Touching Amazon Linux 2022 (preview version)

Home
BLOG
Linux server, Work diary blog, Small tricks and small stories, anecdote
Touching Amazon Linux-2022 (preview version)...

anecdote
2022.01.21

I touched Amazon Linux-2022 (preview version).

My name is Mita, and I joined the Tokyo team as a server engineer in October 2021.

As a quick reminder, a preview version of Amazon Linux 2022 (henceforth AL2022) was released in November 2021.
This is not news that we can ignore, as we use AWS (Amazon Web Services) as the infrastructure foundation for our own "learningBOX" service.
Since the support for Amazon Linux 2 (AL2) expires on June 30, 2023, it is certain that there will be a need to build or switch to AL2022 in the near future.

Since December, I have been working on AL2022 in between other tasks, and I have found some differences between AL2022 and AL2, as well as some points where I got stuck in the configuration process, which I would like to describe below.

Click here for table of contents

SELinux enabled by default
Adding an encryption policy
The crontab command is missing.
summary

SELinux enabled by default

Disabled by default in AL2(Disabled).Enabled for AL2022(Enforcing).
When I tried disabling SELinux by following the steps below, the server appeared to be running normally on the AWS management console, but I was unable to make SSH connections to the server.

# vim /etc/selinux/config
SELINUX=disabled

# reboot

/etc/selinux/configIf you follow the instructions, you will be able to start the server with SELinux disabled.

# grubby -update-kernel ALL -args selinux=0
# reboot

If you do not want to force SELinux (i.e., do not reject it but make it spit out logs), you can start the server in Permissive mode using the following method.

# vim /etc/selinux/config
SELINUX=permissive

# grubby -update-kernel ALL -args enforcing=0
# reboot

SElinux is recommended to be enabled to reduce damage in the event of an unauthorized intrusion, but we want to make sure that the existing services work in the AL2022 environment first, so we are testing with it disabled.
However, I would like to get used to the SELinux settings before I start using the AL2022 in earnest.

Adding an encryption policy

This is.RedHat's documentationwas helpful.

An attempt to retrieve a package with the wget command failed with the following error.

GnuTLS: One of the involved algorithms has insufficient security level.
Unable to establish a connection via SSL.

AL2022 adds a "System-wide encryption policy", and this policy level is DEFAULT by default.
In this case, SHA-1 was mixed in the signature algorithm returned by the TLS handshake with the other server, and the connection could not be established because it was trapped by this policy level.

We just want to get one package file that we've been using so far.
This time, we temporarily lowered the policy level to deal with the problem.

# update-crypto-policies -show
DEFAULT

# update-crypto-policies -set LEGACY
# update-crypto-policies -show
LEGACY

After retrieving the file, revert to the settings
# update-crypto-policies -set DEFAULT
# update-crypto-policies -show

It is best if the other server does not return SHA-1, but in this case, we compromised.
In AL2, the update-crypto-policies command did not exist in the first place, so we would like to build and operate AL2022 with the policy level in mind.

The crontab command is missing.

I tried to use crontab as usual to set up cron, but the command does not exist.
I was surprised because this was my first experience, but it works if you install it normally.

Comparison of installed packages

AL2
$ rpm -qa | grep cron
cronie-1.4.11-23.amzn2.x86_64
cronie-anacron-1.4.11-23.amzn2.x86_64
crontabs-1.11-6.20121102git.amzn2.noarch

AL2022
$ rpm -qa | grep cron
crontabs-1.11-24.20190603git.amzn2022.noarch

Install
$ sudo yum install cronie-noanacron
$ rpm -qa | grep cron
crontabs-1.11-24.20190603git.amzn2022.noarch
cronie-noanacron-1.5.7-1.amzn2022.x86_64
cronie-1.5.7-1.amzn2022.x86_64

service activation
$ sudo systemctl start crond

Automatic startup confirmation
$ sudo systemctl is-enabled crond
enabled

summary

In addition to the points listed above, there are other points that are different from AL2 and that I am having a hard time setting up, but I would like to tell you about them when I have a chance.

Since AL2022 is still a preview version, there is a good chance that more changes will be added before the official release.
However, I would like to focus on learning, verifying, and preparing for the inevitable, such as adding encryption policies and enabling SELinux.

Thank you for reading.