
Alibaba Cloud Linux: Release notes for Alibaba Cloud Linux 3

Last Updated: Feb 21, 2024

This topic describes the release notes for Alibaba Cloud Linux 3 images and provides links to the relevant references. The release notes are ordered by release date, from the latest to the earliest.

Background information

  • Unless otherwise stated, the released updates apply to all Alibaba Cloud regions where Elastic Compute Service (ECS) is available.

  • Most instance families support Alibaba Cloud Linux 3 images. However, some Alibaba Cloud Linux 3 images are supported only by specific instance families. Some instance families can use only specific public images:

    Arm images whose ID contains _arm64_ are supported by Alibaba Cloud Arm-based instances.

2023

Alibaba Cloud Linux 3.2104 U9

Version: Alibaba Cloud Linux 3.2104 U9

Image ID: aliyun_3_9_x64_20G_alibase_20231219.vhd

Release date: 2023-12-19

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-16.1.al8.x86_64.

  • Updates: For more information, see Updates.

Image ID: aliyun_3_9_arm64_20G_alibase_20231219.vhd

Release date: 2023-12-19

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-16.1.al8.aarch64.

  • Updates: For more information, see Updates.

Image ID: aliyun_3_9_x64_20G_uefi_alibase_20231219.vhd

Release date: 2023-12-19

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI version base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-16.1.al8.x86_64.

  • Updates: For more information, see Updates.

Updates

Security updates

Software package name

CVE ID

Software package version

kernel

  • CVE-2022-3108

  • CVE-2022-3114

  • CVE-2022-3424

  • CVE-2022-36280

  • CVE-2022-3903

  • CVE-2022-39188

  • CVE-2022-41850

  • CVE-2022-42432

  • CVE-2022-4379

  • CVE-2022-4382

  • CVE-2022-45887

  • CVE-2023-0045

  • CVE-2023-0160

  • CVE-2023-0458

  • CVE-2023-0459

  • CVE-2023-0615

  • CVE-2023-1078

  • CVE-2023-1206

  • CVE-2023-1382

  • CVE-2023-1670

  • CVE-2023-1829

  • CVE-2023-1855

  • CVE-2023-1859

  • CVE-2023-1989

  • CVE-2023-1990

  • CVE-2023-2002

  • CVE-2023-2006

  • CVE-2023-20569

  • CVE-2023-20593

  • CVE-2023-20928

  • CVE-2023-20938

  • CVE-2023-2124

  • CVE-2023-2156

  • CVE-2023-2162

  • CVE-2023-2177

  • CVE-2023-2194

  • CVE-2023-22995

  • CVE-2023-2483

  • CVE-2023-26607

  • CVE-2023-28327

  • CVE-2023-2860

  • CVE-2023-2985

  • CVE-2023-3006

  • CVE-2023-30772

  • CVE-2023-3090

  • CVE-2023-31083

  • CVE-2023-31084

  • CVE-2023-31085

  • CVE-2023-3111

  • CVE-2023-3117

  • CVE-2023-31248

  • CVE-2023-3161

  • CVE-2023-3212

  • CVE-2023-3220

  • CVE-2023-32269

  • CVE-2023-3268

  • CVE-2023-33288

  • CVE-2023-3358

  • CVE-2023-35001

  • CVE-2023-3567

  • CVE-2023-35788

  • CVE-2023-35823

  • CVE-2023-35824

  • CVE-2023-35825

  • CVE-2023-35828

  • CVE-2023-35829

  • CVE-2023-3609

  • CVE-2023-3610

  • CVE-2023-3611

  • CVE-2023-3772

  • CVE-2023-3773

  • CVE-2023-3776

  • CVE-2023-3812

  • CVE-2023-3863

  • CVE-2023-4004

  • CVE-2023-4015

  • CVE-2023-40283

  • CVE-2023-4128

  • CVE-2023-4132

  • CVE-2023-4147

  • CVE-2023-4155

  • CVE-2023-42753

  • CVE-2023-42754

  • CVE-2023-42755

  • CVE-2023-4563

  • CVE-2023-4623

  • CVE-2023-4921

5.10.134-16.1.al8

java-1.8.0-openjdk

  • CVE-2022-40433

  • CVE-2023-22067

  • CVE-2023-22081

1.8.0.392.b08-4.0.3.al8

java-11-openjdk

CVE-2023-22081

11.0.21.0.9-2.0.3.al8

mariadb

  • CVE-2022-32081

  • CVE-2022-32082

  • CVE-2022-32084

  • CVE-2022-32089

  • CVE-2022-32091

  • CVE-2022-38791

  • CVE-2022-47015

  • CVE-2023-5157

10.5.22-1.0.1.al8

open-vm-tools

  • CVE-2023-34058

  • CVE-2023-34059

12.2.5-3.al8.1

bind

CVE-2023-3341

9.11.36-8.al8.2

dmidecode-doc

CVE-2023-30630

3.3-5.0.2.al8

frr

CVE-2023-38802

7.5.1-8.0.1.al8

ghostscript

  • CVE-2023-28879

  • CVE-2023-38559

  • CVE-2023-4042

  • CVE-2023-43115

9.54.0-14.al8

glibc

CVE-2023-4911

2.32-1.12.al8

grafana

  • CVE-2023-39325

  • CVE-2023-44487

7.5.15-5.0.1

libvpx

  • CVE-2023-44488

  • CVE-2023-5217

1.7.0-10.0.1.al8

linux-firmware

CVE-2023-20593

20230404-117.git2e92a49f.al8

ncurses

CVE-2023-29491

6.1-10.20180224.0.1.al8

nghttp2

CVE-2023-44487

1.33.0-4.0.1.al8.1

qemu-kvm, seabios

  • CVE-2022-40284

  • CVE-2023-3354

  • qemu-kvm-6.2.0-33.0.2.al8

  • seabios-1.16.0-4.al8

tracker-miners

CVE-2023-5557

3.1.2-4.0.1.al8

Software package updates

Software package name

Version

ca-certificates

2023.2.60_v7.0.306

firewalld

0.9.11

java-1.8.0-openjdk

1.8.0.392.b08

java-11-openjdk

11.0.21.0.9

libbpf

0.6.0

lz4

1.9.4

mariadb

10.5.22

nmstate

2.2.15

nspr

4.35.0

nss

3.90.0

open-vm-tools

12.2.5

openscap

1.3.8

scap-security-guide

0.1.69

sos

4.6.0

xz

5.4.4

Important updates

Kernel updates

  • New features

    • Core scheduling is supported.

      The core scheduling security feature released by the upstream community is backported. It allows only trusted processes in the same group to run on the hyperthreads of the same physical core. Core scheduling is incompatible with group identity. Do not enable both features at the same time. Core scheduling is disabled by default. To enable it, run the sysctl -w kernel.sched_core=1 command.

    • The extended Berkeley Packet Filter (eBPF) trampoline feature is supported on the Arm 64-bit architecture.

      The eBPF trampoline feature is backported on the Arm 64-bit architecture to support the Berkeley Packet Filter (BPF) struct_ops feature. Note that the BPF fentry series features are not backported on the Arm64 platform and are therefore unavailable.

    • The Multi-Generational Least Recently Used (MGLRU) feature is supported.

      The MGLRU feature supports memory page reclaim with improved performance. This way, the speed and accuracy of memory reclaim in big data scenarios are increased, and E2E performance is improved.

    • Batch translation lookaside buffer (TLB) flushing is supported.

      The batch migration feature uses batch TLB flushing and page copying during memory page migration to improve the performance of kernel page migration operations.

      The current batch migration feature is a refactored version that is optimized from the previous version in the kernel based on the upstream code. The main changes: The batch_migrate parameter is removed from cmdline, the /sys/kernel/mm/migrate/batch_migrate_enabled interface is removed, and batch migration becomes the default configuration used during page migration.

      The /sys/kernel/mm/migrate/dma_migration_min_pages interface is added. Default value: 32. This interface is only for scenarios where the DMA page copy feature is enabled. The DMA page copy feature is used only when the /sys/kernel/mm/migrate/dma_migrate_enabled parameter is set to enabled and the number of migrate pages reaches the /sys/kernel/mm/migrate/dma_migration_min_pages value.

    • The cachestat feature is backported.

      The cachestat system call is introduced in the kernel, which allows you to view detailed page cache statistics about a specified file.

    • Arm 64 kernel-mode RAS events are enhanced.

      Recovery from RAS errors is supported in different scenarios, such as copy_{from/to}_user, {get/put}_user, Copy On Write (COW), and pagecache read.

    • The in-house SMC-D loopback feature is supported.

      The Shared Memory Communication-Direct Memory Access (SMC-D) loopback feature is introduced to accelerate TCP communication between local processes and between containers.

    • The in-house page table binding feature is supported and provides cross-die statistics on page tables.

      The page table binding feature binds page tables to cores so that, when memory is insufficient, the page tables of QoS-sensitive services are allocated on the current NUMA node as much as possible. This feature helps reduce memory access latency and makes memory access faster and more efficient.

    • The in-house code multi-copy feature is enhanced.

      If multiple copies of the code do not take effect on process startup, an asynchronous task can now make another attempt. The memory.duptext_nodes kernel interface is added to limit the duptext memory allocation nodes.

    • The in-house kfence enhancements are added.

      • The in-house kfence enhancement feature is added on the Arm 64-bit architecture. kfence can be enabled or disabled dynamically to fully capture memory corruption problems, which facilitates online detection and offline debugging.

      • An immediate-panic option is added: the kernel panics as soon as a memory issue is detected, which helps developers analyze problems in a debugging environment. To enable it, specify kfence.fault=panic on the boot cmdline or run echo panic > /sys/module/kfence/parameters/fault. The default value is report, which means that the system only logs the issue and does not go down.

    • The in-house control interface is provided for memcg Transparent Huge Pages (THPs).

      The memcg THP control interface is used to prevent a specified memcg from requesting THPs.

    • The in-house Assess CPU (ACPU) is supported.

      The ACPU can count the peer HT idle time of a task during the runtime and provide per-cgroup statistics, which can be used to evaluate the hardware resource competition on shared CPUs during the task runtime.

    • The in-house HT-aware-quota feature is supported.

      The computing power stabilization solution based on Completely Fair Scheduler (CFS) bandwidth control and core scheduling can calibrate quotas by checking whether the HT peer is idle in hybrid deployment scenarios. This way, tasks can obtain relatively stable computing power in each scheduling cycle. The solution is suitable for compute-intensive tasks.

    • In-house group identity 2.0 is supported.

      The SCHED_IDLE feature is provided for cgroups. You can set the cpu.idle property of a cgroup to use the SCHED_IDLE scheduling policy for the cgroup. This feature is suitable for batch management of offline tasks.

  • Behavior changes

    • The module signature feature is added.

      Signatures are added to kernel modules to help developers identify and reject unsigned kernel modules.

    • By default, Spectre-BHB and Variant 4 vulnerability fixes are disabled on the Arm 64-bit architecture.

      By default, on the Arm 64-bit architecture, the nospectre_bhb and ssbd=force-off parameters are added to cmdline. They disable the Spectre-BHB and Variant 4 fixes to improve performance.

    • Trust Domain Extension (TDX) guest-related configurations are added to support TDX confidential virtual machine (VM) scenarios.
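The following check is an added example, not part of the original release notes and not Alibaba Cloud tooling. It audits a host for the settings described above: the Arm64 cmdline parameters that turn off the Spectre-BHB and Variant 4 fixes, and core scheduling enabled together with group identity. The /proc/sys/kernel/sched_core path is derived from the sysctl name, /sys/devices/system/cpu/vulnerabilities is the standard kernel status directory, and two assumptions are marked in the comments.

```shell
#!/bin/sh
# Added example: audit the security-relevant kernel settings named in these
# release notes. Each check takes its input as an argument so that it can be
# run against constructed data as well as the live host.

# Print which Arm64 speculation fixes a kernel command line turns off.
# $1 = command line text.
# Assumption: a later ssbd= value overrides an earlier one.
disabled_mitigations() (
    set -f                          # split on whitespace without globbing
    bhb=""
    ssbd=""
    for arg in $1; do
        case "$arg" in
            nospectre_bhb) bhb="spectre_bhb" ;;
            ssbd=*)        ssbd="${arg#ssbd=}" ;;
        esac
    done
    out="$bhb"
    [ "$ssbd" = "force-off" ] && out="$out variant4"
    printf '%s\n' "${out# }"
)

# Print the Spectre v2 / Variant 4 status files that report "Vulnerable".
# $1 = status directory (default: the live sysfs directory).
vulnerable_entries() (
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/spectre_v2 "$dir"/spec_store_bypass; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) printf '%s: %s\n' "${f##*/}" "$status" ;;
        esac
    done
)

# Succeed when core scheduling and group identity are both enabled, a
# combination the release notes say to avoid.
# $1 = sysctl directory (default /proc/sys/kernel).
# Assumption: sched_group_identity_enabled reads 1 when the feature is on.
sched_conflict() (
    dir="${1:-/proc/sys/kernel}"
    core=0
    gi=0
    [ -r "$dir/sched_core" ] && core=$(cat "$dir/sched_core")
    [ -r "$dir/sched_group_identity_enabled" ] && gi=$(cat "$dir/sched_group_identity_enabled")
    [ "$core" = "1" ] && [ "$gi" = "1" ]
)

# Run every check against the live host and print the findings.
audit_host() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    off=$(disabled_mitigations "$cmdline")
    if [ -n "$off" ]; then
        echo "cmdline disables: $off"
    fi
    vulnerable_entries
    if sched_conflict; then
        echo "kernel.sched_core and group identity are both enabled"
    fi
    if [ -r /sys/module/kfence/parameters/fault ]; then
        echo "kfence fault mode: $(cat /sys/module/kfence/parameters/fault)"
    fi
    return 0
}

audit_host
```

On an Arm64 instance that keeps the default cmdline, the first check reports both fixes as disabled; removing the two parameters from the boot configuration restores the kernel defaults after a reboot.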

New software package features

  • erofs-utils-1.7.1 is provided in the software repositories.

    The erofs-utils tool is used to create, check, and compress Enhanced Read-Only File System (EROFS) images. This tool supports compression algorithms such as LZ4, Lempel–Ziv–Markov chain algorithm (LZMA), and DEFLATE, and supports tar-to-erofs format conversion.

  • stress-ng-0.15.00 is provided in the software repositories.

  • alibaba-cloud-compiler-13.0.1.4 is provided in the software repositories.

    Alibaba Cloud Compiler is a C/C++ compiler developed by Alibaba Cloud. Alibaba Cloud Compiler is developed based on the open source version from the Clang/LLVM-13 community and inherits all options and parameters supported in the open source version. In addition, Alibaba Cloud Compiler is deeply optimized based on the Alibaba Cloud infrastructure and provides unique features and optimizations to make the C/C++ compiler better for Alibaba Cloud users.

  • glibc is patched to support GB18030-2022 coding.

  • Dragonwell17 is updated to 17.0.9.0.10.9. In the just-in-time (JIT) compiler, inlining performance is improved, and the inlining decision logic based on the number of absolute calls is removed.

  • Dragonwell8 is updated to 8.15.16.372. Multiple coroutines can wait for the read and write events of the same socket, and bugs in the okhttp scenario are fixed.

  • plugsched-1.3 is provided in the software repositories.

    Plugsched is an SDK that supports the live update of the Linux kernel scheduler. Plugsched is intended for kernel scheduler developers. You can install plugsched to develop scheduler modules.

  • Sysak is updated to 2.2.0. The application observation feature is added to support the metric observation and diagnosis of MySQL and Java applications. The metrics related to container monitoring and cluster monitoring are added. The local monitoring feature is added.

  • Keentune is updated to 2.3.0. x264/265-related scripts are updated to support the latest FFmpeg. The issue of binding errors of Transmit Packet Steering (XPS) and Receive Packet Steering (RPS) is resolved. The default eRDMA settings in profile are updated.

  • The software chain of the Intel QuickAssist (QAT), Dynamic Load Balancer (DLB), and In-Memory Analytics Accelerator (IAA) is updated. The QAT driver bug is fixed. The DLB driver is upgraded. User-mode bugfixes are added in QAT and IAA. The unified management solution for cross-architecture accelerator user-mode direct memory access (DMA) memory is added.

  • Shared Memory Communication (SMC) tools are updated. The smc-ebpf command is added to control the effective range of smc_run based on the port granularity. The control mode supports blacklists, whitelists, and intelligent scheduling.

Fixed issues

  • The following issue is resolved: If RPM packages such as kernel-modules-extra and kernel-modules-internal are not automatically installed when the kernel is updated, the netfilter-related features are unavailable.

  • The following issue is resolved: Group identity sometimes cannot be shut down through the /proc/sys/kernel/sched_group_identity_enabled interface because the group identity reference count is incorrect during cgroup creation or deletion.

Image updates

  • Container images

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.9

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest

      Note

      After a new version is released, you can no longer specify the latest tag to obtain version 3.9 of images.

  • Virtual machine images

    • The rpmdb format is switched to the sqlite format by default.

    • By default, the KeenTune service is installed and disabled.

    • By default, the NFS-server service is disabled.

Known issues

  • The kdump service may fail to work properly on ecs.g6r.large instances due to the memory size. You can adjust the crash parameters such as 0M-2G:0M,2G-128G:256M, and 128G-:384M to prevent the kdump service failure.

  • In Network File System Version 3 (NFSv3) file systems, the S permission can be added to files. In special cases, after the owner of a file is changed, the S permission of the owning group is lost.

    The fix for this problem is 2d8ae8c417db ("nfsd: use vfs setgid helper"). However, the helper functions that the fix requires differ greatly from the code in kernel version 5.10. This issue is not fixed yet.

  • After you replace TCP with SMC, the netperf test may exit unexpectedly.

    SMC uses a fixed-size ring buffer, and the remaining space in the ring buffer may be less than the amount of data specified by send() during the sending process. In this case, SMC returns the number of bytes that can be sent, which is generally less than the user-specified amount in send(). netperf treats this behavior as abnormal and exits. The upstream maintainers recommend keeping the existing design to prevent connection stalls. This issue is not fixed yet.
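The kdump known issue above quotes range clauses in the kernel's crashkernel syntax. The following added example (not from the original release notes) evaluates such a list for a given amount of RAM, so you can see which clause applies to an instance before changing its boot configuration. It assumes the three clauses quoted above are joined into one comma-separated value; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: work out how much memory a crashkernel range list reserves
# for a machine of a given size.

# Convert a size such as 256M, 2G or 512K to MiB.
to_mib() {
    case "$1" in
        *G) echo $(( ${1%G} * 1024 )) ;;
        *M) echo $(( ${1%M} )) ;;
        *K) echo $(( ${1%K} / 1024 )) ;;
        *)  echo $(( $1 / 1048576 )) ;;     # no suffix: value is in bytes
    esac
}

# Print the reservation in MiB that range list $1 selects for a machine with
# $2 MiB of RAM. Each entry is start-[end]:size and matches when
# start <= RAM < end; an empty end means "no upper bound".
crashkernel_for() (
    set -f
    IFS=,
    for entry in $1; do
        range=${entry%%:*}
        size=${entry#*:}
        start=$(to_mib "${range%%-*}")
        end=${range#*-}
        if [ -z "$end" ] || [ "$2" -lt "$(to_mib "$end")" ]; then
            if [ "$2" -ge "$start" ]; then
                to_mib "${size%%@*}"        # drop an optional @offset
                exit 0
            fi
        fi
    done
    echo 0                                  # no range matched: nothing reserved
)

# Constructed sample sizes, evaluated against the clauses quoted in the text.
spec='0M-2G:0M,2G-128G:256M,128G-:384M'
for mem in 1024 8192 262144; do
    echo "RAM ${mem} MiB -> crashkernel $(crashkernel_for "$spec" "$mem") MiB"
done
```

A result of 0 means no memory is reserved for the capture kernel at that RAM size, so kdump cannot load it.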

Alibaba Cloud Linux 3.2104 U8

Version: Alibaba Cloud Linux 3.2104 U8

Image ID: aliyun_3_arm64_20G_alibase_20230731.vhd

Release date: 2023-07-31

Description:

  • The Alibaba Cloud Linux 3.2104 64-bit LTS for Arm base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-15.al8.aarch64.

  • Updates: For more information, see Updates.

Image ID: aliyun_3_x64_20G_alibase_20230727.vhd

Release date: 2023-07-27

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-15.al8.x86_64.

  • Updates: For more information, see Updates.

Image ID: aliyun_3_x64_20G_qboot_alibase_20230727.vhd

Release date: 2023-07-27

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is released.

  • This image is derived from the aliyun_3_x64_20G_alibase_20230727.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The kernel version is updated to 5.10.134-15.al8.x86_64.

Image ID: aliyun_3_x64_20G_uefi_alibase_20230727.vhd

Release date: 2023-07-27

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20230727.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The boot mode is changed to Unified Extensible Firmware Interface (UEFI), and only the UEFI mode is supported.

  • The kernel version is updated to 5.10.134-15.al8.x86_64.

Updates

Security updates

Software package name

CVE ID

Software package version

ctags

CVE-2022-4515

5.8-23.0.1.al8

gssntlmssp

  • CVE-2023-25563

  • CVE-2023-25564

  • CVE-2023-25565

  • CVE-2023-25566

  • CVE-2023-25567

1.2.0-1.0.1.al8

libtar

  • CVE-2021-33643

  • CVE-2021-33644

  • CVE-2021-33645

  • CVE-2021-33646

1.2.20-17.0.1.al8

device-mapper-multipath

CVE-2022-41973

0.8.4-37.0.1.al8

postgresql-jdbc

CVE-2022-41946

42.2.14-2.al8

freerdp

  • CVE-2022-39282

  • CVE-2022-39283

  • CVE-2022-39316

  • CVE-2022-39317

  • CVE-2022-39318

  • CVE-2022-39319

  • CVE-2022-39320

  • CVE-2022-39347

  • CVE-2022-41877

2.2.0-10.0.1.al8

tigervnc

  • CVE-2022-4283

  • CVE-2022-46340

  • CVE-2022-46341

  • CVE-2022-46342

  • CVE-2022-46343

  • CVE-2022-46344

1.12.0-15.al8

xorg-x11-server

  • CVE-2022-3550

  • CVE-2022-3551

  • CVE-2022-4283

  • CVE-2022-46340

  • CVE-2022-46341

  • CVE-2022-46342

  • CVE-2022-46343

  • CVE-2022-46344

  • CVE-2023-0494

1.20.11-15.0.1.al8

poppler

CVE-2022-38784

20.11.0-6.0.1.al8

wayland

CVE-2021-3782

1.21.0-1.al8

net-snmp

  • CVE-2022-44792

  • CVE-2022-44793

5.8-27.0.1.al8

dhcp

  • CVE-2022-2928

  • CVE-2022-2929

4.3.6-49.0.1.al8

python-mako

CVE-2022-40023

1.0.6-14.al8

curl

CVE-2023-27535

7.61.1-30.0.2.al8.2

go-toolset, golang

  • CVE-2023-29402

  • CVE-2023-29403

  • CVE-2023-29404

  • CVE-2023-29405

  • go-toolset-1.19.10-1.al8

  • golang-1.19.10-1.0.1.al8

dnsmasq

CVE-2023-28450

2.79-27.al8

qt5

CVE-2022-25255

5.15.3-1.0.1.al8

autotrace

CVE-2022-32323

0.31.1-55.al8

bind

CVE-2023-2828

9.11.36-8.al8.1

libnbd, libtpms, libvirt, nbdkit, qemu-kvm, supermin, virt-v2v

  • CVE-2021-46790

  • CVE-2022-3165

  • CVE-2022-30784

  • CVE-2022-30786

  • CVE-2022-30788

  • CVE-2022-30789

  • CVE-2023-1018

  • libnbd-1.6.0-5.0.1.al8

  • libtpms-0.9.1-2.20211126git1ff6fe1f43.al8

  • libvirt-8.0.0-20.al8

  • nbdkit-1.24.0-5.al8

  • qemu-kvm-6.2.0-32.0.1.al8

  • supermin-5.2.1-2.0.2.al8

  • virt-v2v-1.42.0-22.al8

mysql

  • CVE-2022-21594

  • CVE-2022-21599

  • CVE-2022-21604

  • CVE-2022-21608

  • CVE-2022-21611

  • CVE-2022-21617

  • CVE-2022-21625

  • CVE-2022-21632

  • CVE-2022-21633

  • CVE-2022-21637

  • CVE-2022-21640

  • CVE-2022-39400

  • CVE-2022-39408

  • CVE-2022-39410

  • CVE-2023-21836

  • CVE-2023-21863

  • CVE-2023-21864

  • CVE-2023-21865

  • CVE-2023-21867

  • CVE-2023-21868

  • CVE-2023-21869

  • CVE-2023-21870

  • CVE-2023-21871

  • CVE-2023-21873

  • CVE-2023-21874

  • CVE-2023-21875

  • CVE-2023-21876

  • CVE-2023-21877

  • CVE-2023-21878

  • CVE-2023-21879

  • CVE-2023-21880

  • CVE-2023-21881

  • CVE-2023-21882

  • CVE-2023-21883

  • CVE-2023-21887

  • CVE-2023-21912

  • CVE-2023-21917

8.0.32-1.0.2.al8

ruby

  • CVE-2021-33621

  • CVE-2023-28755

  • CVE-2023-28756

2.7.8-139.0.1.al8

kernel

  • CVE-2021-33061

  • CVE-2021-3759

  • CVE-2022-3606

  • CVE-2022-36280

  • CVE-2022-3707

  • CVE-2022-39188

  • CVE-2022-4095

  • CVE-2022-41849

  • CVE-2022-42432

  • CVE-2022-4379

  • CVE-2022-4382

  • CVE-2022-4662

  • CVE-2022-4744

  • CVE-2022-47521

  • CVE-2022-47929

  • CVE-2023-0045

  • CVE-2023-0386

  • CVE-2023-0458

  • CVE-2023-0459

  • CVE-2023-0461

  • CVE-2023-0590

  • CVE-2023-0597

  • CVE-2023-1073

  • CVE-2023-1074

  • CVE-2023-1075

  • CVE-2023-1076

  • CVE-2023-1077

  • CVE-2023-1078

  • CVE-2023-1079

  • CVE-2023-1095

  • CVE-2023-1118

  • CVE-2023-1281

  • CVE-2023-1380

  • CVE-2023-1382

  • CVE-2023-1611

  • CVE-2023-1670

  • CVE-2023-1829

  • CVE-2023-1855

  • CVE-2023-1859

  • CVE-2023-1989

  • CVE-2023-1990

  • CVE-2023-2002

  • CVE-2023-20928

  • CVE-2023-20938

  • CVE-2023-2124

  • CVE-2023-2162

  • CVE-2023-2177

  • CVE-2023-2194

  • CVE-2023-2269

  • CVE-2023-22995

  • CVE-2023-23000

  • CVE-2023-23004

  • CVE-2023-2483

  • CVE-2023-25012

  • CVE-2023-26545

  • CVE-2023-26607

  • CVE-2023-28327

  • CVE-2023-28466

  • CVE-2023-2985

  • CVE-2023-30456

  • CVE-2023-30772

  • CVE-2023-3117

  • CVE-2023-31248

  • CVE-2023-31436

  • CVE-2023-3220

  • CVE-2023-32233

  • CVE-2023-32269

  • CVE-2023-3268

  • CVE-2023-33288

  • CVE-2023-35001

  • CVE-2023-35788

  • CVE-2023-35825

5.10.134-15.al8

webkit2gtk3

  • CVE-2023-32435

  • CVE-2023-32439

2.38.5-1.0.1.al8.5

libssh

  • CVE-2023-1667

  • CVE-2023-2283

0.9.6-7.al8

open-vm-tools

CVE-2023-20867

12.1.5-2.al8

grafana

  • CVE-2022-2880

  • CVE-2022-27664

  • CVE-2022-39229

  • CVE-2022-41715

7.5.15-4.0.2.al8

grafana-pcp

CVE-2022-27664

3.2.0-3.0.1.al8

frr

CVE-2022-37032

7.5.1-7.0.1.al8

sqlite

CVE-2020-24736

3.26.0-18.al8

git-lfs

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2022-41717

3.2.0-2.0.1.al8

sysstat

CVE-2022-39377

11.7.3-9.0.1.al8

python3

CVE-2023-24329

3.6.8-51.0.1.al8.1

c-ares

CVE-2023-32067

1.13.0-6.al8.2

cups-filters

CVE-2023-24805

1.20.0-29.0.1.al8.2

webkit2gtk3

  • CVE-2023-28204

  • CVE-2023-32373

2.38.5-1.0.1.al8.4

delve, go-toolset, golang

CVE-2023-24540

  • delve-1.9.1-1.0.1.al8

  • go-toolset-1.19.9-1.al8

  • golang-1.19.9-1.0.1.al8

kernel

  • CVE-2022-47929

  • CVE-2023-0386

  • CVE-2023-1075

  • CVE-2023-1380

  • CVE-2023-26545

  • CVE-2023-28466

  • CVE-2023-30456

  • CVE-2023-32233

5.10.134-14.1.al8

git

  • CVE-2023-22490

  • CVE-2023-23946

  • CVE-2023-25652

  • CVE-2023-25815

  • CVE-2023-29007

2.39.3-1.1.al8

apr-util

CVE-2022-25147

1.6.1-6.2.al8.1

webkit2gtk3

CVE-2023-2203

2.38.5-1.0.1.al8.3

edk2

  • CVE-2022-4304

  • CVE-2022-4450

  • CVE-2023-0215

  • CVE-2023-0286

20220126gitbb1bba3d77-4.al8

mingw-expat

CVE-2022-40674

2.4.8-2.al8

Software package updates

Software package name

Version

at

at-3.1.20-12.0.1.al8

audit

audit-3.0.7-2.0.1.al8.2

authselect

authselect-1.2.6-1.al8

bind

bind-9.11.36-8.al8.1

checkpolicy

checkpolicy-2.9-1.2.al8

cloud-utils-growpart

cloud-utils-growpart-0.33-0.0.1.al8

container-selinux

container-selinux-2.189.0-1.al8

coreutils

coreutils-8.30-13.al8

crypto-policies

crypto-policies-20221215-1.gitece0092.al8

cups

cups-2.2.6-51.0.1.al8

dbus

dbus-1.12.8-24.0.1.al8

ding-libs

ding-libs-0.6.1-40.al8

dnf

dnf-4.7.0-16.0.1.al8

dnf-plugins-core

dnf-plugins-core-4.0.21-14.1.al8

dracut

dracut-049-223.git20230119.al8

elfutils

elfutils-0.188-3.0.1.al8

emacs

emacs-27.2-8.0.3.al8.1

expat

expat-2.2.5-11.al8

file

file-5.33-24.al8

freetype

freetype-2.10.4-9.al8

fuse

fuse-2.9.7-16.al8

gmp

gmp-6.2.0-10.0.1.al8

gnupg2

gnupg2-2.2.20-3.al8

graphite2

graphite2-1.3.10-10.2.al8

grub2

grub2-2.02-148.0.1.al8

harfbuzz

harfbuzz-1.7.5-3.2.al8

hwdata

hwdata-0.314-8.16.al8

iproute

iproute-5.18.0-1.al8

iptables

iptables-1.8.4-24.0.1.al8

kernel

kernel-5.10.134-15.al8

kernel-hotfix-13383560-5.10.134-15

kernel-hotfix-13383560-5.10.134-15-1.0-20230724161633.al8

kexec-tools

kexec-tools-2.0.25-5.0.1.al8

kmod

kmod-25-19.0.2.al8

kpatch

kpatch-0.9.7-2.0.1.al8

libarchive

libarchive-3.5.3-4.al8

libffi

libffi-3.1-24.0.1.al8

libteam

libteam-1.31-4.0.1.al8

libuser

libuser-0.62-25.0.1.al8

libxml2

libxml2-2.9.7-16.0.1.al8

linux-firmware

linux-firmware-20230404-114.git2e92a49f.al8

logrotate

logrotate-3.14.0-6.0.1.al8

NetworkManager

NetworkManager-1.40.16-1.0.1.al8

nfs-utils

nfs-utils-2.3.3-59.0.2.al8

nftables

nftables-0.9.3-26.al8

oddjob

oddjob-0.34.7-3.0.1.al8

openssh

openssh-8.0p1-17.0.2.al8

openssl-pkcs11

openssl-pkcs11-0.4.10-3.0.1.al8

pam

pam-1.3.1-25.0.1.al8

pciutils

pciutils-3.7.0-3.0.1.al8

python-linux-procfs

python-linux-procfs-0.7.1-1.al8

python-rpm-generators

python-rpm-generators-5-8.al8

python-slip

python-slip-0.6.4-13.al8

rng-tools

rng-tools-6.15-3.0.1.al8

rpcbind

rpcbind-1.2.5-10.0.1.al8

rpm

rpm-4.14.3-26.0.1.al8

rsyslog

rsyslog-8.2102.0-13.al8

selinux-policy

selinux-policy-3.14.3-117.0.1.al8

setools

setools-4.3.0-3.al8

setup

setup-2.12.2-9.0.1.al8

sg3_utils

sg3_utils-1.44-6.0.1.al8

shared-mime-info

shared-mime-info-2.1-5.0.1.al8

sssd

sssd-2.8.2-2.0.1.al8

tpm2-tss

tpm2-tss-2.3.2-4.0.2.al8

unbound

unbound-1.16.2-5.al8

util-linux

util-linux-2.32.1-42.0.1.al8

virt-what

virt-what-1.25-3.al8

wget

wget-1.19.5-11.0.1.al8

which

which-2.21-18.0.1.al8

xfsprogs

xfsprogs-5.0.0-10.0.6.al8

Important updates

  • Kernel updates

    • Community tracking

      • Devlink supports subfunction management.

        A subfunction is a lightweight function that is deployed on a parent Peripheral Component Interconnect (PCI) function. Compared with a PCI Express (PCIe) Virtual Function (VF), a subfunction is more lightweight and shares resources with its parent PCI function. A subfunction provides all networking-related resources, such as transmit queues, receive queues, and completion queues. A subfunction serves as a complete network interface controller (NIC) in Linux. This update allows you to use devlink to manage subfunctions on NICs. You can use devlink together with drivers to create, destroy, or query subfunctions on NICs.

      • IO_uring Non-Volatile Memory Express (NVMe) passthrough is supported.

        In access to storage devices, the overheads of a complex storage stack have a significant impact on latency and IOPS. As storage devices become faster, the proportion of overheads that are introduced by the software stack increases. When you access NVMe disks, you must traverse through multiple abstraction layers, including file system, block layer, and NVMe driver. This update backports the io_uring uring_cmd feature, which was introduced in mainline Linux kernel 5.19. The feature passes the actual file operations to the kernel by using io_uring. This way, the operations are not parsed at the io_uring layer and are sent directly to the NVMe driver layer, bypassing the file system layer and block layer. Additionally, to support this feature, io_uring is introduced to support CQE32 and NVMe character device creation.

      • Fine-grained permissions control is supported for NVMe and Small Computer System Interface (SCSI) persistent reservations.

        Before the update, performing persistent reservations required the CAP_SYS_ADMIN permission, which prevented the use of persistent reservations in specific non-privileged scenarios (such as containers). After the update, persistent reservations can be performed by non-privileged processes that have write permissions on block storage devices but do not have the CAP_SYS_ADMIN permission. This allows persistent reservations to be used in more scenarios.

      • The IOPS throttling of large I/O block sizes is optimized.

        In Linux kernel 5.10, IOPS throttling may not work as expected in scenarios that involve large I/O block sizes such as 1 MB. This is primarily due to the mishandling of split large I/O block sizes initiated by IOPS throttling of block throttle. This phenomenon is more apparent in I/O buffering scenarios where buffers are first stored in page caches and then written back. In these scenarios, large I/O block sizes are often generated. This issue is optimized in mainline kernel 5.18. This update optimizes the IOPS throttling of large I/O block sizes by using backported patches from the mainline kernel and fixes the vulnerability of repeatedly calculating bits per second (BPS).

      • Hash BPF maps are backported from the community for the lookup_and_delete_elem operation, and bloom filter maps are supported.

        • Before the update, the lookup_and_delete_elem operation only supports queue and stack maps. After the update, hash maps are supported.

        • Bloom filter maps are supported to help you efficiently test set membership.

      • CPU and memory hot-plugging is supported when the kernel runs as a QEMU Arm 64 virtual machine guest operating system.

        • The vCPU quantity can be hot-updated in the guest OS by running the virsh setvcpus command.

        • The CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE configuration is enabled by default to prevent the memhp_default_online_type configuration from being set to offline. This way, hot-plugged memory is automatically available for use, eliminating hot-plugging failures caused by insufficient memory that results from creating page descriptors.

      • The Hardware P-State (HWP) IO boost feature is supported for all Intel chips.

        The HWP IO boost technology enhances IO performance. In the previous kernel versions, HWP IO boost was enabled only for certain Skylake platforms and enterprise servers. This patch removes the CPU type check to enable HWP IO boost for all CPUs by default.

      • The HugeTLB Vmemmap Optimization (HVO) feature is backported from the community.

        The HVO technique reduces the vmemmap space occupied by large pages. Specifically, this technique maps all virtual addresses of a struct page for a large page in vmemmap to the same physical address to release the physical memory occupied by the struct page.

      • The memcg Least Recently Used (LRU) lock feature is backported.

        In scenarios that require a global LRU lock, this feature replaces the global LRU lock with locks that are specific to the memcg where the involved pages reside. These scenarios include page movement, memcg movement, and swap-in and swap-out scenarios. This update reduces contention caused by the global LRU lock and improves performance by 50% in scenarios where multiple memcgs are involved.

      • Linux kernels can run on Intel Trust Domain Extensions (TDX) guests.

        Linux kernels can run on Intel TDX guests to provide various features such as memory encryption, memory integrity protection, CPU register protection, and remote attestation of the trusted environment.

      • Performance Monitoring Unit (PMU) capabilities are enabled on Emerald Rapids (EMR) platforms.

        • EMR CPU IDs are added to PMU drivers, enabling PMU capabilities on EMR platforms.

        • The Array Built-in-Self-Test (BIST) support is added to In Field Scan (IFS). IFS is a feature that runs circuit level tests on each CPU core to detect issues that are not caught by error correction code (ECC) checks.

    • In-house features

      • Shared Memory Communication over RDMA (SMC-R) can help TCP network applications transparently use Remote Direct Memory Access (RDMA) to obtain network communication services with high bandwidth and low latency.

        SMC is a high-performance kernel network stack that is contributed by IBM to the upstream Linux. SMC-R can help TCP network applications transparently use RDMA to obtain network communication services with high bandwidth and low latency. ANCK resolves a large number of stability issues based on the upstream foundation, supports the default use of SMCv2 and SMCv2.1 protocol negotiation, and incorporates features such as max_link, max_conn, and Alibaba Vendor ID. It optimizes the number of link connections, supports Receive Queue (RQ) throttling, and supports the RDMA Write With Immediate operation. ANCK has added various diagnostic information, supports the use of the SMC protocol stack through the PF_INET protocol family, and supports transparent replacement through Berkeley Packet Filter (BPF).

      • The cache consistency in FUSE is enhanced, and a data collection interface is added.

        • A debugging interface is added to sysfs to display all requests that are sent to the userspace daemon and wait to be processed in a specific FUSE file system.

        • A data collection interface is added to sysfs to count and display the number and processing time of various requests for a specific FUSE file system.

        • Cache consistency in cache (cache=always|auto) mode is enhanced to apply to distributed file system backends that rely on strong consistency, such as NFS.

          1. A userspace daemon can notify the FUSE client to invalidate all directory entries (dentries) within a directory.

          2. The Close-To-Open (CTO) cache consistency model is implemented. The model implements flush-on-close and invalidate-on-open semantics on both data and metadata.

          3. The cache consistency model is enhanced in FUSE failover mode.

      • TAR files can be directly mounted in EROFS, and non-compressed 4k-block EROFS images can be mounted on Arm64 platforms that use 16K or 64K pages.

        • Non-compressed 4k-block EROFS images can be mounted on Arm64 platforms that use 16K or 64K pages.

        • TAR files can be used as data sources. You can use EROFS metadata to mount and access the data in the TAR files.

      • Cross-namespace propagation of FUSE mount points is supported.

        FUSE mount points can be propagated from non-privileged sidecar containers to application containers, providing a solution for FUSE-based remote storage in cloud-native scenarios.

      • Memory bloat issues that are caused by THP are resolved.

        THP enhances performance but may also lead to memory bloat issues. Memory bloat can trigger out of memory (OOM) errors. For example, if an application that requests 8 KiB of memory (two 4-KiB pages) is assigned a THP, the THP consists of two 4-KiB pages that the application requests and 510 4-KiB pages that are filled with zeros, known as zero pages. As a result, OOM errors may occur due to the increase of Resident Set Size (RSS) memory usage.

        THP zero subpages reclaim (ZSR) is proposed to solve memory bloat issues. THP ZSR is a mechanism that splits THPs into subpages and reclaims zero subpages to prevent OOM errors that are caused by memory bloat.

  • System configuration updates

    • The value of tcp_max_tw_buckets is reset to 5000.

    • The default character set for mounting VFAT file systems is reset to ISO-8859-1.

  • Software package feature updates

    • aliyun_cli is integrated by default.

    • container-selinux is integrated by default.

    • The anolis-epao-release package is added. Alibaba Cloud Linux 3 can now access packages from the Anolis OS epao repository to install AI and other applications.

Fixed issues

  • The issue that rngd.service failed to start in Alibaba Cloud Linux 3 Arm64 images is resolved.

  • The bugfix is backported from the mainline kernel to address a memory leak issue that arises in a cgroup when a process fails to fork.

  • An overlayfs permission issue is resolved. When all upper directories and lower directories are located in the same file system and a file or directory without read permissions is accessed, ovl_override_creds() is not executed as expected because of logic errors introduced by previous overlayfs performance optimizations. As a result, the actual execution permissions are not elevated to the credentials of the mounter, and a permission error is reported when a copy-up operation requires read permissions.

  • FUSE bugfixes are backported from the mainline kernel, improving FUSE stability.

  • Multiple ext4 bugfixes of the bigalloc feature are backported from the kernel community, significantly optimizing real-time scale-outs in these scenarios.

  • Potential data consistency issues that arise when CONT-PTE or CONT-PMD is backported from the kernel community are resolved.

  • The issue that specific AMD instances cannot use resctrl is resolved.

  • The stability issue of the IAX hardware compression and decompression accelerator is resolved.

  • The cyclic redundancy check (CRC) failure in the IAX hardware compression and decompression accelerator is resolved.

  • Memory thrashing issues that are caused by the improper use of the swap_info_struct lock in high-concurrency swapon and swapoff scenarios are resolved. This bugfix is integrated into the kernel community.

  • The issue that the self-developed zombie memcg reaper feature does not take effect in one-shot mode is resolved.

  • Potential stability issues that occur on YiTian 710 instances when Memory System Resource Partitioning and Monitoring (MPAM) is used are resolved.

Image updates

  • Container images

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.8

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest

      Note

      After a new version is released, you can no longer obtain version 3.8 of images by specifying latest.

  • Virtual machine images

Known issues

In extreme scenarios, performance may decrease in ANCK 5.10-015 due to the synchronization of a wake-up scheduling optimization to the upstream community. This issue occurs only in benchmarking scenarios that involve high loads and does not affect your normal usage.

Alibaba Cloud Linux 3.2104 U7

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.2104 U7

aliyun_3_x64_20G_alibase_20230516.vhd

2023-05-16

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-14.al8.x86_64.

  • Updates: For more information, see Updates.

aliyun_3_arm64_20G_alibase_20230515.vhd

2023-05-15

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-14.al8.aarch64.

  • Updates: For more information, see Updates.

Updates

  • Kernel bugs and critical security vulnerabilities are fixed.

  • The multi-pcp feature is supported to bypass the lock of the buddy system and improve packet reception performance.

    The multi-pcp feature reserves memory pages that have orders greater than 0 in per-core memory pools. This eliminates the need to allocate high-order memory pages by using the zone buddy system. This also bypasses the lock of the buddy system and improves packet reception performance.

  • The IAA driver is supported to enhance compression and decompression performance.

    IAA is a hardware accelerator that provides primitive analytic features and high-throughput compression and decompression capabilities. The driver code comes from Intel code repositories and is optimized to ensure compatibility with the ANCK kernel. Bugs are fixed.

  • Silent data corruption that is caused by truncated page cache is fixed for the shmem and hugetlb file systems.

    Before the update, poisoned shmem and hugetlb pages are removed from the page cache. Subsequent access to the offset in the file results in a new zero-filled page, which causes silent data corruption. After the update, silent data corruption that is caused by poisoned pages is fixed in the shmem, tmpfs, and hugetlb file systems.

  • The CoreSight Embedded Trace Extension (ETE) driver is added, and tools under tools/perf are supported.

  • The signal handling mechanism of the Kernel-based Virtual Machine (KVM) module for the ARM64 platform is enhanced to fix failures that occur in Reliability, Availability, and Serviceability (RAS) scenarios.

    Before the update, if the TIF_NOTIFY_RESUME flag is not handled before the CPU enters the guest mode, failures occur due to exceptions that are triggered by frequent RAS events. To address this issue, the full generic entry infrastructure is supported on the ARM64 platform to handle pending tasks.

  • The Coherent Mesh Network (CMN) and Direct Rendering Manager (DRM) drivers of the Linux community and debugfs are supported, and vulnerabilities are fixed.

    In versions earlier than 5.10-014, the CMN and DRW drivers deviate from those of the Linux community. To reduce maintenance costs, 5.10-014 synchronizes the CMN and DRW drivers of the Linux community and ensures compatibility with CMN-700 of YiTian 710. debugfs is supported, and vulnerabilities are fixed. The topology of CMN can be viewed in user mode.

  • Machine Check Exception (MCE) errors that are triggered by copy-on-write (COW) can be fixed on x86 instances that run in kernel mode.

    If uncorrectable errors are triggered when COW is implemented in the kernel, the system fails because it does not have recovery programs for this case where poison is consumed by the kernel. This feature adds support for recovery programs by sending a SIGBUS to applications to prevent system failures.

  • Top-down performance analysis can be performed by using performance metrics to make CPU Performance Monitoring Unit (PMU) easier to use.

    In versions earlier than 5.10-014, the performance metric feature is not supported and no top-down performance analysis tool is available. In 5.10-014, the performance metric feature is supported to make CPU PMU easier to use and help users troubleshoot CPU performance bottlenecks. Top-down metrics of YiTian 710, Kunpeng, and x86 are also supported.

  • UDP Segmentation Offload (USO) is supported for virtio-net.

    Compared with UDP Fragmentation Offload (UFO), USO improves packet reception performance in complex network environments and the forwarding performance of forwarding components. Starting from version 5.10-014, USO is supported for virtio-net. Compared with UFO, USO reduces packet loss that is caused by fragment reassembly in unstable network conditions, incast scenarios, and traffic spikes. USO also reduces the overhead of fragment reassembly on the receiving side. Packet loss and out-of-order (OOO) packets cause fragment reassembly for forwarding components. As such, USO improves the efficiency of forwarding components.

  • Secure Encrypted Virtualization (SEV) and Secure Encrypted Virtualization-Encrypted State (SEV-ES) are supported. This ensures that the pre-attestation feature of SEV confidential containers works as expected.

  • The following issue is fixed: The empty pci_iounmap() implementation of the AArch64 architecture exhausts virtual address space.

    In versions earlier than 5.10-014, the pci_iounmap() function is empty when CONFIG_GENERIC_IOMAP is not configured, so mapped memory cannot be released. This results in virtual address space exhaustion. In 5.10-014, pci_iounmap() is implemented.

  • The high-performance ublk is supported.

    ublk is a high-performance framework that is used to implement block device logic from userspace based on the io_uring passthrough mechanism. ublk can be used to efficiently deploy agents in distributed storage.

  • The following technologies developed in-house by Alibaba Cloud are supported:

    • Code block lock is supported. The code blocks that reside in memory can be locked as a whole or by cgroup.

      Low memory usage triggers memory reclamation. Code blocks of core business that are stored in the memory may also be reclaimed. When the business programs are rerun, the code blocks are retrieved from disks and then stored in the memory. Frequent I/O operations slow down response speeds and cause performance jitters. The feature locks the cgroups of the memory where core code blocks are stored to prevent the memory from being frequently swapped in and out. This feature also allows you to configure a memory lock quota that specifies the proportion of code block memory that you want to retain.

    • A size limit can be specified for the page cache to free up memory space to support business growth.

      In scenarios that involve containers, the available memory that is provided by the containers is limited. If the page cache occupies a large amount of memory, memory reclamation is triggered. If the reclamation cannot meet the memory requirements for business growth, OOM errors may occur and degrade performance. To address this issue, this feature is provided by ANCK to limit the size of page cache for containers. Excess page cache is reclaimed in advance to free up memory space. This feature can limit the page cache size for all containers or containers that reside in each cgroup. This feature also supports synchronous and asynchronous reclamation methods to provide high flexibility.

    • Dynamic CPU isolation is supported.

      CPU isolation involves assigning different CPU cores or CPU sets to different tasks to prevent resource competition and improve system performance and stability. To support crucial tasks, the CPU isolation technology assigns isolated CPUs to crucial tasks and non-isolated CPUs to non-crucial tasks. The number of crucial tasks changes during task runtime. If you isolate a large number of CPUs to support crucial tasks, resources may be wasted and costs may increase. Dynamic CPU isolation allows the number of isolated CPUs to be changed to maximize resource utilization, reduce costs, and improve business performance.

    • CPU burst and the minimum memory watermark QoS capability are supported in cgroup v2.

      To promote the use of cgroup v2, the interfaces of cgroup v2 of various in-house ANCK technologies, including CPU burst and the minimum memory watermark QoS capability, are supported.

    • The vmalloc() function is supported for the XDP socket feature to allocate virtual memory to queues. This prevents XDP socket allocation failures that are caused by memory fragmentation.

      By default, the XDP socket feature uses the __get_free_pages() function to allocate contiguous physical memory. If severe memory fragmentation occurs on instances, XDP sockets may fail to be created. This feature uses the vmalloc() function to allocate memory to reduce the risks of XDP socket creation failure.

Alibaba Cloud Linux 3.2104 U6.1

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.2104 U6.1

aliyun_3_x64_20G_alibase_20230424.vhd

2023-04-24

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-13.1.al8.x86_64.

aliyun_3_arm64_20G_alibase_20230424.vhd

2023-04-24

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-13.1.al8.aarch64.

aliyun_3_x64_20G_alibase_20230327.vhd

2023-03-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-13.1.al8.x86_64.

aliyun_3_arm64_20G_alibase_20230327.vhd

2023-03-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-13.1.al8.aarch64.

Alibaba Cloud Linux 3.2104 U6

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.2104 U6

aliyun_3_x64_20G_qboot_alibase_20230214.vhd

2023-02-14

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is updated.

  • This image is derived from the aliyun_3_x64_20G_alibase_20230110.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

aliyun_3_x64_20G_uefi_alibase_20230214.vhd

2023-02-14

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20230110.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The boot mode is changed to Unified Extensible Firmware Interface (UEFI), and only the UEFI mode is supported.

aliyun_3_x64_20G_alibase_20230110.vhd

2023-01-10

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The configurations of the Plus debug repository are added.

  • Kernel updates:

    • The kernel version is updated to 5.10.134-13.al8.x86_64.

    • Kernel bugs and critical security vulnerabilities are fixed.

    • /dev/ioasid is supported.

      In versions earlier than ANCK 5.10-013, device-passthrough frameworks (such as VFIO and vDPA) create their own logic to isolate untrusted device DMAs that are initiated by userspace. In ANCK 5.10-013 and later, /dev/ioasid provides a unified interface to manage I/O page tables for devices that are assigned to userspace. This simplifies Virtual Function I/O (VFIO) and vDPA.

    • The performance of the SoftWare Input/Output Translation Lookaside Buffer (SWIOTLB) mechanism is optimized.

      In versions earlier than ANCK 5.10-013, the SWIOTLB mechanism that is used to communicate with peripherals only uses a single lock when allocating memory. In ANCK 5.10-013 and later, the lock is split into multiple locks and allows user configuration. Confidential virtual machines (AMD SEV- or Intel TDX-based virtual machines) that have high configurations, such as more than 32 CPUs, can benefit from the change. For Redis and MySQL, the tests show that I/O performance can be improved by up to eight times after the lock splitting.

    • napi.tx is enabled in virtio-net to improve the performance of TCP Small Queue (TSQ).

      In 3bedc5bca69d ('ck: Revert "virtio_net: enable napi_tx by default"'), high si leads to performance degradations in some special scenarios. This causes TSQ not to work as expected. To resolve the issue, the napi.tx feature is re-enabled.

    • The AST2600 PCIe 2D Video Graphics Array (VGA) driver is supported.

      In versions earlier than ANCK 5.10-013, ASPEED AST2600 graphics cards are not supported. In ANCK 5.10-013 and later, ASPEED AST2600 graphics cards are supported. When such a graphics card is connected to an external monitor, images can be properly displayed on the screen.

    • The group identity feature can be dynamically enabled.

      In ANCK 5.10-013, the global sysctl switch is added for group identity. By default, the switch is turned off to reduce the scheduling overhead of common processes. You can run the echo 1 > /proc/sys/kernel/sched_group_identity_enabled command to turn on the switch.

    • The default kernel boot cmdline is adjusted on the Arm64 platform.

      In 5.10.134-013 and later, the following parameter settings are added to the kernel boot cmdline on the Arm64 platform to improve performance:

      cgroup.memory=nokmem iommu.passthrough=1 iommu.strict=0

      • cgroup.memory=nokmem: disables kernel memory accounting. When enabled, kernel memory accounting results in additional logic for allocating and releasing slab pages and affects performance. For more information, go to OpenAnolis.

      • iommu.passthrough=1: bypasses the Input-Output Memory Management Unit (IOMMU) for direct memory access (DMA). This can reduce translations for page table mappings. If iommu.passthrough=1 is not added to the kernel boot cmdline, the value of CONFIG_IOMMU_DEFAULT_PASSTHROUGH is used. The iommu.passthrough parameter takes effect for physical machines.

      • iommu.strict=0: indicates that the lazy mode is used for translation look-aside buffer (TLB) invalidation. The lazy mode defers the invalidation of hardware TLBs during DMA unmap operations to increase throughput and the unmapping speed. If the lazy mode is not supported by the relevant IOMMU driver, the mode automatically switches back to the strict mode (iommu.strict=1). The strict mode invalidates IOMMU hardware TLBs during DMA unmap operations.

    • The Compact NUMA aware (CNA) spinlock feature is supported.

      In 5.10.134-013 and later, NUMA awareness is added to qspinlock. One of the following kernel boot cmdline parameter settings can be added to enable the CNA spinlock feature: numa_spinlock=on or numa_spinlock=auto.

      After this feature is enabled, qspinlock can give a lock to the CPU of the same NUMA node as much as possible when CPUs on different NUMA nodes compete for the spinlock. This reduces the number of cross-NUMA sessions and improves performance. In the benchmark tests of sysbench and leveldb, performance is improved by more than 10%.

    • The perf mem and perf c2c commands provide more features on the Arm64 platform.

      In 5.10.134-013 and later, the perf mem and perf c2c commands are extended to provide more features. On the Arm64 platform, perf mem and perf c2c can be used to show the data sources of samples, such as L1 hit. perf mem supports synthesized memory events, synthesized instruction events, synthesis directive events, and instruction delay information. perf c2c provides the capability of locating NUMA node information.

    • fsck.xfs supports journal replay.

      After a machine breaks down, file systems may be in an inconsistent state with the journal log not replayed. In xfsprogs-5.0.0-10.0.4 and earlier, this may drop the machine into the rescue shell because fsck.xfs does not support journal replay, which complicates maintenance. In xfsprogs-5.0.0-10.0.5 and later, fsck.xfs supports journal replay. When you assume the administrator role, you can set fsck.mode to force and fsck.repair to yes to enable journal replay. Take note that journal replay takes effect only for system disks.

    • Adaptive Huge Pages are supported.

      In 5.10.134-013 and later, the adaptive Huge Pages feature is provided to resolve hardware drawbacks, especially for x86 platforms. An example of the hardware drawbacks is that Intel Skylake has only eight iTLB entries to use. This feature selects the most popular 2 MB areas into huge pages based on page table entry (PTE) scan results. In short, this feature provides two system interfaces to limit the number of huge pages per application and prevent performance degradations that are caused by iTLB miss increase. This feature is applicable to Java applications and applications with large code segments, such as ApsaraDB for OceanBase and MySQL.

    • Software Guard Extensions (SGX) dynamic memory management is supported.

      In versions earlier than ANCK 5.10, the dynamic management of SGX enclave memory is not supported. In ANCK 5.10 and later, the SGX Enclave Dynamic Memory Management (EDMM) feature is provided to allow the dynamic management of SGX memory.

    • The WireGuard module is enabled.

      In versions earlier than ANCK 5.10-013, the WireGuard module is not enabled. In ANCK 5.10 and later, the WireGuard module is enabled. WireGuard is an easy-to-configure, fast, and secure virtual private network (VPN) that can replace IPSec. WireGuard is abstract and suitable for general use in most scenarios.

aliyun_3_arm64_20G_alibase_20230110.vhd

2023-01-10

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The configurations of the Plus debug repository are added.

  • Kernel updates:

    • The kernel version is updated to 5.10.134-13.al8.aarch64.

    • Kernel bugs and critical security vulnerabilities are fixed.
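The Arm64 boot cmdline defaults described above for 5.10.134-013 and later (cgroup.memory=nokmem iommu.passthrough=1 iommu.strict=0) trade DMA isolation and kernel memory accounting for performance, so a fleet audit may want to know which hosts boot with them. The following shell script is an added example, not part of the release notes or of Alibaba Cloud's tooling; the function names, the sample command lines, and the strict baseline it checks against are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a kernel command line for the Arm64 boot parameters
# described in the release notes. To check the running host, call:
#   audit_boot_params "$(cat /proc/cmdline)"

# Constructed sample command lines (not captured from a real instance).
SAMPLE_ARM64='root=/dev/vda1 ro cgroup.memory=nokmem iommu.passthrough=1 iommu.strict=0'
SAMPLE_STRICT='root=/dev/vda1 ro iommu.passthrough=0 iommu.strict=1'

# Print the value of KEY ($2) from a command line string ($1); status 1 if
# the key is absent. Assumptions: tokens are whitespace-separated with no
# quoted spaces, and when KEY is repeated the last occurrence is reported.
cmdline_value() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | awk -v k="$2" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2); found = 1 }
        END { if (found) print v; exit !found }'
}

# Describe DMA translation for a command line, following the release notes:
# iommu.passthrough=1 bypasses the IOMMU for DMA, iommu.strict=0 selects lazy
# TLB invalidation, and an absent iommu.passthrough defers to the kernel
# build option CONFIG_IOMMU_DEFAULT_PASSTHROUGH ("build-default" here).
iommu_dma_mode() {
    pt=$(cmdline_value "$1" iommu.passthrough) || pt=absent
    st=$(cmdline_value "$1" iommu.strict) || st=absent
    case $pt in
        1) echo "passthrough"; return 0 ;;   # invalidation mode not reported
        0) mode="translated" ;;
        absent) mode="build-default" ;;
        *) echo "invalid"; return 2 ;;
    esac
    case $st in
        0) echo "$mode/lazy" ;;
        1) echo "$mode/strict" ;;
        absent) echo "$mode/invalidation-default" ;;
        *) echo "invalid"; return 2 ;;
    esac
}

# Compare a command line with a hypothetical strict baseline (translated DMA,
# strict invalidation, kernel memory accounting on). Prints one finding per
# line and returns 1 if any finding was printed.
audit_boot_params() {
    findings=0
    pt=$(cmdline_value "$1" iommu.passthrough) || pt=absent
    st=$(cmdline_value "$1" iommu.strict) || st=absent
    km=$(cmdline_value "$1" cgroup.memory) || km=""
    if [ "$pt" = 1 ]; then
        echo "iommu.passthrough=1: DMA bypasses the IOMMU"
        findings=$((findings + 1))
    fi
    if [ "$st" = 0 ]; then
        echo "iommu.strict=0: IOMMU TLB invalidation is deferred on DMA unmap"
        findings=$((findings + 1))
    fi
    # cgroup.memory accepts a comma-separated list, so match nokmem as one item.
    case ",$km," in
        *,nokmem,*)
            echo "cgroup.memory=nokmem: kernel memory accounting is disabled"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Demonstration on the constructed sample; findings are expected, hence "|| true".
audit_boot_params "$SAMPLE_ARM64" || true
```
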

Release notes for 2022

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.5.2

aliyun_3_x64_20G_alibase_20221118.vhd

2022-11-18

The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

aliyun_3_arm64_20G_alibase_20221118.vhd

2022-11-18

The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

aliyun_3_x64_20G_alibase_20221102.vhd

2022-11-02

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-12.2.al8.x86_64.

aliyun_3_arm64_20G_alibase_20221102.vhd

2022-11-02

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-12.2.al8.aarch64.

Alibaba Cloud Linux 3.5

aliyun_3_x64_20G_alibase_20220907.vhd

2022-09-07

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel version is updated to 5.10.134-12.al8.x86_64.

    • Kernel bugs and critical security vulnerabilities are fixed.

    • YiTian 710 processors are supported.

    • Panjiu M-series servers are supported.

    • The performance on the YiTian platform is optimized.

    • MPAM is supported on the Arm 64-bit architecture.

    • Datop can be used to monitor NUMA across nodes and identify cold and hot memory in processes.

    • The hot migration capability of AMD SEV is supported by the guest OS.

    • More than 4 GB of memory can be reserved for a crash kernel on the Arm 64-bit architecture.

    • Hotfixes for kernel modules are supported on the Arm 64-bit architecture.

    • ftrace osnoise tracer is supported.

    • ext4 fast commit is supported, which is frequently applied to the fsync function. For example, ext4 fast commit optimizes the performance of MySQL and PostgreSQL databases. The corresponding e2fsprogs version is updated to 1.46.0.

    • The following features developed in-house by Alibaba Cloud are supported:

      • 2 MB unaligned part at the end of executable binary files can be filled, which improves the performance by 2% for specific scenarios.

      • The XFS 16k atomic write feature is supported. Compared with double writes, XFS 16k atomic writes improve the performance of disks by up to 50% and reduce I/O on disks. The corresponding xfsprogs and mariadb repositories are updated to Anolis YUM repositories. This solution has the following advantages over the hardware-based atomic write solution:

        • This solution is based on the COW technique.

        • This solution does not depend on hardware.

        • This solution does not depend on runtime I/O path configurations.

        The XFS 16k atomic write feature can be used together with the Hugetext feature. For more information, see Work with MariaDB 16K atomic writes.

      • Nydus and erofs over fscache can be used to accelerate container images. Nydus and erofs over fscache are developed by OpenAnolis and are integrated into mainline Linux 5.19. Nydus and erofs over fscache are the first native in-kernel acceleration solution that is supported by the Linux community for container images. For more information, see OpenAnolis.

      • The fuse fd passthrough and fd attach features are supported. fd passthrough can reduce I/O latency by 90% for common scenarios. fd attach can recover fuse mount points in abnormal cases without impacts and help improve the stability of production environments.

      • Kidled can be used to scan anonymous pages, files, and slabs.

      • The memory.use_priority_swap interface is added to reclaim memory based on the priorities of cgroups.

      • 1-RTT and RDMA DIM are supported by SMC to optimize CQ interrupt process logic and improve QPS by 40% in data paths. SMC continuous integration and continuous delivery (CI/CD) is supported to fix dozens of stability issues.

aliyun_3_arm64_20G_alibase_20220907.vhd

2022-09-07

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel version is updated to 5.10.134-12.al8.aarch64.

    • Kernel bugs and critical security vulnerabilities are fixed.

    • YiTian 710 processors are supported.

    • Panjiu M-series servers are supported.

    • The performance on the YiTian platform is optimized.

    • MPAM is supported on the Arm 64-bit architecture.

    • Datop can be used to monitor NUMA across nodes and identify cold and hot memory in processes.

    • The hot migration capability of AMD SEV is supported by the guest OS.

    • More than 4 GB of memory can be reserved for a crash kernel on the Arm 64-bit architecture.

    • Hotfixes for kernel modules are supported on the Arm 64-bit architecture.

    • ftrace osnoise tracer is supported.

    • ext4 fast commit is supported, which is frequently applied to the fsync function. For example, ext4 fast commit optimizes the performance of MySQL and PostgreSQL databases. The corresponding e2fsprogs version is updated to 1.46.0.

    • The following features developed in-house by Alibaba Cloud are supported:

      • 2 MB unaligned part at the end of executable binary files can be filled, which improves the performance by 2% for specific scenarios.

      • The XFS 16k atomic write feature is supported. Compared with double writes, XFS 16k atomic writes improve the performance of disks by up to 50% and reduce I/O on disks. The corresponding xfsprogs and mariadb repositories are updated to Anolis YUM repositories. This solution has the following advantages over the hardware-based atomic write solution:

        • This solution is based on the COW technique.

        • This solution does not depend on hardware.

        • This solution does not depend on runtime I/O path configurations.

        The XFS 16k atomic write feature can be used together with the Hugetext feature. For more information, see Work with MariaDB 16K atomic writes.

      • Nydus and erofs over fscache can be used to accelerate container images. Nydus and erofs over fscache are developed by OpenAnolis and are integrated into mainline Linux 5.19. Nydus and erofs over fscache are the first native in-kernel acceleration solution that is supported by the Linux community for container images. For more information, see OpenAnolis.

      • The fuse fd passthrough and fd attach features are supported. fd passthrough can reduce I/O latency by 90% for common scenarios. fd attach can recover fuse mount points in abnormal cases without impacts and help improve the stability of production environments.

      • Kidled can be used to scan anonymous pages, files, and slabs.

      • The memory.use_priority_swap interface is added to reclaim memory based on the priorities of cgroups.

      • 1-RTT and RDMA DIM are supported by SMC to optimize CQ interrupt process logic and improve QPS by 40% in data paths. SMC CI/CD is supported to fix dozens of stability issues.

aliyun_3_x64_20G_qboot_alibase_20220907.vhd

2022-09-07

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is updated.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220907.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

aliyun_3_x64_20G_uefi_alibase_20220907.vhd

2022-09-07

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220907.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The boot mode is changed to Unified Extensible Firmware Interface (UEFI), and only the UEFI mode is supported.

Alibaba Cloud Linux 3.4.2

aliyun_3_arm64_20G_alibase_20220819.vhd

2022-08-19

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.112-11.2.al8.aarch64.

aliyun_3_x64_20G_alibase_20220815.vhd

2022-08-15

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.112-11.2.al8.x86_64.

Alibaba Cloud Linux 3.4.1

aliyun_3_x64_20G_alibase_20220728.vhd

2022-07-28

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.112-11.1.al8.x86_64.

aliyun_3_arm64_20G_alibase_20220728.vhd

2022-07-28

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.112-11.1.al8.aarch64.

aliyun_3_x64_20G_alibase_20220527.vhd

2022-05-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel version is updated to 5.10.112-11.al8.x86_64.

    • Kernel bugs and critical security vulnerabilities are fixed.

    • The following technologies developed by Alibaba Cloud are supported:

      • Duptext

      • Enhanced Huge Pages

      • Kernel Electric-Fence (KFENCE), which is used to detect out-of-bounds memory accesses and use-after-free errors

    • CSV2 confidential virtual machines that use Hygon processors can be started.

    • Up to 256 CPUs are supported by the guest OS.

    • The throughput, latency, and connection speeds of SMC in HTTP workloads such as NGINX are improved, and several stability and compatibility issues are fixed.

    • AMX, virtual AMX, IPI virtualization, UINTER, Intel_idle, and TDX are supported by Intel SPR processors.

    • SEV-ES, ptdma driver, CPU frequency, k10temp, and Error Detection And Correction (EDAC) are supported by AMD.

    • DDR PMU, PCIe PMU driver, Arm CoreLink CMN-700 Coherent Mesh Network, and RAS are supported by YiTian 710 processors.

    • CoreSight is supported.

    • Arm SPE perf memory profiling and c2c are supported by the Arm architecture.

    • DAX per file is supported by virtiofs.

    • smmu event polling is supported.

aliyun_3_x64_20G_qboot_alibase_20220527.vhd

2022-05-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is updated.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220527.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

aliyun_3_x64_20G_uefi_alibase_20220527.vhd

2022-05-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220527.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The boot mode is changed to Unified Extensible Firmware Interface (UEFI), and only the UEFI mode is supported.

aliyun_3_arm64_20G_alibase_20220526.vhd

2022-05-26

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel version is updated to 5.10.112-11.al8.aarch64.

    • Kernel bugs and critical security vulnerabilities are fixed.

    • The following technologies developed by Alibaba Cloud are supported:

      • Duptext

      • Enhanced Huge Pages

      • KFENCE, which is used to detect out-of-bounds memory accesses and use-after-free errors

    • CSV2 confidential virtual machines that use Hygon processors can be started.

    • Up to 256 CPUs are supported by the guest OS.

    • The throughput, latency, and connection speeds of SMC in HTTP workloads such as NGINX are improved, and several stability and compatibility issues are fixed.

    • AMX, virtual AMX, IPI virtualization, UINTER, Intel_idle, and TDX are supported by Intel SPR processors.

    • SEV-ES, ptdma driver, CPU frequency, k10temp, and EDAC are supported by AMD.

    • DDR PMU, PCIe PMU driver, Arm CoreLink CMN-700 Coherent Mesh Network, and RAS are supported by YiTian 710 processors.

    • CoreSight is supported.

    • Arm SPE perf memory profiling and c2c are supported by the Arm architecture.

    • DAX per file is supported by virtiofs.

    • smmu event polling is supported.

Alibaba Cloud Linux 3.3.4

aliyun_3_x64_20G_alibase_20220413.vhd

2022-04-13

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel version is updated to 5.10.84-10.4.al8.x86_64.

    • The CVE-2022-1016 and CVE-2022-27666 vulnerabilities are fixed.

aliyun_3_arm64_20G_alibase_20220413.vhd

2022-04-13

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel version is updated to 5.10.84-10.4.al8.aarch64.

    • The CVE-2022-1016 and CVE-2022-27666 vulnerabilities are fixed.

Alibaba Cloud Linux 3.3.3

aliyun_3_x64_20G_alibase_20220315.vhd

2022-03-15

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • Common vulnerabilities and exposures (CVEs) are fixed.

  • Kernel updates:

    • The kernel version is updated to 5.10.84-10.3.al8.x86_64.

    • The CVE-2022-0435 and CVE-2022-0847 vulnerabilities are fixed.

aliyun_3_arm64_20G_alibase_20220315.vhd

2022-03-15

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • CVEs are fixed.

  • Kernel updates:

    • The kernel version is updated to 5.10.84-10.3.al8.aarch64.

    • The CVE-2022-0435 and CVE-2022-0847 vulnerabilities are fixed.

Alibaba Cloud Linux 3.3.2

aliyun_3_x64_20G_alibase_20220225.vhd

2022-02-25

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions. CVEs are fixed.

  • The Coordinated Universal Time (UTC) time standard is used by the real-time clock (RTC). For more information, see Linux time and time zones.

  • Kernel updates:

    • The kernel version is updated to 5.10.84-10.2.al8.x86_64.

    • The CVE-2022-0492, CVE-2021-4197, CVE-2022-0330, CVE-2022-22942, and CVE-2022-0185 vulnerabilities are fixed.

    • The following features developed in-house by Alibaba Cloud are supported:

      • Duptext

      • Huge Pages

      • RDMA/SMC-R

    • AMX, RAS, RCEC, bus lock detection, Ratelimit support, and Uncore are supported by Intel SPR processors.

    • The MCA-R feature is added to Intel Ice Lake processors.

    • The Intel Driver & Support Assistant feature is enabled.

    • The XDP socket feature is supported by virtio-net.

    • The kernel TLS cryptography protocol is supported.

    • KFENCE is supported to detect out-of-bounds memory accesses and use-after-free errors.

    • The in-kernel SM4 algorithm is optimized by using the AVX and AVX2 instruction sets.

    • Hygon CSV vm attestation is supported.

    • The perf c2c feature of Arm SPE is supported.

    • The i10nm_edac feature is supported.

    • The unevictable_pid feature is ported.

    • The memory watermark adjustment is supported.

    • The adaptive sqpoll mode of io_uring is supported.

    • Huge vmalloc mappings are supported.

aliyun_3_x64_20G_qboot_alibase_20220225.vhd

2022-02-25

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is updated.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220225.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The UTC time standard is used by RTC. For more information, see Linux time and time zones.

aliyun_3_arm64_20G_alibase_20220225.vhd

2022-02-25

  • The UTC time standard is used by RTC. For more information, see Linux time and time zones.

  • Kernel updates:

    • The kernel version is updated to 5.10.84-10.2.al8.aarch64.

    • The CVE-2022-0492, CVE-2021-4197, CVE-2022-0330, CVE-2022-22942, and CVE-2022-0185 vulnerabilities are fixed.

    • The following features developed in-house by Alibaba Cloud are supported:

      • Duptext

      • Huge Pages

      • RDMA/SMC-R

    • AMX, RAS, RCEC, bus lock detection, Ratelimit support, and Uncore are supported by Intel SPR processors.

    • The MCA-R feature is added to Intel Ice Lake processors.

    • The Intel Driver & Support Assistant feature is enabled.

    • The XDP socket feature is supported by virtio-net.

    • The kernel TLS cryptography protocol is supported.

    • KFENCE is supported to detect out-of-bounds memory accesses and use-after-free errors.

    • The in-kernel SM4 algorithm is optimized by using the AVX and AVX2 instruction sets.

    • Hygon CSV vm attestation is supported.

    • The perf c2c feature of Arm SPE is supported.

    • The i10nm_edac feature is supported.

    • The unevictable_pid feature is ported.

    • The memory watermark adjustment is supported.

    • The adaptive sqpoll mode of io_uring is supported.

    • Huge vmalloc mappings are supported.

aliyun_3_x64_20G_uefi_alibase_20220225.vhd

2022-02-25

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220225.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The UTC time standard is used by RTC. For more information, see Linux time and time zones.

Release notes for 2021

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.2

aliyun_3_x64_20G_qboot_alibase_20211214.vhd

2021-12-14

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is released.

  • This image is derived from the aliyun_3_x64_20G_alibase_20210910.vhd version of the Alibaba Cloud Linux 3.2104 64-bit base image.

aliyun_3_x64_20G_alibase_20210910.vhd

2021-09-10

  • The Alibaba Cloud Linux 3.2104 64-bit base image is updated to include the latest software versions. CVEs are fixed.

  • The update-motd service is added and enabled by default.

  • The kdump service is enabled by default.

  • The atd service is enabled by default.

  • Kernel updates:

    • The kernel is upgraded to upstream stable kernel release 5.10.60. The current kernel version is 5.10.60-9.al8.x86_64.

    • Kernel bugs and critical security vulnerabilities are fixed.

    • The following technologies developed in-house by Alibaba Cloud are supported:

      • Elastic remote direct memory access (eRDMA) and SMC-R based on eRDMA

      • Resource isolation technology: OOM priority control

      • Memory KIDLED technology

      • Resource isolation technology: memcg zombie reaper

      • Rich container technology: rich container

      • Resource isolation technology: CPU group identity

      • Unified Kernel Fault Event Framework (UKFEF) technology

    • Intel SPR CPUs are supported.

    • The cpupower utility used for AMD Milan is supported.

    • The Non-Maskable Interrupt (NMI) watchdog based on the Software Delegated Exception Interface (SDEI) is supported by the Arm 64-bit architecture.

    • MPAM is supported by the Arm 64-bit architecture.

    • Memory hotplug is supported by the Arm 64-bit architecture.

    • The kernel quick start technology is enhanced.

    • x86 SGX2 is supported.

    • The performance of virtio-net is optimized.

    • The Extended Berkeley Packet Filter (eBPF) Linux Security Modules (LSM) technology is supported.

    • Software-hardware co-design for KVM-based virtualization is supported, and PV-qspinlock is supported as part of the co-design.

aliyun_3_arm64_20G_alibase_20210910.vhd

2021-09-10

  • The Alibaba Cloud Linux 3.2104 64-bit for Arm image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20210910.vhd version of the Alibaba Cloud Linux 3.2104 64-bit base image.

aliyun_3_x64_20G_uefi_alibase_20210910.vhd

2021-09-10

  • The Alibaba Cloud Linux 3.2104 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20210910.vhd version of the Alibaba Cloud Linux 3.2104 64-bit base image.

  • Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Shenzhen), China (Heyuan), and Singapore.

Alibaba Cloud Linux 3.1

aliyun_3_arm64_20G_alibase_20210709.vhd

2021-07-09

  • The Alibaba Cloud Linux 3.2104 64-bit for Arm image is released.

  • Security Center can be connected.

  • Supported region: China (Hangzhou).

aliyun_3_x64_20G_alibase_20210425.vhd

2021-04-25

  • The Alibaba Cloud Linux 3.2104 64-bit base image is updated.

  • Kernel updates: The kernel version is updated to 5.10.23-5.al8.x86_64.

aliyun_3_x64_20G_uefi_alibase_20210425.vhd

2021-04-25

  • The Alibaba Cloud Linux 3.2104 64-bit (UEFI) image is released.

  • This image is derived from the aliyun_3_x64_20G_alibase_20210425.vhd version of the Alibaba Cloud Linux 3.2104 64-bit base image.

  • The boot mode is changed to Unified Extensible Firmware Interface (UEFI), and only the UEFI mode is supported.

  • Supported regions: China (Beijing), China (Hangzhou), China (Shanghai), and China (Shenzhen).

Alibaba Cloud Linux 3.0

aliyun_3_x64_20G_alibase_20210415.vhd

2021-04-15

  • The Alibaba Cloud Linux 3.2104 64-bit base image is released.

  • Kernel description:

    • The kernel is based on the 5.10 kernel version supported in the Linux community. The 5.10.23-4.al8.x86_64 kernel version is used in the base image.

    • The PV-Panic, PV-Unhalt, and PV-Preempt features are supported by the Arm 64-bit architecture.

    • Kernel Live Patching (KLP) is supported by the Arm 64-bit architecture.

    • TCP-RT is supported.

    • The memcg backend asynchronous reclaim feature is supported.

    • The memcg quality of service (QoS) and Pressure Stall Information (PSI) features implemented based on cgroup v1 interfaces are supported.

    • The cgroup writeback feature is supported.

    • The monitoring of block I/O throttling is enhanced.

    • An interface is provided to optimize JBD2 of ext4.

    • The open source kernel of Alibaba Cloud is optimized and vulnerabilities in multiple subsystems including the scheduler, memory, file system, and block layer are fixed.

    • The CPU burst feature is supported. For more information, see Enable the CPU burst feature for cgroup v1.

  • Image description:

    • The base image is compatible with the CentOS 8 and Red Hat Enterprise Linux (RHEL) 8 software ecosystems. CVEs are fixed.

    • GCC 10.2.1 and glibc 2.32 are supported.

    • Python 3.6 and Python 2.7 are supported.

    • AppStream is supported.

  • Supported region: China (Hangzhou).

References