Release notes for Alibaba Cloud Linux 3 - Alibaba Cloud Linux

This topic describes the release notes for Alibaba Cloud Linux 3 images and provides links to the relevant references. The release notes are sorted by release date in reverse chronological order.

Background information

Unless otherwise stated, the released updates apply to all Alibaba Cloud regions where Elastic Compute Service (ECS) is available.
Most instance families support Alibaba Cloud Linux 3 images. However, some Alibaba Cloud Linux 3 images are supported only by specific instance families. Some instance families can use only specific public images:
Arm images whose ID contains _arm64_ are supported by Alibaba Cloud Arm-based instances.

2024

Alibaba Cloud Linux 3.2104 U10

Version	Image ID	Release date	Description
Alibaba Cloud Linux 3.2104 U10	aliyun_3_x64_20G_alibase_20240819.vhd	2024-08-19	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-17.2.al8. Updates: For more information, see the Updates section of this topic.
	aliyun_3_x64_20G_dengbao_alibase_20240819.vhd	2024-08-19	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (MLPS 2.0 Level 3)` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-17.2.al8. Updates: For more information, see the Updates section of this topic.
	aliyun_3_arm64_20G_alibase_20240819.vhd	2024-08-19	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-17.2.al8. Updates: For more information, see the Updates section of this topic.
	aliyun_3_arm64_20G_dengbao_alibase_20240819.vhd	2024-08-19	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm (MLPS 2.0 Level 3)` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-17.2.al8. Updates: For more information, see the Updates section of this topic.

Updates

Security updates

Software package name	CVE ID	Version
adwaita-qt	CVE-2023-32573 CVE-2023-33285 CVE-2023-34410 CVE-2023-37369 CVE-2023-38197	1.4.2-1.al8
apr	CVE-2022-24963	1.7.0-12.al8
avahi	CVE-2021-3468 CVE-2023-1981 CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473	0.7-21.0.1.al8.1
bind	CVE-2023-4408 CVE-2023-50387 CVE-2023-50868	9.11.36-14.0.1.al8
c-ares	CVE-2020-22217 CVE-2023-31130	1.13.0-9.al8.1
cockpit	CVE-2024-2947	310.4-1.al8
cups	CVE-2023-32324 CVE-2023-34241	2.2.6-54.0.1.al8
cups-filters	CVE-2023-24805	1.20.0-32.0.1.al8
curl	CVE-2023-38546	7.61.1-34.0.1.al8
device-mapper-multipath	CVE-2022-41973	0.8.4-39.0.2.al8
dhcp	CVE-2023-4408 CVE-2023-50387 CVE-2023-50868	4.3.6-50.0.1.al8
dnsmasq	CVE-2023-50387 CVE-2023-50868	2.79-32.0.1.al8
edk2	CVE-2022-36763 CVE-2022-36764 CVE-2022-36765 CVE-2023-3446 CVE-2023-45229 CVE-2023-45230 CVE-2023-45231 CVE-2023-45232 CVE-2023-45233 CVE-2023-45234 CVE-2023-45235	20220126gitbb1bba3d77-13.0.1.al8
expat	CVE-2023-52425	2.2.5-13.al8
evolution-mapi	CVE-2022-1615 CVE-2022-2127 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968	3.40.1-6.al8
flatpak	CVE-2023-28100 CVE-2023-28101 CVE-2024-32462	1.12.9-1.al8
frr	CVE-2023-31490 CVE-2023-41358 CVE-2023-41909 CVE-2023-46752 CVE-2023-46753	7.5.1-16.0.4.al8
fwupd	CVE-2022-3287	1.7.8-2.0.1.al8
ghostscript	CVE-2024-33871	9.54.0-16.al8
git	CVE-2024-32002 CVE-2024-32004 CVE-2024-32020 CVE-2024-32021 CVE-2024-32465	2.43.5-1.0.1.al8
glib2	CVE-2023-29499 CVE-2023-32611 CVE-2023-32665	2.68.4-11.al8
gmp	CVE-2021-43618	6.2.0-13.0.1.al8
gnutls	CVE-2023-5981	3.6.16-8.0.2.al8
grafana	CVE-2024-1313 CVE-2024-1394	9.2.10-16.0.1.al8
grafana-pcp	CVE-2024-1394	5.1.1-2.0.1.al8
gstreamer1-plugins-bad-free	CVE-2023-40474 CVE-2023-40475 CVE-2023-40476 CVE-2023-50186	1.22.1-4.0.1.al8
gstreamer1-plugins-base	CVE-2023-37328	1.22.1-2.0.1.al8
gstreamer1-plugins-good	CVE-2023-37327	1.16.1-4.al8
harfbuzz	CVE-2023-25193	2.7.4-10.0.1.al8
httpd	CVE-2023-31122 CVE-2023-45802 CVE-2024-27316	2.4.37-64.0.1.al8
mod_http2	CVE-2023-31122 CVE-2023-45802 CVE-2024-27316	1.15.7-10.al8
java-1.8.0-openjdk	CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926 CVE-2024-20945 CVE-2024-20952 CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094	1.8.0.412.b08-2.0.1.1.al8
java-11-openjdk	CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926 CVE-2024-20945 CVE-2024-20952 CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094	11.0.23.0.9-3.0.1.1.al8
libfastjson	CVE-2020-12762	0.99.9-5.al8
libjpeg-turbo	CVE-2021-29390	2.0.90-7.0.1.al8
liblouis	CVE-2023-26767 CVE-2023-26768 CVE-2023-26769	3.16.1-5.al8
libmicrohttpd	CVE-2023-27371	0.9.59-3.al8
libpq	CVE-2022-41862	13.11-1.0.1.al8
librabbitmq	CVE-2023-35789	0.11.0-7.0.1.al8
libreoffice	CVE-2022-26305 CVE-2022-26306 CVE-2022-26307 CVE-2022-3140 CVE-2022-38745 CVE-2023-0950 CVE-2023-1183 CVE-2023-2255 CVE-2023-6185 CVE-2023-6186	7.1.8.1-12.0.1.1.al8.1
libreswan	CVE-2023-2295 CVE-2023-30570 CVE-2023-38710 CVE-2023-38711 CVE-2023-38712	4.12-2.0.2.al8
libsndfile	CVE-2022-33065	1.0.28-13.0.2.al8
libssh	CVE-2023-48795 CVE-2023-6004 CVE-2023-6918	0.9.6-12.al8
libtiff	CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2867 CVE-2022-2868 CVE-2022-2953 CVE-2022-3627 CVE-2022-3970 CVE-2022-48281 CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 CVE-2023-26965 CVE-2023-26966 CVE-2023-2731 CVE-2023-3316 CVE-2023-3576 CVE-2022-40090 CVE-2023-3618 CVE-2023-40745 CVE-2023-41175 CVE-2023-6228	4.4.0-12.0.1.al8
libvirt	CVE-2021-3750 CVE-2023-3019 CVE-2023-3301 CVE-2023-3255 CVE-2023-5088 CVE-2023-6683 CVE-2023-6693 CVE-2024-2494	8.0.0-23.1.0.1.al8
qemu-kvm	CVE-2021-3750 CVE-2023-3019 CVE-2023-3301 CVE-2023-3255 CVE-2023-5088 CVE-2023-6683 CVE-2023-6693 CVE-2024-2494	6.2.0-49.0.1.al8
libX11	CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 CVE-2023-3138	1.7.0-9.al8
libxml2	CVE-2023-39615 CVE-2024-25062	2.9.7-18.0.3.al8
libXpm	CVE-2023-43788 CVE-2023-43789	3.5.13-10.0.1.al8
linux-firmware	CVE-2022-46329 CVE-2023-20569 CVE-2023-20592	20240111-121.gitb3132c18.al8
motif	CVE-2023-43788 CVE-2023-43789	2.3.4-20.al8
openchange	CVE-2022-2127 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968	2.3-32.0.1.al8
opensc	CVE-2023-40660 CVE-2023-40661 CVE-2023-5992 CVE-2023-2977	0.20.0-7.0.1.al8
openssh	CVE-2023-51385	8.0p1-20.0.1.al8
openssl	CVE-2023-3446 CVE-2023-3817 CVE-2023-5678	1.1.1k-12.0.1.al8
pam	CVE-2024-22365	1.3.1-28.al8
pcp	CVE-2024-3019	5.3.7-20.0.1.al8
perl-HTTP-Tiny	CVE-2023-31486	0.074-2.0.1.al8.1
pixman	CVE-2022-44638	0.40.0-6.al8
pmix	CVE-2023-41915	3.2.3-5.al8
poppler	CVE-2020-36024	20.11.0-10.0.2.al8
postgresql-jdbc	CVE-2024-1597	42.2.14-3.al8
procps-ng	CVE-2023-4016	3.3.15-14.0.1.al8
protobuf-c	CVE-2022-48468	1.3.0-7.al8
python-cryptography	CVE-2023-23931	3.2.1-7.al8
python-dns	CVE-2023-29483	1.15.0-12.al8
python-pillow	CVE-2023-50447 CVE-2023-44271	5.1.1-20.al8
python-pip	CVE-2007-4559	9.0.3-23.0.1.al8.1
python3	CVE-2007-4559 CVE-2022-48560 CVE-2022-48564 CVE-2023-27043 CVE-2023-40217 CVE-2023-6597 CVE-2024-0450	3.6.8-62.0.1.2.al8
qt5-qtbase	CVE-2023-33285 CVE-2023-34410 CVE-2023-37369 CVE-2023-38197 CVE-2023-51714 CVE-2024-25580	5.15.3-5.0.3.al8
qt5-qtsvg	CVE-2023-32573	5.15.3-2.al8
rpm	CVE-2021-35937 CVE-2021-35938 CVE-2021-35939	4.14.3-27.0.5.2.al8
samba	CVE-2023-3961 CVE-2023-4091 CVE-2023-42669	4.18.6-3.0.1.1.al8
shadow-utils	CVE-2023-4641	4.6-19.0.1.al8
shim	CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551	15.8-2.0.1.1.al8
sqlite	CVE-2023-7104	3.26.0-19.al8
squashfs-tools	CVE-2021-40153 CVE-2021-41072	4.3-20.1.0.3.al8
sssd	CVE-2023-3758	2.9.4-3.al8
sudo	CVE-2023-28486 CVE-2023-28487 CVE-2023-42465	1.9.5p2-1.0.1.al8
sysstat	CVE-2023-33204	11.7.3-11.0.1.al8
tang	CVE-2023-1672	7-8.al8
tcpdump	CVE-2021-41043	4.9.3-4.0.1.al8
tigervnc	CVE-2023-5380 CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-31080 CVE-2024-31081 CVE-2024-31083	1.13.1-10.0.1.al8
tpm2-tss	CVE-2023-22745	2.3.2-5.0.2.al8
traceroute	CVE-2023-46316	2.1.0-6.2.0.3.al8
unbound	CVE-2024-1488	1.16.2-7.al8
util-linux	CVE-2024-28085	2.32.1-45.0.1.1.al8.1
webkit2gtk3	CVE-2014-1745 CVE-2023-32359 CVE-2023-39928 CVE-2023-40414 CVE-2023-41983 CVE-2023-42852 CVE-2023-42883 CVE-2023-42890 CVE-2024-23206 CVE-2024-23213	2.42.5-1.0.1.al8
wireshark	CVE-2023-0666 CVE-2023-2856 CVE-2023-2858 CVE-2023-2952	2.6.2-17.al8
xorg-x11-server	CVE-2023-1393 CVE-2024-31080 CVE-2024-31081 CVE-2024-31083	1.20.11-16.0.4.al8
xorg-x11-server-Xwayland	CVE-2022-3550 CVE-2022-3551 CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344 CVE-2023-0494 CVE-2023-1393 CVE-2023-5367 CVE-2023-6377 CVE-2023-6478 CVE-2023-6816 CVE-2024-0229 CVE-2024-0408 CVE-2024-0409 CVE-2024-21885 CVE-2024-21886	22.1.9-5.al8
yajl	CVE-2023-33460	2.1.0-12.0.1.al8
zziplib	CVE-2020-18770	0.13.71-11.al8
buildah	CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180 CVE-2024-28176	1.33.7-2.al8
cockpit-podman	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	84.1-1.al8
conmon	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	2.1.10-1.al8
container-selinux	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	2.229.0-2.al8
containernetworking-plugins	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	1.4.0-2.0.1.al8
containers-common	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	1-81.0.1.al8
criu	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	3.18-5.0.1.al8
fuse-overlayfs	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	1.13-1.0.1.al8
podman	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180 CVE-2024-28176	4.9.4-3.0.1.al8
runc	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	1.1.12-1.0.1.al8
slirp4netns	CVE-2022-27191 CVE-2022-2989 CVE-2022-3064 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-25173 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-29400 CVE-2023-29406 CVE-2023-3978 CVE-2024-21626 CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	1.2.3-1.al8
libslirp	CVE-2018-25091 CVE-2021-33198 CVE-2021-34558 CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 CVE-2023-39326 CVE-2023-45287 CVE-2023-45803 CVE-2023-48795 CVE-2024-1753 CVE-2024-23650 CVE-2024-24786 CVE-2024-28180	4.4.0-2.al8

Software package updates

New features

The Elastic Remote Direct Memory Access (eRDMA) feature is supported by the rdma-core component.
The rasdaemon tool can isolate memory corrected errors (CEs).
NGINX supports OpenSSL 3.0.
The aliyun-cli component is updated to version 3.0.210.

