# Deterministic upgrades through versioned repositories on AL2023
<a name="deterministic-upgrades"></a>

**Note**  
By default, your AL2023 instance doesn't automatically receive additional critical and important security updates at launch. Your instance initially contains only the updates that were available in the AL2023 version that the chosen AMI was built from.

## Control the updates received from major and minor releases
<a name="controlling-release-updates"></a>

With AL2023, you can ensure consistency between package versions and updates across your environment. You can also ensure consistency for multiple instances of the same Amazon Machine Image (AMI). With the deterministic upgrades through versioned repositories feature, which is turned on by default, you can apply updates based on a schedule that meets your specific needs.

Whenever we release new package updates, there's a new version to lock to, and new AMIs that lock to that version.

AL2023 locks to a specific version of your repository. This is supported for both major and minor versions. The AL2023 AMI, exposed through our SSM parameters, is always the latest version. It has the most up-to-date packages and updates, including critical and important security updates.

If you launch an instance from an existing AMI, updates aren't automatically applied. Any additional packages that are installed as part of your provisioning map to the repository version of the existing AMI. 

With this feature, you're in charge of ensuring consistency among package versions and updates across your environment. This is particularly the case if you're launching multiple instances from the same AMI. You can apply updates based on a schedule that meets your needs. You can also apply a specific set of updates on launch because these can also be locked to a specific repository version.

## Differences between minor and major version upgrades
<a name="differences-updates-upgrades"></a>

Major version releases of AL2023 include large-scale updates and might add, delete, or update packages. To ensure compatibility, upgrade your instance to a new major version only after you test your application on that version. 

Minor version releases of AL2023 include feature and security updates, but don't include package changes. This ensures that Linux features and the system library API stay available on new versions. Testing your application before updating isn't necessary. 

## Knowing when updates are available
<a name="knowing-when-to-update"></a>

 In order to apply an update, you need to know that one is available, and then know how to deploy the update. 

 For building derived AMIs when new AL2023 AMIs are released, [EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/) can automatically build, patch, and test AMIs. To trigger your own AMI building pipelines, or to use the base AMIs, you can [Receive notifications on new updates](receive-update-notification.md). 

 For patching in-place, you can use tools such as [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html) to orchestrate applying updates across a fleet. 

 For other public AMIs based on AL2023, the providers of those AMIs may have their own release schedule and notification methods. When using derived AMIs or container images, check the documentation from the publisher as to when updates are released. 

 The changes in each release are documented in the [AL2023 release notes](https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html). Security updates are published on [Amazon Linux Security Center (ALAS)](https://alas.aws.amazon.com). 

## Control the package updates available from the AL2023 repositories
<a name="control-package-updates"></a>

When we publish a new version of the AL2023 repositories, all previous versions are still available. By default, the plugin for managing repository versions locks to the same version that was used to build the AMI. If you want to control package updates, follow these steps.

1. Discover available repository versions by running the following command.

   ```
   $ sudo dnf check-release-update
   ```

1. Select a version by running the following command.

   ```
   $ sudo dnf upgrade --releasever=version
   ```

This command starts an update using `dnf` from your current Amazon Linux release version to the release version that's specified in the command line. A list of the package updates is presented by `dnf`. Before the update is processed, you must confirm the update. After the update is complete, the new release version becomes the default release version that `dnf` uses for all future activities. 

For more information, see [Manage package and operating system updates in AL2023](managing-repos-os-updates.md).

# Deterministic updates via instance replacement
<a name="security-instance-replacement"></a>

 The [Deterministic upgrades through versioned repositories on AL2023](deterministic-upgrades.md) feature of Amazon Linux 2023 makes instance replacement an easy way to deterministically and safely roll out updated versions of AL2023. Deterministic updates mean that as a new version is progressively rolled out, if any issue is found, it's simple to revert to the previous AMI while determining the cause of the issue. 

 Using instance replacement rather than patching in-place means that updates are more deterministic and predictable as launching new capacity can be a well tested code-path with clear A and B states. Each of the before and after states can be well tested in a CI/CD system before deployment starts. 

 When doing in-place patching, there are a lot of intermediary states between before and after applying updates, which is harder to test for all combinations of states. 

 An OS update strategy of using instance replacement with deterministic updates fits well into blue/green, wave, and phase based deployment models. 

# Using Deterministic upgrades through versioned repositories
<a name="deterministic-upgrades-usage"></a>

**Topics**
+ [Using a deterministic upgraded system](#using-a-deterministic-upgraded-system)
+ [Selective update of a deterministic upgraded system](#deterministic-upgrade-selective-update)
+ [Using persistent override with deterministic upgrade](#deterministic-upgrade-override-persist)

## Using a deterministic upgraded system
<a name="using-a-deterministic-upgraded-system"></a>

**Note**  
 The default behavior of the package manager has changed from AL2. 

 Deterministic upgrades are a powerful way to ensure all changes to production environments can be fully tested before wide deployment. Each new AL2023 AMI is locked to a particular version of AL2023. This provides deterministic behavior of what versions of OS packages are installed when launching the specific AMI. In-place updates can be to a specific release version, ensuring deterministic behavior across a fleet. As you move to new AMIs or in-place update versions, you can test each one in your CI/CD pipeline, catching any potential issues before deploying to production environments. 

 You can use tools such as [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html) to orchestrate applying updates across a fleet. For building derived AMIs when new AL2023 AMIs are released, [EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/) can automatically build, patch, and test AMIs, or you can [Receive notifications on new updates](receive-update-notification.md) to know when new base AMIs are available, or to trigger your own AMI building pipelines. 

 For information on restricting updates to those from a particular advisory, see [Applying security updates in-place](security-inplace-update.md) 

 For patching in-place, you can use the `dnf` package manager. When you run the `dnf upgrade` command, the system checks for upgrades in the repository that the `releasever` variable specifies. A valid `releasever` is either *latest* or a date-stamped version such as *2023.10.20260330*.

You can change the value of `releasever` using one of the following methods. These methods are listed in descending order of priority: method 1 overrides methods 2 and 3, and method 2 overrides method 3.

1. The value in the command line flag, `--releasever=latest`, if it's used.

1. The value that's specified in the override variable file, `/etc/dnf/vars/releasever`, if it's set.

1. The currently installed version of the `system-release` package.

In the following example, the version is *2023.0.20230210*:

```
$ rpm -q system-release
system-release-2023.0.20230210-0.amzn2023.noarch
```

In a newly installed system, the override variable is not present. No upgrades are available because the system is locked to the installed version of `system-release`.

```
$ cat /etc/dnf/vars/releasever
cat: /etc/dnf/vars/releasever: No such file or directory
```

```
$ sudo dnf upgrade
Last metadata expiration check: 0:00:02 ago on Wed 15 Feb 2023 06:14:12 PM UTC.
Dependencies resolved.
Nothing to do.
Complete!
```

You can get packages of a specific version by using the `--releasever` flag to provide the version that you want.

```
$ rpm -q system-release
system-release-2023.0.20230222-0.amzn2023.noarch
```

```
$ sudo dnf upgrade --releasever=2023.0.20230329
Amazon Linux 2023 repository                     26 MB/s |  12 MB     00:00
Dependencies resolved.
================================================================================
 Package                 Arch    Version                      Repository   Size
================================================================================
Installing:
 kernel                   aarch64 6.1.21-1.45.amzn2023        amazonlinux  26 M
Upgrading:
 amazon-linux-repo-s3     noarch  2023.0.20230329-0.amzn2023  amazonlinux  18 k
 ca-certificates          noarch  2023.2.60-1.0.amzn2023.0.1  amazonlinux 828 k
 cloud-init               noarch  22.2.2-1.amzn2023.1.7       amazonlinux 1.1 M

         ... [ list edited for clarity ]

 system-release           noarch  2023.0.20230329-0.amzn2023  amazonlinux  29 k

         ... [ list edited for clarity ]
          
 vim-data                 noarch  2:9.0.1403-1.amzn2023.0.1   amazonlinux  25 k
 vim-minimal              aarch64 2:9.0.1403-1.amzn2023.0.1   amazonlinux 753 k

Transaction Summary
================================================================================
Install    1 Package
Upgrade   42 Packages

Total download size: 56 M
```

Because the `--releasever` option overrides both `system-release` and `/etc/dnf/vars/releasever`, the result of this upgrade is the following:

1. The upgrade replaces all installed packages that changed between the previous and new versions.

1. The upgrade locks the system to the repository for the new version of `system-release`.

By always specifying which `releasever` (that is, which AL2023 release) to update to, you get a deterministic set of changes across a fleet: you launched version *A*, updated to *B*, and then updated to *C*.
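The following shell script is an added example, not part of the AL2023 documentation. It models the three-level `releasever` resolution order described above (command-line flag, then `/etc/dnf/vars/releasever`, then the installed `system-release` package) and adds a small fleet audit helper that classifies a host as `locked`, `unlocked` or `drift` relative to the release you intend it to be pinned to. It takes the `rpm -q system-release` output and the override file path as arguments so it runs offline; the sample package name and the temporary override file are constructed, and `lock_status` is a name chosen here, not a `dnf` command.

```shell
#!/bin/sh
# Added example (not from the AL2023 documentation): models the releasever
# resolution order and audits whether a host is still locked to a release.
# Inputs are arguments so the logic runs without dnf or rpm; on a real host
# pass "$(rpm -q system-release)" and /etc/dnf/vars/releasever instead.

# Extract the release version from the system-release package NVRA,
# e.g. system-release-2023.0.20230210-0.amzn2023.noarch -> 2023.0.20230210
system_release_version() {
    printf '%s\n' "$1" | sed -n 's/^system-release-\([0-9][0-9.]*\)-.*$/\1/p'
}

# Resolve the releasever dnf would use, in the documented priority order:
#   1. --releasever on the command line (pass "" if absent)
#   2. the override file /etc/dnf/vars/releasever, if present
#   3. the installed system-release package
# $1 = CLI value or "", $2 = path to override file, $3 = rpm -q output
effective_releasever() {
    cli="$1"; override_file="$2"; rpm_out="$3"
    if [ -n "$cli" ]; then
        printf '%s\n' "$cli"
    elif [ -f "$override_file" ]; then
        # dnf reads the first line of the vars file; strip trailing whitespace
        sed -n '1s/[[:space:]]*$//p' "$override_file"
    else
        system_release_version "$rpm_out"
    fi
}

# Audit helper (hypothetical name): classify a host against the release the
# fleet is meant to be pinned to. Prints one of:
#   locked   - no override, effective release equals the expected one
#   unlocked - the override file points at "latest" (AL2-style behaviour)
#   drift    - pinned to a version other than the expected one
# $1 = expected release, $2 = override file path, $3 = rpm -q output
lock_status() {
    expected="$1"
    actual="$(effective_releasever "" "$2" "$3")"
    if [ "$actual" = "latest" ]; then
        printf 'unlocked\n'
    elif [ "$actual" = "$expected" ]; then
        printf 'locked\n'
    else
        printf 'drift\n'
    fi
}

# Constructed sample data, mirroring the outputs quoted in this guide.
SAMPLE_RPM='system-release-2023.0.20230210-0.amzn2023.noarch'
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_OVERRIDE="$SAMPLE_DIR/releasever"   # stands in for /etc/dnf/vars/releasever

# Fresh instance: no override file, so dnf is locked to 2023.0.20230210.
echo "no override -> $(effective_releasever '' "$SAMPLE_OVERRIDE" "$SAMPLE_RPM")"
# Persistent override to latest (what `echo latest | sudo tee ...` does).
echo latest > "$SAMPLE_OVERRIDE"
echo "override    -> $(effective_releasever '' "$SAMPLE_OVERRIDE" "$SAMPLE_RPM")"
# A command-line --releasever wins over the override file.
echo "cli flag    -> $(effective_releasever 2023.0.20230329 "$SAMPLE_OVERRIDE" "$SAMPLE_RPM")"
# The audit flags this host as unlocked because the override says latest.
echo "audit       -> $(lock_status 2023.0.20230210 "$SAMPLE_OVERRIDE" "$SAMPLE_RPM")"
rm -rf "$SAMPLE_DIR"
```

Run across a fleet (for example through Systems Manager Run Command), `lock_status` gives a quick inventory of which hosts have silently left the deterministic model, which is the first thing to check before trusting that a staged rollout and production actually ran the same package set.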

## Selective update of a deterministic upgraded system
<a name="deterministic-upgrade-selective-update"></a>

**Note**  
 We recommend that all updates in a new release are installed rather than selecting specific updates. Applying only part of an update to the OS should be an exception to the standard practice of taking the whole update. 

You might want to install selected packages from a recent release, while leaving the system locked to the original release version.

You can use `dnf check-update` to identify the packages that you want to upgrade.

```
$ sudo dnf check-update --releasever=latest --security
Amazon Linux 2023 repository                     13 MB/s |  10 MB     00:00
Last metadata expiration check: 0:00:02 ago on Wed 15 Feb 2023 02:52:21 AM UTC.

bind-libs.aarch64                  32:9.16.27-1.amzn2023.0.1         amazonlinux
bind-license.noarch                32:9.16.27-1.amzn2023.0.1         amazonlinux
bind-utils.aarch64                 32:9.16.27-1.amzn2023.0.1         amazonlinux
cryptsetup.aarch64                 2.4.3-2.amzn2023.0.1              amazonlinux
cryptsetup-libs.aarch64            2.4.3-2.amzn2023.0.1              amazonlinux
curl-minimal.aarch64               7.85.0-1.amzn2023.0.1             amazonlinux
glibc.aarch64                      2.34-40.amzn2023.0.2              amazonlinux
glibc-all-langpacks.aarch64        2.34-40.amzn2023.0.2              amazonlinux
glibc-common.aarch64               2.34-40.amzn2023.0.2              amazonlinux
glibc-locale-source.aarch64        2.34-40.amzn2023.0.2              amazonlinux
gmp.aarch64                        1:6.2.1-2.amzn2023.0.1            amazonlinux
gnupg2-minimal.aarch64             2.3.7-1.amzn2023.0.2              amazonlinux
gzip.aarch64                       1.10-5.amzn2023.0.1               amazonlinux
kernel.aarch64                     6.1.12-17.42.amzn2023             amazonlinux
kernel-tools.aarch64               6.1.12-17.42.amzn2023             amazonlinux
libarchive.aarch64                 3.5.3-2.amzn2023.0.1              amazonlinux
libcurl-minimal.aarch64            7.85.0-1.amzn2023.0.1             amazonlinux
libsepol.aarch64                   3.4-3.amzn2023.0.2                amazonlinux
libsolv.aarch64                    0.7.22-1.amzn2023.0.1             amazonlinux
libxml2.aarch64                    2.9.14-1.amzn2023.0.1             amazonlinux
logrotate.aarch64                  3.20.1-2.amzn2023.0.2             amazonlinux
lua-libs.aarch64                   5.4.4-3.amzn2023.0.1              amazonlinux
lz4-libs.aarch64                   1.9.4-1.amzn2023.0.1              amazonlinux
openssl.aarch64                    1:3.0.5-1.amzn2023.0.3            amazonlinux
openssl-libs.aarch64               1:3.0.5-1.amzn2023.0.3            amazonlinux
pcre2.aarch64                      10.40-1.amzn2023.0.1              amazonlinux
pcre2-syntax.noarch                10.40-1.amzn2023.0.1              amazonlinux
rsync.aarch64                      3.2.6-1.amzn2023.0.2              amazonlinux
vim-common.aarch64                 2:9.0.475-1.amzn2023.0.1          amazonlinux
vim-data.noarch                    2:9.0.475-1.amzn2023.0.1          amazonlinux
vim-enhanced.aarch64               2:9.0.475-1.amzn2023.0.1          amazonlinux
vim-filesystem.noarch              2:9.0.475-1.amzn2023.0.1          amazonlinux
vim-minimal.aarch64                2:9.0.475-1.amzn2023.0.1          amazonlinux
xz.aarch64                         5.2.5-9.amzn2023.0.1              amazonlinux
xz-libs.aarch64                    5.2.5-9.amzn2023.0.1              amazonlinux
zlib.aarch64                       1.2.11-32.amzn2023.0.3            amazonlinux
```

Install the packages that you want to upgrade. Use `sudo dnf upgrade --releasever=latest` and the package names to ensure that the `system-release` package remains unchanged.

```
$ sudo dnf upgrade --releasever=latest openssl openssl-libs
Last metadata expiration check: 0:01:28 ago on Wed 15 Feb 2023 02:52:21 AM UTC.
Dependencies resolved.
================================================================================
 Package          Arch        Version                     Repository       Size
================================================================================
Upgrading:
 openssl          aarch64     1:3.0.5-1.amzn2023.0.3      amazonlinux     1.1 M
 openssl-libs     aarch64     1:3.0.5-1.amzn2023.0.3      amazonlinux     2.1 M

Transaction Summary
================================================================================
Upgrade  2 Packages

Total download size: 3.2 M
```

**Note**  
Using `sudo dnf upgrade --releasever=latest` updates all packages, including `system-release`. Then, the version remains locked to the new `system-release` unless you set the persistent override.
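The following shell script is an added example, not part of the AL2023 documentation. It parses the output format of `dnf check-update --releasever=latest --security` shown above into bare package names and builds the selective `dnf upgrade --releasever=latest <packages>` command, refusing to emit the command when the package list is empty, since a bare `dnf upgrade --releasever=latest` would also move `system-release` and re-lock the host to the newer release, as the note above describes. The sample output is a constructed, trimmed copy of the listing on this page, and the function names `pending_packages` and `selective_upgrade_cmd` are chosen here.

```shell
#!/bin/sh
# Added example (not from the AL2023 documentation): turn the output of
#   sudo dnf check-update --releasever=latest --security
# into an explicit package list for a selective upgrade, and refuse to emit
# a bare `dnf upgrade --releasever=latest`, which would also upgrade
# system-release and silently re-lock the host to the newer release.

# Constructed sample, trimmed from the check-update output quoted above.
SAMPLE_CHECK_UPDATE='Amazon Linux 2023 repository                     13 MB/s |  10 MB     00:00
Last metadata expiration check: 0:00:02 ago on Wed 15 Feb 2023 02:52:21 AM UTC.

glibc.aarch64                      2.34-40.amzn2023.0.2              amazonlinux
glibc-common.aarch64               2.34-40.amzn2023.0.2              amazonlinux
openssl.aarch64                    1:3.0.5-1.amzn2023.0.3            amazonlinux
openssl-libs.aarch64               1:3.0.5-1.amzn2023.0.3            amazonlinux
pcre2-syntax.noarch                10.40-1.amzn2023.0.1              amazonlinux'

# Print the bare package names (arch suffix removed, one per line) from
# check-update output on stdin. Package lines have exactly three columns:
# name.arch, version, repository. Banner and blank lines are skipped.
pending_packages() {
    awk 'NF == 3 && $1 ~ /\.(aarch64|x86_64|noarch)$/ {
        sub(/\.[^.]+$/, "", $1); print $1
    }'
}

# Build the selective upgrade command for the given package names.
# Returns non-zero with no output if the list is empty, because
# `dnf upgrade --releasever=latest` with no packages upgrades everything,
# including system-release.
selective_upgrade_cmd() {
    if [ "$#" -eq 0 ]; then
        echo 'refusing to build an unbounded --releasever=latest upgrade' >&2
        return 1
    fi
    printf 'sudo dnf upgrade --releasever=latest'
    for pkg in "$@"; do printf ' %s' "$pkg"; done
    printf '\n'
}

# Take only the openssl packages from the pending security updates.
pending="$(printf '%s\n' "$SAMPLE_CHECK_UPDATE" | pending_packages | grep '^openssl')"
# shellcheck disable=SC2086  # splitting on newlines is intended here
selective_upgrade_cmd $pending
```

On a real host, replace the constructed sample with `sudo dnf check-update --releasever=latest --security | pending_packages` and pass the result through whatever allow-list your change process defines; the command is printed rather than executed so it can be reviewed or recorded before anyone runs it.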

## Using persistent override with deterministic upgrade
<a name="deterministic-upgrade-override-persist"></a>

**Note**  
 With deterministic updates, you can integrate OS changes into your CI/CD pipeline. Disabling deterministic updates removes the ability to test before deploying. 

Instead of adding `--releasever=latest` to every command, you can use a persistent override to *unlock* the system by setting the variable value to *latest*. Always using `latest` reverts the behavior of AL2023 to the AL2 update model, in which any call to the package manager *always* looks at the latest release and is not locked to any specific version of the OS.

**Warning**  
 By unlocking the package manager with a persistent override of deterministic updates, you take the risk of discovering an incompatibility between your application and an OS update in production.   
 While incompatibilities *are* rare, an OS update integrates new code changes into your environment, and integration tests can prevent deploying code changes that have a negative impact on production environments. 

```
$ echo latest | sudo tee /etc/dnf/vars/releasever
latest
```

```
$ sudo dnf upgrade
Last metadata expiration check: 0:03:36 ago on Wed 15 Feb 2023 02:52:21 AM UTC.
Dependencies resolved.
================================================================================
 Package                 Arch    Version                      Repository   Size
================================================================================
Installing:
 kernel                  aarch64 6.1.73-45.135.amzn2023       amazonlinux  24 M
Upgrading:
 acl                     aarch64 2.3.1-2.amzn2023.0.1         amazonlinux  72 k
 alternatives            aarch64 1.15-2.amzn2023.0.1          amazonlinux  36 k
 amazon-ec2-net-utils    noarch  2.3.0-1.amzn2023.0.1         amazonlinux  16 k
 at                      aarch64 3.1.23-6.amzn2023.0.1        amazonlinux  60 k
 attr                    aarch64 2.5.1-3.amzn2023.0.1         amazonlinux  59 k
 audit                   aarch64 3.0.6-1.amzn2023.0.1         amazonlinux 249 k
 audit-libs              aarch64 3.0.6-1.amzn2023.0.1         amazonlinux 116 k
 aws-c-auth-libs         aarch64 0.6.5-6.amzn2023.0.2         amazonlinux  79 k
 aws-c-cal-libs          aarch64 0.5.12-7.amzn2023.0.2        amazonlinux  34 k
 aws-c-common-libs       aarch64 0.6.14-6.amzn2023.0.2        amazonlinux 119 k
 aws-c-compression-libs  aarch64 0.2.14-5.amzn2023.0.2        amazonlinux  22 k
 aws-c-event-stream-libs aarch64 0.2.7-5.amzn2023.0.2         amazonlinux  47 k
 aws-c-http-libs         aarch64 0.6.8-6.amzn2023.0.2         amazonlinux 147 k
 aws-c-io-libs           aarch64 0.10.12-5.amzn2023.0.6       amazonlinux 109 k
 aws-c-mqtt-libs         aarch64 0.7.8-7.amzn2023.0.2         amazonlinux  61 k
 aws-c-s3-libs           aarch64 0.1.27-5.amzn2023.0.3        amazonlinux  54 k
 aws-c-sdkutils-libs     aarch64 0.1.1-5.amzn2023.0.2         amazonlinux  26 k
 aws-checksums-libs      aarch64 0.1.12-5.amzn2023.0.2        amazonlinux  50 k
 awscli-2                noarch  2.7.8-1.amzn2023.0.4         amazonlinux 7.3 M
 basesystem              noarch  11-11.amzn2023.0.1           amazonlinux 7.8 k
 bash                    aarch64 5.1.8-2.amzn2023.0.1         amazonlinux 1.6 M
 bash-completion         noarch  1:2.11-2.amzn2023.0.1        amazonlinux 292 k
 bc                      aarch64 1.07.1-14.amzn2023.0.1       amazonlinux 120 k
 bind-libs               aarch64 32:9.16.27-1.amzn2023.0.1    amazonlinux 1.2 M
 bind-license            noarch  32:9.16.27-1.amzn2023.0.1    amazonlinux  14 k
 bind-utils              aarch64 32:9.16.27-1.amzn2023.0.1    amazonlinux 206 k
 binutils                aarch64 2.38-20.amzn2023.0.3         amazonlinux 4.6 M
 boost-filesystem        aarch64 1.75.0-4.amzn2023.0.1        amazonlinux  55 k
 boost-system            aarch64 1.75.0-4.amzn2023.0.1        amazonlinux  14 k
 boost-thread            aarch64 1.75.0-4.amzn2023.0.1        amazonlinux  54 k
 bzip2                   aarch64 1.0.8-6.amzn2023.0.1         amazonlinux  53 k
 bzip2-libs              aarch64 1.0.8-6.amzn2023.0.1         amazonlinux  44 k
 c-ares                  aarch64 1.17.2-1.amzn2023.0.1        amazonlinux 107 k
 ca-certificates         noarch  2021.2.50-1.0.amzn2023.0.3   amazonlinux 343 k
 checkpolicy             aarch64 3.4-3.amzn2023.0.1           amazonlinux 345 k
 chkconfig               aarch64 1.15-2.amzn2023.0.1          amazonlinux 162 k
 chrony                  aarch64 4.2-7.amzn2023.0.4           amazonlinux 314 k
 cloud-init              noarch  22.2.2-1.amzn2023.1.7        amazonlinux 1.1 M
 cloud-utils-growpart    aarch64 0.31-8.amzn2023.0.2          amazonlinux  31 k
 coreutils               aarch64 8.32-30.amzn2023.0.2         amazonlinux 1.1 M
 coreutils-common        aarch64 8.32-30.amzn2023.0.2         amazonlinux 2.0 M
 cpio                    aarch64 2.13-10.amzn2023.0.1         amazonlinux 269 k
 cracklib                aarch64 2.9.6-27.amzn2023.0.1        amazonlinux  83 k
 cracklib-dicts          aarch64 2.9.6-27.amzn2023.0.1        amazonlinux 3.6 M
 crontabs                noarch  1.11-24.20190603git.amzn2023.0.1
                                                              amazonlinux  19 k
 crypto-policies         noarch  20230128-1.gitdfb10ea.amzn2023.0.1
                                                              amazonlinux  61 k
 crypto-policies-scripts noarch  20230128-1.gitdfb10ea.amzn2023.0.1
                                                              amazonlinux  81 k
...
Installing dependencies:
 amazon-linux-repo-cdn   noarch  2023.0.20230210-0.amzn2023   amazonlinux  16 k
 xxhash-libs             aarch64 0.8.0-3.amzn2023.0.1         amazonlinux  32 k
Installing weak dependencies:
 amazon-chrony-config    noarch  4.2-7.amzn2023.0.4           amazonlinux  14 k
 gawk-all-langpacks      aarch64 5.1.0-3.amzn2023.0.1         amazonlinux 207 k

Transaction Summary
================================================================================
Install    5 Packages
Upgrade  413 Packages

Total download size: 199 M
```

**Note**  
If you used the override variable `/etc/dnf/vars/releasever`, use the following command to restore the default locking behavior by erasing the override value.  

```
$ sudo rm /etc/dnf/vars/releasever
```

 Using a persistent override of `latest` rather than a specific version is akin to the default behavior of AL2. Some services that build AMIs based on AL2 disable this behavior and lock to specific package versions, as you get by default on AL2023. 

 Rather than disabling deterministic updates, we recommend replacing instances with ones launched from a new AMI. If instance replacement is not an option, we recommend using tools such as [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html) to orchestrate applying updates across a fleet. [EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/) can also automatically build, patch, and test your own AMIs derived from AL2023 base images. You can also [Receive notifications on new updates](receive-update-notification.md) which can be used to trigger your own AMI building pipelines. 

 Using `latest` in a pre-production environment, and then deploying to production using `latest`, does *not* provide protection from any issue between an OS update and your application. A new AL2023 release can be published at any point in time, so all uses of `latest` in production carry risk. 