Does an Amazon Linux 2023 EC2 instance install security updates at first boot?
The problem
I am planning to use Amazon Linux 2023.
Given cloud-init's behaviour, will security updates be installed at first boot?
Q: How do I disable the automatic installation of critical security updates at first launch?
The Amazon Linux AMI installs user-space security updates rated "critical" or "important" from the package repository at first launch, before services such as SSH are started.
What should I do?
Unlike Amazon Linux 1 and Amazon Linux 2, Amazon Linux 2023 does not install security updates at the first boot of an instance.
Amazon Linux 2023 uses a scheme called deterministic upgrading: every Amazon Linux 2023 AMI is locked to a specific version of the package repository it references, so a fresh instance sees exactly the package set that repository version contains and nothing newer.
Using cloud-init
In AL2023, cloud-init manages the package repository. By default, in earlier versions of Amazon Linux, cloud-init installed security updates. This isn't the default for AL2023. The new deterministic upgrading features for updating releasever at launch describe the AL2023 way to enable package updates at launch. For more information, see Manage package and operating system updates in AL2023 and Deterministic upgrades for stability.
With the deterministic upgrades through versioned repositories feature, every AL2023 AMI by default is locked to a specific repository version. You can use deterministic upgrades to achieve greater consistency among package versions and updates. Each release, major or minor, includes a specific repository version.
New with AL2023, deterministic upgrading by default is enabled. This is an improvement over the manual, incremental method of locking that's used in AL2 and other earlier versions.
Note that Amazon Linux 1 and Amazon Linux 2 ship cloud.cfg with repo_upgrade: security set by default, which is why automatic security updates run at the first boot of an instance.
To stop updates from running automatically, set repo_upgrade: none instead. Because cloud.cfg itself warns that it may be overridden by files in /etc/cloud/cloud.cfg.d, put the override in a drop-in there, or pass it at launch as #cloud-config user data, rather than editing cloud.cfg on a baked AMI.
sh-4.2$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2026-06-30"
sh-4.2$ cat /etc/cloud/cloud.cfg
# WARNING: Modifications to this file may be overridden by files in
# /etc/cloud/cloud.cfg.d

users:
 - default

disable_root: true
ssh_pwauth: false

mount_default_fields: [~, ~, 'auto', 'defaults,nofail', '0', '2']
resize_rootfs: noblock
resize_rootfs_tmp: /dev
ssh_deletekeys: true
ssh_genkeytypes: ~
syslog_fix_perms: ~

datasource_list: [ Ec2, None ]

repo_upgrade: security
repo_upgrade_exclude:
 - kernel
 - nvidia*
 - cuda*

# Might interfere with ec2-net-utils
network:
  config: disabled

cloud_init_modules:
 - migrator
 - bootcmd
 - write-files
 - write-metadata
 - amazonlinux_repo_https
 - growpart
 - resizefs
 - set-hostname
 - update-hostname
 - update-etc-hosts
 - rsyslog
 - users-groups
 - ssh
 - resolv-conf

cloud_config_modules:
 - disk_setup
 - mounts
 - locale
 - set-passwords
 - yum-configure
 - yum-add-repo
 - package-update-upgrade-install
 - timezone
 - disable-ec2-metadata
 - runcmd

cloud_final_modules:
 - scripts-per-once
 - scripts-per-boot
 - scripts-per-instance
 - scripts-user
 - ssh-authkey-fingerprints
 - keys-to-console
 - phone-home
 - final-message
 - power-state-change

system_info:
  # This will affect which distro class gets used
  distro: amazon
  distro_short: amzn
  default_user:
    name: ec2-user
    lock_passwd: true
    gecos: EC2 Default User
    groups: [wheel, adm, systemd-journal]
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    shell: /bin/bash
  paths:
    cloud_dir: /var/lib/cloud
    templates_dir: /etc/cloud/templates
  ssh_svcname: sshd

mounts:
 - [ ephemeral0, /media/ephemeral0 ]
 - [ swap, none, swap, sw, "0", "0" ]
# vim:syntax=yaml
sh-4.2$
Amazon Linux 2023, on the other hand, does not use the repo_upgrade option: the default cloud.cfg has no repo_upgrade key at all, and package-update-upgrade-install has moved from the config stage to the final stage, where (as in stock cloud-init) it only acts when the cloud-config supplies package_update, package_upgrade or packages.
sh-5.2$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023.9.20251208"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/"
DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/"
SUPPORT_URL="https://aws.amazon.com/premiumsupport/"
BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
VENDOR_NAME="AWS"
VENDOR_URL="https://aws.amazon.com/"
SUPPORT_END="2029-06-30"
sh-5.2$ cat /etc/cloud/cloud.cfg
# The top level settings are used as module
# and system configuration.

# A set of users which may be applied and/or used by various modules
# when a 'default' entry is found it will reference the 'default_user'
# from the distro configuration specified below
users:
   - default

# If this is set, 'root' will not be able to ssh in and they
# will get a message to login instead as the default $user
disable_root: true

mount_default_fields: [~, ~, 'auto', 'defaults,nofail', '0', '2']
resize_rootfs: noblock
resize_rootfs_tmp: /dev
ssh_pwauth: false

# This will cause the set+update hostname module to not operate (if true)
preserve_hostname: false

# If you use datasource_list array, keep array items in a single line.
# If you use multi line array, ds-identify script won't read array items.
# Example datasource config
# datasource:
#    Ec2:
#      metadata_urls: [ 'blah.com' ]
#      timeout: 5 # (defaults to 50 seconds)
#      max_wait: 10 # (defaults to 120 seconds)

# The modules that run in the 'init' stage
cloud_init_modules:
 - migrator
 - seed_random
 - bootcmd
 - write-files
 - write-metadata
 - growpart
 - resizefs
 - disk_setup
 - mounts
 - set_hostname
 - update_hostname
 - update_etc_hosts
 - ca-certs
 - rsyslog
 - selinux
 - users-groups
 - ssh

# The modules that run in the 'config' stage
cloud_config_modules:
 - ssh-import-id
 - keyboard
 - locale
 - set-passwords
 - yum-variables
 - yum-add-repo
 - ntp
 - timezone
 - disable-ec2-metadata
 - runcmd

# The modules that run in the 'final' stage
cloud_final_modules:
 - package-update-upgrade-install
 - write-files-deferred
 - puppet
 - chef
 - mcollective
 - salt-minion
 - reset_rmc
 - refresh_rmc_and_interface
 - rightscale_userdata
 - scripts-vendor
 - scripts-per-once
 - scripts-per-boot
 - scripts-per-instance
 - scripts-user
 - ssh-authkey-fingerprints
 - keys-to-console
 - install-hotplug
 - phone-home
 - final-message
 - power-state-change

# System and/or distro specific settings
# (not accessible to handlers/transforms)
system_info:
  # This will affect which distro class gets used
  distro: amazon
  # Default user name + that default users groups (if added/used)
  default_user:
    name: ec2-user
    lock_passwd: True
    gecos: EC2 Default User
    groups: [wheel, adm, systemd-journal]
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    shell: /bin/bash
  # Other config here will be given to the distro class and/or path classes
  paths:
    cloud_dir: /var/lib/cloud/
    templates_dir: /etc/cloud/templates/
  ssh_svcname: sshd
sh-5.2$
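The two cloud.cfg listings above differ in exactly the two things that decide first-boot behaviour: whether a top-level repo_upgrade key is set, and in which stage package-update-upgrade-install is scheduled. The following POSIX shell script is an added example (not code from the original post, from AWS or from cloud-init) that audits both from the configuration files alone, so it can be run against an image before launching it, and it also writes the cloud.cfg.d override discussed in the AL2 section. It serves both the AL2 discussion (repo_upgrade: security and how to override it) and the AL2023 one (no repo_upgrade, module moved to the final stage). Assumptions, labelled in the code: cloud-init reads /etc/cloud/cloud.cfg and then /etc/cloud/cloud.cfg.d/*.cfg in lexical order with a later file winning for the same top-level key; only top-level keys written one per line are parsed; the drop-in name 99_disable_repo_upgrade.cfg is an example choice; the sample configs are constructed, trimmed versions of the two files shown on this page.

```shell
#!/bin/sh
# Added example, not code from the original post or from AWS/cloud-init.
# Audits what cloud-init will do about package updates at first boot by
# reading cloud.cfg files alone, so it can run on an image before launch.
#
# Assumptions: cloud-init reads DIR/cloud.cfg and then DIR/cloud.cfg.d/*.cfg
# in lexical order, a later file overriding an earlier one for the same
# top-level key; only top-level keys written one per line are parsed here.

# effective_repo_upgrade DIR
# Prints the effective top-level repo_upgrade value, or "unset".
effective_repo_upgrade() {
    dir=$1
    val=unset
    for f in "$dir/cloud.cfg" "$dir"/cloud.cfg.d/*.cfg; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^repo_upgrade:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# update_module_stage FILE
# Prints which stage (init, config or final) of FILE lists the
# package-update-upgrade-install module, or "absent".
update_module_stage() {
    awk '
        /^cloud_init_modules:/   { stage = "init" }
        /^cloud_config_modules:/ { stage = "config" }
        /^cloud_final_modules:/  { stage = "final" }
        /^[^ \t#-]/ && !/_modules:/ { stage = "" }   # another top-level key ends the list
        stage != "" && /^[ \t]*-[ \t]*package[-_]update[-_]upgrade[-_]install/ {
            print stage; found = 1; exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# disable_repo_upgrade DIR
# Writes the override where cloud.cfg's own WARNING says overrides belong
# (the drop-in file name is an example choice, not a cloud-init convention).
disable_repo_upgrade() {
    mkdir -p "$1/cloud.cfg.d"
    printf 'repo_upgrade: none\n' > "$1/cloud.cfg.d/99_disable_repo_upgrade.cfg"
}

# first_boot_update_verdict DIR
# One-line summary combining both checks for the config root DIR.
first_boot_update_verdict() {
    stage=$(update_module_stage "$1/cloud.cfg")
    ru=$(effective_repo_upgrade "$1")
    case "$stage:$ru" in
        absent:*)   echo "package-update-upgrade-install not scheduled: nothing installed at first boot" ;;
        *:none)     echo "repo_upgrade=none ($stage stage): first-boot updates disabled" ;;
        *:security) echo "repo_upgrade=security ($stage stage): security updates installed at first boot" ;;
        *:unset)    echo "repo_upgrade unset ($stage stage): nothing installed unless cloud-config sets package_update/package_upgrade/packages" ;;
        *)          echo "repo_upgrade=$ru ($stage stage)" ;;
    esac
}

# make_samples ROOT
# Constructed, trimmed versions of the AL2 and AL2023 cloud.cfg files shown
# in the post, written under ROOT/al2 and ROOT/al2023.
make_samples() {
    mkdir -p "$1/al2" "$1/al2023"
    cat > "$1/al2/cloud.cfg" <<'EOF'
# WARNING: Modifications to this file may be overridden by files in
# /etc/cloud/cloud.cfg.d
repo_upgrade: security
repo_upgrade_exclude:
 - kernel
cloud_config_modules:
 - yum-configure
 - yum-add-repo
 - package-update-upgrade-install
 - runcmd
cloud_final_modules:
 - scripts-user
EOF
    cat > "$1/al2023/cloud.cfg" <<'EOF'
cloud_config_modules:
 - yum-variables
 - yum-add-repo
 - runcmd
cloud_final_modules:
 - package-update-upgrade-install
 - scripts-user
EOF
}

# Stand-alone demonstration on the constructed samples.
# On a real instance run: first_boot_update_verdict /etc/cloud
tmp=$(mktemp -d)
make_samples "$tmp"
echo "AL2 default:    $(first_boot_update_verdict "$tmp/al2")"
echo "AL2023 default: $(first_boot_update_verdict "$tmp/al2023")"
disable_repo_upgrade "$tmp/al2"
echo "AL2 + drop-in:  $(first_boot_update_verdict "$tmp/al2")"
rm -rf "$tmp"
```

Two caveats when reading the verdict. First, the parser only sees top-level keys in the system config; user data passed at launch as #cloud-config is merged on top of it, so a launch template that sets repo_upgrade or package_upgrade changes the answer for that instance. Second, on AL2023 even package_upgrade: true only upgrades within the repository version the AMI is locked to; picking up newer security fixes at launch means unlocking the release version, for example by running dnf upgrade --releasever=latest from user data (that command is an assumption of this note, not something the page shows).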