Important updates

Kernel updates

The kernel is upgraded to version 5.10.134-17.2.al8.

New features

The Filesystem in Userspace (FUSE) failover feature is supported, which provides kernel-native FUSE fault recovery capabilities to ensure uninterrupted file access.
The dynamic kernel preemption feature is supported. The design of dynamic kernel preemption in the Linux community is backported to allow users to switch the preemption mode by using the bootcmdline parameter or the sysfs interface. The kernel preemption mode can be none or voluntary, except for the full mode.
The perf feature is enhanced to support performance metrics used in the Coherent Mesh Network (CMN) Performance Monitoring Unit (PMU) and DDR PMU.
New Berkeley Packet Filter (BPF) features are added.
- The following BPF helpers are supported:
  - The bpf_for_each_map_elem helper traverses all elements in a BPF map.
  - The bpf_snprintf helper formats strings.
  - The bpf_timer helper triggers the callback function after a specific period of time.
  - The bpf_loop helper allows an unlimited number of loops that can be run, which removes the constraint on the number of loops able to be run.
  - The bpf_strncmp helper compares strings.
  - The bpf_ktime_get_tai_ns helper queries the CLOCK_TAI time.
  - The bpf_skb_load_bytes helper supported by the raw_tp data type can read socket buffer (SKB) data, including nonlinear data, from raw_tp programs.
- The Arm 64 architecture supports the attachments of trampoline-related features such as fentry, fexit, fmod_ret, and bpf_lsm. This improves the tracing, diagnostics, and security capabilities of the architecture.
- BPF trampoline (bpf_trampoline) can coexist with hot fixes.
The following virtio-net features are supported:
- The virtio-net device statistics feature is supported. The kernel can obtain device statistics to improve troubleshooting and issue diagnostics capabilities.
- The queue reset feature is introduced, which allows you to resize the queues on a virtual machine (VM) to reduce packet loss and latency.
- The dynamic interrupt moderation (netdim) feature is used to intelligently adjust interrupt coalescing parameters based on real-time traffic to optimize data reception performance.
- The virtio checksum is optimized. The system can use the virtio checksum to complete verification on virtio network interface controllers (NICs), without the need to re-verify checksums in a guest operating system in specific scenarios, such as Express Data Path (XDP) application scenario. This helps reduce CPU utilization.
The failover feature is supported by the Enhanced Read-Only File System (EROFS) in on-demand load mode.
A semantics issue related to O_DIRECT and O_SYNC in the Ext4 file system is resolved. This issue exists since the iomap framework was introduced. The generic_write_sync() function is called within the iomap framework to record the i_disksize parameter. The iomap_dio_rw() function is called to update the i_disksize parameter, which is later than the generic_write_sync() function. The updated i_disksize value is not recorded. As a result, if an appending write is performed on a file, the written data cannot be read in the event of an unexpected disk power outage.
The eXtensible File System (XFS) file system supports delayed inode invalidation. This feature allows the system to offload reclaim tasks to background threads by adding the tasks to the kworker process. This reduces risks of system stutter due to deletion operations on applications.
The following FUSE-related features are supported:
- Shared memory mapping (mmap) is supported when the cache parameter is set to none.
- The dynamic switch of the strictlimit feature is supported. The strictlimit feature can be configured for the FUSE module, which may cause slow writeback or even stutter in specific scenarios. The issues can be dynamically resolved by using the sysfs knob switch.
The global lock competition in the kernel file system (kernfs) is optimized to reduce the impact of loadD increases due to concurrent access to the monitoring program.
Group identity-related features are supported.
The fine-grained preemptive priority is supported in group identity 2.0.
- The smc_pnet feature is supported when Shared Memory Communications over Remote Direct Memory Access (SMC-R) and eRDMA are used.
- To resolve the kernel crash issue, the reachability check is optimized in the scenario in which Shared Memory Communications (SMC) and eRDMA are used.
The CPU share scale calibration feature is added to group identity 2.0.
The force idled time metric is added to group identity 2.0.
The group identity feature is optimized to more efficiently control loads for the tasks that have different priorities.
The following basic group balancer features are supported:
- In Registry Acceleration File System version 6 (RAFSv6) mode, the zero-length iovec parameter can be passed in.
- In RAFSv6 mode, direct access (DAX) mapping can be reclaimed to prevent issues such as out of memory (OOM) errors and FUSE hangs.
- Kconfig parameters can be configured to allow RAFSv6 only in secure container scenarios.
SMC-related features are supported or optimized.
virtio supports the timeout mechanism of control virtqueues (VQs) to prevent continuous high-load polling of VM CPUs due to unresponsive devices. The default timeout period is seven days.
The slab memory used by the out-of-tree (OOT) module can be isolated, which helps address the memory stomp issue of the OOT module.
The fast OOM feature is added to prevent long-term machine unresponsiveness caused by memory shortage in multi-core and large memory environments. This feature helps business increase the memory deployment density and improves the stability of online business that has high resource usage.
EROFS-related features are supported or optimized.
The XFS file system supports the fsdax, reflink, and dedupe features and is optimized for Tair instances that use Persistent Memory (PMEM) in several aspects, such as the improved continuity of snapshot source files, improved dirty page writeback efficiency, and removal of reverse B-tree mapping dependencies to reduce page fault latency.
The cgroup writeback feature is supported to resolve the issue that memory cgroups are not released for an extended period of time when the lazytime option is enabled. This issue may cause the system to maintain a large number of memory cgroups in a containerized deployment environment for an extended period of time, which may occupy memory and cause issues such as the issue of the high CPU sys ultilization that occurs when the system traverses cgroups.
I/O SLI parameters are added for the blkio subsystem of cgroup v2, including the wait time, service time, complete time, I/O queued, and bytes queued parameters.
In extreme cases, when 2-MB I/O requests are initiated, each bio_vec can contain only one 4-KB page. In kernel 5.10, I/O requests of up to 1 MB per request are supported, and additional processing of data split logics may affect the performance in specific scenarios.
The ABBA deadlock issue is resolved. This issue may occur when threads compete for locks when you configure the blk-iocost QoS feature.
The parameters of the tcmu_loop module become configurable, including can_queue, nr_hw_queues, cmd_per_lun, and sg_tablesize. When the backend device has high capabilities, properly increasing these parameters can significantly improve performance.

Image updates

Operating system images
- The spec_rstack_overflow=off boot parameter is added.
- The kfence.sample_interval=100 and kfence.booting_max=0-2G:0,2G-32G:2M,32G-:32M boot parameters are added.
- The default net.ipv4.tcp_retries2 value is changed to 8.
- The default net.ipv4.tcp_syn_retries value is changed to 4.
- The classic-network Network Time Protocol (NTP) server configurations are removed.
Container images
alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.2104U10

Fixed issues

Kernel issues
- The following issue is fixed: The linked list is polluted when the credits_announce_work element is incorrectly scheduled in the SMC kernel module.
- The following issue is fixed: The perf_cgroup_switch race issue occurs.
- The following issue is fixed: Statistics about the queue other time may be negative in group identity 2.0.
- The following issue is fixed: A cfs_rq runtime statistics issue occurs.
- The following issue is fixed: The return value of cfs_rq->core may be NULL.
- The following issue is fixed: The sound card-related driver (CONFIG_SND) cannot be enabled.
- The following issue is fixed: Kernel Electric-Fence (KFENCE) causes kernel downtime when cgroup kmem statistics collection is enabled.
- The issue related to repairing the Loongson architecture is fixed.
- The following issue is fixed: The compression stability of EROFS is affected.
- The following issue is fixed: The stability of EROFS over FS-Cache is affected.
- The following issue is fixed: SMC-related stability is affected.
- The following issue is fixed: If backing device info (BDI) uses the strictlimit feature and the BDI max_ratio value is 0%, writeback performance is degraded.
- The following issue is fixed: The secure computing (seccomp) memory leaks.
- The following issue is fixed: User operations may cause incorrect counts of ZERO_PAGE references.
- The following issue is fixed: The memory of Target Core Module in Userspace (TCMU) may be recursively reclaimed.
- The following issue is fixed: The kernel crashes when the IO Address Space ID (IOASID) subsystem migrates the threads of the kernel.
- The following issue is fixed: Duplicate I/O statistics are collected when throttling rules are not configured.
- The following issue is fixed: Hardware signals are unexpectedly hung when Phytium Tengyun S2500 processors frequently communicate with specific Baseboard Management Controller (BMC) chips within a short period of time.
- The following issue is fixed: A kernel panic occurs when the group identity feature and the core scheduling feature are enabled.
- The following issue is fixed: The bandwidth control efficiency is low when a large number of CPUs are used, because the Completely Fair Scheduler (CFS) bandwidth is controlled in synchronous mode that is expected to be the asynchronous mode.
- The following issue is fixed: The race condition may exist when the core scheduling algorithm (core sched) is disabled.
- The following issue is fixed: Statistics about idle sibling (sibidle) threads are inaccurate when a large number of interrupt requests (IRQs) are initiated.
- The following issue is fixed: The system stability is low. To resolve the issue, the patch for the most recent version of Non-Volatile Memory Express (NVMe) over Remote Direct Memory Access (RDMA) is backported.
- The following issue is fixed: A deadlock occurs when nvme_reset and nvme_rescan are concurrently executed.
- The following issue is fixed: The kernel crashes due to the use-after-free (UAF) vulnerability that occurs when the active-state power management (ASPM) of the Peripheral Component Interconnect Express (PCIe) driver is used.
- The following issue is fixed: The screen flickers on a device equipped with the Phytium Tengyun S5000C processors and the ASPEED AST2600 graphics card.
- The following issue is fixed: A scheduling deadlock occurs due to the warning message generated by the asynchronous unthrottling feature.
- CVE-2023-52445
- CVE-2023-6817
- CVE-2024-0646
- CVE-2023-20569
- CVE-2023-51042
- CVE-2023-6915
- CVE-2023-6546
- CVE-2022-38096
- CVE-2024-0565
- CVE-2024-26589
- CVE-2024-23307
- CVE-2024-22099
- CVE-2024-24860
- CVE-2024-1086
- CVE-2023-51779
- CVE-2024-26597
- CVE-2024-24855
- CVE-2023-52438
- CVE-2023-4622
- CVE-2023-6932
- CVE-2023-20588
- CVE-2023-5717
- CVE-2023-6931
- CVE-2023-28464
- CVE-2023-39192
- CVE-2023-6176
- CVE-2023-45863
- CVE-2023-5178
- CVE-2023-45871
- CVE-2023-4155
- CVE-2023-20593
- CVE-2023-3567
- CVE-2023-3358
- CVE-2023-0615
- CVE-2023-31083
- CVE-2023-4015
- CVE-2023-42753
- CVE-2023-4623
- CVE-2023-4921
- CVE-2023-2860
- CVE-2023-1206
- CVE-2023-3772
- CVE-2023-42755
- CVE-2023-3863
- CVE-2022-3114
- CVE-2023-31085
- CVE-2023-4132
- CVE-2022-3424
- CVE-2022-3903
- CVE-2022-45887
- CVE-2023-3006
- CVE-2023-42754
- CVE-2023-0160
Image issues
- The following issue is fixed: The names of the debuginfo repository may be different. To resolve this issue, a unified name of the debuginfo repository is used. You can run the dnf debuginfo-install <Package name> command to install the debuginfo package.
- The following issue is fixed: A short active duration of the dnf-makecache service causes impacts of the service on the disks and network. To resolve this issue, the duration is extended from 1 hour to 1 day.
- The following issue is fixed: The configurations of the virtio_blk module are stored in the initial ram file system (initramfs). The virtio_blk module is in the in-tree state in the kernel. Therefore, the configurations of the virtio_blk module are removed from the initramfs.
Software package issues
The following issue is fixed: The dnf command is unavailable due to the dnf-plugin-releasever-adapter issue.

