch64 | AL2023/6.1/aarch64
---|---|---|---
CONFIG_ARM64_PTR_AUTH | N/A | y | y
CONFIG_ARM64_PTR_AUTH_KERNEL | N/A | N/A | y
CONFIG_ARM64_SW_TTBR0_PAN | y | y | y
/dev/mem, /dev/kmem and /dev/port
Amazon Linux 2023 disables /dev/mem and /dev/port (CONFIG_DEVMEM and CONFIG_DEVPORT) completely, building on the restrictions already in place in AL2.
The /dev/kmem code was completely removed from Linux in the 5.13 kernel; it was disabled in AL2 and is no longer applicable to AL2023.
This option is one of the Kernel Self Protection Project Recommended Settings.
FORTIFY_SOURCE
AL2023 enables CONFIG_FORTIFY_SOURCE on all supported architectures. Where the compiler can determine and validate buffer sizes, this hardening feature detects buffer overflows in common string and memory functions.
This option is one of the Kernel Self Protection Project Recommended Settings.
Line Discipline autoload (CONFIG_LDISC_AUTOLOAD)
The AL2023 kernel will not automatically load line disciplines, for example when software requests one with the TIOCSETD ioctl, unless the request comes from a process with the CAP_SYS_MODULE capability.
This option is one of the Kernel Self Protection Project Recommended Settings.
dmesg access for unprivileged users (CONFIG_SECURITY_DMESG_RESTRICT)
By default, AL2023 does not allow unprivileged users access to dmesg.
This option is one of the Kernel Self Protection Project Recommended Settings.
SELinux selinuxfs disable
AL2023 disables the deprecated CONFIG_SECURITY_SELINUX_DISABLE kernel option, which enabled a runtime method of disabling SELinux before a policy is loaded.
This option is one of the Kernel Self Protection Project Recommended Settings.
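The following script is an added example, not Amazon Linux code: it audits a kernel .config file against the AL2023/6.1 column of the security table above and reports each option that deviates. It assumes the config of the running kernel is at /boot/config-$(uname -r); the sample config embedded at the end is constructed for a stand-alone run.

```shell
# Added example (not Amazon Linux code): audit a kernel .config against the
# AL2023/6.1 column of the security table above. On a running host the
# config is usually /boot/config-$(uname -r) (an assumed path). "unset" means
# the option must not appear as =y/=m/=<value>; a real .config shows the
# table's "n" as "# CONFIG_X is not set" or omits the line entirely.
AL2023_EXPECTED='CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_DEVMEM=unset
CONFIG_DEVPORT=unset
CONFIG_FORTIFY_SOURCE=y
CONFIG_LDISC_AUTOLOAD=unset
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY_SELINUX_DISABLE=unset
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_FREELIST_RANDOM=y'
# Print "OPTION: expected X, found Y" per deviation; return 1 if any.
check_kernel_config() {
    cfg="$1"
    bad=0
    for entry in $AL2023_EXPECTED; do
        opt="${entry%%=*}"
        want="${entry#*=}"
        # Value after "OPTION=" (y, m or a number); empty when not set.
        got=$(sed -n "s/^${opt}=//p" "$cfg")
        [ -n "$got" ] || got=unset
        if [ "$got" != "$want" ]; then
            printf '%s: expected %s, found %s\n' "$opt" "$want" "$got"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample (not a real Amazon Linux config): AL2-like settings
# that still enable /dev/mem and keep mmap_min_addr at 4096.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_DEVMEM=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SCHED_STACK_END_CHECK=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_FREELIST_RANDOM=y
EOF
check_kernel_config "$SAMPLE_CFG" || echo "config deviates from AL2023 defaults"
```

Run it as `check_kernel_config /boot/config-$(uname -r)` on an AL2023 host; an empty report and a zero exit status mean every listed option matches the table.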
Other kernel configuration changes
CONFIG option | AL2/4.14/aarch64 | AL2/4.14/x86_64 | AL2/5.10/aarch64 | AL2/5.10/x86_64 | AL2023/6.1/aarch64 | AL2023/6.1/x86_64
---|---|---|---|---|---|---
CONFIG_HZ | 100 | 250 | 100 | 250 | 100 | 100
CONFIG_NR_CPUS | 4096 | 8192 | 4096 | 8192 | 4096 | 8192
CONFIG_PANIC_ON_OOPS | y | n | y | n | y | y
CONFIG_PANIC_ON_OOPS_VALUE | 1 | 0 | 1 | 0 | 1 | 1
CONFIG_PPP | m | m | m | m | n | n
CONFIG_SLIP | m | m | m | m | n | n
CONFIG_XEN_PV | N/A | y | N/A | n | N/A | n
CONFIG_HZ
AL2023 sets CONFIG_HZ to 100 on both x86-64 and aarch64 platforms.
CONFIG_NR_CPUS
AL2023 sets CONFIG_NR_CPUS to a number closer to the maximum number of CPU cores found in Amazon EC2.
Panic on OOPS
The AL2023 kernel will panic when it oopses. This is equivalent to booting with oops=panic on the kernel command line.
A kernel oops is where the kernel has detected an internal error which may affect the further reliability of the system.
PPP and SLIP Support
AL2023 does not support the PPP or SLIP protocols.
Xen PV Guest Support
AL2023 does not support running as a Xen PV guest.
Kernel Filesystem support
There have been several changes between AL2 and AL2023 in the file systems that the kernel supports mounting, along with changes in the partitioning schemes that the kernel will parse.
CONFIG option | AL2/4.14/aarch64 | AL2/4.14/x86_64 | AL2/5.10/aarch64 | AL2/5.10/x86_64 | AL2023/6.1/aarch64 | AL2023/6.1/x86_64
---|---|---|---|---|---|---
CONFIG_AFS_FS | n | m | n | m | n | n
CONFIG_AF_RXRPC | n | m | n | m | n | n
CONFIG_BSD_DISKLABEL | y | y | y | y | n | n
CONFIG_CRAMFS | m | m | m | m | n | n
CONFIG_CRAMFS_BLOCKDEV | N/A | N/A | y | n | N/A | N/A
CONFIG_DM_CLONE | N/A | N/A | n | n | n | n
CONFIG_DM_ERA | m | n | m | n | n | n
CONFIG_DM_INTEGRITY | n | m | n | m | m | m
CONFIG_DM_LOG_WRITES | n | n | m | m | m | m
CONFIG_DM_SWITCH | m | n | m | n | n | n
CONFIG_DM_VERITY | m | n | m | n | n | n
CONFIG_ECRYPT_FS | n | m | n | m | n | n
CONFIG_EXFAT_FS | N/A | N/A | m | m | m | m
CONFIG_EXT2_FS | n | m | n | m | n | n
CONFIG_EXT3_FS | n | m | n | m | n | n
CONFIG_GFS2_FS | m | m | m | m | n | n
CONFIG_HFSPLUS_FS | n | m | n | m | n | n
CONFIG_HFS_FS | n | m | n | m | n | n
CONFIG_JFS_FS | n | n | n | n | n | n
CONFIG_LDM_PARTITION | n | y | n | y | n | n
CONFIG_MAC_PARTITION | n | y | n | y | n | n
CONFIG_NFS_V2 | n | m | n | m | n | n
CONFIG_NTFS_FS | n | m | n | n | n | n
CONFIG_ROMFS_FS | n | m | n | m | n | n
CONFIG_SOLARIS_X86_PARTITION | n | y | n | y | n | n
CONFIG_SQUASHFS_ZSTD | n | y | n | y | y | y
CONFIG_SUN_PARTITION | n | y | n | y | n | n
Andrew File System support (AFS)
The kernel is no longer built with support for the afs file system. AL2 did not ship with user-space support for afs.
cramfs support
The kernel is no longer built with support for the cramfs file system. Its successor in AL2023 is the squashfs file system.
BSD disklabel support
The kernel is no longer built with support for BSD disk labels. If reading volumes with BSD disk labels is required, various BSDs can be launched.
Device Mapper changes
There have been several changes to the Device Mapper targets configured in the AL2023 kernel.
eCryptFs support
The ecryptfs file system has been deprecated in Amazon Linux. The user-space components of ecryptfs were present in AL1 and removed in AL2, and AL2023 no longer builds the kernel with ecryptfs support.
exFAT
Support for the exFAT file system was added in the 5.10 kernel in AL2. It was not present at AL2 launch with a 4.14 kernel. AL2023 continues to support the exFAT file system.
The ext2, ext3, and ext4 file systems
AL2023 ships with the CONFIG_EXT4_USE_FOR_EXT2 option, which means that the ext4 file system code is used to read legacy ext2 file systems.
CONFIG_GFS2_FS
The kernel is no longer built with CONFIG_GFS2_FS.
Apple Extended HFS file system support (HFS+)
In AL2, only the x86-64 kernels were built with hfsplus file system support. The AL2 5.15 kernel does not include hfsplus support on any architecture. In AL2023, we complete the deprecation of hfsplus support in Amazon Linux.
HFS file system support
In AL2, only the x86-64 kernels were built with hfs file system support. The AL2 5.15 kernel does not include hfs support on any architecture. In AL2023, we complete the deprecation of hfs support in Amazon Linux.
JFS file system support
Older AL2 x86-64 kernels were built with jfs file system support. The AL2 5.15 kernel does not include jfs support on any architecture. Neither AL1 nor AL2 shipped with JFS userspace. In AL2023, we complete the deprecation of jfs support in Amazon Linux.
The upstream Linux kernel is considering the removal of JFS. If you have a JFS file system, you should migrate it to another file system. In 2024, JFS was removed from all current Amazon Linux kernels.
Windows Logical Disk Manager (Dynamic Disk) support (CONFIG_LDM_PARTITION)
AL2023 no longer supports Windows 2000, Windows XP, or Windows Vista dynamic disks with MS-DOS style partitions. This code never supported the newer GPT-based dynamic disks introduced with Windows Vista.
Macintosh partition map support
AL2023 no longer supports the classic Macintosh partition map. Modern macOS versions create GPT partition tables by default rather than this older type.
NFSv2 support
AL2023 no longer supports NFSv2, but continues to support NFSv3, NFSv4, NFSv4.1, and NFSv4.2. We recommend that you migrate to NFSv3 or newer.
NTFS (CONFIG_NTFS_FS)
The ntfs3 code replaced ntfs for accessing NTFS file systems on Amazon Linux as of the 5.10 kernel in AL2. AL2023 no longer includes the ntfs code and relies exclusively on the ntfs3 code for accessing NTFS file systems.
romfs file system
The squashfs file system is the successor of the romfs file system in Amazon Linux, and the AL2023 kernel is no longer built with support for romfs.
Solaris x86 hard disk partition format
AL2023 no longer supports the Solaris x86 hard disk partition format.
squashfs zstd compression
AL2023 adds support for zstd compressed squashfs file systems on all supported architectures.
Sun partition table support
AL2023 no longer includes support for the Sun partition table format (CONFIG_SUN_PARTITION).
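The following pre-migration check is an added example, not Amazon Linux code: it reads a file in /proc/mounts format and flags mounts whose file system type the AL2023 kernel no longer supports, using the file system table and sections above. The list of dropped types, the NFSv2 detection via the vers=2 / nfsvers=2 mount option, and the sample mounts are all constructed for this example.

```shell
# Added example (not Amazon Linux code): before moving a workload from AL2
# to AL2023, flag mounts whose file system the AL2023 kernel no longer
# supports. Input is in /proc/mounts format. The dropped list is taken from
# the table above; ext2/ext3 are not listed because the ext4 driver mounts
# them (CONFIG_EXT4_USE_FOR_EXT2), and ntfs3 replaces the old ntfs driver.
AL2023_DROPPED_FS="afs cramfs ecryptfs gfs2 hfs hfsplus jfs ntfs romfs"

# Print "<mountpoint> <reason>" per unsupported mount; return 1 if any.
find_unsupported_mounts() {
    bad=0
    while read -r dev mnt fstype opts rest; do
        case " $AL2023_DROPPED_FS " in
            *" $fstype "*) printf '%s %s\n' "$mnt" "$fstype"; bad=1 ;;
        esac
        # NFSv2 is gone; NFSv3 and later remain supported.
        if [ "$fstype" = nfs ]; then
            case ",$opts," in
                *,vers=2,*|*,nfsvers=2,*) printf '%s nfsv2\n' "$mnt"; bad=1 ;;
            esac
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample mounts (not captured from a real host).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/nvme0n1p1 / xfs rw,relatime 0 0
/dev/nvme1n1 /srv/old ext2 rw 0 0
/dev/nvme2n1 /mnt/win ntfs ro 0 0
/dev/nvme3n1 /mnt/win2 ntfs3 ro 0 0
nfs-server:/export /mnt/nfs nfs rw,vers=2,hard 0 0
nfs-server:/export2 /mnt/nfs4 nfs4 rw,vers=4.1 0 0
/dev/loop0 /mnt/img cramfs ro 0 0
EOF
find_unsupported_mounts "$SAMPLE_MOUNTS" || echo "migration blockers found"
```

On a live AL2 host run `find_unsupported_mounts /proc/mounts`; mount points listed there need a new file system (or an NFS version upgrade) before the move to AL2023.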