Alibaba Cloud Linux 3.2104 U9.1

Version	Image ID	Release date	Description
Alibaba Cloud Linux 3.2104 U9.1	aliyun_3_x64_20G_alibase_20240528.vhd	2024-05-28	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-16.3.al8.x86_64. Updates: For more information, see the Updates section of this topic.
Alibaba Cloud Linux 3.2104 U9.1	aliyun_3_arm64_20G_alibase_20240528.vhd	2024-05-28	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-16.3.al8.aarch64. Updates: For more information, see the Updates section of this topic.

Updates

Security updates

Software package name	CVE ID	Software package version
kernel	CVE-2024-22099 CVE-2024-24860 CVE-2024-1086 CVE-2023-51779 CVE-2024-26597 CVE-2024-24855 CVE-2023-52438 CVE-2023-4622 CVE-2023-6932 CVE-2023-20588 CVE-2023-5717 CVE-2023-6931 CVE-2023-28464 CVE-2023-39192 CVE-2023-6176 CVE-2023-45863 CVE-2023-5178 CVE-2023-45871	5.10.134-16.3.al8
bind	CVE-2022-3094	9.11.36-11.0.1.al8
buildah	CVE-2023-25173 CVE-2022-41724 CVE-2022-41725 CVE-2023-24537 CVE-2023-24538 CVE-2023-24534 CVE-2023-24536 CVE-2022-41723 CVE-2023-24539 CVE-2023-24540 CVE-2023-29400	1.31.3-1.al8
dnsmasq	CVE-2023-28450	2.79-31.0.1.al8
edk2-20220126gitbb1bba3d77	CVE-2019-14560	6.0.2.al8
frr	CVE-2023-38406 CVE-2023-38407 CVE-2023-47235 CVE-2023-47234	7.5.1-16.0.2.al8
grafana	CVE-2023-3128 CVE-2023-39325 CVE-2023-44487	9.2.10-7.0.1.al8
grafana	CVE-2024-1394	9.2.10-7.0.1.al8
grafana-pcp	CVE-2024-1394	5.1.1-1.0.1.al8
gstreamer1-plugins-bad-free	CVE-2023-44429	1.22.1-2.0.1.al8
tigervnc	CVE-2023-44446	1.13.1-2.al8
unbound	CVE-2023-50387 CVE-2023-50868	1.16.2-6.al8
webkit2gtk3	CVE-2023-42917	2.40.5-1.0.2.al8.1
glibc	CVE-2024-2961	2.32-1.16.al8
python2-setuptools	CVE-2022-40897	39.0.1-13.1.module+al8+9+77049424

Software package updates

Software package name	Version
cloud-init	23.2.2
container-selinux	2.229.0
ethtool	6.6
iproute	6.2.0
iptables	1.8.5
keentuned	2.4.0
keentune-target	2.4.0
rng-tools	6.16
sssd	2.9.1
sudo	1.9.5p2
sysak	2.4.0

Important updates

Kernel updates
- The kernel is updated to version 5.10.134-16.3.al8.
- The smc_pnet feature is supported when SMC-R and eRDMA are used.
- HWDRC is supported to control RDT-based dynamic memory bandwidth. Compared with the predecessor, HWDRC can control resources, such as memory bandwidth and cache, in a more precise manner.
- The group identity feature is optimized to more efficiently control loads for the tasks that have different priorities.
New software package features
- aliyun-cli is updated to version 3.0.204, which can be installed or updated by using a yum or dnf command.
- cloud-init is updated to version 23.2.2 to support access to instance metadata in security hardening mode.
- ethtool is updated to version 6.6 to support the Content Management Interoperability Services (CMIS) standard.
- System Analyse Kit (SysAK) is updated to version 2.4.0. In the new version, the diagnostics feature is optimized, the node monitoring feature is provided, the SysOM observability feature on the node side is optimized, and specific bugs are fixed.
- KeenTune is updated to version 2.4.0.

Image updates

Container images
- alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.9.1
- alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
  Note
  After a new version is released, you can no longer specify the latest parameter to obtain version 3.9.1 of images.
VM images
If the boot mode of an image is UEFI-Preferred, the image can be started in Legacy BIOS or Unified Extensible Firmware Interface (UEFI) boot mode.

Fixed issues

Kernel issues
- The following issue is fixed: The compression stability of EROFS is affected.
- The following issue is fixed: The stability of EROFS over FS-Cache is affected.
- The following issue is fixed: SMC-related stability is affected.
- The following issue is fixed: If BDI uses the strictlimit feature and the BDI max_ratio value is 0%, writeback performance is degraded.
- The following issue is fixed: The secure computing (seccomp) memory leaks.
- The following issue is fixed: User operations may cause incorrect counts of ZERO_PAGE references.
- The following issue is fixed: The memory of TCMU may be recursively reclaimed.
- The following issue is fixed: The kernel crashes when the IOASID subsystem migrates the threads of the kernel.
- The following issue is fixed: Duplicate I/O statistics are collected when throttling rules are not configured.
- The following issue is fixed: Hardware signals are unexpectedly hung out when Phytium Tengyun S2500 processors frequently communicate with specific BMC chips within a short period of time.
- The following issue is fixed: A kernel panic occurs when the group identity feature and the core scheduling feature are enabled.
- The following issue is fixed: The bandwidth control efficiency is low when a large number of CPUs are used, because the CFS bandwidth is controlled in synchronous mode that is expected to be the asynchronous mode.
- The following issue is fixed: The race condition may exist when the core scheduling algorithm is disabled.
- The following issue is fixed: Statistics about idle sibling (sibidle) threads are inaccurate when a large number of IRQs are initiated.
Image issues
The following issue is fixed: The image of an instance does not take effect after a different kernel version is installed on the image and the instance is restarted.

2023

Alibaba Cloud Linux 3.2104 U9

Version	Image ID	Release date	Description
Alibaba Cloud Linux 3.2104 U9	aliyun_3_9_x64_20G_alibase_20231219.vhd	2023-12-19	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-16.1.al8.x86_64. Updates: For more information, see the Updates section of this topic.
	aliyun_3_9_arm64_20G_alibase_20231219.vhd	2023-12-19	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-16.1.al8.aarch64. Updates: For more information, see the Updates section of this topic.
	aliyun_3_9_x64_20G_uefi_alibase_20231219.vhd	2023-12-19	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI)` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-16.1.al8.x86_64. Updates: For more information, see the Updates section of this topic.

Updates

Security updates

Software package name	CVE ID	Software package version
kernel	CVE-2022-3108 CVE-2022-3114 CVE-2022-3424 CVE-2022-36280 CVE-2022-3903 CVE-2022-39188 CVE-2022-41850 CVE-2022-42432 CVE-2022-4379 CVE-2022-4382 CVE-2022-45887 CVE-2023-0045 CVE-2023-0160 CVE-2023-0458 CVE-2023-0459 CVE-2023-0615 CVE-2023-1078 CVE-2023-1206 CVE-2023-1382 CVE-2023-1670 CVE-2023-1829 CVE-2023-1855 CVE-2023-1859 CVE-2023-1989 CVE-2023-1990 CVE-2023-2002 CVE-2023-2006 CVE-2023-20569 CVE-2023-20593 CVE-2023-20928 CVE-2023-20938 CVE-2023-2124 CVE-2023-2156 CVE-2023-2162 CVE-2023-2177 CVE-2023-2194 CVE-2023-22995 CVE-2023-2483 CVE-2023-26607 CVE-2023-28327 CVE-2023-2860 CVE-2023-2985 CVE-2023-3006 CVE-2023-30772 CVE-2023-3090 CVE-2023-31083 CVE-2023-31084 CVE-2023-31085 CVE-2023-3111 CVE-2023-3117 CVE-2023-31248 CVE-2023-3161 CVE-2023-3212 CVE-2023-3220 CVE-2023-32269 CVE-2023-3268 CVE-2023-33288 CVE-2023-3358 CVE-2023-35001 CVE-2023-3567 CVE-2023-35788 CVE-2023-35823 CVE-2023-35824 CVE-2023-35825 CVE-2023-35828 CVE-2023-35829 CVE-2023-3609 CVE-2023-3610 CVE-2023-3611 CVE-2023-3772 CVE-2023-3773 CVE-2023-3776 CVE-2023-3812 CVE-2023-3863 CVE-2023-4004 CVE-2023-4015 CVE-2023-40283 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4155 CVE-2023-42753 CVE-2023-42754 CVE-2023-42755 CVE-2023-4563 CVE-2023-4623 CVE-2023-4921	5.10.134-16.1.al8
java-1.8.0-openjdk	CVE-2022-40433 CVE-2023-22067 CVE-2023-22081	1.8.0.392.b08-4.0.3.al8
java-11-openjdk	CVE-2023-22081	11.0.21.0.9-2.0.3.al8
mariadb	CVE-2022-32081 CVE-2022-32082 CVE-2022-32084 CVE-2022-32089 CVE-2022-32091 CVE-2022-38791 CVE-2022-47015 CVE-2023-5157	10.5.22-1.0.1.al8
open-vm-tools	CVE-2023-34058 CVE-2023-34059	12.2.5-3.al8.1
bind	CVE-2023-3341	9.11.36-8.al8.2
dmidecode-doc	CVE-2023-30630	3.3-5.0.2.al8
frr	CVE-2023-38802	7.5.1-8.0.1.al8
ghostscript	CVE-2023-28879 CVE-2023-38559 CVE-2023-4042 CVE-2023-43115	9.54.0-14.al8
glibc	CVE-2023-4911	2.32-1.12.al8
grafana	CVE-2023-39325 CVE-2023-44487	7.5.15-5.0.1
libvpx	CVE-2023-44488 CVE-2023-5217	1.7.0-10.0.1.al8
linux-firmware	CVE-2023-20593	20230404-117.git2e92a49f.al8
ncurses	CVE-2023-29491	6.1-10.20180224.0.1.al8
nghttp2	CVE-2023-44487	1.33.0-4.0.1.al8.1
qemu-kvm seabios	CVE-2022-40284 CVE-2023-3354	6.2.0-33.0.2.al8 1.16.0-4.al8
tracker-miners	CVE-2023-5557	3.1.2-4.0.1.al8

Software package updates

Software package name	Version
ca-certificates	2023.2.60_v7.0.306
firewalld	0.9.11
java-1.8.0-openjdk	1.8.0.392.b08
java-11-openjdk	11.0.21.0.9
libbpf	0.6.0
lz4	1.9.4
mariadb	10.5.22
nmstate	2.2.15
nspr	4.35.0
nss	3.90.0
open-vm-tools	12.2.5
openscap	1.3.8
scap-security-guide	0.1.69
sos	4.6.0
xz	5.4.4

Important updates

Kernel updates

New features
- Core scheduling is supported.
  The core scheduling security feature that is released by the upstream community is backported. This feature allows trusted processes only in the same group to run on the hyper threads of the same physical core. This feature is incompatible with the group identity feature. Do not enable the features at the same time. By default, this feature is disabled. To enable this feature, run the sysctl -w kernel.sched_core=1 command.
- The extended Berkeley Packet Filter (eBPF) trampoline feature is supported on the Arm 64-bit architecture.
  The eBPF trampoline feature is backported on the Arm 64-bit architecture to support the BPF struct_ops feature. The BPF fentry series features are unavailable because they are not backported on the Arm 64-bit architecture.
- The Multi-Generational Least Recently Used (MGLRU) feature is supported.
  The MGLRU feature supports memory page reclaim with improved performance. This way, the speed and accuracy of memory reclaim in big data scenarios are increased, and E2E performance is improved.
- Batch translation lookaside buffer (TLB) flushing is supported.
  The batch migration feature uses batch TLB flushing and page copying during memory page migration to improve the performance of kernel page migration operations.
  The current batch migration feature is a refactored version that is optimized from the previous version in the kernel based on the upstream code. Main changes: The batch_migrate parameter is removed from cmdline, the /sys/kernel/mm/migrate/batch_migrate_enabled interface is removed, and batch migration becomes the default configuration used during page migration.
  The /sys/kernel/mm/migrate/dma_migration_min_pages interface is added. Default value: 32. This interface applies only to scenarios where the Direct Memory Access (DMA) page copy feature is enabled. The DMA page copy feature is used only when the /sys/kernel/mm/migrate/dma_migrate_enabled parameter is set to enabled and the number of migrate pages reaches the /sys/kernel/mm/migrate/dma_migration_min_pages value.
- The cachestat feature is backported.
  The cachestat system call is introduced in the kernel. This allows you to view detailed page cache statistics about a specific file.
- Arm 64 kernel-mode Reliability, Availability, and Serviceability (RAS) events are enhanced.
  The abilities of recovering from RAS errors in different scenarios are supported, such as copy_{from/to}_user, {get/put}_user, copy-on-write (COW), and pagecache read.
- The in-house Shared Memory Communication-Direct Memory Access (SMC-D) loopback feature is supported.
  The SMC-D loopback feature is introduced to accelerate TCP communication between local processes and between containers.
- The in-house page table binding feature is supported and provides cross-die statistics on page tables.
  The ability of binding page tables to cores is provided to allocate the page tables of QoS-sensitive services to the current Non-Uniform Memory Access (NUMA) node as much as possible when the memory is insufficient. This feature helps reduce the memory access latency and implement more efficient memory access.
- The in-house duptext feature is enhanced.
  An asynchronous task can be used to make another attempt if multiple copies of the code do not take effect on process startup. The memory.duptext_nodes kernel interface is added to limit the duptext memory allocation nodes.
- The in-house KFENCE enhancements are added.
  - The in-house KFENCE enhancement feature is added on the Arm 64-bit architecture. This feature can flexibly and dynamically enable or disable KFENCE to fully capture memory pollution problems. This facilitates online detection and offline debugging.
  - The immediate downtime feature is added to trigger downtime as soon as a memory issue is detected, to help developers better analyze problems in a debugging environment. You can enable this feature by specifying the boot cmdline "kfence.fault=panic" or echo panic > /sys/module/kfence/parameters/fault parameter. The default value is report, which indicates that the system only displays logs without downtime.
- The in-house control interface is provided for memcg Transparent Huge Pages (THPs).
  The memcg THP control interface is used to prohibit the application of a specific memcg THP.
- The in-house Assess CPU (ACPU) is supported.
  The ACPU can count the peer HT idle time of a task during the runtime and provide per-cgroup statistics, which can be used to evaluate the hardware resource competition on shared CPUs during the task runtime.
- The in-house HT-aware-quota feature is supported.
  The computing power stabilization solution based on CFS bandwidth control and core scheduling can calibrate quotas by checking whether the HT peer is idle in hybrid deployment scenarios. This way, tasks can obtain relatively stable computing power in each scheduling cycle. The solution is suitable for compute-intensive tasks.
- In-house group identity 2.0 is supported.
  The SCHED_IDLE feature is provided for cgroups. You can set the cpu.idle property of a cgroup to use the SCHED_IDLE scheduling policy for the cgroup. This feature is suitable for batch management of offline tasks.
Behavior changes
- The module signature feature is added.
  Signatures are added to kernel modules to help developers identify and reject unsigned kernel modules.
- By default, mitigations for the Spectre-BHB and Variant 4 vulnerabilities are disabled on the Arm 64-bit architecture.
  The Spectre-BHB and Variant 4 vulnerabilities are fixed when you fix the Spectre V2 vulnerability, disable the unprivileged eBPF or Site Isolation technology, or disable the SharedArrayBuffer object. You do not need to separately fix the Spectre-BHB and Variant 4 vulnerabilities. By default, on the Arm 64-bit architecture, the nospectre_bhb ssbd=force-off parameter is added to cmdline to disable mitigations for the Spectre-BHB and Variant4 vulnerabilities to improve performance.
- Trust Domain Extensions (TDX) guest-related configurations are added to support TDX confidential VM scenarios.

New software package features

Provision of erofs-utils-1.7.1 by using software repositories
The erofs-utils tool is used to create, check, and compress EROFS. This tool supports compression algorithms such as LZ4, Lempel–Ziv–Markov chain algorithm (LZMA), and DEFLATE, and supports tar-to-erofs format conversion.
Provision of stress-ng-0.15.00 by using software repositories
Provision of alibaba-cloud-compiler-13.0.1.4 by using software repositories
Alibaba Cloud Compiler is a C/C++ compiler developed by Alibaba Cloud based on the open source version from the Clang/LLVM-13 community. Alibaba Cloud Compiler inherits all options and parameters supported in the open source version. In addition, Alibaba Cloud Compiler is deeply optimized based on the Alibaba Cloud infrastructure and provides unique features and optimizations to make the C/C++ compiler better for Alibaba Cloud users.
glibc is patched to support GB18030-2022 coding.
Dragonwell17 is updated to 17.0.9.0.10.9. In the just-in-time compilation (JIT) compiler, inlining performance is improved, and the judgment logic of inline based on the number of absolute calls is removed.
Dragonwell8 is updated to 8.15.16.372. Multiple coroutines can wait for the read and write events of the same socket, and bugs in the okhttp scenario are fixed.
Provision of plugsched-1.3 by using software repositories
Plugsched is an SDK that supports the live update of the Linux kernel scheduler. Plugsched is intended for kernel scheduler developers. You can install plugsched to develop scheduler modules.
Sysak is updated to 2.2.0. The application observation feature is added to support the metric observation and diagnostics of MySQL and Java applications. The metrics related to container monitoring and cluster monitoring are added. The local monitoring feature is added.
Keentune is updated to version 2.3.0. x264/265-related scripts are updated to support the latest FFmpeg. The issue of binding errors of Transmit Packet Steering (XPS) and Receive Packet Steering (RPS) is fixed. The default eRDMA settings in the profile are updated.
The software chain of the Intel QuickAssist (QAT), Dynamic Load Balancer (DLB), and In-Memory Analytics Accelerator (IAA) is updated. The QAT driver bug is fixed. The DLB driver is upgraded. User-mode bugfixes are added in QAT and IAA. The centralized memory management solution for user-mode DMA of accelerators across architectures is added.
Shared Memory Communications (SMC) tools are updated. The smc-ebpf command is added to control the effective range of smc_run based on the port granularity. The control mode supports blacklists, whitelists, and intelligent scheduling.

Fixed issues

The following issue is fixed: If RPM packages such as kernel-modules-extra and kernel-modules-internal are not automatically installed when the kernel is updated, the netfilter-related features are unavailable.
The following issue is fixed: The /proc/sys/kernel/sched_group_identity_enabled interface sometimes fails to shut down because the group identity reference count is incorrect during cgroup creation or deletion.

Image updates

Container images
- alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.9
- alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
  Note
  After a new version is released, you can no longer specify the latest parameter to obtain version 3.9 of images.
VM images
- By default, the rpmdb format is switched to the sqlite format.
- By default, the KeenTune service is installed and disabled.
- By default, the NFS-server service is disabled.

Known issues

The kdump service may fail to work as expected on ecs.g6r.large instances due to the memory size. You can adjust the crash parameters such as 0M-2G:0M,2G-128G:256M, and 128G-:384M to prevent the kdump service failure.
In Network File System Version 3 (NFSv3) file systems, the S permission can be added to files. In special cases, after the owner of a file is changed, the S permission of the belonging group is missing.
The fix for this issue is 2d8ae8c417 ("db nfsd: use vfs setgid helper"). However, the code of the auxiliary function and kernel version 5.10 required for the fix have changed greatly. This issue is not fixed.
After you replace TCP with SMC, the netperf test may exit unexpectedly.
SMC uses a fixed-size ring buffer, and the remaining space in the ring buffer may be less than the amount of data specified by send() during the sending process. In this case, SMC returns the number of bytes that can be sent, which is generally less than the user-specified amount in send(). This behavior is considered abnormal and the netperf test exits. The upstream maintainers recommend maintaining the existing design to prevent the connection stalled issue. This issue is not fixed.

Alibaba Cloud Linux 3.2104 U8

Version	Image ID	Release date	Description
Alibaba Cloud Linux 3.2104 U8	aliyun_3_arm64_20G_alibase_20230731.vhd	2023-07-31	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-15.al8.aarch64. Updates: For more information, see the Updates section of this topic.
	aliyun_3_x64_20G_alibase_20230727.vhd	2023-07-27	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-15.al8.x86_64. Updates: For more information, see the Updates section of this topic.
	aliyun_3_x64_20G_qboot_alibase_20230727.vhd	2023-07-27	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start)` image is released. This image is derived from the aliyun_3_x64_20G_alibase_20230727.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image. The kernel is updated to version 5.10.134-15.al8.x86_64.
	aliyun_3_x64_20G_uefi_alibase_20230727.vhd	2023-07-27	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI)` image is updated to include the latest software versions. This image is derived from the aliyun_3_x64_20G_alibase_20230727.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image. The boot mode is changed to UEFI, and only the UEFI mode is supported. The kernel is updated to version 5.10.134-15.al8.x86_64.

Updates

Security updates

Software package name	CVE ID	Software package version
ctags	CVE-2022-4515	5.8-23.0.1.al8
gssntlmssp	CVE-2023-25563 CVE-2023-25564 CVE-2023-25565 CVE-2023-25566 CVE-2023-25567	1.2.0-1.0.1.al8
libtar	CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646	1.2.20-17.0.1.al8
device-mapper-multipath	CVE-2022-41973	0.8.4-37.0.1.al8
postgresql-jdbc	CVE-2022-41946	42.2.14-2.al8
freerdp	CVE-2022-39282 CVE-2022-39283 CVE-2022-39316 CVE-2022-39317 CVE-2022-39318 CVE-2022-39319 CVE-2022-39320 CVE-2022-39347 CVE-2022-41877	2.2.0-10.0.1.al8
tigervnc	CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344	1.12.0-15.al8
xorg-x11-server	CVE-2022-3550 CVE-2022-3551 CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344 CVE-2023-0494	1.20.11-15.0.1.al8
poppler	CVE-2022-38784	20.11.0-6.0.1.al8
wayland	CVE-2021-3782	1.21.0-1.al8
net-snmp	CVE-2022-44792 CVE-2022-44793	5.8-27.0.1.al8
dhcp	CVE-2022-2928 CVE-2022-2929	4.3.6-49.0.1.al8
python-mako	CVE-2022-40023	1.0.6-14.al8
curl	CVE-2023-27535	7.61.1-30.0.2.al8.2
go-toolset golang	CVE-2023-29402 CVE-2023-29403 CVE-2023-29404 CVE-2023-29405	1.19.10-1.al8 1.19.10-1.0.1.al8
dnsmasq	CVE-2023-28450	2.79-27.al8
qt5	CVE-2022-25255	5.15.3-1.0.1.al8
autotrace	CVE-2022-32323	0.31.1-55.al8
bind	CVE-2023-2828	9.11.36-8.al8.1
libnbd libtpms libvirt nbdkit qemu-kvm supermin virt-v2v	CVE-2021-46790 CVE-2022-3165 CVE-2022-30784 CVE-2022-30786 CVE-2022-30788 CVE-2022-30789 CVE-2023-1018	libnbd-1.6.0-5.0.1.al8 libtpms-0.9.1-2.20211126git1ff6fe1f43.al8 libvirt-8.0.0-20.al8 nbdkit-1.24.0-5.al8 qemu-kvm-6.2.0-32.0.1.al8 supermin-5.2.1-2.0.2.al8 virt-v2v-1.42.0-22.al8
mysql	CVE-2022-21594 CVE-2022-21599 CVE-2022-21604 CVE-2022-21608 CVE-2022-21611 CVE-2022-21617 CVE-2022-21625 CVE-2022-21632 CVE-2022-21633 CVE-2022-21637 CVE-2022-21640 CVE-2022-39400 CVE-2022-39408 CVE-2022-39410 CVE-2023-21836 CVE-2023-21863 CVE-2023-21864 CVE-2023-21865 CVE-2023-21867 CVE-2023-21868 CVE-2023-21869 CVE-2023-21870 CVE-2023-21871 CVE-2023-21873 CVE-2023-21874 CVE-2023-21875 CVE-2023-21876 CVE-2023-21877 CVE-2023-21878 CVE-2023-21879 CVE-2023-21880 CVE-2023-21881 CVE-2023-21882 CVE-2023-21883 CVE-2023-21887 CVE-2023-21912 CVE-2023-21917	8.0.32-1.0.2.al8
ruby	CVE-2021-33621 CVE-2023-28755 CVE-2023-28756	2.7.8-139.0.1.al8
kernel	CVE-2021-33061 CVE-2021-3759 CVE-2022-3606 CVE-2022-36280 CVE-2022-3707 CVE-2022-39188 CVE-2022-4095 CVE-2022-41849 CVE-2022-42432 CVE-2022-4379 CVE-2022-4382 CVE-2022-4662 CVE-2022-4744 CVE-2022-47521 CVE-2022-47929 CVE-2023-0045 CVE-2023-0386 CVE-2023-0458 CVE-2023-0459 CVE-2023-0461 CVE-2023-0590 CVE-2023-0597 CVE-2023-1073 CVE-2023-1074 CVE-2023-1075 CVE-2023-1076 CVE-2023-1077 CVE-2023-1078 CVE-2023-1079 CVE-2023-1095 CVE-2023-1118 CVE-2023-1281 CVE-2023-1380 CVE-2023-1382 CVE-2023-1611 CVE-2023-1670 CVE-2023-1829 CVE-2023-1855 CVE-2023-1859 CVE-2023-1989 CVE-2023-1990 CVE-2023-2002 CVE-2023-20928 CVE-2023-20938 CVE-2023-2124 CVE-2023-2162 CVE-2023-2177 CVE-2023-2194 CVE-2023-2269 CVE-2023-22995 CVE-2023-23000 CVE-2023-23004 CVE-2023-2483 CVE-2023-25012 CVE-2023-26545 CVE-2023-26607 CVE-2023-28327 CVE-2023-28466 CVE-2023-2985 CVE-2023-30456 CVE-2023-30772 CVE-2023-3117 CVE-2023-31248 CVE-2023-31436 CVE-2023-3220 CVE-2023-32233 CVE-2023-32269 CVE-2023-3268 CVE-2023-33288 CVE-2023-35001 CVE-2023-35788 CVE-2023-35825	5.10.134-15.al8
webkit2gtk3	CVE-2023-32435 CVE-2023-32439	2.38.5-1.0.1.al8.5
libssh	CVE-2023-1667 CVE-2023-2283	0.9.6-7.al8
libssh	CVE-2023-1667 CVE-2023-2283	0.9.6-7.al8
open-vm-tools	CVE-2023-20867	12.1.5-2.al8
grafana	CVE-2022-2880 CVE-2022-27664 CVE-2022-39229 CVE-2022-41715	7.5.15-4.0.2.al8
grafana-pcp	CVE-2022-27664	3.2.0-3.0.1.al8
frr	CVE-2022-37032	7.5.1-7.0.1.al8
sqlite	CVE-2020-24736	3.26.0-18.al8
git-lfs	CVE-2022-2880 CVE-2022-41715 CVE-2022-41717	3.2.0-2.0.1.al8
sysstat	CVE-2022-39377	11.7.3-9.0.1.al8
python3	CVE-2023-24329	3.6.8-51.0.1.al8.1
c-ares	CVE-2023-32067	1.13.0-6.al8.2
cups-filters	CVE-2023-24805	1.20.0-29.0.1.al8.2
webkit2gtk3	CVE-2023-28204 CVE-2023-32373	2.38.5-1.0.1.al8.4
delve go-toolset golang	CVE-2023-24540	delve-1.9.1-1.0.1.al8 go-toolset-1.19.9-1.al8 golang-1.19.9-1.0.1.al8
kernel	CVE-2022-47929 CVE-2023-0386 CVE-2023-1075 CVE-2023-1380 CVE-2023-26545 CVE-2023-28466 CVE-2023-30456 CVE-2023-32233	5.10.134-14.1.al8
git	CVE-2023-22490 CVE-2023-23946 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007	2.39.3-1.1.al8
apr-util	CVE-2022-25147	1.6.1-6.2.al8.1
webkit2gtk3	CVE-2023-2203	2.38.5-1.0.1.al8.3
edk2	CVE-2022-4304 CVE-2022-4450 CVE-2023-0215 CVE-2023-0286	20220126gitbb1bba3d77-4.al8
mingw-expat	CVE-2022-40674	2.4.8-2.al8

Software package updates

Software package name	Version
at	at-3.1.20-12.0.1.al8
audit	audit-3.0.7-2.0.1.al8.2
authselect	authselect-1.2.6-1.al8
bind	bind-9.11.36-8.al8.1
checkpolicy	checkpolicy-2.9-1.2.al8
cloud-utils-growpart	cloud-utils-growpart-0.33-0.0.1.al8
container-selinux	container-selinux-2.189.0-1.al8
coreutils	coreutils-8.30-13.al8
crypto-policies	crypto-policies-20221215-1.gitece0092.al8
cups	cups-2.2.6-51.0.1.al8
dbus	dbus-1.12.8-24.0.1.al8
ding-libs	ding-libs-0.6.1-40.al8
dnf	dnf-4.7.0-16.0.1.al8
dnf-plugins-core	dnf-plugins-core-4.0.21-14.1.al8
dracut	dracut-049-223.git20230119.al8
elfutils	elfutils-0.188-3.0.1.al8
emacs	emacs-27.2-8.0.3.al8.1
expat	expat-2.2.5-11.al8
file	file-5.33-24.al8
freetype	freetype-2.10.4-9.al8
fuse	fuse-2.9.7-16.al8
gmp	gmp-6.2.0-10.0.1.al8
gnupg2	gnupg2-2.2.20-3.al8
graphite2	graphite2-1.3.10-10.2.al8
grub2	grub2-2.02-148.0.1.al8
harfbuzz	harfbuzz-1.7.5-3.2.al8
hwdata	hwdata-0.314-8.16.al8
iproute	iproute-5.18.0-1.al8
iptables	iptables-1.8.4-24.0.1.al8
kernel	kernel-5.10.134-15.al8
kernel-hotfix-13383560-5.10.134-15	kernel-hotfix-13383560-5.10.134-15-1.0-20230724161633.al8
kexec-tools	kexec-tools-2.0.25-5.0.1.al8
kmod	kmod-25-19.0.2.al8
kpatch	kpatch-0.9.7-2.0.1.al8
libarchive	libarchive-3.5.3-4.al8
libffi	libffi-3.1-24.0.1.al8
libteam	libteam-1.31-4.0.1.al8
libuser	libuser-0.62-25.0.1.al8
libxml2	libxml2-2.9.7-16.0.1.al8
linux-firmware	linux-firmware-20230404-114.git2e92a49f.al8
logrotate	logrotate-3.14.0-6.0.1.al8
NetworkManager	NetworkManager-1.40.16-1.0.1.al8
nfs-utils	nfs-utils-2.3.3-59.0.2.al8
nftables	nftables-0.9.3-26.al8
oddjob	oddjob-0.34.7-3.0.1.al8
openssh	openssh-8.0p1-17.0.2.al8
openssl-pkcs11	openssl-pkcs11-0.4.10-3.0.1.al8
pam	pam-1.3.1-25.0.1.al8
pciutils	pciutils-3.7.0-3.0.1.al8
python-linux-procfs	python-linux-procfs-0.7.1-1.al8
python-rpm-generators	python-rpm-generators-5-8.al8
python-slip	python-slip-0.6.4-13.al8
rng-tools	rng-tools-6.15-3.0.1.al8
rpcbind	rpcbind-1.2.5-10.0.1.al8
rpm	rpm-4.14.3-26.0.1.al8
rsyslog	rsyslog-8.2102.0-13.al8
selinux-policy	selinux-policy-3.14.3-117.0.1.al8
setools	setools-4.3.0-3.al8
setup	setup-2.12.2-9.0.1.al8
sg3_utils	sg3_utils-1.44-6.0.1.al8
shared-mime-info	shared-mime-info-2.1-5.0.1.al8
sssd	sssd-2.8.2-2.0.1.al8
tpm2-tss	tpm2-tss-2.3.2-4.0.2.al8
unbound	unbound-1.16.2-5.al8
util-linux	util-linux-2.32.1-42.0.1.al8
virt-what	virt-what-1.25-3.al8
wget	wget-1.19.5-11.0.1.al8
which	which-2.21-18.0.1.al8
xfsprogs	xfsprogs-5.0.0-10.0.6.al8

Important updates

Kernel updates
- Community tracking
  - Devlink supports subfunction management.
    A subfunction is a lightweight function that is deployed on a parent Peripheral Component Interconnect (PCI) function. Compared with a PCI Express (PCIe) Virtual Function (VF), a subfunction is more lightweight and shares resources with its parent PCI function. A subfunction provides all networking-related resources, such as transmit queues, receive queues, and completion queues. A subfunction serves as a complete NIC in Linux. This update allows you to use devlink to manage subfunctions on NICs. You can use devlink together with drivers to create, destroy, or query subfunctions on NICs.
  - IO_uring NVMe passthrough is supported.
    In access to storage devices, the overheads of a complex storage stack have a significant impact on latency and IOPS. As storage devices become faster, the proportion of overheads that are introduced by the software stack increases. When you access NVMe disks, you must traverse through multiple abstraction layers, including file system, block layer, and NVMe driver. This update backports the io_uring uring_cmd feature, which was introduced in mainline Linux kernel 5.19. The feature passes the actual file operations to the kernel by using io_uring. This way, the operations are not parsed at the io_uring layer and are sent directly to the NVMe driver layer, bypassing the file system layer and block layer. Additionally, to support this feature, io_uring is introduced to support CQE32 and NVMe character device creation.
  - Fine-grained permissions control is supported for NVMe and Small Computer System Interface (SCSI) persistent reservations.
    Before the update, performing persistent reservations required the CAP_SYS_ADMIN permission, which prevented the use of persistent reservations in specific non-privileged scenarios, such as containers. After the update, persistent reservations can be performed by non-privileged processes that have write permissions on block storage devices but do not have the CAP_SYS_ADMIN permission. This allows persistent reservations to be used in more scenarios.
  - The IOPS throttling of large I/O block sizes is optimized.
    In Linux kernel 5.10, IOPS throttling may not work as expected in scenarios that involve large I/O block sizes such as 1 MB. This is primarily due to the mishandling of split large I/O block sizes initiated by IOPS throttling of block throttle. This phenomenon is more apparent in I/O buffering scenarios where buffers are first stored in page caches and then written back. In these scenarios, large I/O block sizes are often generated. This issue is optimized in mainline kernel 5.18. This update optimizes the IOPS throttling of large I/O block sizes by using backported patches from the mainline kernel and fixes the vulnerability of repeatedly calculating bits per second (BPS).
  - Hash BPF maps are backported from the community for the lookup_and_delete_elem operation, and bloom filter maps are supported.
    - Before the update, the lookup_and_delete_elem operation supports only queue and stack maps. After the update, hash maps are also supported.
    - Bloom filter maps are supported to help you efficiently find sets.
  - The CPU and memory hot-swapping feature for QEMU Arm 64 that is used as the VM guest operating system.
    - The vCPU quantity can be hot-updated in the guest OS by running the virsh setvcpus command.
    - By default, the CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE configuration is enabled to prevent the memhp_default_online_type configuration from being set to offline. This way, hot-plugged memory is automatically available for use, eliminating hot-plugging failures caused by insufficient memory that results from creating page descriptors.
  - The Hardware P-State (HWP) IO boost feature is supported for all Intel chips.
    The HWP IO boost technology enhances I/O performance. In the previous kernel versions, HWP IO boost was enabled only for specific Skylake platforms and enterprise servers. This patch removes the CPU type check to enable HWP IO boost for all CPUs by default.
  - The HugeTLB Vmemmap Optimization (HVO) feature is backported from the community.
    The HVO technique reduces the vmemmap space occupied by large pages. Specifically, this technique maps all virtual addresses of a struct page for a large page in vmemmap to the same physical address to release the physical memory occupied by the struct page.
  - The memcg Least Recently Used (LRU) lock feature is backported.
    In scenarios that require a global LRU lock, this feature replaces the global LRU lock with locks that are specific to the memcg where the involved pages reside. These scenarios include page movement, memcg movement, and swap-in and swap-out scenarios. This update reduces contention caused by the global LRU lock and improves performance by 50% in scenarios where multiple memcgs are involved.
  - Linux kernels can run on Intel TDX guests.
    Linux kernels can run on Intel TDX guests to provide various features, such as memory encryption, memory integrity protection, CPU register protection, and remote attestation of the trusted environment.
  - PMU capabilities are enabled on Emerald Rapids (EMR) platforms.
    - EMR CPU IDs are added to PMU drivers to enable PMU capabilities on EMR platforms.
    - The Array Built-in-Self-Test (BIST) support is added to In Field Scan (IFS). IFS is a feature that runs circuit-level tests on each CPU core to detect issues that are not caught by error correction code (ECC) checks.
- In-house features
  - SMC-R can help TCP network applications transparently use RDMA to obtain network communication services with high bandwidth and low latency.
    SMC is a high-performance kernel network stack that is contributed by IBM to the upstream Linux. SMC-R can help TCP network applications transparently use RDMA to obtain network communication services with high bandwidth and low latency. ANCK fixes a large number of stability issues based on the upstream foundation, supports the default use of SMCv2 and SMCv2.1 protocol negotiation, and incorporates features such as max_link, max_conn, and Alibaba Vendor ID. It optimizes the number of link connections, supports Receive Queue (RQ) throttling, and supports the RDMA Write With Immediate operation. ANCK has added various diagnostic information, supports the use of the SMC protocol stack by using the PF_INET protocol family, and supports transparent replacement by using BPF.
  - The cache consistency in FUSE is enhanced, and a data collection interface is added.
    - A debugging interface is added to sysfs to display all requests that are sent to the userspace daemon and wait to be processed in a specific FUSE file system.
    - A data collection interface is added to sysfs to count and display the number and processing time of various requests for a specific FUSE file system.
    - Cache consistency in cache (cache=always|auto) mode is enhanced to apply to distributed file system backends that rely on strong consistency, such as NFS.
      1. A userspace daemon can notify the FUSE client to invalidate all directory entries (dentries) within a directory.
      2. The Close-To-Open (CTO) cache consistency model is implemented. The model implements flush-on-close and invalidate-on-open semantics on both data and metadata.
      3. The cache consistency model is enhanced in FUSE failover mode.
  - TAR files can be directly mounted in EROFS, and non-compressed 4k-block EROFS images can be mounted on the Arm 64-bit architecture that uses 16K or 64K pages.
    - Non-compressed 4k-block EROFS images can be mounted on the Arm 64-bit architecture that uses 16K or 64K pages.
    - TAR files can be used as data sources. You can use EROFS metadata to mount and access the data in the TAR files.
  - Cross-namespace propagation of FUSE mount points is supported.
    FUSE mount points can be propagated from non-privileged sidecar containers to application containers, providing a solution for FUSE-based remote storage in cloud-native scenarios.
  - Memory bloat issues that are caused by THP are fixed.
    THP enhances performance but may lead to memory bloat issues. Memory bloat can trigger OOM errors. For example, if an application that requests 8 KiB of memory (two 4-KiB pages) is assigned a THP, the THP consists of two 4-KiB pages that the application requests and 510 4-KiB pages that are filled with zeros, known as zero pages. As a result, OOM errors may occur due to the increase of Resident Set Size (RSS) memory usage.
    THP zero subpages reclaim (ZSR) is proposed to fix memory bloat issues. THP ZSR is a mechanism that splits THPs into subpages and reclaims zero subpages to prevent OOM errors that are caused by memory bloat.
System configuration updates
- The value of tcp_max_tw_buckets is reset to 5000.
- The default character set for mounting VFAT file systems is reset to ISO-8859-1.
Software package feature updates
- By default, aliyun_cli is integrated.
- By default, container-selinux is integrated.
- The anolis-epao-release package is added. Alibaba Cloud Linux 3 can access packages from the Anolis OS epao repository to install AI and other applications.

Fixed issues

The issue that rngd.service failed to start in Alibaba Cloud Linux 3 64-bit for Arm images is fixed.
The bugfix is backported from the mainline kernel to address a memory leak issue that arises in a cgroup when a process fails to fork.
An overlayfs permission issue is fixed. If all upper directories and lower directories are located in the same file system and files or directories on which the read permissions are not granted in the file system are accessed, ovl_override_creds() cannot be executed as expected due to logic errors from previous overlayfs performance optimizations. The actual execute permissions are not elevated to the credential of the mounter, and a permission lack error is reported when read permissions are required to perform copy up operations.
FUSE bugfixes are backported from the mainline kernel, improving FUSE stability.
Multiple ext4 bugfixes of the bigalloc feature are backported from the kernel community, significantly optimizing real-time scale-outs in these scenarios.
Potential data consistency issues that arise when CONT-PTE or CONT-PMD is backported from the kernel community are fixed.
The issue that specific AMD instances cannot use resctrl is fixed.
The stability issue of the IAX hardware compression and decompression accelerator is fixed.
The cyclic redundancy check (CRC) failure in the IAX hardware compression and decompression accelerator is fixed.
Memory thrashing issues that are caused by the improper use of the swap_info_struct lock in high-concurrency swapon and swapoff scenarios are fixed. This bugfix is integrated into the kernel community.
The issue that the self-developed zombie memcg reaper feature does not take effect in one-shot mode is fixed.
Potential stability issues that occur on YiTian 710 instances when Memory System Resource Partitioning and Monitoring (MPAM) is used are fixed.

Image updates

Container images
- alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.8
- alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
  Note
  After a new version is released, you can no longer specify the latest parameter to obtain version 3.8 of images.
VM images

Known issues

In extreme scenarios, performance may decrease in ANCK 5.10-015 due to the synchronization of a wake-up scheduling optimization to the upstream community. This issue occurs only in benchmarking scenarios that involve high loads and does not affect your normal use.

Alibaba Cloud Linux 3.2104 U7

Version	Image ID	Release date	Description
Alibaba Cloud Linux 3.2104 U7	aliyun_3_x64_20G_alibase_20230516.vhd	2023-05-16	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-14.al8.x86_64. Updates: For more information, see the Updates section of this topic.
Alibaba Cloud Linux 3.2104 U7	aliyun_3_arm64_20G_alibase_20230515.vhd	2023-05-15	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-14.al8.aarch64. Updates: For more information, see the Updates section of this topic.

Updates

Kernel bugs and critical common vulnerabilities and exposures (CVEs) are fixed.
The multi-pcp feature is supported to bypass the lock of the buddy system and improve packet reception performance.
The multi-pcp feature reserves memory pages that have orders greater than 0 in per-core memory pools. This eliminates the need to allocate high-order memory pages by using the zone buddy system. This also bypasses the lock of the buddy system and improves packet reception performance.
The IAA driver is supported to enhance compression and decompression performance.
IAA is a hardware accelerator that provides primitive analytic features and high-throughput compression and decompression capabilities. The driver code comes from Intel code repositories and is optimized to ensure compatibility with the ANCK kernel. Bugs are fixed.
Silent data corruption that is caused by truncated page cache is fixed for the shmem and hugetlb file systems.
Before the update, poisoned shmem and hugetlb pages are removed from the page cache. Subsequent access to the offset in the file results in a new zero-filled page, which causes silent data corruption. After the update, silent data corruption that is caused by poisoned pages is fixed in the shmem, tmpfs, and hugetlb file systems.
The CoreSight Embedded Trace Extension (ETE) driver is added, and tools under tools/perf are supported.
The signal handling mechanism of the Kernel-based Virtual Machine (KVM) module for the Arm 64-bit architecture is enhanced to fix failures that occur in RAS scenarios.
Before the update, if the TIF_NOTIFY_RESUME flag is not handled before the CPU enters the guest mode, failures occur due to exceptions that are triggered by frequent RAS events. To address this issue, the full generic entry infrastructure is supported on the Arm 64-bit architecture to handle pending tasks.
The CMN and Direct Rendering Manager (DRM) drivers of the Linux community and debugfs are supported, and vulnerabilities are fixed.
In versions earlier than 5.10-014, the CMN and DRW drivers deviate from those of the Linux community. To reduce maintenance costs, 5.10-014 synchronizes the CMN and DRW drivers of the Linux community and ensures compatibility with CMN-700 of YiTian 710. debugfs is supported, and vulnerabilities are fixed. The topology of CMN can be viewed in user mode.
Machine Check Exception (MCE) errors that are triggered by copy-on-write (COW) can be fixed on x86 instances that run in kernel mode.
If uncorrectable errors are triggered when COW is implemented in the kernel, the system fails because it does not have recovery programs for this case where poison is consumed by the kernel. This feature adds support for recovery programs by sending a SIGBUS to applications to prevent system failures.
Top-down performance analysis can be performed by using performance metrics to make CPU PMU easier to use.
In versions earlier than 5.10-014, the performance metric feature is not supported and no top-down performance analysis tool is available. In 5.10-014, the performance metric feature is supported to make CPU PMU easier to use and help users troubleshoot CPU performance bottlenecks. Top-down metrics of YiTian 710, Kunpeng, and x86 are also supported.
UDP Segmentation Offload (USO) is supported for virtio-net.
Compared with UDP Fragmentation Offload (UFO), USO improves packet reception performance in complex network environments and the forwarding performance of forwarding components. Starting from version 5.10-014, USO is supported for virtio-net. Compared with UFO, USO reduces packet loss that is caused by fragment reassembly in unstable network conditions, incast scenarios, and traffic spikes. USO also reduces the overhead of fragment reassembly on the receiving side. Packet loss and out-of-order (OOO) packets cause fragment reassembly for forwarding components. As such, USO improves the efficiency of forwarding components.
The following issue is fixed: The empty pci_iounmap() implementation of the AArch64 architecture exhausts virtual address space.
In versions earlier than 5.10-014, the pci_iounmap function is empty when CONFIG_GENERIC_IOMAP is not configured. Mapped memory cannot be released. Consequently, virtual address space is exhausted. In 5.10-014, pci_iounmap() can be implemented.
The high-performance ublk framework is supported.
ublk is a high-performance framework that is used to implement block device logic from userspace based on the io_uring passthrough mechanism. ublk can be used to efficiently deploy agents in distributed storage.
The following technologies developed by Alibaba Cloud are supported:
- Code block lock is supported. The code blocks that reside in memory can be locked as a whole or by cgroup.
  Low memory usage triggers memory reclamation. Code blocks of core business that are stored in the memory may also be reclaimed. When the business programs are rerun, the code blocks are retrieved from disks and then stored in the memory. Frequent I/O operations slow down response speeds and cause performance jitters. The feature locks the cgroups of the memory where core code blocks are stored to prevent the memory from being frequently swapped in and out. This feature also allows you to configure a memory lock quota. The quota specifies the proportion of code block memory that you want to retain.
- A size limit can be specified for the page cache to free up memory space to support business growth.
  In scenarios that involve containers, the available memory that is provided by the containers is limited. If the page cache occupies a large amount of memory, memory reclamation is triggered. If the reclamation cannot meet the memory requirements for business growth, OOM errors may occur and degrade performance. To address this issue, this feature is provided by ANCK to limit the size of page cache for containers. Excess page cache is reclaimed in advance to free up memory space. This feature can limit the page cache size for all containers or containers that reside in each cgroup. This feature also supports synchronous and asynchronous reclamation methods to provide high flexibility.
- Dynamic CPU isolation is supported.
  CPU isolation involves assigning different CPU cores or CPU sets to different tasks to prevent resource competition and improve system performance and stability. To support crucial tasks, the CPU isolation technology assigns isolated CPUs to crucial tasks and non-isolated CPUs to non-crucial tasks. The number of crucial tasks changes during task runtime. If you isolate a large number of CPUs to support crucial tasks, resources may be wasted and costs may increase. Dynamic CPU isolation allows the number of isolated CPUs to be changed to maximize resource utilization, reduce costs, and improve business performance.
- CPU burst and the minimum memory watermark QoS capability are supported in cgroup v2.
  To promote the use of cgroup v2, the interfaces of cgroup v2 of various in-house ANCK technologies, including CPU burst and the minimum memory watermark QoS capability, are supported.
- The vmalloc() function is supported for the XDP socket feature to allocate virtual memory to queues. This prevents XDP socket allocation failures that are caused by memory fragmentation.
  By default, the XDP socket feature uses the __get_free_pages() function to allocate contiguous physical memory. If the memory is severely fragmented, the system fails to apply for memory, which may cause XDP socket creation failures. This feature uses the vmalloc() function to allocate memory to reduce the risks of XDP socket creation failure.

Alibaba Cloud Linux 3.2104 U6.1

Version	Image ID	Release date	Description
Alibaba Cloud Linux 3.2104 U6.1	aliyun_3_x64_20G_alibase_20230424.vhd	2023-04-24	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-13.1.al8.x86_64.
	aliyun_3_arm64_20G_alibase_20230424.vhd	2023-04-24	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-13.1.al8.aarch64.
	aliyun_3_x64_20G_alibase_20230327.vhd	2023-03-27	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-13.1.al8.x86_64.
	aliyun_3_arm64_20G_alibase_20230327.vhd	2023-03-27	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-13.1.al8.aarch64.

Alibaba Cloud Linux 3.2104 U6

Version	Image ID	Release date	Description
Alibaba Cloud Linux 3.2104 U6	aliyun_3_x64_20G_qboot_alibase_20230214.vhd	2023-02-14	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start)` image is updated. This image is derived from the aliyun_3_x64_20G_alibase_20230110.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image.
	aliyun_3_x64_20G_uefi_alibase_20230214.vhd	2023-02-14	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI)` image is updated to include the latest software versions. This image is derived from the aliyun_3_x64_20G_alibase_20230110.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image. The boot mode is changed to UEFI, and only the UEFI mode is supported.
	aliyun_3_x64_20G_alibase_20230110.vhd	2023-01-10	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The configurations of the Plus debug repository are added. Kernel updates: The kernel is updated to version 5.10.134-13.al8.x86_64. Kernel bugs and critical CVEs are fixed. /dev/ioasid is supported. In versions earlier than ANCK 5.10-013, device-passthrough frameworks such as Virtual Function I/O (VFIO) and vDPA create their own logic to isolate untrusted device DMAs that are initiated by userspace. In ANCK 5.10-013 and later, /dev/ioasid provides a unified interface to manage I/O page tables for devices that are assigned to userspace. This simplifies VFIO and vDPA. The performance of the SoftWare Input/Output Translation Lookaside Buffer (SWIOTLB) mechanism is optimized. In versions earlier than ANCK 5.10-013, the SWIOTLB mechanism that is used to communicate with peripherals uses only one lock when allocating memory. In ANCK 5.10-013 and later, the lock is split into multiple locks and the locks become configurable. This is suitable for confidential VMs (Intel TDX-based VMs) with large specifications such as over 32 CPUs per VM. For Redis and MySQL, the tests show that I/O performance can be improved by up to eight times after the lock splitting. napi.tx is enabled in virtio-net to improve the performance of TCP Small Queue (TSQ). In 3bedc5bca69d ('ck: Revert "virtio_net: enable napi_tx by default"'), high si leads to performance degradations in some special scenarios. This causes TSQ not to work as expected. To fix the issue, the napi.tx feature is re-enabled. The AST2600 PCIe 2D Video Graphics Array (VGA) driver is supported. In versions earlier than ANCK 5.10-013, ASPEED AST2600 graphics cards are not supported. In ANCK 5.10-013 and later, ASPEED AST2600 graphics cards are supported. When such a graphics card is connected to an external monitor, images can be properly displayed on the screen. A switch is added for the group identity feature. In ANCK 5.10-013, the global sysctl switch is added for the group identity feature. By default, the switch is turned off to reduce the scheduling overhead of common processes. You can run the `echo 1 > /proc/sys/kernel/sched_group_identity_enabled` command to turn on the switch. The default kernel boot cmdline is adjusted on the Arm 64-bit architecture. In 5.10.134-013 and later, the following parameter settings are added to the kernel boot cmdline on the Arm 64-bit architecture to improve performance: `cgroup.memory=nokmem iommu.passthrough=1 iommu.strict=0` cgroup.memory=nokmem: disables kernel memory accounting. When enabled, kernel memory accounting results in additional logic for allocating and releasing slab pages and affects performance. For more information, visit OpenAnolis. iommu.passthrough=1: bypasses the Input-Output Memory Management Unit (IOMMU) for DMA. This can reduce translations for page table mappings. If iommu.passthrough=1 is not added to the kernel boot cmdline, the value of CONFIG_IOMMU_DEFAULT_PASSTHROUGH is used. The iommu.passthrough parameter takes effect for physical machines. iommu.strict=0: invalidates TLBs in lazy mode. The lazy mode defers the invalidation of hardware TLBs during DMA unmap operations to increase throughput and the unmapping speed. If the lazy mode is not supported by the relevant IOMMU driver, the mode automatically switches back to the strict mode (iommu.strict=1). The strict mode invalidates IOMMU hardware TLBs during DMA unmap operations. The Compact NUMA aware (CNA) spinlock feature is supported. In 5.10.134-013 and later, NUMA awareness is added to qspinlock. One of the following kernel boot cmdline parameter settings can be added to enable the CNA spinlock feature: numa_spinlock=on or numa_spinlock=auto. After this feature is enabled, qspinlock can give a lock to the CPU of the same NUMA node as much as possible when CPUs on different NUMA nodes compete for the spinlock. This reduces the number of cross-NUMA sessions and improves performance. In the benchmark tests of sysbench and leveldb, performance is improved by more than 10%. The perf mem and perf c2c commands provide more features on the Arm 64-bit architecture. In 5.10.134-013 and later, the perf mem and perf c2c commands are extended to provide more features. On the Arm 64-bit architecture, perf mem and perf c2c can be used to show the data sources of samples, such as L1 hit. perf mem supports synthesized memory events, synthesized instruction events, synthesis directive events, and instruction delay information. perf c2c provides the capability of locating NUMA node information. fsck.xfs supports journal replay. After a machine breaks down, file systems may be in the inconsistent state and the journal log is not replayed. In xfsprogs-5.0.0-10.0.4 and earlier, this may drop the machine into the rescue shell because fsck.xfs does not support journal replay, which brings maintenance trouble. In xfsprogs-5.0.0-10.0.5 and later, fsck.xfs supports journal replay. When you assume the administrator role, you can set the fsck.mode parameter to force and the fsck.repair parameter to yes to enable journal replay. Take note that journal replay takes effect only for system disks. Adaptive Huge Pages are supported. In 5.10.134-013 and later, the adaptive Huge Pages feature is provided to resolve hardware drawbacks, especially for x86 platforms. An example of the hardware drawbacks is that Intel Skylake has only eight iTLB entries to use. This feature selects the most popular 2 MB areas into huge pages based on page table entry (PTE) scan results. In short, this feature provides two system interfaces to limit the number of huge pages per application and prevent performance degradations that are caused by iTLB miss increase. This feature is applicable to Java applications and applications with large code segments, such as ApsaraDB for OceanBase and MySQL. Software Guard Extensions (SGX) dynamic memory management is supported. In versions earlier than ANCK 5.10, the dynamic management of SGX enclave memory is not supported. In ANCK 5.10 and later, the SGX Enclave Dynamic Memory Management (EDMM) feature is provided to allow the dynamic management of SGX memory. The WireGuard module is enabled. In versions earlier than ANCK 5.10-013, the WireGuard module is disabled. In ANCK 5.10 and later, the WireGuard module is enabled. WireGuard is an easy-to-configure, fast, and secure VPN that can replace IPSec. WireGuard is abstract and suitable for general use in most scenarios.
	aliyun_3_arm64_20G_alibase_20230110.vhd	2023-01-10	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The configurations of the Plus debug repository are added. Kernel updates: The kernel is updated to version 5.10.134-13.al8.aarch64. Kernel bugs and critical CVEs are fixed.

2022

Version	Image ID	Release date	Description
Alibaba Cloud Linux 3.5.2	aliyun_3_x64_20G_alibase_20221118.vhd	2022-11-18	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions.
	aliyun_3_arm64_20G_alibase_20221118.vhd	2022-11-18	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions.
	aliyun_3_x64_20G_alibase_20221102.vhd	2022-11-02	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-12.2.al8.x86_64.
	aliyun_3_arm64_20G_alibase_20221102.vhd	2022-11-02	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-12.2.al8.aarch64.
Alibaba Cloud Linux 3.5	aliyun_3_x64_20G_alibase_20220907.vhd	2022-09-07	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. Kernel updates: The kernel is updated to version 5.10.134-12.al8.x86_64. Kernel bugs and critical CVEs are fixed. YiTian 710 processors are supported. Panjiu M-series servers are supported. The performance on the YiTian platform is optimized. MPAM is supported on the Arm 64-bit architecture. Datop can be used to monitor NUMA across nodes and identify cold and hot memory in processes. More than 4 GB of memory can be reserved for a crash kernel on the Arm 64-bit architecture. Hotfixes for kernel modules are supported on the Arm 64-bit architecture. ftrace osnoise tracer is supported. ext4 fast commit is supported, which is frequently applied to the fsync function. For example, ext4 fast commit optimizes the performance of MySQL and PostgreSQL databases. The corresponding e2fsprogs version is updated to 1.46.0. The following technologies developed by Alibaba Cloud are supported: 2 MB unaligned part at the end of executable binary files can be filled, which improves the performance by 2% for specific scenarios. The XFS 16k atomic write feature is supported. Compared with double writes, XFS 16k atomic writes improve the performance of disks by up to 50% and reduce I/O on disks. The corresponding xfsprogs and mariadb repositories are updated to Anolis YUM repositories. This solution has the following advantages over the hardware-based atomic write solution: This solution is based on the COW technique. This solution does not depend on hardware. This solution does not depend on runtime I/O path configurations. The XFS 16k atomic write feature can be used together with the Hugetext feature. For more information, see Work with MariaDB 16K atomic writes. Nydus and EROFS over fscache can be used to accelerate container images. Nydus and erofs over fscache are developed by OpenAnolis and are integrated into mainline Linux 5.19. Nydus and erofs over fscache are the first native in-kernel acceleration solution that is supported by the Linux community for container images. For more information, see OpenAnolis. The fuse fd passthrough and fd attach features are supported. fd passthrough can reduce I/O latency by 90% for common scenarios. fd attach can recover fuse mount points in abnormal cases without impacts and help improve the stability of production environments. Kidled can be used to scan anonymous pages, files, and slabs. The memory.use_priority_swap interface is added to reclaim memory based on the priorities of cgroups. 1-RTT and RDMA DIM are supported by SMC to optimize CQ interrupt process logic and improve QPS by 40% in data paths. SMC continuous integration and continuous delivery (CI/CD) is supported to fix dozens of stability issues.
	aliyun_3_arm64_20G_alibase_20220907.vhd	2022-09-07	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. Kernel updates: The kernel is updated to version 5.10.134-12.al8.aarch64. Kernel bugs and critical CVEs are fixed. YiTian 710 processors are supported. Panjiu M-series servers are supported. The performance on the YiTian platform is optimized. MPAM is supported on the Arm 64-bit architecture. Datop can be used to monitor NUMA across nodes and identify cold and hot memory in processes. More than 4 GB of memory can be reserved for a crash kernel on the Arm 64-bit architecture. Hotfixes for kernel modules are supported on the Arm 64-bit architecture. ftrace osnoise tracer is supported. ext4 fast commit is supported, which is frequently applied to the fsync function. For example, ext4 fast commit optimizes the performance of MySQL and PostgreSQL databases. The corresponding e2fsprogs version is updated to 1.46.0. The following technologies developed by Alibaba Cloud are supported: 2 MB unaligned part at the end of executable binary files can be filled, which improves the performance by 2% for specific scenarios. The XFS 16k atomic write feature is supported. Compared with double writes, XFS 16k atomic writes improve the performance of disks by up to 50% and reduce I/O on disks. The corresponding xfsprogs and mariadb repositories are updated to Anolis YUM repositories. This solution has the following advantages over the hardware-based atomic write solution: This solution is based on the COW technique. This solution does not depend on hardware. This solution does not depend on runtime I/O path configurations. The XFS 16k atomic write feature can be used together with the Hugetext feature. For more information, see Work with MariaDB 16K atomic writes. Nydus and erofs over fscache can be used to accelerate container images. Nydus and erofs over fscache are developed by OpenAnolis and are integrated into mainline Linux 5.19. Nydus and erofs over fscache are the first native in-kernel acceleration solution that is supported by the Linux community for container images. For more information, see OpenAnolis. The fuse fd passthrough and fd attach features are supported. fd passthrough can reduce I/O latency by 90% for common scenarios. fd attach can recover fuse mount points in abnormal cases without impacts and help improve the stability of production environments. Kidled can be used to scan anonymous pages, files, and slabs. The memory.use_priority_swap interface is added to reclaim memory based on the priorities of cgroups. 1-RTT and RDMA DIM are supported by SMC to optimize CQ interrupt process logic and improve QPS by 40% in data paths. SMC CI/CD is supported to fix dozens of stability issues.
	aliyun_3_x64_20G_qboot_alibase_20220907.vhd	2022-09-07	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start)` image is updated. This image is derived from the aliyun_3_x64_20G_alibase_20220907.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image.
	aliyun_3_x64_20G_uefi_alibase_20220907.vhd	2022-09-07	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI)` image is updated to include the latest software versions. This image is derived from the aliyun_3_x64_20G_alibase_20220907.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image. The boot mode is changed to UEFI, and only the UEFI mode is supported.
Alibaba Cloud Linux 3.4.2	aliyun_3_arm64_20G_alibase_20220819.vhd	2022-08-19	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.112-11.2.al8.aarch64.
Alibaba Cloud Linux 3.4.2	aliyun_3_x64_20G_alibase_20220815.vhd	2022-08-15	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.112-11.2.al8.x86_64.
Alibaba Cloud Linux 3.4.1	aliyun_3_x64_20G_alibase_20220728.vhd	2022-07-28	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. The kernel is updated to version 5.10.112-11.1.al8.x86_64.
Alibaba Cloud Linux 3.4.1	aliyun_3_arm64_20G_alibase_20220728.vhd	2022-07-28	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. The kernel is updated to version 5.10.112-11.1.al8.aarch64.
Alibaba Cloud Linux 3.4	aliyun_3_x64_20G_alibase_20220527.vhd	2022-05-27	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. Kernel updates: The kernel is updated to version 5.10.112-11.al8.x86_64. Kernel bugs and critical CVEs are fixed. The following technologies developed by Alibaba Cloud are supported: Duptext Enhanced Huge Pages KFENCE, which is used to detect out-of-bound memory accesses and use-after-free errors CSV2 confidential virtual machines that use Hygon processors can be started. Up to 256 CPUs are supported by the guest OS. The throughput, latency, and connection speeds of SMC in HTTP workloads such as NGINX are improved, and several stability and compatibility issues are fixed. AMX, virtual AMX, IPI virtualization, UINTER, Intel_idle, and TDX are supported by Intel SPR processors. The ptdma driver, CPU frequency, k10temp, and Error Detection And Correction (EDAC) are supported by AMD. DDR PMU, PCIe PMU driver, Arm CoreLink CMN-700 Coherent Mesh Network, and RAS are supported by YiTian 710 processors. CoreSight is supported. Arm SPE perf memory profiling and c2c are supported by the Arm architecture. DAX per file is supported by virtiofs. smmu event polling is supported.
	aliyun_3_x64_20G_qboot_alibase_20220527.vhd	2022-05-27	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start)` image is updated. This image is derived from the aliyun_3_x64_20G_alibase_20220527.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image.
	aliyun_3_x64_20G_uefi_alibase_20220527.vhd	2022-05-27	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI)` image is updated to include the latest software versions. This image is derived from the aliyun_3_x64_20G_alibase_20220527.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image. The boot mode is changed to UEFI, and only the UEFI mode is supported.
	aliyun_3_arm64_20G_alibase_20220526.vhd	2022-05-26	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. Kernel updates: The kernel is updated to version 5.10.112-11.al8.aarch64. Kernel bugs and critical CVEs are fixed. The following technologies developed by Alibaba Cloud are supported: Duptext Enhanced Huge Pages KFENCE, which is used to detect out-of-bound memory accesses and use-after-free errors CSV2 confidential virtual machines that use Hygon processors can be started. Up to 256 CPUs are supported by the guest OS. The throughput, latency, and connection speeds of SMC in HTTP workloads such as NGINX are improved, and several stability and compatibility issues are fixed. AMX, virtual AMX, IPI virtualization, UINTER, Intel_idle, and TDX are supported by Intel SPR processors. The ptdma driver, CPU frequency, k10temp, and EDAC are supported by AMD. DDR PMU, PCIe PMU driver, Arm CoreLink CMN-700 Coherent Mesh Network, and RAS are supported by YiTian 710 processors. CoreSight is supported. Arm SPE perf memory profiling and c2c are supported by the Arm architecture. DAX per file is supported by virtiofs. smmu event polling is supported.
Alibaba Cloud Linux 3.3.4	aliyun_3_x64_20G_alibase_20220413.vhd	2022-04-13	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. Kernel updates: The kernel is updated to version 5.10.84-10.4.al8.x86_64. The CVE-2022-1016 and CVE-2022-27666 vulnerabilities are fixed.
Alibaba Cloud Linux 3.3.4	aliyun_3_arm64_20G_alibase_20220413.vhd	2022-04-13	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. Kernel updates: The kernel is updated to version 5.10.84-10.4.al8.aarch64. The CVE-2022-1016 and CVE-2022-27666 vulnerabilities are fixed.
Alibaba Cloud Linux 3.3.3	aliyun_3_x64_20G_alibase_20220315.vhd	2022-03-15	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. CVEs are fixed. Kernel updates: The kernel is updated to version 5.10.84-10.3.al8.x86_64. The CVE-2022-0435 and CVE-2022-0847 vulnerabilities are fixed.
Alibaba Cloud Linux 3.3.3	aliyun_3_arm64_20G_alibase_20220315.vhd	2022-03-15	The `Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm` base image is updated to include the latest software versions. CVEs are fixed. Kernel updates: The kernel is updated to version 5.10.84-10.3.al8.aarch64. The CVE-2022-0435 and CVE-2022-0847 vulnerabilities are fixed.
Alibaba Cloud Linux 3.3.2	aliyun_3_x64_20G_alibase_20220225.vhd	2022-02-25	The `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image is updated to include the latest software versions. CVEs are fixed. The Coordinated Universal Time (UTC) time standard is used by the real-time clock (RTC). For more information, see Linux time and time zones. Kernel updates: The kernel is updated to version 5.10.84-10.2.al8.x86_64. The CVE-2022-0492, CVE-2021-4197, CVE-2022-0330, CVE-2022-22942, and CVE-2022-0185 vulnerabilities are fixed. The following features developed by Alibaba Cloud are supported: Duptext Huge Pages RDMA/SMC-R AMX, RAS, RCEC, bus lock detection, Ratelimit support, and Uncore are supported by Intel SPR processors. The MCA-R feature is added to Intel Ice Lake processors. The Intel Driver & Support Assistant feature is enabled. The XDP socket feature is supported by virtio-net. The kernel TLS cryptography protocol is supported. KFENCE is supported to detect out-of-bound memory accesses and use-after-free errors. The AVX and AVX2 instruction sets of the SM4 algorithm in the kernel are optimized. Hygon CSV vm attestation is supported. The perf c2c feature of Arm SPE is supported. The i10nm_edac feature is supported. The unevictable_pid feature is ported. The memory watermark can be adjusted. The adaptive sqpoll mode of io_uring is supported. Huge vmalloc mappings are supported.
	aliyun_3_x64_20G_qboot_alibase_20220225.vhd	2022-02-25	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start)` image is updated. This image is derived from the aliyun_3_x64_20G_alibase_20220225.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image. The UTC time standard is used by RTC. For more information, see Linux time and time zones.
	aliyun_3_arm64_20G_alibase_20220225.vhd	2022-02-25	The UTC time standard is used by RTC. For more information, see Linux time and time zones. Kernel updates: The kernel is updated to version 5.10.84-10.2.al8.aarch64. The CVE-2022-0492, CVE-2021-4197, CVE-2022-0330, CVE-2022-22942, and CVE-2022-0185 vulnerabilities are fixed. The following features developed by Alibaba Cloud are supported: Duptext Huge Pages RDMA/SMC-R AMX, RAS, RCEC, bus lock detection, Ratelimit support, and Uncore are supported by Intel SPR processors. The MCA-R feature is added to Intel Ice Lake processors. The Intel Driver & Support Assistant feature is enabled. The XDP socket feature is supported by virtio-net. The kernel TLS cryptography protocol is supported. KFENCE is supported to detect out-of-bound memory accesses and use-after-free errors. The AVX and AVX2 instruction sets of the SM4 algorithm in the kernel are optimized. Hygon CSV vm attestation is supported. The perf c2c feature of Arm SPE is supported. The i10nm_edac feature is supported. The unevictable_pid feature is ported. The memory watermark can be adjusted. The adaptive sqpoll mode of io_uring is supported. Huge vmalloc mappings are supported.
	aliyun_3_x64_20G_uefi_alibase_20220225.vhd	2022-02-25	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI)` image is updated to include the latest software versions. This image is derived from the aliyun_3_x64_20G_alibase_20220225.vhd version of the `Alibaba Cloud Linux 3.2104 LTS 64-bit` base image. The UTC time standard is used by RTC. For more information, see Linux time and time zones.

2021

Version	Image ID	Release date	Description
Alibaba Cloud Linux 3.2	aliyun_3_x64_20G_qboot_alibase_20211214.vhd	2021-12-14	The `Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start)` image is released. This image is derived from the aliyun_3_x64_20G_alibase_20210910.vhd version of the `Alibaba Cloud Linux 3.2104 64-bit` base image.
	aliyun_3_x64_20G_alibase_20210910.vhd	2021-09-10	The `Alibaba Cloud Linux 3.2104 64-bit` base image is updated to include the latest software versions. CVEs are fixed. The update-motd service is added and enabled by default. By default, the kdump service is enabled. By default, the atd service is enabled. Kernel updates: The kernel is upgraded to upstream stable kernel release 5.10.60. The current kernel version is 5.10.60-9.al8.x86_64. Kernel bugs and critical CVEs are fixed. The following technologies developed by Alibaba Cloud are supported: eRDMA and SMC-R based on eRDMA Resource isolation technology: OOM priority control Memory KIDLED technology Resource isolation technology: memcg zombie reaper Rich container technology: rich container Resource isolation technology: CPU group identity Unified Kernel Fault Event Framework (UKFEF) technology Intel SPR CPUs are supported. The cpupower utility used for AMD Milan is supported. The Non-Maskable Interrupt (NMI) watchdog based on the System for Electronic Disclosure by Insiders (SEDI) is supported by the Arm 64-bit architecture. MPAM is supported by the Arm 64-bit architecture. Memory hotplug is supported by the Arm 64-bit architecture. The kernel quick start technology is enhanced. x86 SGX2 is supported. The performance of virtio-net is optimized. The eBPF Linux Security Modules (LSM) technology is supported. Software and hardware that are virtualized based on KVM are co-designed, and PV-qspinlock is supported during the co-design.
	aliyun_3_arm64_20G_alibase_20210910.vhd	2021-09-10	The `Alibaba Cloud Linux 3.2104 64-bit for Arm` image is updated to include the latest software versions. This image is derived from the aliyun_3_x64_20G_alibase_20210910.vhd version of the `Alibaba Cloud Linux 3.2104 64-bit` base image.
	aliyun_3_x64_20G_uefi_alibase_20210910.vhd	2021-09-10	The `Alibaba Cloud Linux 3.2104 64-bit (UEFI)` image is updated to include the latest software versions. This image is derived from the aliyun_3_x64_20G_alibase_20210910.vhd version of the `Alibaba Cloud Linux 3.2104 64-bit` base image. Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Shenzhen), China (Heyuan), and Singapore.
Alibaba Cloud Linux 3.1	aliyun_3_arm64_20G_alibase_20210709.vhd	2021-07-09	The `Alibaba Cloud Linux 3.2104 64-bit for Arm` image is released. Security Center can be connected. Supported region: China (Hangzhou).
	aliyun_3_x64_20G_alibase_20210425.vhd	2021-04-25	The `Alibaba Cloud Linux 3.2104 64-bit` base image is updated. Kernel updates: The kernel is updated to version 5.10.23-5.al8.x86_64.
	aliyun_3_x64_20G_uefi_alibase_20210425.vhd	2021-04-25	The `Alibaba Cloud Linux 3.2104 64-bit (UEFI)` image is released. This image is derived from the aliyun_3_x64_20G_alibase_20210425.vhd version of the `Alibaba Cloud Linux 3.2104 64-bit` base image. The boot mode is changed to UEFI, and only the UEFI mode is supported. Supported regions: China (Beijing), China (Hangzhou), China (Shanghai), and China (Shenzhen).
Alibaba Cloud Linux 3.0	aliyun_3_x64_20G_alibase_20210415.vhd	2021-04-15	The `Alibaba Cloud Linux 3.2104 64-bit` base image is released. Kernel description: The kernel is based on the 5.10 kernel version supported in the Linux community. The 5.10.23-4.al8.x86_64 kernel version is used in the base image. The PV-Panic, PV-Unhalt, and PV-Preempt features are supported by the Arm 64-bit architecture. Kernel Live Patching (KLP) is supported by the Arm 64-bit architecture. TCP-RT is supported. The memcg backend asynchronous reclaim feature is supported. The memcg QoS and Pressure Stall Information (PSI) features implemented based on cgroup v1 interfaces are supported. The cgroup writeback feature is supported. The monitoring of block I/O throttling is enhanced. An interface is provided to optimize JBD2 of ext4. The open source kernel of Alibaba Cloud is optimized and vulnerabilities in multiple subsystems including the scheduler, memory, file system, and block layer are fixed. The CPU burst feature is supported. For more information, see Enable the CPU burst feature for cgroup v1. Image description: The base image is compatible with the CentOS 8 and Red Hat Enterprise Linux (RHEL) 8 software ecosystems. CVEs are fixed. GCC 10.2.1 and glibc 2.32 are supported. Python 3.6 and Python 2.7 are supported. AppStream is supported. Supported region: China (Hangzhou).

References

For information about the release notes of Alibaba Cloud Linux 2 images, see Alibaba Cloud Linux 2 image release notes.
For information about the release notes of third-party and open source public images, see Release notes of public images.
You can use the latest version of an Alibaba Cloud Linux 3 image to create ECS instances. For information about how to create an instance, see Create an instance on Custom Launch tab.