Alibaba Cloud Linux: Release notes for Alibaba Cloud Linux 3

Last Updated: Dec 19, 2024

This topic provides the release notes for Alibaba Cloud Linux 3 images and links to the relevant references. The release notes are sorted by release date in reverse chronological order.

Background information

  • Unless otherwise stated, the released updates apply to all Alibaba Cloud regions where Elastic Compute Service (ECS) is available.

  • Most instance families support Alibaba Cloud Linux 3 images. However, some Alibaba Cloud Linux 3 images are supported only by specific instance families. Some instance families can use only specific public images:

    Arm images whose ID contains _arm64_ are supported by Alibaba Cloud Arm-based instances.

2024

Alibaba Cloud Linux 3.2104 U10.1

Version: Alibaba Cloud Linux 3.2104 U10.1

Image ID: aliyun_3_x64_20G_alibase_20241103.vhd

Release date: 2024-11-03

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-17.3.al8.

  • Updates: For more information, see the Updates section of this topic.

Image ID: aliyun_3_x64_20G_dengbao_alibase_20241103.vhd

Release date: 2024-11-03

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (MLPS 2.0 Level 3) base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-17.3.al8.

  • Updates: For more information, see the Updates section of this topic.

Image ID: aliyun_3_arm64_20G_alibase_20241103.vhd

Release date: 2024-11-03

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-17.3.al8.

  • Updates: For more information, see the Updates section of this topic.

Image ID: aliyun_3_arm64_20G_dengbao_alibase_20241103.vhd

Release date: 2024-11-03

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm (MLPS 2.0 Level 3) base image is updated to include the latest software versions.

  • The kernel version is updated to 5.10.134-17.3.al8.

  • Updates: For more information, see the Updates section of this topic.

Updates

Security updates

Each entry below lists, in order: software package name, CVE IDs, version.

buildah

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

buildah-1.33.8-4.al8

containernetworking-plugins

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

containernetworking-plugins-1.4.0-5.0.1.al8

containers-common

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

containers-common-1-82.0.1.al8

podman

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

podman-4.9.4-12.0.1.al8

python-podman

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

python-podman-4.9.0-2.al8

runc

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

runc-1.1.12-4.0.1.al8

skopeo

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

skopeo-1.14.5-3.0.1.al8

httpd

CVE-2023-27522

httpd-2.4.37-65.0.1.al8.2

git-lfs

CVE-2023-45288

CVE-2023-45289

CVE-2023-45290

CVE-2024-24783

git-lfs-3.4.1-2.0.1.al8

bind

CVE-2024-1975

CVE-2024-1737

bind-9.11.36-16.0.1.al8

python-setuptools

CVE-2024-6345

python-setuptools-39.2.0-8.al8.1

less

CVE-2022-48624

CVE-2024-32487

less-530-3.0.1.al8

java-17-openjdk

CVE-2024-21131

CVE-2024-21138

CVE-2024-21140

CVE-2024-21144

CVE-2024-21145

CVE-2024-21147

java-17-openjdk-17.0.12.0.7-2.0.2.1.al8

java-11-openjdk

CVE-2024-21131

CVE-2024-21138

CVE-2024-21140

CVE-2024-21144

CVE-2024-21145

CVE-2024-21147

java-11-openjdk-11.0.24.0.8-3.0.2.1.al8

postgresql

CVE-2024-7348

postgresql-13.16-1.0.1.al8

flatpak

CVE-2024-42472

flatpak-1.12.9-3.al8

bubblewrap

CVE-2024-42472

bubblewrap-0.4.0-2.2.al8

java-1.8.0-openjdk

CVE-2024-21131

CVE-2024-21138

CVE-2024-21140

CVE-2024-21144

CVE-2024-21145

CVE-2024-21147

java-1.8.0-openjdk-1.8.0.422.b05-2.0.2.1.al8

fence-agents

CVE-2024-6345

fence-agents-4.10.0-62.0.2.al8.4

pcp

CVE-2024-45769

CVE-2024-45770

pcp-5.3.7-22.0.1.al8

delve

CVE-2024-24791

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158

delve-1.21.2-4.0.1.al8

golang

CVE-2024-24791

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158

golang-1.21.13-2.0.1.al8

go-toolset

CVE-2024-24791

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158

go-toolset-1.21.13-1.al8

edk2

CVE-2023-45236

CVE-2023-45237

CVE-2024-1298

edk2-20220126gitbb1bba3d77-13.0.1.al8.2

curl

CVE-2024-2398

curl-7.61.1-35.0.2.al8

libvpx

CVE-2023-6349

CVE-2024-5197

libvpx-1.7.0-11.0.1.al8

resource-agents

CVE-2024-37891

CVE-2024-6345

resource-agents-4.9.0-54.al8.4

389-ds-base

CVE-2024-5953

389-ds-base-1.4.3.39-8.0.1.al8

python-urllib3

CVE-2024-37891

python-urllib3-1.24.2-8.al8

pcs

CVE-2024-41123

CVE-2024-41946

CVE-2024-43398

pcs-0.10.18-2.0.1.1.al8.2

grafana

CVE-2024-24788

CVE-2024-24789

CVE-2024-24790

grafana-9.2.10-17.0.1.al8

libuv

CVE-2024-24806

libuv-1.42.0-2.al8

c-ares

CVE-2024-25629

c-ares-1.13.0-11.al8

xmlrpc-c

CVE-2023-52425

xmlrpc-c-1.51.0-9.0.1.al8

yajl

CVE-2022-24795

CVE-2023-33460

yajl-2.1.0-13.0.1.al8

wpa_supplicant

CVE-2023-52160

wpa_supplicant-2.10-2.al8

cups

CVE-2024-35235

cups-2.2.6-60.0.1.al8

linux-firmware

CVE-2023-31346

linux-firmware-20240610-122.git90df68d2.al8

wget

CVE-2024-38428

wget-1.19.5-12.0.1.al8

poppler

CVE-2024-6239

poppler-20.11.0-12.0.1.al8

krb5

CVE-2024-37370

CVE-2024-37371

krb5-1.18.2-29.0.1.al8

git-lfs

CVE-2024-34156

git-lfs-3.4.1-3.0.1.al8

libreoffice

CVE-2024-3044

CVE-2024-6472

libreoffice-7.1.8.1-12.0.2.1.al8.1

orc

CVE-2024-40897

orc-0.4.28-4.al8

jose

CVE-2023-50967

CVE-2024-28176

jose-10-2.3.al8.3

openssh

CVE-2020-15778

CVE-2023-48795

CVE-2023-51385

openssh-8.0p1-25.0.1.1.al8

libnbd

CVE-2024-3446

CVE-2024-7383

CVE-2024-7409

libnbd-1.6.0-6.0.1.al8

qemu-kvm

CVE-2024-3446

CVE-2024-7383

CVE-2024-7409

qemu-kvm-6.2.0-53.0.1.al8

libvirt

CVE-2024-3446

CVE-2024-7383

CVE-2024-7409

libvirt-8.0.0-23.2.0.2.al8

osbuild-composer

CVE-2024-34156

osbuild-composer-101-2.0.1.al8

libreswan

CVE-2024-3652

libreswan-4.12-2.0.2.al8.4

mod_auth_openidc

CVE-2024-24814

mod_auth_openidc-2.4.9.4-6.al8

podman

CVE-2023-45290

CVE-2024-24783

CVE-2024-24784

CVE-2024-24788

CVE-2024-24791

podman-4.9.4-13.0.1.al8

ghostscript

CVE-2024-29510

CVE-2024-33869

CVE-2024-33870

ghostscript-9.54.0-18.al8

emacs

CVE-2024-39331

emacs-27.2-9.0.3.al8

dovecot

CVE-2024-23184

CVE-2024-23185

dovecot-2.3.16-5.0.1.al8

expat

CVE-2024-45490

CVE-2024-45491

CVE-2024-45492

expat-2.2.5-13.0.1.al8

glib2

CVE-2024-34397

glib2-2.68.4-14.0.2.al8

python-idna

CVE-2024-3651

python-idna-2.5-7.al8

openldap

CVE-2023-2953

openldap-2.4.46-19.al8

python-pillow

CVE-2024-28219

python-pillow-5.1.1-21.al8

nghttp2

CVE-2024-28182

nghttp2-1.33.0-6.0.1.al8.1

python-jinja2

CVE-2024-34064

python-jinja2-2.10.1-3.0.3.al8

opencryptoki

CVE-2024-0914

opencryptoki-3.22.0-3.al8

gdk-pixbuf2

CVE-2021-44648

CVE-2021-46829

CVE-2022-48622

gdk-pixbuf2-2.42.6-4.0.1.al8

rear

CVE-2024-23301

rear-2.6-13.0.1.al8

grub2

CVE-2023-4692

CVE-2023-4693

CVE-2024-1048

grub2-2.02-150.0.2.al8

nss

CVE-2023-5388

CVE-2023-6135

nss-3.101.0-7.0.1.al8

gnutls

CVE-2024-0553

CVE-2024-28834

gnutls-3.6.16-8.0.1.al8.3

python3

CVE-2024-4032

CVE-2024-6232

CVE-2024-6923

python3-3.6.8-67.0.1.2.al8

grafana

CVE-2024-24791

grafana-9.2.10-18.0.1.al8

cups-filters

CVE-2024-47076

CVE-2024-47175

CVE-2024-47176

CVE-2024-47850

cups-filters-1.20.0-35.0.1.al8

linux-firmware

CVE-2023-20584

CVE-2023-31315

CVE-2023-31356

linux-firmware-20240827-124.git3cff7109.al8

golang

CVE-2024-9355

golang-1.21.13-3.0.1.al8

openssl

CVE-2024-5535

openssl-1.1.1k-14.0.1.al8

nano

CVE-2024-5742

nano-2.9.8-2.0.1.al8

runc

CVE-2023-45290

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158

runc-1.1.12-5.0.1.al8

OpenIPMI

CVE-2024-42934

OpenIPMI-2.0.32-5.0.1.al8
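To check a host against the fixed builds listed above, compare each installed package's version and release with the table entry using RPM's segment-wise ordering. The following is an added example, not Alibaba Cloud code: the fixed builds are a subset copied from the table, the installed list is constructed sample data, and the comparison ignores epochs and the special meaning of `~` and `^` (neither appears in the table).

```python
import re

# Fixed builds copied from the U10.1 "Security updates" table on this page
# (a subset). podman and runc are each listed twice with different releases.
FIXED_NVRS = [
    "podman-4.9.4-12.0.1.al8",
    "podman-4.9.4-13.0.1.al8",
    "runc-1.1.12-4.0.1.al8",
    "runc-1.1.12-5.0.1.al8",
    "openssh-8.0p1-25.0.1.1.al8",
    "openssl-1.1.1k-14.0.1.al8",
    "curl-7.61.1-35.0.2.al8",
    "java-1.8.0-openjdk-1.8.0.422.b05-2.0.2.1.al8",
    "cups-filters-1.20.0-35.0.1.al8",
]

# Constructed sample standing in for the output of:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
INSTALLED_NVRS = """\
podman-4.9.4-12.0.1.al8
runc-1.1.12-5.0.1.al8
openssh-8.0p1-20.0.1.al8
openssl-1.1.1k-14.0.1.al8
curl-7.61.1-34.0.1.al8
java-1.8.0-openjdk-1.8.0.412.b08-2.0.1.1.al8
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following RPM's segment-wise ordering.

    Simplification (assumption): '~' and '^' are treated as plain separators.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1  # a numeric segment beats an alphabetic one
        if x_num:
            x, y = int(x), int(y)      # numeric compare, so 10 > 9
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def split_nvr(nvr):
    """Split name-version-release; the name itself may contain hyphens."""
    name, version, release = nvr.strip().rsplit("-", 2)
    return name, version, release


def compare_vr(a, b):
    """Compare (version, release) pairs: version first, then release."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])


def newest_fixed(nvrs):
    """Keep only the highest fixed build for packages listed more than once."""
    best = {}
    for nvr in nvrs:
        name, version, release = split_nvr(nvr)
        if name not in best or compare_vr((version, release), best[name]) > 0:
            best[name] = (version, release)
    return best


def audit(installed_text, fixed_nvrs):
    """Map package name -> (status, installed build, required build)."""
    fixed = newest_fixed(fixed_nvrs)
    findings = {}
    for line in installed_text.splitlines():
        if line.count("-") < 2:
            continue  # blank or malformed line
        name, version, release = split_nvr(line)
        if name in fixed:
            ok = compare_vr((version, release), fixed[name]) >= 0
            findings[name] = ("ok" if ok else "outdated",
                              f"{version}-{release}", "-".join(fixed[name]))
    for name, vr in fixed.items():
        findings.setdefault(name, ("not installed", None, "-".join(vr)))
    return findings


if __name__ == "__main__":
    for pkg, (status, have, need) in sorted(audit(INSTALLED_NVRS, FIXED_NVRS).items()):
        print(f"{pkg:22} {status:14} installed={have} required>={need}")
```
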

Software package updates

New features

  • The libyang2 component is added.

  • keentuned and keentune-target are updated to version 3.1.1.

    • A tuning option is added to change the number of queues supported by a network interface controller (NIC).

    • A tuning option is added to change priorities.

    • The file-max and scheduler tuning options are removed.

    • The execution of unsafe commands is removed.

  • The following API components of keentuned are added: keentune-bench, keentune-brain, keentune-ui, and keenopt.

  • tcprt is updated to version 1.1.0, which provides enhanced TCP monitoring capabilities.

  • Node.js is updated to version 20.16, which provides baseline capabilities of Node.js version 20 to Alibaba Cloud Container Registry (ACR) Artifact Center.

  • erofs-utils is updated to version 1.8.2, which fixes specific bugs and optimizes the Enhanced Read-Only File System (EROFS).

Important updates

Kernel updates

The kernel is updated to version 5.10.134-17.3.al8.

  • OpenAnolis in-house features

    • SMC

      • The AutoSplit feature is added to reduce the transmission latency of large packets.

      • Remote Direct Memory Access (RDMA) queue pairs (QPs) can be exclusively used by connections in Shared Memory Communications (SMC) link groups.

      • The shared memory watermark control feature is added.

      • The SMC-layer data dump feature is added.

    • swiotlb

      The swiotlb=any kernel command-line setting is added to allow the reservation of Software Input/Output Translation Lookaside Buffer (swiotlb) across the entire memory space.

  • Community features

    • The sysctl settings related to the SMC limited handshake are backported from the community.

    • The SMC LGR-level and net namespace-level shared memory usage statistics feature is backported from the community.

  • TDX

    • The Trusted Domain Extensions (TDX) Guest Reported Target Measurement Register (RTMR) update interface is added, which allows you to add custom measurements for remote attestation.

    • The Elliptic Curve Digital Signature Algorithm (ECDSA) module is added.

Fixed issues

  • util-linux-2.32.1-46.0.3.al8 is used to fix the issue that the lscpu command takes a long time to run when a large number of Peripheral Component Interconnect (PCI) devices exist in a search cluster.

  • tzdata-2024a-1.0.1.6.al8 is used to fix the issue that specific time zone files do not exist.

  • Issues in the SMC module, such as divide-by-zero errors and memory leaks, are fixed.

  • The following issue is fixed: A bug in the ftrace subsystem may cause system downtime when multiple security software programs coexist.

  • The following issue is fixed: An out-of-bounds memory access exception may occur when the uprobe feature is used.

Alibaba Cloud Linux 3.2104 U10

Version: Alibaba Cloud Linux 3.2104 U10

Image ID: aliyun_3_x64_20G_alibase_20240819.vhd

Release date: 2024-08-19

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-17.2.al8.

  • Updates: For more information, see the Updates section of this topic.

Image ID: aliyun_3_x64_20G_dengbao_alibase_20240819.vhd

Release date: 2024-08-19

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (MLPS 2.0 Level 3) base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-17.2.al8.

  • Updates: For more information, see the Updates section of this topic.

Image ID: aliyun_3_arm64_20G_alibase_20240819.vhd

Release date: 2024-08-19

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-17.2.al8.

  • Updates: For more information, see the Updates section of this topic.

Image ID: aliyun_3_arm64_20G_dengbao_alibase_20240819.vhd

Release date: 2024-08-19

Description:

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm (MLPS 2.0 Level 3) base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-17.2.al8.

  • Updates: For more information, see the Updates section of this topic.

Updates

Security updates

Each entry below lists, in order: software package name, CVE IDs, version.

adwaita-qt

  • CVE-2023-32573

  • CVE-2023-33285

  • CVE-2023-34410

  • CVE-2023-37369

  • CVE-2023-38197

1.4.2-1.al8

apr

CVE-2022-24963

1.7.0-12.al8

avahi

  • CVE-2021-3468

  • CVE-2023-1981

  • CVE-2023-38469

  • CVE-2023-38470

  • CVE-2023-38471

  • CVE-2023-38472

  • CVE-2023-38473

0.7-21.0.1.al8.1

bind

  • CVE-2023-4408

  • CVE-2023-50387

  • CVE-2023-50868

9.11.36-14.0.1.al8

c-ares

  • CVE-2020-22217

  • CVE-2023-31130

1.13.0-9.al8.1

cockpit

CVE-2024-2947

310.4-1.al8

cups

  • CVE-2023-32324

  • CVE-2023-34241

2.2.6-54.0.1.al8

cups-filters

CVE-2023-24805

1.20.0-32.0.1.al8

curl

CVE-2023-38546

7.61.1-34.0.1.al8

device-mapper-multipath

CVE-2022-41973

0.8.4-39.0.2.al8

dhcp

  • CVE-2023-4408

  • CVE-2023-50387

  • CVE-2023-50868

4.3.6-50.0.1.al8

dnsmasq

  • CVE-2023-50387

  • CVE-2023-50868

2.79-32.0.1.al8

edk2

  • CVE-2022-36763

  • CVE-2022-36764

  • CVE-2022-36765

  • CVE-2023-3446

  • CVE-2023-45229

  • CVE-2023-45230

  • CVE-2023-45231

  • CVE-2023-45232

  • CVE-2023-45233

  • CVE-2023-45234

  • CVE-2023-45235

20220126gitbb1bba3d77-13.0.1.al8

expat

CVE-2023-52425

2.2.5-13.al8

evolution-mapi

  • CVE-2022-1615

  • CVE-2022-2127

  • CVE-2023-34966

  • CVE-2023-34967

  • CVE-2023-34968

3.40.1-6.al8

flatpak

  • CVE-2023-28100

  • CVE-2023-28101

  • CVE-2024-32462

1.12.9-1.al8

frr

  • CVE-2023-31490

  • CVE-2023-41358

  • CVE-2023-41909

  • CVE-2023-46752

  • CVE-2023-46753

7.5.1-16.0.4.al8

fwupd

CVE-2022-3287

1.7.8-2.0.1.al8

ghostscript

CVE-2024-33871

9.54.0-16.al8

git

  • CVE-2024-32002

  • CVE-2024-32004

  • CVE-2024-32020

  • CVE-2024-32021

  • CVE-2024-32465

2.43.5-1.0.1.al8

glib2

  • CVE-2023-29499

  • CVE-2023-32611

  • CVE-2023-32665

2.68.4-11.al8

gmp

CVE-2021-43618

6.2.0-13.0.1.al8

gnutls

CVE-2023-5981

3.6.16-8.0.2.al8

grafana

  • CVE-2024-1313

  • CVE-2024-1394

9.2.10-16.0.1.al8

grafana-pcp

CVE-2024-1394

5.1.1-2.0.1.al8

gstreamer1-plugins-bad-free

  • CVE-2023-40474

  • CVE-2023-40475

  • CVE-2023-40476

  • CVE-2023-50186

1.22.1-4.0.1.al8

gstreamer1-plugins-base

CVE-2023-37328

1.22.1-2.0.1.al8

gstreamer1-plugins-good

CVE-2023-37327

1.16.1-4.al8

harfbuzz

CVE-2023-25193

2.7.4-10.0.1.al8

httpd

  • CVE-2023-31122

  • CVE-2023-45802

  • CVE-2024-27316

2.4.37-64.0.1.al8

mod_http2

  • CVE-2023-31122

  • CVE-2023-45802

  • CVE-2024-27316

1.15.7-10.al8

java-1.8.0-openjdk

  • CVE-2024-20918

  • CVE-2024-20919

  • CVE-2024-20921

  • CVE-2024-20926

  • CVE-2024-20945

  • CVE-2024-20952

  • CVE-2024-21011

  • CVE-2024-21068

  • CVE-2024-21085

  • CVE-2024-21094

1.8.0.412.b08-2.0.1.1.al8

java-11-openjdk

  • CVE-2024-20918

  • CVE-2024-20919

  • CVE-2024-20921

  • CVE-2024-20926

  • CVE-2024-20945

  • CVE-2024-20952

  • CVE-2024-21011

  • CVE-2024-21012

  • CVE-2024-21068

  • CVE-2024-21085

  • CVE-2024-21094

11.0.23.0.9-3.0.1.1.al8

libfastjson

CVE-2020-12762

0.99.9-5.al8

libjpeg-turbo

CVE-2021-29390

2.0.90-7.0.1.al8

liblouis

  • CVE-2023-26767

  • CVE-2023-26768

  • CVE-2023-26769

3.16.1-5.al8

libmicrohttpd

CVE-2023-27371

0.9.59-3.al8

libpq

CVE-2022-41862

13.11-1.0.1.al8

librabbitmq

CVE-2023-35789

0.11.0-7.0.1.al8

libreoffice

  • CVE-2022-26305

  • CVE-2022-26306

  • CVE-2022-26307

  • CVE-2022-3140

  • CVE-2022-38745

  • CVE-2023-0950

  • CVE-2023-1183

  • CVE-2023-2255

  • CVE-2023-6185

  • CVE-2023-6186

7.1.8.1-12.0.1.1.al8.1

libreswan

  • CVE-2023-2295

  • CVE-2023-30570

  • CVE-2023-38710

  • CVE-2023-38711

  • CVE-2023-38712

4.12-2.0.2.al8

libsndfile

CVE-2022-33065

1.0.28-13.0.2.al8

libssh

  • CVE-2023-48795

  • CVE-2023-6004

  • CVE-2023-6918

0.9.6-12.al8

libtiff

  • CVE-2022-2056

  • CVE-2022-2057

  • CVE-2022-2058

  • CVE-2022-2519

  • CVE-2022-2520

  • CVE-2022-2521

  • CVE-2022-2867

  • CVE-2022-2868

  • CVE-2022-2953

  • CVE-2022-3627

  • CVE-2022-3970

  • CVE-2022-48281

  • CVE-2023-0795

  • CVE-2023-0796

  • CVE-2023-0797

  • CVE-2023-0798

  • CVE-2023-0799

  • CVE-2023-0800

  • CVE-2023-0801

  • CVE-2023-0802

  • CVE-2023-0803

  • CVE-2023-0804

  • CVE-2023-26965

  • CVE-2023-26966

  • CVE-2023-2731

  • CVE-2023-3316

  • CVE-2023-3576

  • CVE-2022-40090

  • CVE-2023-3618

  • CVE-2023-40745

  • CVE-2023-41175

  • CVE-2023-6228

4.4.0-12.0.1.al8

libvirt

  • CVE-2021-3750

  • CVE-2023-3019

  • CVE-2023-3301

  • CVE-2023-3255

  • CVE-2023-5088

  • CVE-2023-6683

  • CVE-2023-6693

  • CVE-2024-2494

8.0.0-23.1.0.1.al8

qemu-kvm

  • CVE-2021-3750

  • CVE-2023-3019

  • CVE-2023-3301

  • CVE-2023-3255

  • CVE-2023-5088

  • CVE-2023-6683

  • CVE-2023-6693

  • CVE-2024-2494

6.2.0-49.0.1.al8

libX11

  • CVE-2023-43785

  • CVE-2023-43786

  • CVE-2023-43787

  • CVE-2023-3138

1.7.0-9.al8

libxml2

  • CVE-2023-39615

  • CVE-2024-25062

2.9.7-18.0.3.al8

libXpm

  • CVE-2023-43788

  • CVE-2023-43789

3.5.13-10.0.1.al8

linux-firmware

  • CVE-2022-46329

  • CVE-2023-20569

  • CVE-2023-20592

20240111-121.gitb3132c18.al8

motif

  • CVE-2023-43788

  • CVE-2023-43789

2.3.4-20.al8

openchange

  • CVE-2022-2127

  • CVE-2023-34966

  • CVE-2023-34967

  • CVE-2023-34968

2.3-32.0.1.al8

opensc

  • CVE-2023-40660

  • CVE-2023-40661

  • CVE-2023-5992

  • CVE-2023-2977

0.20.0-7.0.1.al8

openssh

CVE-2023-51385

8.0p1-20.0.1.al8

openssl

  • CVE-2023-3446

  • CVE-2023-3817

  • CVE-2023-5678

1.1.1k-12.0.1.al8

pam

CVE-2024-22365

1.3.1-28.al8

pcp

CVE-2024-3019

5.3.7-20.0.1.al8

perl-HTTP-Tiny

CVE-2023-31486

0.074-2.0.1.al8.1

pixman

CVE-2022-44638

0.40.0-6.al8

pmix

CVE-2023-41915

3.2.3-5.al8

poppler

CVE-2020-36024

20.11.0-10.0.2.al8

postgresql-jdbc

CVE-2024-1597

42.2.14-3.al8

procps-ng

CVE-2023-4016

3.3.15-14.0.1.al8

protobuf-c

CVE-2022-48468

1.3.0-7.al8

python-cryptography

CVE-2023-23931

3.2.1-7.al8

python-dns

CVE-2023-29483

1.15.0-12.al8

python-pillow

  • CVE-2023-50447

  • CVE-2023-44271

5.1.1-20.al8

python-pip

CVE-2007-4559

9.0.3-23.0.1.al8.1

python3

  • CVE-2007-4559

  • CVE-2022-48560

  • CVE-2022-48564

  • CVE-2023-27043

  • CVE-2023-40217

  • CVE-2023-6597

  • CVE-2024-0450

3.6.8-62.0.1.2.al8

qt5-qtbase

  • CVE-2023-33285

  • CVE-2023-34410

  • CVE-2023-37369

  • CVE-2023-38197

  • CVE-2023-51714

  • CVE-2024-25580

5.15.3-5.0.3.al8

qt5-qtsvg

CVE-2023-32573

5.15.3-2.al8

rpm

  • CVE-2021-35937

  • CVE-2021-35938

  • CVE-2021-35939

4.14.3-27.0.5.2.al8

samba

  • CVE-2023-3961

  • CVE-2023-4091

  • CVE-2023-42669

4.18.6-3.0.1.1.al8

shadow-utils

CVE-2023-4641

4.6-19.0.1.al8

shim

  • CVE-2023-40546

  • CVE-2023-40547

  • CVE-2023-40548

  • CVE-2023-40549

  • CVE-2023-40550

  • CVE-2023-40551

15.8-2.0.1.1.al8

sqlite

CVE-2023-7104

3.26.0-19.al8

squashfs-tools

  • CVE-2021-40153

  • CVE-2021-41072

4.3-20.1.0.3.al8

sssd

CVE-2023-3758

2.9.4-3.al8

sudo

  • CVE-2023-28486

  • CVE-2023-28487

  • CVE-2023-42465

1.9.5p2-1.0.1.al8

sysstat

CVE-2023-33204

11.7.3-11.0.1.al8

tang

CVE-2023-1672

7-8.al8

tcpdump

CVE-2021-41043

4.9.3-4.0.1.al8

tigervnc

  • CVE-2023-5380

  • CVE-2023-6816

  • CVE-2024-0229

  • CVE-2024-21885

  • CVE-2024-21886

  • CVE-2024-31080

  • CVE-2024-31081

  • CVE-2024-31083

1.13.1-10.0.1.al8

tpm2-tss

CVE-2023-22745

2.3.2-5.0.2.al8

traceroute

CVE-2023-46316

2.1.0-6.2.0.3.al8

unbound

CVE-2024-1488

1.16.2-7.al8

util-linux

CVE-2024-28085

2.32.1-45.0.1.1.al8.1

webkit2gtk3

  • CVE-2014-1745

  • CVE-2023-32359

  • CVE-2023-39928

  • CVE-2023-40414

  • CVE-2023-41983

  • CVE-2023-42852

  • CVE-2023-42883

  • CVE-2023-42890

  • CVE-2024-23206

  • CVE-2024-23213

2.42.5-1.0.1.al8

wireshark

  • CVE-2023-0666

  • CVE-2023-2856

  • CVE-2023-2858

  • CVE-2023-2952

2.6.2-17.al8

xorg-x11-server

  • CVE-2023-1393

  • CVE-2024-31080

  • CVE-2024-31081

  • CVE-2024-31083

1.20.11-16.0.4.al8

xorg-x11-server-Xwayland

  • CVE-2022-3550

  • CVE-2022-3551

  • CVE-2022-4283

  • CVE-2022-46340

  • CVE-2022-46341

  • CVE-2022-46342

  • CVE-2022-46343

  • CVE-2022-46344

  • CVE-2023-0494

  • CVE-2023-1393

  • CVE-2023-5367

  • CVE-2023-6377

  • CVE-2023-6478

  • CVE-2023-6816

  • CVE-2024-0229

  • CVE-2024-0408

  • CVE-2024-0409

  • CVE-2024-21885

  • CVE-2024-21886

22.1.9-5.al8

yajl

CVE-2023-33460

2.1.0-12.0.1.al8

zziplib

CVE-2020-18770

0.13.71-11.al8

buildah

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

  • CVE-2024-28176

1.33.7-2.al8

cockpit-podman

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

84.1-1.al8

conmon

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

2.1.10-1.al8

container-selinux

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

2.229.0-2.al8

containernetworking-plugins

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

1.4.0-2.0.1.al8

containers-common

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

1-81.0.1.al8

criu

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

3.18-5.0.1.al8

fuse-overlayfs

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

1.13-1.0.1.al8

podman

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

  • CVE-2024-28176

4.9.4-3.0.1.al8

runc

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

1.1.12-1.0.1.al8

slirp4netns

  • CVE-2022-27191

  • CVE-2022-2989

  • CVE-2022-3064

  • CVE-2022-41723

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-25173

  • CVE-2023-25809

  • CVE-2023-27561

  • CVE-2023-28642

  • CVE-2023-29400

  • CVE-2023-29406

  • CVE-2023-3978

  • CVE-2024-21626

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

1.2.3-1.al8

libslirp

  • CVE-2018-25091

  • CVE-2021-33198

  • CVE-2021-34558

  • CVE-2022-2879

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2023-29409

  • CVE-2023-39318

  • CVE-2023-39319

  • CVE-2023-39321

  • CVE-2023-39322

  • CVE-2023-39326

  • CVE-2023-45287

  • CVE-2023-45803

  • CVE-2023-48795

  • CVE-2024-1753

  • CVE-2024-23650

  • CVE-2024-24786

  • CVE-2024-28180

4.4.0-2.al8

Software package updates

New features

  • The Elastic Remote Direct Memory Access (eRDMA) feature is supported by the rdma-core component.

  • The rasdaemon tool can isolate memory corrected errors (CEs).

  • NGINX supports OpenSSL 3.0.

  • The aliyun-cli component is updated to version 3.0.210.

Important updates

Kernel updates

The kernel is upgraded to version 5.10.134-17.2.al8.

New features

  • The Filesystem in Userspace (FUSE) failover feature is supported, which provides kernel-native FUSE fault recovery capabilities to ensure uninterrupted file access.

  • The dynamic kernel preemption feature is supported. The design of dynamic kernel preemption in the Linux community is backported to allow users to switch the preemption mode by using a boot command-line parameter or the sysfs interface. The kernel preemption mode can be none or voluntary, but not full.

  • The perf feature is enhanced to support performance metrics used in the Coherent Mesh Network (CMN) Performance Monitoring Unit (PMU) and DDR PMU.

  • New Berkeley Packet Filter (BPF) features are added.

    • The following BPF helpers are supported:

      • The bpf_for_each_map_elem helper traverses all elements in a BPF map.

      • The bpf_snprintf helper formats strings.

      • The bpf_timer helper triggers the callback function after a specific period of time.

      • The bpf_loop helper allows loops to run an unlimited number of times, which removes the constraint on the number of loop iterations.

      • The bpf_strncmp helper compares strings.

      • The bpf_ktime_get_tai_ns helper queries the CLOCK_TAI time.

      • The bpf_skb_load_bytes helper is supported in raw_tp programs, which allows these programs to read socket buffer (SKB) data, including nonlinear data.

    • The Arm64 architecture supports attaching trampoline-related features such as fentry, fexit, fmod_ret, and bpf_lsm. This improves the tracing, diagnostics, and security capabilities of the architecture.

    • BPF trampoline (bpf_trampoline) can coexist with hot fixes.

  • The following virtio-net features are supported:

    • The virtio-net device statistics feature is supported. The kernel can obtain device statistics to improve troubleshooting and issue diagnostics capabilities.

    • The queue reset feature is introduced, which allows you to resize the queues on a virtual machine (VM) to reduce packet loss and latency.

    • The dynamic interrupt moderation (netdim) feature is used to intelligently adjust interrupt coalescing parameters based on real-time traffic to optimize data reception performance.

    • The virtio checksum is optimized. The system can use the virtio checksum to complete verification on virtio NICs, without the need to re-verify checksums in a guest operating system in specific scenarios, such as Express Data Path (XDP) application scenarios. This helps reduce CPU utilization.

  • The failover feature is supported by the Enhanced Read-Only File System (EROFS) in on-demand load mode.

  • A semantics issue related to O_DIRECT and O_SYNC in the Ext4 file system is resolved. This issue has existed since the iomap framework was introduced. Within the iomap framework, the generic_write_sync() function is called to record the i_disksize parameter, but the iomap_dio_rw() function updates the i_disksize parameter only after generic_write_sync() has run, so the updated i_disksize value is not recorded. As a result, if an appending write is performed on a file, the written data cannot be read in the event of an unexpected disk power outage.

  • The eXtensible File System (XFS) file system supports delayed inode invalidation. This feature allows the system to offload reclaim tasks to background threads by adding the tasks to the kworker process. This reduces risks of system stutter due to deletion operations on applications.

  • The following FUSE-related features are supported:

    • Shared memory mapping (mmap) is supported when the cache parameter is set to none.

    • The dynamic switch of the strictlimit feature is supported. The strictlimit feature can be configured for the FUSE module, which may cause slow writeback or even stutter in specific scenarios. The issues can be dynamically resolved by using the sysfs knob switch.

  • The global lock competition in the kernel file system (kernfs) is optimized to reduce the impact of loadD increases due to concurrent access to the monitoring program.

  • Group identity-related features are supported.

  • The fine-grained preemptive priority is supported in group identity 2.0.

    • The smc_pnet feature is supported when Shared Memory Communications over Remote Direct Memory Access (SMC-R) and eRDMA are used.

    • To resolve the kernel crash issue, the reachability check is optimized in the scenario in which Shared Memory Communications (SMC) and eRDMA are used.

  • The CPU share scale calibration feature is added to group identity 2.0.

  • The force idled time metric is added to group identity 2.0.

  • The group identity feature is optimized to more efficiently control loads for the tasks that have different priorities.

  • The following basic group balancer features are supported:

    • In Registry Acceleration File System version 6 (RAFSv6) mode, the zero-length iovec parameter can be passed in.

    • In RAFSv6 mode, direct access (DAX) mapping can be reclaimed to prevent issues such as out of memory (OOM) errors and FUSE hangs.

    • Kconfig parameters can be configured to allow RAFSv6 only in secure container scenarios.

  • SMC-related features are supported or optimized.

  • virtio supports the timeout mechanism of control virtqueues (VQs) to prevent continuous high-load polling of VM CPUs due to unresponsive devices. The default timeout period is seven days.

  • The slab memory used by the out-of-tree (OOT) module can be isolated, which helps address the memory stomp issue of the OOT module.

  • The fast OOM feature is added to prevent long-term machine unresponsiveness caused by memory shortage in multi-core and large memory environments. This feature helps businesses increase the memory deployment density and improves the stability of online business that has high resource usage.

  • EROFS-related features are supported or optimized.

  • The XFS file system supports the fsdax, reflink, and dedupe features and is optimized for Tair instances that use Persistent Memory (PMEM) in several aspects, such as the improved continuity of snapshot source files, improved dirty page writeback efficiency, and removal of reverse B-tree mapping dependencies to reduce page fault latency.

  • The cgroup writeback feature is supported to resolve the issue that memory cgroups are not released for an extended period of time when the lazytime option is enabled. In a containerized deployment environment, this issue may cause the system to keep a large number of memory cgroups for an extended period of time, which occupies memory and can cause issues such as high CPU sys utilization when the system traverses cgroups.

  • I/O SLI parameters are added for the blkio subsystem of cgroup v2, including the wait time, service time, complete time, I/O queued, and bytes queued parameters.

  • In extreme cases, when 2-MB I/O requests are initiated, each bio_vec can contain only one 4-KB page. In kernel 5.10, I/O requests of up to 1 MB per request are supported, and the additional data-splitting logic may affect performance in specific scenarios.

  • The ABBA deadlock issue is resolved. This issue may occur when threads compete for locks when you configure the blk-iocost QoS feature.

  • The parameters of the tcmu_loop module become configurable, including can_queue, nr_hw_queues, cmd_per_lun, and sg_tablesize. When the backend device has high capabilities, properly increasing these parameters can significantly improve performance.

Image updates

  • Operating system images

    • The spec_rstack_overflow=off boot parameter is added.

    • The kfence.sample_interval=100 and kfence.booting_max=0-2G:0,2G-32G:2M,32G-:32M boot parameters are added.

    • The default net.ipv4.tcp_retries2 value is changed to 8.

    • The default net.ipv4.tcp_syn_retries value is changed to 4.

    • The classic-network Network Time Protocol (NTP) server configurations are removed.

  • Container images

    alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.2104U10

Fixed issues

  • Kernel issues

    • The following issue is fixed: The linked list is polluted when the credits_announce_work element is incorrectly scheduled in the SMC kernel module.

    • The following issue is fixed: The perf_cgroup_switch race issue occurs.

    • The following issue is fixed: Statistics about the queue other time may be negative in group identity 2.0.

    • The following issue is fixed: A cfs_rq runtime statistics issue occurs.

    • The following issue is fixed: The return value of cfs_rq->core may be NULL.

    • The following issue is fixed: The sound card-related driver (CONFIG_SND) cannot be enabled.

    • The following issue is fixed: Kernel Electric-Fence (KFENCE) causes kernel downtime when cgroup kmem statistics collection is enabled.

    • The issue related to repairing the Loongson architecture is fixed.

    • The following issue is fixed: The compression stability of EROFS is affected.

    • The following issue is fixed: The stability of EROFS over FS-Cache is affected.

    • The following issue is fixed: SMC-related stability is affected.

    • The following issue is fixed: If backing device info (BDI) uses the strictlimit feature and the BDI max_ratio value is 0%, writeback performance is degraded.

    • The following issue is fixed: Memory leaks occur in secure computing (seccomp).

    • The following issue is fixed: User operations may cause incorrect counts of ZERO_PAGE references.

    • The following issue is fixed: The memory of Target Core Module in Userspace (TCMU) may be recursively reclaimed.

    • The following issue is fixed: The kernel crashes when the IO Address Space ID (IOASID) subsystem migrates the threads of the kernel.

    • The following issue is fixed: Duplicate I/O statistics are collected when throttling rules are not configured.

    • The following issue is fixed: Hardware signals are unexpectedly hung when Phytium Tengyun S2500 processors frequently communicate with specific Baseboard Management Controller (BMC) chips within a short period of time.

    • The following issue is fixed: A kernel panic occurs when the group identity feature and the core scheduling feature are enabled.

    • The following issue is fixed: The bandwidth control efficiency is low when a large number of CPUs are used, because the Completely Fair Scheduler (CFS) bandwidth is controlled in synchronous mode instead of the expected asynchronous mode.

    • The following issue is fixed: The race condition may exist when the core scheduling algorithm (core sched) is disabled.

    • The following issue is fixed: Statistics about idle sibling (sibidle) threads are inaccurate when a large number of interrupt requests (IRQs) are initiated.

    • The following issue is fixed: The system stability is low. To resolve the issue, the patch for the most recent version of Non-Volatile Memory Express (NVMe) over Remote Direct Memory Access (RDMA) is backported.

    • The following issue is fixed: A deadlock occurs when nvme_reset and nvme_rescan are concurrently executed.

    • The following issue is fixed: The kernel crashes due to the use-after-free (UAF) vulnerability that occurs when the active-state power management (ASPM) of the Peripheral Component Interconnect Express (PCIe) driver is used.

    • The following issue is fixed: The screen flickers on a device equipped with the Phytium Tengyun S5000C processors and the ASPEED AST2600 graphics card.

    • The following issue is fixed: A scheduling deadlock occurs due to the warning message generated by the asynchronous unthrottling feature.

    • CVE-2023-52445

    • CVE-2023-6817

    • CVE-2024-0646

    • CVE-2023-20569

    • CVE-2023-51042

    • CVE-2023-6915

    • CVE-2023-6546

    • CVE-2022-38096

    • CVE-2024-0565

    • CVE-2024-26589

    • CVE-2024-23307

    • CVE-2024-22099

    • CVE-2024-24860

    • CVE-2024-1086

    • CVE-2023-51779

    • CVE-2024-26597

    • CVE-2024-24855

    • CVE-2023-52438

    • CVE-2023-4622

    • CVE-2023-6932

    • CVE-2023-20588

    • CVE-2023-5717

    • CVE-2023-6931

    • CVE-2023-28464

    • CVE-2023-39192

    • CVE-2023-6176

    • CVE-2023-45863

    • CVE-2023-5178

    • CVE-2023-45871

    • CVE-2023-4155

    • CVE-2023-20593

    • CVE-2023-3567

    • CVE-2023-3358

    • CVE-2023-0615

    • CVE-2023-31083

    • CVE-2023-4015

    • CVE-2023-42753

    • CVE-2023-4623

    • CVE-2023-4921

    • CVE-2023-2860

    • CVE-2023-1206

    • CVE-2023-3772

    • CVE-2023-42755

    • CVE-2023-3863

    • CVE-2022-3114

    • CVE-2023-31085

    • CVE-2023-4132

    • CVE-2022-3424

    • CVE-2022-3903

    • CVE-2022-45887

    • CVE-2023-3006

    • CVE-2023-42754

    • CVE-2023-0160

  • Image issues

    • The following issue is fixed: The names of the debuginfo repository may be different. To resolve this issue, a unified name of the debuginfo repository is used. You can run the dnf debuginfo-install <Package name> command to install the debuginfo package.

    • The following issue is fixed: The short active duration of the dnf-makecache service causes the service to affect the disks and network. To resolve this issue, the duration is extended from 1 hour to 1 day.

    • The following issue is fixed: The configurations of the virtio_blk module are stored in the initial RAM file system (initramfs). Because the virtio_blk module is in-tree in the kernel, the configurations of the virtio_blk module are removed from the initramfs.

  • Software package issues

    The following issue is fixed: The dnf command is unavailable due to the dnf-plugin-releasever-adapter issue.

Alibaba Cloud Linux 3.2104 U9.1

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.2104 U9.1

aliyun_3_x64_20G_alibase_20240528.vhd

2024-05-28

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-16.3.al8.x86_64.

  • Updates: For more information, see the Updates section of this topic.

aliyun_3_arm64_20G_alibase_20240528.vhd

2024-05-28

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-16.3.al8.aarch64.

  • Updates: For more information, see the Updates section of this topic.

Updates

Security updates

Software package name

CVE ID

Software package version

kernel

  • CVE-2024-22099

  • CVE-2024-24860

  • CVE-2024-1086

  • CVE-2023-51779

  • CVE-2024-26597

  • CVE-2024-24855

  • CVE-2023-52438

  • CVE-2023-4622

  • CVE-2023-6932

  • CVE-2023-20588

  • CVE-2023-5717

  • CVE-2023-6931

  • CVE-2023-28464

  • CVE-2023-39192

  • CVE-2023-6176

  • CVE-2023-45863

  • CVE-2023-5178

  • CVE-2023-45871

5.10.134-16.3.al8

bind

CVE-2022-3094

9.11.36-11.0.1.al8

buildah

  • CVE-2023-25173

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2022-41723

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-29400

1.31.3-1.al8

dnsmasq

CVE-2023-28450

2.79-31.0.1.al8

edk2-20220126gitbb1bba3d77

CVE-2019-14560

6.0.2.al8

frr

  • CVE-2023-38406

  • CVE-2023-38407

  • CVE-2023-47235

  • CVE-2023-47234

7.5.1-16.0.2.al8

grafana

  • CVE-2023-3128

  • CVE-2023-39325

  • CVE-2023-44487

9.2.10-7.0.1.al8

grafana

CVE-2024-1394

9.2.10-7.0.1.al8

grafana-pcp

5.1.1-1.0.1.al8

gstreamer1-plugins-bad-free

CVE-2023-44429

1.22.1-2.0.1.al8

tigervnc

CVE-2023-44446

1.13.1-2.al8

unbound

  • CVE-2023-50387

  • CVE-2023-50868

1.16.2-6.al8

webkit2gtk3

CVE-2023-42917

2.40.5-1.0.2.al8.1

glibc

CVE-2024-2961

2.32-1.16.al8

python2-setuptools

CVE-2022-40897

39.0.1-13.1.module+al8+9+77049424

Software package updates

Software package name    Version
cloud-init               23.2.2
container-selinux        2.229.0
ethtool                  6.6
iproute                  6.2.0
iptables                 1.8.5
keentuned                2.4.0
keentune-target          2.4.0
rng-tools                6.16
sssd                     2.9.1
sudo                     1.9.5p2
sysak                    2.4.0

Important updates

  • Kernel updates

    • The kernel is updated to version 5.10.134-16.3.al8.

    • The smc_pnet feature is supported when SMC-R and eRDMA are used.

    • HWDRC is supported to control RDT-based dynamic memory bandwidth. Compared with the predecessor, HWDRC can control resources, such as memory bandwidth and cache, in a more precise manner.

    • The group identity feature is optimized to more efficiently control loads for the tasks that have different priorities.

  • New software package features

    • aliyun-cli is updated to version 3.0.204, which can be installed or updated by using a yum or dnf command.

    • cloud-init is updated to version 23.2.2 to support access to instance metadata in security hardening mode.

    • ethtool is updated to version 6.6 to support the Content Management Interoperability Services (CMIS) standard.

    • System Analyse Kit (SysAK) is updated to version 2.4.0. In the new version, the diagnostics feature is optimized, the node monitoring feature is provided, the SysOM observability feature on the node side is optimized, and specific bugs are fixed.

    • KeenTune is updated to version 2.4.0.

Image updates

  • Container images

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.9.1

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest

      Note

      After a new version is released, you can no longer specify the latest parameter to obtain version 3.9.1 of images.

  • VM images

    If the boot mode of an image is UEFI-Preferred, the image can be started in Legacy BIOS or Unified Extensible Firmware Interface (UEFI) boot mode.

Fixed issues

  • Kernel issues

    • The following issue is fixed: The compression stability of EROFS is affected.

    • The following issue is fixed: The stability of EROFS over FS-Cache is affected.

    • The following issue is fixed: SMC-related stability is affected.

    • The following issue is fixed: If BDI uses the strictlimit feature and the BDI max_ratio value is 0%, writeback performance is degraded.

    • The following issue is fixed: Memory leaks occur in secure computing (seccomp).

    • The following issue is fixed: User operations may cause incorrect counts of ZERO_PAGE references.

    • The following issue is fixed: The memory of TCMU may be recursively reclaimed.

    • The following issue is fixed: The kernel crashes when the IOASID subsystem migrates the threads of the kernel.

    • The following issue is fixed: Duplicate I/O statistics are collected when throttling rules are not configured.

    • The following issue is fixed: Hardware signals are unexpectedly hung when Phytium Tengyun S2500 processors frequently communicate with specific BMC chips within a short period of time.

    • The following issue is fixed: A kernel panic occurs when the group identity feature and the core scheduling feature are enabled.

    • The following issue is fixed: The bandwidth control efficiency is low when a large number of CPUs are used, because the CFS bandwidth is controlled in synchronous mode instead of the expected asynchronous mode.

    • The following issue is fixed: The race condition may exist when the core scheduling algorithm is disabled.

    • The following issue is fixed: Statistics about idle sibling (sibidle) threads are inaccurate when a large number of IRQs are initiated.

  • Image issues

    The following issue is fixed: The image of an instance does not take effect after a different kernel version is installed on the image and the instance is restarted.

2023

Alibaba Cloud Linux 3.2104 U9

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.2104 U9

aliyun_3_9_x64_20G_alibase_20231219.vhd

2023-12-19

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-16.1.al8.x86_64.

  • Updates: For more information, see the Updates section of this topic.

aliyun_3_9_arm64_20G_alibase_20231219.vhd

2023-12-19

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-16.1.al8.aarch64.

  • Updates: For more information, see the Updates section of this topic.

aliyun_3_9_x64_20G_uefi_alibase_20231219.vhd

2023-12-19

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-16.1.al8.x86_64.

  • Updates: For more information, see the Updates section of this topic.

Updates

Security updates

Software package name

CVE ID

Software package version

kernel

  • CVE-2022-3108

  • CVE-2022-3114

  • CVE-2022-3424

  • CVE-2022-36280

  • CVE-2022-3903

  • CVE-2022-39188

  • CVE-2022-41850

  • CVE-2022-42432

  • CVE-2022-4379

  • CVE-2022-4382

  • CVE-2022-45887

  • CVE-2023-0045

  • CVE-2023-0160

  • CVE-2023-0458

  • CVE-2023-0459

  • CVE-2023-0615

  • CVE-2023-1078

  • CVE-2023-1206

  • CVE-2023-1382

  • CVE-2023-1670

  • CVE-2023-1829

  • CVE-2023-1855

  • CVE-2023-1859

  • CVE-2023-1989

  • CVE-2023-1990

  • CVE-2023-2002

  • CVE-2023-2006

  • CVE-2023-20569

  • CVE-2023-20593

  • CVE-2023-20928

  • CVE-2023-20938

  • CVE-2023-2124

  • CVE-2023-2156

  • CVE-2023-2162

  • CVE-2023-2177

  • CVE-2023-2194

  • CVE-2023-22995

  • CVE-2023-2483

  • CVE-2023-26607

  • CVE-2023-28327

  • CVE-2023-2860

  • CVE-2023-2985

  • CVE-2023-3006

  • CVE-2023-30772

  • CVE-2023-3090

  • CVE-2023-31083

  • CVE-2023-31084

  • CVE-2023-31085

  • CVE-2023-3111

  • CVE-2023-3117

  • CVE-2023-31248

  • CVE-2023-3161

  • CVE-2023-3212

  • CVE-2023-3220

  • CVE-2023-32269

  • CVE-2023-3268

  • CVE-2023-33288

  • CVE-2023-3358

  • CVE-2023-35001

  • CVE-2023-3567

  • CVE-2023-35788

  • CVE-2023-35823

  • CVE-2023-35824

  • CVE-2023-35825

  • CVE-2023-35828

  • CVE-2023-35829

  • CVE-2023-3609

  • CVE-2023-3610

  • CVE-2023-3611

  • CVE-2023-3772

  • CVE-2023-3773

  • CVE-2023-3776

  • CVE-2023-3812

  • CVE-2023-3863

  • CVE-2023-4004

  • CVE-2023-4015

  • CVE-2023-40283

  • CVE-2023-4128

  • CVE-2023-4132

  • CVE-2023-4147

  • CVE-2023-4155

  • CVE-2023-42753

  • CVE-2023-42754

  • CVE-2023-42755

  • CVE-2023-4563

  • CVE-2023-4623

  • CVE-2023-4921

5.10.134-16.1.al8

java-1.8.0-openjdk

  • CVE-2022-40433

  • CVE-2023-22067

  • CVE-2023-22081

1.8.0.392.b08-4.0.3.al8

java-11-openjdk

CVE-2023-22081

11.0.21.0.9-2.0.3.al8

mariadb

  • CVE-2022-32081

  • CVE-2022-32082

  • CVE-2022-32084

  • CVE-2022-32089

  • CVE-2022-32091

  • CVE-2022-38791

  • CVE-2022-47015

  • CVE-2023-5157

10.5.22-1.0.1.al8

open-vm-tools

  • CVE-2023-34058

  • CVE-2023-34059

12.2.5-3.al8.1

bind

CVE-2023-3341

9.11.36-8.al8.2

dmidecode-doc

CVE-2023-30630

3.3-5.0.2.al8

frr

CVE-2023-38802

7.5.1-8.0.1.al8

ghostscript

  • CVE-2023-28879

  • CVE-2023-38559

  • CVE-2023-4042

  • CVE-2023-43115

9.54.0-14.al8

glibc

CVE-2023-4911

2.32-1.12.al8

grafana

  • CVE-2023-39325

  • CVE-2023-44487

7.5.15-5.0.1

libvpx

  • CVE-2023-44488

  • CVE-2023-5217

1.7.0-10.0.1.al8

linux-firmware

CVE-2023-20593

20230404-117.git2e92a49f.al8

ncurses

CVE-2023-29491

6.1-10.20180224.0.1.al8

nghttp2

CVE-2023-44487

1.33.0-4.0.1.al8.1

  • qemu-kvm

  • seabios

  • CVE-2022-40284

  • CVE-2023-3354

  • 6.2.0-33.0.2.al8

  • 1.16.0-4.al8

tracker-miners

CVE-2023-5557

3.1.2-4.0.1.al8

Software package updates

Software package name    Version
ca-certificates          2023.2.60_v7.0.306
firewalld                0.9.11
java-1.8.0-openjdk       1.8.0.392.b08
java-11-openjdk          11.0.21.0.9
libbpf                   0.6.0
lz4                      1.9.4
mariadb                  10.5.22
nmstate                  2.2.15
nspr                     4.35.0
nss                      3.90.0
open-vm-tools            12.2.5
openscap                 1.3.8
scap-security-guide      0.1.69
sos                      4.6.0
xz                       5.4.4

Important updates

Kernel updates

  • New features

    • Core scheduling is supported.

      The core scheduling security feature that is released by the upstream community is backported. This feature allows only trusted processes in the same group to run on the hyperthreads of the same physical core. This feature is incompatible with the group identity feature. Do not enable both features at the same time. By default, this feature is disabled. To enable this feature, run the sysctl -w kernel.sched_core=1 command.

    • The extended Berkeley Packet Filter (eBPF) trampoline feature is supported on the Arm 64-bit architecture.

      The eBPF trampoline feature is backported on the Arm 64-bit architecture to support the BPF struct_ops feature. The BPF fentry series features are unavailable because they are not backported on the Arm 64-bit architecture.

    • The Multi-Generational Least Recently Used (MGLRU) feature is supported.

      The MGLRU feature supports memory page reclaim with improved performance. This way, the speed and accuracy of memory reclaim in big data scenarios are increased, and E2E performance is improved.

    • Batch translation lookaside buffer (TLB) flushing is supported.

      The batch migration feature uses batch TLB flushing and page copying during memory page migration to improve the performance of kernel page migration operations.

      The current batch migration feature is a refactored version that is optimized from the previous version in the kernel based on the upstream code. Main changes: The batch_migrate parameter is removed from cmdline, the /sys/kernel/mm/migrate/batch_migrate_enabled interface is removed, and batch migration becomes the default configuration used during page migration.

      The /sys/kernel/mm/migrate/dma_migration_min_pages interface is added. Default value: 32. This interface applies only to scenarios where the Direct Memory Access (DMA) page copy feature is enabled. The DMA page copy feature is used only when the /sys/kernel/mm/migrate/dma_migrate_enabled parameter is set to enabled and the number of migrate pages reaches the /sys/kernel/mm/migrate/dma_migration_min_pages value.

    • The cachestat feature is backported.

      The cachestat system call is introduced in the kernel. This allows you to view detailed page cache statistics about a specific file.

    • Arm 64 kernel-mode Reliability, Availability, and Serviceability (RAS) events are enhanced.

      Recovery from RAS errors is supported in different scenarios, such as copy_{from/to}_user, {get/put}_user, copy-on-write (COW), and pagecache read.

    • The in-house Shared Memory Communication-Direct Memory Access (SMC-D) loopback feature is supported.

      The SMC-D loopback feature is introduced to accelerate TCP communication between local processes and between containers.

    • The in-house page table binding feature is supported and provides cross-die statistics on page tables.

      The ability of binding page tables to cores is provided to allocate the page tables of QoS-sensitive services to the current Non-Uniform Memory Access (NUMA) node as much as possible when the memory is insufficient. This feature helps reduce the memory access latency and implement more efficient memory access.

    • The in-house duptext feature is enhanced.

      An asynchronous task can be used to make another attempt if multiple copies of the code do not take effect on process startup. The memory.duptext_nodes kernel interface is added to limit the duptext memory allocation nodes.

    • The in-house KFENCE enhancements are added.

      • The in-house KFENCE enhancement feature is added on the Arm 64-bit architecture. This feature can flexibly and dynamically enable or disable KFENCE to fully capture memory pollution problems. This facilitates online detection and offline debugging.

      • The immediate downtime feature is added to trigger downtime as soon as a memory issue is detected, to help developers better analyze problems in a debugging environment. You can enable this feature by adding kfence.fault=panic to the boot cmdline or by running the echo panic > /sys/module/kfence/parameters/fault command. The default value is report, which indicates that the system only displays logs without downtime.

    • The in-house control interface is provided for memcg Transparent Huge Pages (THPs).

      The memcg THP control interface is used to prohibit the application of a specific memcg THP.

    • The in-house Assess CPU (ACPU) is supported.

      The ACPU can count the peer HT idle time of a task during the runtime and provide per-cgroup statistics, which can be used to evaluate the hardware resource competition on shared CPUs during the task runtime.

    • The in-house HT-aware-quota feature is supported.

      The computing power stabilization solution based on CFS bandwidth control and core scheduling can calibrate quotas by checking whether the HT peer is idle in hybrid deployment scenarios. This way, tasks can obtain relatively stable computing power in each scheduling cycle. The solution is suitable for compute-intensive tasks.

    • In-house group identity 2.0 is supported.

      The SCHED_IDLE feature is provided for cgroups. You can set the cpu.idle property of a cgroup to use the SCHED_IDLE scheduling policy for the cgroup. This feature is suitable for batch management of offline tasks.

  • Behavior changes

    • The module signature feature is added.

      Signatures are added to kernel modules to help developers identify and reject unsigned kernel modules.

    • By default, mitigations for the Spectre-BHB and Variant 4 vulnerabilities are disabled on the Arm 64-bit architecture.

      The Spectre-BHB and Variant 4 vulnerabilities are fixed when you fix the Spectre V2 vulnerability, disable the unprivileged eBPF or Site Isolation technology, or disable the SharedArrayBuffer object. You do not need to separately fix the Spectre-BHB and Variant 4 vulnerabilities. By default, on the Arm 64-bit architecture, the nospectre_bhb ssbd=force-off parameter is added to cmdline to disable mitigations for the Spectre-BHB and Variant 4 vulnerabilities to improve performance.

    • Trust Domain Extensions (TDX) guest-related configurations are added to support TDX confidential VM scenarios.
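These release notes name several boot parameters that the images set by default: spec_rstack_overflow=off and the kfence.* parameters under Image updates, and nospectre_bhb ssbd=force-off on the Arm 64-bit architecture. The following script is an added example, not Alibaba Cloud code, that audits a kernel command line for those parameters and reads the kernel-reported mitigation state. The function names and the sample command lines are constructed for illustration; the sysfs directory is the standard Linux location for vulnerability status.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud code): audit a kernel command line for the
# boot parameters named in these release notes.

# audit_cmdline CMDLINE
# Prints one "CLASS PARAM" line per parameter of interest:
#   MITIGATION_OFF  the parameter switches a CPU-vulnerability mitigation off
#   KFENCE          the parameter tunes KFENCE sampling, pool size or fault action
audit_cmdline() (
    set -f    # word-split the command line without glob expansion
    for tok in $1; do
        case "$tok" in
            spec_rstack_overflow=off)        # SRSO (CVE-2023-20569) mitigation disabled
                echo "MITIGATION_OFF $tok" ;;
            nospectre_bhb|ssbd=force-off)    # Arm: Spectre-BHB / Variant 4 mitigations disabled
                echo "MITIGATION_OFF $tok" ;;
            kfence.sample_interval=*|kfence.booting_max=*|kfence.fault=*)
                echo "KFENCE $tok" ;;
        esac
    done
)

# count_mitigations_off CMDLINE
# Prints how many MITIGATION_OFF findings the command line contains.
count_mitigations_off() {
    audit_cmdline "$1" | {
        n=0
        while read -r class rest; do
            if [ "$class" = MITIGATION_OFF ]; then n=$((n + 1)); fi
        done
        echo "$n"
    }
}

# report_sysfs [DIR]
# Prints the kernel's own view of the related vulnerabilities, if exposed.
report_sysfs() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for name in spec_rstack_overflow spectre_v2 spec_store_bypass; do
        if [ -r "$dir/$name" ]; then
            read -r state < "$dir/$name" || true
            echo "$name: $state"
        fi
    done
}

# Constructed sample command lines (not captured from a real instance).
SAMPLE_X86='root=UUID=constructed ro spec_rstack_overflow=off kfence.sample_interval=100 kfence.booting_max=0-2G:0,2G-32G:2M,32G-:32M'
SAMPLE_ARM64='root=UUID=constructed ro nospectre_bhb ssbd=force-off'

echo "== constructed x86 sample =="
audit_cmdline "$SAMPLE_X86"
echo "== constructed Arm sample =="
audit_cmdline "$SAMPLE_ARM64"

# On a real instance, audit the live command line and compare with sysfs.
if [ -r /proc/cmdline ]; then
    read -r live < /proc/cmdline || true
    echo "== this host =="
    audit_cmdline "$live"
    echo "mitigations switched off on the command line: $(count_mitigations_off "$live")"
    report_sysfs
fi
```

If a workload runs untrusted code or shares cores across tenants, a non-zero count is the cue to review whether the performance-oriented defaults are acceptable for that instance.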

New software package features

  • Provision of erofs-utils-1.7.1 by using software repositories

    The erofs-utils tool is used to create, check, and compress EROFS. This tool supports compression algorithms such as LZ4, Lempel–Ziv–Markov chain algorithm (LZMA), and DEFLATE, and supports tar-to-erofs format conversion.

  • Provision of stress-ng-0.15.00 by using software repositories

  • Provision of alibaba-cloud-compiler-13.0.1.4 by using software repositories

    Alibaba Cloud Compiler is a C/C++ compiler developed by Alibaba Cloud based on the open source version from the Clang/LLVM-13 community. Alibaba Cloud Compiler inherits all options and parameters supported in the open source version. In addition, Alibaba Cloud Compiler is deeply optimized based on the Alibaba Cloud infrastructure and provides unique features and optimizations to make the C/C++ compiler better for Alibaba Cloud users.

  • glibc is patched to support GB18030-2022 coding.

  • Dragonwell17 is updated to 17.0.9.0.10.9. In the just-in-time compilation (JIT) compiler, inlining performance is improved, and the judgment logic of inline based on the number of absolute calls is removed.

  • Dragonwell8 is updated to 8.15.16.372. Multiple coroutines can wait for the read and write events of the same socket, and bugs in the okhttp scenario are fixed.

  • Provision of plugsched-1.3 by using software repositories

    Plugsched is an SDK that supports the live update of the Linux kernel scheduler. Plugsched is intended for kernel scheduler developers. You can install plugsched to develop scheduler modules.

  • SysAK is updated to 2.2.0. The application observation feature is added to support the metric observation and diagnostics of MySQL and Java applications. The metrics related to container monitoring and cluster monitoring are added. The local monitoring feature is added.

  • KeenTune is updated to version 2.3.0. x264/265-related scripts are updated to support the latest FFmpeg. The issue of binding errors of Transmit Packet Steering (XPS) and Receive Packet Steering (RPS) is fixed. The default eRDMA settings in the profile are updated.

  • The software chain of the Intel QuickAssist (QAT), Dynamic Load Balancer (DLB), and In-Memory Analytics Accelerator (IAA) is updated. The QAT driver bug is fixed. The DLB driver is upgraded. User-mode bugfixes are added in QAT and IAA. The centralized memory management solution for user-mode DMA of accelerators across architectures is added.

  • Shared Memory Communications (SMC) tools are updated. The smc-ebpf command is added to control the effective range of smc_run based on the port granularity. The control mode supports blacklists, whitelists, and intelligent scheduling.

Fixed issues

  • The following issue is fixed: If RPM packages such as kernel-modules-extra and kernel-modules-internal are not automatically installed when the kernel is updated, the netfilter-related features are unavailable.

  • The following issue is fixed: The /proc/sys/kernel/sched_group_identity_enabled interface sometimes fails to shut down because the group identity reference count is incorrect during cgroup creation or deletion.

Image updates

  • Container images

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.9

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest

      Note

      After a new version is released, you can no longer use the latest tag to obtain version 3.9 of the image.

  • VM images

    • By default, the rpmdb format is switched to the sqlite format.

    • By default, the KeenTune service is installed and disabled.

    • By default, the NFS-server service is disabled.

Known issues

  • The kdump service may fail to work as expected on ecs.g6r.large instances due to the memory size. You can adjust the crashkernel parameter, for example to 0M-2G:0M,2G-128G:256M,128G-:384M, to prevent the kdump service failure.

  • In Network File System Version 3 (NFSv3) file systems, the S (setuid/setgid) permission can be set on files. In special cases, after the owner of a file is changed, the S permission of the owning group (setgid) is lost.

    The fix for this issue is 2d8ae8c417db ("nfsd: use vfs setgid helper"). However, the helper function that the fix requires differs greatly from the code in kernel version 5.10. This issue is not fixed.

  • After you replace TCP with SMC, the netperf test may exit unexpectedly.

    SMC uses a fixed-size ring buffer, and the remaining space in the ring buffer may be less than the amount of data passed to send(). In this case, SMC returns the number of bytes that could be sent, which is generally less than the amount that the user specified in send(). netperf treats this behavior as abnormal and exits. The upstream maintainers recommend keeping the existing design to avoid stalled connections. This issue is not fixed.
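The value quoted in the kdump item above uses the range syntax of the kernel's crashkernel= boot parameter: a range:size pair applies when total RAM is at least the range start and below the range end. The following sketch is an added example, not part of the release notes, and its function names are hypothetical; it resolves such a value for a given RAM size and shows that the quoted value reserves nothing below 2 GiB.

```shell
#!/bin/sh
# Added example (not from the release notes): resolve a crashkernel=<range>:<size>,...
# value for a given amount of RAM. Function names are hypothetical.
# Assumption: RAM is the total physical memory the kernel detects at boot,
# which can differ from MemTotal in /proc/meminfo.

# to_bytes 256M -> 268435456. Only K/M/G suffixes are handled (powers of 1024).
to_bytes() {
    num=${1%[KkMmGg]}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $1 in
        *[Kk]) echo $(( $num * 1024 )) ;;
        *[Mm]) echo $(( $num * 1024 * 1024 )) ;;
        *[Gg]) echo $(( $num * 1024 * 1024 * 1024 )) ;;
        *)     echo "$num" ;;
    esac
}

# crashkernel_bytes RAM SPEC
# Prints the number of bytes reserved for the crash kernel (0 = nothing reserved,
# so kdump cannot load a capture kernel). Returns 2 on a syntax error.
crashkernel_bytes() {
    ram=$(to_bytes "$1") || return 2
    spec=${2#crashkernel=}
    spec=${spec%%@*}                       # an optional @offset does not change the size
    case $spec in
        *:*) ;;
        *)   to_bytes "$spec" || return 2  # simple form: crashkernel=size
             return 0 ;;
    esac
    rest=$spec
    while [ -n "$rest" ]; do
        entry=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        case $entry in *-*:*) ;; *) return 2 ;; esac
        range=${entry%%:*}
        start=$(to_bytes "${range%%-*}") || return 2
        size=$(to_bytes "${entry#*:}") || return 2
        end_tok=${range#*-}
        if [ -n "$end_tok" ]; then          # an empty end means "no upper bound"
            end=$(to_bytes "$end_tok") || return 2
            [ "$end" -gt "$start" ] || return 2
            [ "$ram" -lt "$end" ] || continue   # the end of a range is exclusive
        fi
        if [ "$ram" -ge "$start" ]; then    # the start of a range is inclusive
            echo "$size"
            return 0
        fi
    done
    echo 0                                  # no range matched: nothing is reserved
}

# Value quoted in the release note; the RAM sizes below are constructed samples.
SPEC='0M-2G:0M,2G-128G:256M,128G-:384M'
for r in 1G 2G 8G 128G; do
    printf '%-5s -> %s bytes reserved\n' "$r" "$(crashkernel_bytes "$r" "$SPEC")"
done
```

After changing the boot parameter and rebooting, compare the result with the value in /sys/kernel/kexec_crash_size.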

Alibaba Cloud Linux 3.2104 U8

| Version | Image ID | Release date | Description |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 3.2104 U8 | aliyun_3_arm64_20G_alibase_20230731.vhd | 2023-07-31 | The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-15.al8.aarch64. Updates: For more information, see the Updates section of this topic. |
| Alibaba Cloud Linux 3.2104 U8 | aliyun_3_x64_20G_alibase_20230727.vhd | 2023-07-27 | The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-15.al8.x86_64. Updates: For more information, see the Updates section of this topic. |
| Alibaba Cloud Linux 3.2104 U8 | aliyun_3_x64_20G_qboot_alibase_20230727.vhd | 2023-07-27 | The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is released. This image is derived from the aliyun_3_x64_20G_alibase_20230727.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image. The kernel is updated to version 5.10.134-15.al8.x86_64. |
| Alibaba Cloud Linux 3.2104 U8 | aliyun_3_x64_20G_uefi_alibase_20230727.vhd | 2023-07-27 | The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions. This image is derived from the aliyun_3_x64_20G_alibase_20230727.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image. The boot mode is changed to UEFI, and only the UEFI mode is supported. The kernel is updated to version 5.10.134-15.al8.x86_64. |

Updates

Security updates

| Software package name | CVE ID | Software package version |
| --- | --- | --- |
| ctags | CVE-2022-4515 | 5.8-23.0.1.al8 |
| gssntlmssp | CVE-2023-25563, CVE-2023-25564, CVE-2023-25565, CVE-2023-25566, CVE-2023-25567 | 1.2.0-1.0.1.al8 |
| libtar | CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646 | 1.2.20-17.0.1.al8 |
| device-mapper-multipath | CVE-2022-41973 | 0.8.4-37.0.1.al8 |
| postgresql-jdbc | CVE-2022-41946 | 42.2.14-2.al8 |
| freerdp | CVE-2022-39282, CVE-2022-39283, CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319, CVE-2022-39320, CVE-2022-39347, CVE-2022-41877 | 2.2.0-10.0.1.al8 |
| tigervnc | CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344 | 1.12.0-15.al8 |
| xorg-x11-server | CVE-2022-3550, CVE-2022-3551, CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344, CVE-2023-0494 | 1.20.11-15.0.1.al8 |
| poppler | CVE-2022-38784 | 20.11.0-6.0.1.al8 |
| wayland | CVE-2021-3782 | 1.21.0-1.al8 |
| net-snmp | CVE-2022-44792, CVE-2022-44793 | 5.8-27.0.1.al8 |
| dhcp | CVE-2022-2928, CVE-2022-2929 | 4.3.6-49.0.1.al8 |
| python-mako | CVE-2022-40023 | 1.0.6-14.al8 |
| curl | CVE-2023-27535 | 7.61.1-30.0.2.al8.2 |
| go-toolset, golang | CVE-2023-29402, CVE-2023-29403, CVE-2023-29404, CVE-2023-29405 | 1.19.10-1.al8, 1.19.10-1.0.1.al8 |
| dnsmasq | CVE-2023-28450 | 2.79-27.al8 |
| qt5 | CVE-2022-25255 | 5.15.3-1.0.1.al8 |
| autotrace | CVE-2022-32323 | 0.31.1-55.al8 |
| bind | CVE-2023-2828 | 9.11.36-8.al8.1 |
| libnbd, libtpms, libvirt, nbdkit, qemu-kvm, supermin, virt-v2v | CVE-2021-46790, CVE-2022-3165, CVE-2022-30784, CVE-2022-30786, CVE-2022-30788, CVE-2022-30789, CVE-2023-1018 | libnbd-1.6.0-5.0.1.al8, libtpms-0.9.1-2.20211126git1ff6fe1f43.al8, libvirt-8.0.0-20.al8, nbdkit-1.24.0-5.al8, qemu-kvm-6.2.0-32.0.1.al8, supermin-5.2.1-2.0.2.al8, virt-v2v-1.42.0-22.al8 |
| mysql | CVE-2022-21594, CVE-2022-21599, CVE-2022-21604, CVE-2022-21608, CVE-2022-21611, CVE-2022-21617, CVE-2022-21625, CVE-2022-21632, CVE-2022-21633, CVE-2022-21637, CVE-2022-21640, CVE-2022-39400, CVE-2022-39408, CVE-2022-39410, CVE-2023-21836, CVE-2023-21863, CVE-2023-21864, CVE-2023-21865, CVE-2023-21867, CVE-2023-21868, CVE-2023-21869, CVE-2023-21870, CVE-2023-21871, CVE-2023-21873, CVE-2023-21874, CVE-2023-21875, CVE-2023-21876, CVE-2023-21877, CVE-2023-21878, CVE-2023-21879, CVE-2023-21880, CVE-2023-21881, CVE-2023-21882, CVE-2023-21883, CVE-2023-21887, CVE-2023-21912, CVE-2023-21917 | 8.0.32-1.0.2.al8 |
| ruby | CVE-2021-33621, CVE-2023-28755, CVE-2023-28756 | 2.7.8-139.0.1.al8 |
| kernel | CVE-2021-33061, CVE-2021-3759, CVE-2022-3606, CVE-2022-36280, CVE-2022-3707, CVE-2022-39188, CVE-2022-4095, CVE-2022-41849, CVE-2022-42432, CVE-2022-4379, CVE-2022-4382, CVE-2022-4662, CVE-2022-4744, CVE-2022-47521, CVE-2022-47929, CVE-2023-0045, CVE-2023-0386, CVE-2023-0458, CVE-2023-0459, CVE-2023-0461, CVE-2023-0590, CVE-2023-0597, CVE-2023-1073, CVE-2023-1074, CVE-2023-1075, CVE-2023-1076, CVE-2023-1077, CVE-2023-1078, CVE-2023-1079, CVE-2023-1095, CVE-2023-1118, CVE-2023-1281, CVE-2023-1380, CVE-2023-1382, CVE-2023-1611, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-1859, CVE-2023-1989, CVE-2023-1990, CVE-2023-2002, CVE-2023-20928, CVE-2023-20938, CVE-2023-2124, CVE-2023-2162, CVE-2023-2177, CVE-2023-2194, CVE-2023-2269, CVE-2023-22995, CVE-2023-23000, CVE-2023-23004, CVE-2023-2483, CVE-2023-25012, CVE-2023-26545, CVE-2023-26607, CVE-2023-28327, CVE-2023-28466, CVE-2023-2985, CVE-2023-30456, CVE-2023-30772, CVE-2023-3117, CVE-2023-31248, CVE-2023-31436, CVE-2023-3220, CVE-2023-32233, CVE-2023-32269, CVE-2023-3268, CVE-2023-33288, CVE-2023-35001, CVE-2023-35788, CVE-2023-35825 | 5.10.134-15.al8 |
| webkit2gtk3 | CVE-2023-32435, CVE-2023-32439 | 2.38.5-1.0.1.al8.5 |
| libssh | CVE-2023-1667, CVE-2023-2283 | 0.9.6-7.al8 |
| open-vm-tools | CVE-2023-20867 | 12.1.5-2.al8 |
| grafana | CVE-2022-2880, CVE-2022-27664, CVE-2022-39229, CVE-2022-41715 | 7.5.15-4.0.2.al8 |
| grafana-pcp | CVE-2022-27664 | 3.2.0-3.0.1.al8 |
| frr | CVE-2022-37032 | 7.5.1-7.0.1.al8 |
| sqlite | CVE-2020-24736 | 3.26.0-18.al8 |
| git-lfs | CVE-2022-2880, CVE-2022-41715, CVE-2022-41717 | 3.2.0-2.0.1.al8 |
| sysstat | CVE-2022-39377 | 11.7.3-9.0.1.al8 |
| python3 | CVE-2023-24329 | 3.6.8-51.0.1.al8.1 |
| c-ares | CVE-2023-32067 | 1.13.0-6.al8.2 |
| cups-filters | CVE-2023-24805 | 1.20.0-29.0.1.al8.2 |
| webkit2gtk3 | CVE-2023-28204, CVE-2023-32373 | 2.38.5-1.0.1.al8.4 |
| delve, go-toolset, golang | CVE-2023-24540 | delve-1.9.1-1.0.1.al8, go-toolset-1.19.9-1.al8, golang-1.19.9-1.0.1.al8 |
| kernel | CVE-2022-47929, CVE-2023-0386, CVE-2023-1075, CVE-2023-1380, CVE-2023-26545, CVE-2023-28466, CVE-2023-30456, CVE-2023-32233 | 5.10.134-14.1.al8 |
| git | CVE-2023-22490, CVE-2023-23946, CVE-2023-25652, CVE-2023-25815, CVE-2023-29007 | 2.39.3-1.1.al8 |
| apr-util | CVE-2022-25147 | 1.6.1-6.2.al8.1 |
| webkit2gtk3 | CVE-2023-2203 | 2.38.5-1.0.1.al8.3 |
| edk2 | CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286 | 20220126gitbb1bba3d77-4.al8 |
| mingw-expat | CVE-2022-40674 | 2.4.8-2.al8 |

Software package updates

| Software package name | Version |
| --- | --- |
| at | at-3.1.20-12.0.1.al8 |
| audit | audit-3.0.7-2.0.1.al8.2 |
| authselect | authselect-1.2.6-1.al8 |
| bind | bind-9.11.36-8.al8.1 |
| checkpolicy | checkpolicy-2.9-1.2.al8 |
| cloud-utils-growpart | cloud-utils-growpart-0.33-0.0.1.al8 |
| container-selinux | container-selinux-2.189.0-1.al8 |
| coreutils | coreutils-8.30-13.al8 |
| crypto-policies | crypto-policies-20221215-1.gitece0092.al8 |
| cups | cups-2.2.6-51.0.1.al8 |
| dbus | dbus-1.12.8-24.0.1.al8 |
| ding-libs | ding-libs-0.6.1-40.al8 |
| dnf | dnf-4.7.0-16.0.1.al8 |
| dnf-plugins-core | dnf-plugins-core-4.0.21-14.1.al8 |
| dracut | dracut-049-223.git20230119.al8 |
| elfutils | elfutils-0.188-3.0.1.al8 |
| emacs | emacs-27.2-8.0.3.al8.1 |
| expat | expat-2.2.5-11.al8 |
| file | file-5.33-24.al8 |
| freetype | freetype-2.10.4-9.al8 |
| fuse | fuse-2.9.7-16.al8 |
| gmp | gmp-6.2.0-10.0.1.al8 |
| gnupg2 | gnupg2-2.2.20-3.al8 |
| graphite2 | graphite2-1.3.10-10.2.al8 |
| grub2 | grub2-2.02-148.0.1.al8 |
| harfbuzz | harfbuzz-1.7.5-3.2.al8 |
| hwdata | hwdata-0.314-8.16.al8 |
| iproute | iproute-5.18.0-1.al8 |
| iptables | iptables-1.8.4-24.0.1.al8 |
| kernel | kernel-5.10.134-15.al8 |
| kernel-hotfix-13383560-5.10.134-15 | kernel-hotfix-13383560-5.10.134-15-1.0-20230724161633.al8 |
| kexec-tools | kexec-tools-2.0.25-5.0.1.al8 |
| kmod | kmod-25-19.0.2.al8 |
| kpatch | kpatch-0.9.7-2.0.1.al8 |
| libarchive | libarchive-3.5.3-4.al8 |
| libffi | libffi-3.1-24.0.1.al8 |
| libteam | libteam-1.31-4.0.1.al8 |
| libuser | libuser-0.62-25.0.1.al8 |
| libxml2 | libxml2-2.9.7-16.0.1.al8 |
| linux-firmware | linux-firmware-20230404-114.git2e92a49f.al8 |
| logrotate | logrotate-3.14.0-6.0.1.al8 |
| NetworkManager | NetworkManager-1.40.16-1.0.1.al8 |
| nfs-utils | nfs-utils-2.3.3-59.0.2.al8 |
| nftables | nftables-0.9.3-26.al8 |
| oddjob | oddjob-0.34.7-3.0.1.al8 |
| openssh | openssh-8.0p1-17.0.2.al8 |
| openssl-pkcs11 | openssl-pkcs11-0.4.10-3.0.1.al8 |
| pam | pam-1.3.1-25.0.1.al8 |
| pciutils | pciutils-3.7.0-3.0.1.al8 |
| python-linux-procfs | python-linux-procfs-0.7.1-1.al8 |
| python-rpm-generators | python-rpm-generators-5-8.al8 |
| python-slip | python-slip-0.6.4-13.al8 |
| rng-tools | rng-tools-6.15-3.0.1.al8 |
| rpcbind | rpcbind-1.2.5-10.0.1.al8 |
| rpm | rpm-4.14.3-26.0.1.al8 |
| rsyslog | rsyslog-8.2102.0-13.al8 |
| selinux-policy | selinux-policy-3.14.3-117.0.1.al8 |
| setools | setools-4.3.0-3.al8 |
| setup | setup-2.12.2-9.0.1.al8 |
| sg3_utils | sg3_utils-1.44-6.0.1.al8 |
| shared-mime-info | shared-mime-info-2.1-5.0.1.al8 |
| sssd | sssd-2.8.2-2.0.1.al8 |
| tpm2-tss | tpm2-tss-2.3.2-4.0.2.al8 |
| unbound | unbound-1.16.2-5.al8 |
| util-linux | util-linux-2.32.1-42.0.1.al8 |
| virt-what | virt-what-1.25-3.al8 |
| wget | wget-1.19.5-11.0.1.al8 |
| which | which-2.21-18.0.1.al8 |
| xfsprogs | xfsprogs-5.0.0-10.0.6.al8 |

Important updates

  • Kernel updates

    • Community tracking

      • Devlink supports subfunction management.

        A subfunction is a lightweight function that is deployed on a parent Peripheral Component Interconnect (PCI) function. Compared with a PCI Express (PCIe) Virtual Function (VF), a subfunction is more lightweight and shares resources with its parent PCI function. A subfunction provides all networking-related resources, such as transmit queues, receive queues, and completion queues. A subfunction serves as a complete NIC in Linux. This update allows you to use devlink to manage subfunctions on NICs. You can use devlink together with drivers to create, destroy, or query subfunctions on NICs.

      • IO_uring NVMe passthrough is supported.

        When storage devices are accessed, the overheads of a complex storage stack have a significant impact on latency and IOPS. As storage devices become faster, the proportion of overheads that are introduced by the software stack increases. When you access NVMe disks, you must traverse multiple abstraction layers, including the file system, block layer, and NVMe driver. This update backports the io_uring uring_cmd feature, which was introduced in mainline Linux kernel 5.19. The feature passes the actual file operations to the kernel by using io_uring. This way, the operations are not parsed at the io_uring layer and are sent directly to the NVMe driver layer, bypassing the file system layer and block layer. Additionally, to support this feature, support for CQE32 in io_uring and for NVMe character device creation is introduced.

      • Fine-grained permissions control is supported for NVMe and Small Computer System Interface (SCSI) persistent reservations.

        Before the update, performing persistent reservations required the CAP_SYS_ADMIN permission, which prevented the use of persistent reservations in specific non-privileged scenarios, such as containers. After the update, persistent reservations can be performed by non-privileged processes that have write permissions on block storage devices but do not have the CAP_SYS_ADMIN permission. This allows persistent reservations to be used in more scenarios.

      • The IOPS throttling of large I/O block sizes is optimized.

        In Linux kernel 5.10, IOPS throttling may not work as expected in scenarios that involve large I/O block sizes such as 1 MB. This is primarily due to the mishandling of split large I/O block sizes initiated by IOPS throttling of block throttle. This phenomenon is more apparent in I/O buffering scenarios where buffers are first stored in page caches and then written back. In these scenarios, large I/O block sizes are often generated. This issue is optimized in mainline kernel 5.18. This update optimizes the IOPS throttling of large I/O block sizes by using backported patches from the mainline kernel and fixes the vulnerability of repeatedly calculating bits per second (BPS).

      • Support for the lookup_and_delete_elem operation on BPF hash maps is backported from the community, and bloom filter maps are supported.

        • Before the update, the lookup_and_delete_elem operation supported only queue and stack maps. After the update, hash maps are also supported.

        • Bloom filter maps are supported for efficient set membership lookups.

      • The CPU and memory hot-swapping feature is supported for QEMU Arm 64 that is used as the VM guest operating system.

        • The vCPU quantity can be hot-updated in the guest OS by running the virsh setvcpus command.

        • By default, the CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE configuration is enabled to prevent the memhp_default_online_type configuration from being set to offline. This way, hot-plugged memory is automatically available for use, eliminating hot-plugging failures caused by insufficient memory that results from creating page descriptors.

      • The Hardware P-State (HWP) IO boost feature is supported for all Intel chips.

        The HWP IO boost technology enhances I/O performance. In the previous kernel versions, HWP IO boost was enabled only for specific Skylake platforms and enterprise servers. This patch removes the CPU type check to enable HWP IO boost for all CPUs by default.

      • The HugeTLB Vmemmap Optimization (HVO) feature is backported from the community.

        The HVO technique reduces the vmemmap space occupied by large pages. Specifically, this technique maps all virtual addresses of a struct page for a large page in vmemmap to the same physical address to release the physical memory occupied by the struct page.

      • The memcg Least Recently Used (LRU) lock feature is backported.

        In scenarios that require a global LRU lock, this feature replaces the global LRU lock with locks that are specific to the memcg where the involved pages reside. These scenarios include page movement, memcg movement, and swap-in and swap-out scenarios. This update reduces contention caused by the global LRU lock and improves performance by 50% in scenarios where multiple memcgs are involved.

      • Linux kernels can run on Intel TDX guests.

        Linux kernels can run on Intel TDX guests to provide various features, such as memory encryption, memory integrity protection, CPU register protection, and remote attestation of the trusted environment.

      • PMU capabilities are enabled on Emerald Rapids (EMR) platforms.

        • EMR CPU IDs are added to PMU drivers to enable PMU capabilities on EMR platforms.

        • The Array Built-in-Self-Test (BIST) support is added to In Field Scan (IFS). IFS is a feature that runs circuit-level tests on each CPU core to detect issues that are not caught by error correction code (ECC) checks.

    • In-house features

      • SMC-R can help TCP network applications transparently use RDMA to obtain network communication services with high bandwidth and low latency.

        SMC is a high-performance kernel network stack that is contributed by IBM to the upstream Linux. SMC-R can help TCP network applications transparently use RDMA to obtain network communication services with high bandwidth and low latency. ANCK fixes a large number of stability issues based on the upstream foundation, supports the default use of SMCv2 and SMCv2.1 protocol negotiation, and incorporates features such as max_link, max_conn, and Alibaba Vendor ID. It optimizes the number of link connections, supports Receive Queue (RQ) throttling, and supports the RDMA Write With Immediate operation. ANCK has added various diagnostic information, supports the use of the SMC protocol stack by using the PF_INET protocol family, and supports transparent replacement by using BPF.

      • The cache consistency in FUSE is enhanced, and a data collection interface is added.

        • A debugging interface is added to sysfs to display all requests that are sent to the userspace daemon and wait to be processed in a specific FUSE file system.

        • A data collection interface is added to sysfs to count and display the number and processing time of various requests for a specific FUSE file system.

        • Cache consistency in cache (cache=always|auto) mode is enhanced to apply to distributed file system backends that rely on strong consistency, such as NFS.

          1. A userspace daemon can notify the FUSE client to invalidate all directory entries (dentries) within a directory.

          2. The Close-To-Open (CTO) cache consistency model is implemented. The model implements flush-on-close and invalidate-on-open semantics on both data and metadata.

          3. The cache consistency model is enhanced in FUSE failover mode.

      • TAR files can be directly mounted in EROFS, and non-compressed 4k-block EROFS images can be mounted on the Arm 64-bit architecture that uses 16K or 64K pages.

        • Non-compressed 4k-block EROFS images can be mounted on the Arm 64-bit architecture that uses 16K or 64K pages.

        • TAR files can be used as data sources. You can use EROFS metadata to mount and access the data in the TAR files.

      • Cross-namespace propagation of FUSE mount points is supported.

        FUSE mount points can be propagated from non-privileged sidecar containers to application containers, providing a solution for FUSE-based remote storage in cloud-native scenarios.

      • Memory bloat issues that are caused by THP are fixed.

        THP enhances performance but may lead to memory bloat issues. Memory bloat can trigger OOM errors. For example, if an application that requests 8 KiB of memory (two 4-KiB pages) is assigned a THP, the THP consists of two 4-KiB pages that the application requests and 510 4-KiB pages that are filled with zeros, known as zero pages. As a result, OOM errors may occur due to the increase of Resident Set Size (RSS) memory usage.

        THP zero subpages reclaim (ZSR) is proposed to fix memory bloat issues. THP ZSR is a mechanism that splits THPs into subpages and reclaims zero subpages to prevent OOM errors that are caused by memory bloat.

  • System configuration updates

    • The value of tcp_max_tw_buckets is reset to 5000.

    • The default character set for mounting VFAT file systems is reset to ISO-8859-1.

  • Software package feature updates

    • By default, aliyun_cli is integrated.

    • By default, container-selinux is integrated.

    • The anolis-epao-release package is added. Alibaba Cloud Linux 3 can access packages from the Anolis OS epao repository to install AI and other applications.

Fixed issues

  • The issue that rngd.service failed to start in Alibaba Cloud Linux 3 64-bit for Arm images is fixed.

  • The bugfix is backported from the mainline kernel to address a memory leak issue that arises in a cgroup when a process fails to fork.

  • An overlayfs permission issue is fixed. If all upper directories and lower directories are located in the same file system and a file or directory on which read permissions are not granted is accessed, ovl_override_creds() is not executed as expected because of a logic error in an earlier overlayfs performance optimization. The permissions in effect are not elevated to the credentials of the mounter, and a permission error is reported when read permissions are required to perform copy-up operations.

  • FUSE bugfixes are backported from the mainline kernel, improving FUSE stability.

  • Multiple ext4 bugfixes of the bigalloc feature are backported from the kernel community, significantly optimizing real-time scale-outs in these scenarios.

  • Potential data consistency issues that arise when CONT-PTE or CONT-PMD is backported from the kernel community are fixed.

  • The issue that specific AMD instances cannot use resctrl is fixed.

  • The stability issue of the IAX hardware compression and decompression accelerator is fixed.

  • The cyclic redundancy check (CRC) failure in the IAX hardware compression and decompression accelerator is fixed.

  • Memory thrashing issues that are caused by the improper use of the swap_info_struct lock in high-concurrency swapon and swapoff scenarios are fixed. This bugfix is integrated into the kernel community.

  • The issue that the self-developed zombie memcg reaper feature does not take effect in one-shot mode is fixed.

  • Potential stability issues that occur on YiTian 710 instances when Memory System Resource Partitioning and Monitoring (MPAM) is used are fixed.

Image updates

  • Container images

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.8

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest

      Note

      After a new version is released, you can no longer use the latest tag to obtain version 3.8 of the image.

  • VM images

Known issues

In extreme scenarios, performance may decrease in ANCK 5.10-015 due to the synchronization of a wake-up scheduling optimization to the upstream community. This issue occurs only in benchmarking scenarios that involve high loads and does not affect your normal use.

Alibaba Cloud Linux 3.2104 U7

| Version | Image ID | Release date | Description |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 3.2104 U7 | aliyun_3_x64_20G_alibase_20230516.vhd | 2023-05-16 | The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-14.al8.x86_64. Updates: For more information, see the Updates section of this topic. |
| Alibaba Cloud Linux 3.2104 U7 | aliyun_3_arm64_20G_alibase_20230515.vhd | 2023-05-15 | The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions. The kernel is updated to version 5.10.134-14.al8.aarch64. Updates: For more information, see the Updates section of this topic. |

Updates

  • Kernel bugs and critical common vulnerabilities and exposures (CVEs) are fixed.

  • The multi-pcp feature is supported to bypass the lock of the buddy system and improve packet reception performance.

    The multi-pcp feature reserves memory pages that have orders greater than 0 in per-core memory pools. This eliminates the need to allocate high-order memory pages by using the zone buddy system. This also bypasses the lock of the buddy system and improves packet reception performance.

  • The IAA driver is supported to enhance compression and decompression performance.

    IAA is a hardware accelerator that provides primitive analytic features and high-throughput compression and decompression capabilities. The driver code comes from Intel code repositories and is optimized to ensure compatibility with the ANCK kernel. Bugs are fixed.

  • Silent data corruption that is caused by truncated page cache is fixed for the shmem and hugetlb file systems.

    Before the update, poisoned shmem and hugetlb pages are removed from the page cache. Subsequent access to the offset in the file results in a new zero-filled page, which causes silent data corruption. After the update, silent data corruption that is caused by poisoned pages is fixed in the shmem, tmpfs, and hugetlb file systems.

  • The CoreSight Embedded Trace Extension (ETE) driver is added, and tools under tools/perf are supported.

  • The signal handling mechanism of the Kernel-based Virtual Machine (KVM) module for the Arm 64-bit architecture is enhanced to fix failures that occur in RAS scenarios.

    Before the update, if the TIF_NOTIFY_RESUME flag is not handled before the CPU enters the guest mode, failures occur due to exceptions that are triggered by frequent RAS events. To address this issue, the full generic entry infrastructure is supported on the Arm 64-bit architecture to handle pending tasks.

  • The CMN and DRW drivers of the Linux community and debugfs are supported, and vulnerabilities are fixed.

    In versions earlier than 5.10-014, the CMN and DRW drivers deviate from those of the Linux community. To reduce maintenance costs, 5.10-014 synchronizes the CMN and DRW drivers of the Linux community and ensures compatibility with CMN-700 of YiTian 710. debugfs is supported, and vulnerabilities are fixed. The topology of CMN can be viewed in user mode.

  • Machine Check Exception (MCE) errors that are triggered by copy-on-write (COW) in kernel mode can be recovered from on x86 instances.

    If an uncorrectable error is triggered while COW is performed in the kernel, the system fails because the kernel has no recovery path for the case in which poison is consumed by the kernel itself. This feature adds a recovery path that sends SIGBUS to the application to prevent a system failure.

  • Top-down performance analysis can be performed by using performance metrics to make CPU PMU easier to use.

    In versions earlier than 5.10-014, the performance metric feature is not supported and no top-down performance analysis tool is available. In 5.10-014, the performance metric feature is supported to make CPU PMU easier to use and help users troubleshoot CPU performance bottlenecks. Top-down metrics of YiTian 710, Kunpeng, and x86 are also supported.

  • UDP Segmentation Offload (USO) is supported for virtio-net.

    Compared with UDP Fragmentation Offload (UFO), USO improves packet reception performance in complex network environments and the forwarding performance of forwarding components. Starting from version 5.10-014, USO is supported for virtio-net. Compared with UFO, USO reduces packet loss that is caused by fragment reassembly in unstable network conditions, incast scenarios, and traffic spikes. USO also reduces the overhead of fragment reassembly on the receiving side. Packet loss and out-of-order (OOO) packets cause fragment reassembly for forwarding components. As such, USO improves the efficiency of forwarding components.

  • The following issue is fixed: The empty pci_iounmap() implementation of the AArch64 architecture exhausts virtual address space.

    In versions earlier than 5.10-014, the pci_iounmap() function is empty when CONFIG_GENERIC_IOMAP is not configured. Mapped memory cannot be released. Consequently, virtual address space is exhausted. In 5.10-014, pci_iounmap() is implemented.

  • The high-performance ublk framework is supported.

    ublk is a high-performance framework that is used to implement block device logic from userspace based on the io_uring passthrough mechanism. ublk can be used to efficiently deploy agents in distributed storage.

  • The following technologies developed by Alibaba Cloud are supported:

    • Code block lock is supported. The code blocks that reside in memory can be locked as a whole or by cgroup.

      A shortage of available memory triggers memory reclamation. Code blocks of core business that are stored in the memory may also be reclaimed. When the business programs are rerun, the code blocks are retrieved from disks and then stored in the memory. Frequent I/O operations slow down response speeds and cause performance jitters. The feature locks the cgroups of the memory where core code blocks are stored to prevent the memory from being frequently swapped in and out. This feature also allows you to configure a memory lock quota. The quota specifies the proportion of code block memory that you want to retain.

    • A size limit can be specified for the page cache to free up memory space to support business growth.

      In scenarios that involve containers, the available memory that is provided by the containers is limited. If the page cache occupies a large amount of memory, memory reclamation is triggered. If the reclamation cannot meet the memory requirements for business growth, OOM errors may occur and degrade performance. To address this issue, this feature is provided by ANCK to limit the size of page cache for containers. Excess page cache is reclaimed in advance to free up memory space. This feature can limit the page cache size for all containers or containers that reside in each cgroup. This feature also supports synchronous and asynchronous reclamation methods to provide high flexibility.

    • Dynamic CPU isolation is supported.

      CPU isolation involves assigning different CPU cores or CPU sets to different tasks to prevent resource competition and improve system performance and stability. To support crucial tasks, the CPU isolation technology assigns isolated CPUs to crucial tasks and non-isolated CPUs to non-crucial tasks. The number of crucial tasks changes during task runtime. If you isolate a large number of CPUs to support crucial tasks, resources may be wasted and costs may increase. Dynamic CPU isolation allows the number of isolated CPUs to be changed to maximize resource utilization, reduce costs, and improve business performance.

    • CPU burst and the minimum memory watermark QoS capability are supported in cgroup v2.

      To promote the use of cgroup v2, the interfaces of cgroup v2 of various in-house ANCK technologies, including CPU burst and the minimum memory watermark QoS capability, are supported.

    • The vmalloc() function is supported for the XDP socket feature to allocate virtual memory to queues. This prevents XDP socket allocation failures that are caused by memory fragmentation.

      By default, the XDP socket feature uses the __get_free_pages() function to allocate contiguous physical memory. If the memory is severely fragmented, the system fails to apply for memory, which may cause XDP socket creation failures. This feature uses the vmalloc() function to allocate memory to reduce the risks of XDP socket creation failure.

Alibaba Cloud Linux 3.2104 U6.1

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.2104 U6.1

aliyun_3_x64_20G_alibase_20230424.vhd

2023-04-24

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-13.1.al8.x86_64.

aliyun_3_arm64_20G_alibase_20230424.vhd

2023-04-24

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-13.1.al8.aarch64.

aliyun_3_x64_20G_alibase_20230327.vhd

2023-03-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-13.1.al8.x86_64.

aliyun_3_arm64_20G_alibase_20230327.vhd

2023-03-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-13.1.al8.aarch64.

Alibaba Cloud Linux 3.2104 U6

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.2104 U6

aliyun_3_x64_20G_qboot_alibase_20230214.vhd

2023-02-14

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is updated.

  • This image is derived from the aliyun_3_x64_20G_alibase_20230110.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

aliyun_3_x64_20G_uefi_alibase_20230214.vhd

2023-02-14

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20230110.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The boot mode is changed to UEFI, and only the UEFI mode is supported.

aliyun_3_x64_20G_alibase_20230110.vhd

2023-01-10

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The configurations of the Plus debug repository are added.

  • Kernel updates:

    • The kernel is updated to version 5.10.134-13.al8.x86_64.

    • Kernel bugs and critical CVEs are fixed.

    • /dev/ioasid is supported.

      In versions earlier than ANCK 5.10-013, device-passthrough frameworks such as Virtual Function I/O (VFIO) and vDPA create their own logic to isolate untrusted device DMAs that are initiated by userspace. In ANCK 5.10-013 and later, /dev/ioasid provides a unified interface to manage I/O page tables for devices that are assigned to userspace. This simplifies VFIO and vDPA.

    • The performance of the Software Input/Output Translation Lookaside Buffer (SWIOTLB) mechanism is optimized.

      In versions earlier than ANCK 5.10-013, the SWIOTLB mechanism that is used to communicate with peripherals uses only one lock when allocating memory. In ANCK 5.10-013 and later, the lock is split into multiple locks and the locks become configurable. This is suitable for confidential VMs (Intel TDX-based VMs) with large specifications such as over 32 CPUs per VM. For Redis and MySQL, the tests show that I/O performance can be improved by up to eight times after the lock splitting.

    • napi_tx is enabled in virtio-net to improve the performance of TCP Small Queue (TSQ).

      Commit 3bedc5bca69d ('ck: Revert "virtio_net: enable napi_tx by default"') reverted the default because high si led to performance degradation in some special scenarios. As a result, TSQ does not work as expected. To fix the issue, the napi_tx feature is re-enabled.

    • The AST2600 PCIe 2D Video Graphics Array (VGA) driver is supported.

      In versions earlier than ANCK 5.10-013, ASPEED AST2600 graphics cards are not supported. In ANCK 5.10-013 and later, ASPEED AST2600 graphics cards are supported. When such a graphics card is connected to an external monitor, images can be properly displayed on the screen.

    • A switch is added for the group identity feature.

      In ANCK 5.10-013, the global sysctl switch is added for the group identity feature. By default, the switch is turned off to reduce the scheduling overhead of common processes. You can run the echo 1 > /proc/sys/kernel/sched_group_identity_enabled command to turn on the switch.

    • The default kernel boot cmdline is adjusted on the Arm 64-bit architecture.

      In 5.10.134-013 and later, the following parameter settings are added to the kernel boot cmdline on the Arm 64-bit architecture to improve performance:

      cgroup.memory=nokmem iommu.passthrough=1 iommu.strict=0

      • cgroup.memory=nokmem: disables kernel memory accounting. When enabled, kernel memory accounting results in additional logic for allocating and releasing slab pages and affects performance. For more information, visit OpenAnolis.

      • iommu.passthrough=1: bypasses the Input-Output Memory Management Unit (IOMMU) for DMA. This can reduce translations for page table mappings. If iommu.passthrough=1 is not added to the kernel boot cmdline, the value of CONFIG_IOMMU_DEFAULT_PASSTHROUGH is used. The iommu.passthrough parameter takes effect for physical machines.

      • iommu.strict=0: invalidates TLBs in lazy mode. The lazy mode defers the invalidation of hardware TLBs during DMA unmap operations to increase throughput and the unmapping speed. If the lazy mode is not supported by the relevant IOMMU driver, the mode automatically switches back to the strict mode (iommu.strict=1). The strict mode invalidates IOMMU hardware TLBs during DMA unmap operations.

    • The Compact NUMA aware (CNA) spinlock feature is supported.

      In 5.10.134-013 and later, NUMA awareness is added to qspinlock. One of the following kernel boot cmdline parameter settings can be added to enable the CNA spinlock feature: numa_spinlock=on or numa_spinlock=auto.

      After this feature is enabled, when CPUs on different NUMA nodes compete for a spinlock, qspinlock hands the lock to a CPU on the same NUMA node whenever possible. This reduces the number of cross-NUMA accesses and improves performance. In the benchmark tests of sysbench and leveldb, performance is improved by more than 10%.

    • The perf mem and perf c2c commands provide more features on the Arm 64-bit architecture.

      In 5.10.134-013 and later, the perf mem and perf c2c commands are extended to provide more features. On the Arm 64-bit architecture, perf mem and perf c2c can be used to show the data sources of samples, such as L1 hit. perf mem supports synthesized memory events, synthesized instruction events, synthesis directive events, and instruction delay information. perf c2c provides the capability of locating NUMA node information.

    • fsck.xfs supports journal replay.

      After a machine crashes, a file system may be left in an inconsistent state with its journal not replayed. In xfsprogs-5.0.0-10.0.4 and earlier, fsck.xfs does not support journal replay, so the machine may drop into the rescue shell, which complicates maintenance. In xfsprogs-5.0.0-10.0.5 and later, fsck.xfs supports journal replay. As an administrator, you can set the fsck.mode parameter to force and the fsck.repair parameter to yes to enable journal replay. Note that journal replay takes effect only for system disks.

    • Adaptive Huge Pages are supported.

      In 5.10.134-013 and later, the adaptive Huge Pages feature is provided to work around hardware limitations, especially on x86 platforms. For example, Intel Skylake has only eight iTLB entries to use. Based on page table entry (PTE) scan results, this feature promotes the most frequently accessed 2 MB areas to huge pages. In short, this feature provides two system interfaces to limit the number of huge pages per application and prevent performance degradation caused by increased iTLB misses. This feature is applicable to Java applications and applications with large code segments, such as ApsaraDB for OceanBase and MySQL.

    • Software Guard Extensions (SGX) dynamic memory management is supported.

      In versions earlier than ANCK 5.10, the dynamic management of SGX enclave memory is not supported. In ANCK 5.10 and later, the SGX Enclave Dynamic Memory Management (EDMM) feature is provided to allow the dynamic management of SGX memory.

    • The WireGuard module is enabled.

      In versions earlier than ANCK 5.10-013, the WireGuard module is disabled. In ANCK 5.10 and later, the WireGuard module is enabled. WireGuard is an easy-to-configure, fast, and secure VPN that can replace IPsec. It is designed as a general-purpose VPN that is suitable for most scenarios.
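
The Arm 64-bit boot parameters listed above for 5.10.134-013 change DMA translation and kernel memory accounting, so they are worth auditing on hosts where device isolation or per-container memory limits matter. The following is an added example, not code from the release notes or from Alibaba Cloud: it classifies a kernel command line by those three parameters. The function names and the placeholder BOOT_IMAGE and root values are assumptions; the sample line is constructed from the parameter line above.

```shell
#!/bin/sh
# Added example: classify the DMA translation mode and kernel memory
# accounting state implied by a kernel command line.
# Constructed sample: placeholders plus the three parameters from the notes.
SAMPLE_ARM64_CMDLINE='BOOT_IMAGE=/vmlinuz-placeholder root=UUID=placeholder ro cgroup.memory=nokmem iommu.passthrough=1 iommu.strict=0'

# Print the value of KEY ($1) in command line ($2); the last occurrence wins.
cmdline_value() (
    set -f                      # tokens must not be glob-expanded
    key=$1 val=
    for tok in $2; do
        case $tok in
            "$key"=*) val=${tok#*=} ;;
        esac
    done
    printf '%s' "$val"
)

# Normalise a kernel boolean (1/0, y/n, on/off) to 1, 0 or "unset".
as_bool() {
    case $1 in
        1*|[yY]*|[oO][nN]*) echo 1 ;;
        0*|[nN]*|[oO][fF]*) echo 0 ;;
        *) echo unset ;;
    esac
}

# passthrough       : DMA bypasses IOMMU translation (iommu.passthrough=1)
# translated-lazy   : translated, TLB invalidation deferred (iommu.strict=0)
# translated-strict : translated, TLBs invalidated on every DMA unmap
# translated-default: translated, invalidation mode left to the kernel
# build-default     : CONFIG_IOMMU_DEFAULT_PASSTHROUGH decides
iommu_dma_mode() {
    pt=$(as_bool "$(cmdline_value iommu.passthrough "$1")")
    strict=$(as_bool "$(cmdline_value iommu.strict "$1")")
    case $pt in
        1) echo passthrough ;;
        0) case $strict in
               0) echo translated-lazy ;;
               1) echo translated-strict ;;
               *) echo translated-default ;;
           esac ;;
        *) echo build-default ;;
    esac
}

# cgroup.memory takes a comma-separated list; look for the nokmem token.
kmem_accounting() {
    case ",$(cmdline_value cgroup.memory "$1")," in
        *,nokmem,*) echo disabled ;;
        *) echo default ;;
    esac
}

audit_cmdline() {
    echo "iommu_dma_mode=$(iommu_dma_mode "$1")"
    echo "kmem_accounting=$(kmem_accounting "$1")"
}

# Audit the running system when possible, otherwise the constructed sample.
if [ -r /proc/cmdline ]; then
    audit_cmdline "$(cat /proc/cmdline)"
else
    audit_cmdline "$SAMPLE_ARM64_CMDLINE"
fi
```

A result of passthrough on a physical machine means device DMA is not translated by the IOMMU; a result of build-default means the command line does not decide and the kernel configuration must be checked instead.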

aliyun_3_arm64_20G_alibase_20230110.vhd

2023-01-10

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The configurations of the Plus debug repository are added.

  • Kernel updates:

    • The kernel is updated to version 5.10.134-13.al8.aarch64.

    • Kernel bugs and critical CVEs are fixed.

2022

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.5.2

aliyun_3_x64_20G_alibase_20221118.vhd

2022-11-18

The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

aliyun_3_arm64_20G_alibase_20221118.vhd

2022-11-18

The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

aliyun_3_x64_20G_alibase_20221102.vhd

2022-11-02

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-12.2.al8.x86_64.

aliyun_3_arm64_20G_alibase_20221102.vhd

2022-11-02

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.134-12.2.al8.aarch64.

Alibaba Cloud Linux 3.5

aliyun_3_x64_20G_alibase_20220907.vhd

2022-09-07

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel is updated to version 5.10.134-12.al8.x86_64.

    • Kernel bugs and critical CVEs are fixed.

    • YiTian 710 processors are supported.

    • Panjiu M-series servers are supported.

    • The performance on the YiTian platform is optimized.

    • MPAM is supported on the Arm 64-bit architecture.

    • Datop can be used to monitor NUMA across nodes and identify cold and hot memory in processes.

    • More than 4 GB of memory can be reserved for a crash kernel on the Arm 64-bit architecture.

    • Hotfixes for kernel modules are supported on the Arm 64-bit architecture.

    • ftrace osnoise tracer is supported.

    • ext4 fast commit is supported, which benefits workloads that call fsync frequently. For example, ext4 fast commit optimizes the performance of MySQL and PostgreSQL databases. The corresponding e2fsprogs version is updated to 1.46.0.

    • The following technologies developed by Alibaba Cloud are supported:

      • The 2 MB unaligned part at the end of executable binary files can be filled, which improves performance by 2% in specific scenarios.

      • The XFS 16k atomic write feature is supported. Compared with double writes, XFS 16k atomic writes improve the performance of disks by up to 50% and reduce I/O on disks. The corresponding xfsprogs and mariadb repositories are updated to Anolis YUM repositories. This solution has the following advantages over the hardware-based atomic write solution:

        • This solution is based on the COW technique.

        • This solution does not depend on hardware.

        • This solution does not depend on runtime I/O path configurations.

        The XFS 16k atomic write feature can be used together with the Hugetext feature. For more information, see Work with MariaDB 16K atomic writes.

      • Nydus and EROFS over fscache can be used to accelerate container images. Nydus and erofs over fscache are developed by OpenAnolis and are integrated into mainline Linux 5.19. Nydus and erofs over fscache are the first native in-kernel acceleration solution that is supported by the Linux community for container images. For more information, see OpenAnolis.

      • The fuse fd passthrough and fd attach features are supported. fd passthrough can reduce I/O latency by 90% for common scenarios. fd attach can recover fuse mount points in abnormal cases without impacts and help improve the stability of production environments.

      • Kidled can be used to scan anonymous pages, files, and slabs.

      • The memory.use_priority_swap interface is added to reclaim memory based on the priorities of cgroups.

      • 1-RTT and RDMA DIM are supported by SMC to optimize CQ interrupt process logic and improve QPS by 40% in data paths. SMC continuous integration and continuous delivery (CI/CD) is supported to fix dozens of stability issues.

aliyun_3_arm64_20G_alibase_20220907.vhd

2022-09-07

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel is updated to version 5.10.134-12.al8.aarch64.

    • Kernel bugs and critical CVEs are fixed.

    • YiTian 710 processors are supported.

    • Panjiu M-series servers are supported.

    • The performance on the YiTian platform is optimized.

    • MPAM is supported on the Arm 64-bit architecture.

    • Datop can be used to monitor NUMA across nodes and identify cold and hot memory in processes.

    • More than 4 GB of memory can be reserved for a crash kernel on the Arm 64-bit architecture.

    • Hotfixes for kernel modules are supported on the Arm 64-bit architecture.

    • ftrace osnoise tracer is supported.

    • ext4 fast commit is supported, which benefits workloads that call fsync frequently. For example, ext4 fast commit optimizes the performance of MySQL and PostgreSQL databases. The corresponding e2fsprogs version is updated to 1.46.0.

    • The following technologies developed by Alibaba Cloud are supported:

      • The 2 MB unaligned part at the end of executable binary files can be filled, which improves performance by 2% in specific scenarios.

      • The XFS 16k atomic write feature is supported. Compared with double writes, XFS 16k atomic writes improve the performance of disks by up to 50% and reduce I/O on disks. The corresponding xfsprogs and mariadb repositories are updated to Anolis YUM repositories. This solution has the following advantages over the hardware-based atomic write solution:

        • This solution is based on the COW technique.

        • This solution does not depend on hardware.

        • This solution does not depend on runtime I/O path configurations.

        The XFS 16k atomic write feature can be used together with the Hugetext feature. For more information, see Work with MariaDB 16K atomic writes.

      • Nydus and erofs over fscache can be used to accelerate container images. Nydus and erofs over fscache are developed by OpenAnolis and are integrated into mainline Linux 5.19. Nydus and erofs over fscache are the first native in-kernel acceleration solution that is supported by the Linux community for container images. For more information, see OpenAnolis.

      • The fuse fd passthrough and fd attach features are supported. fd passthrough can reduce I/O latency by 90% for common scenarios. fd attach can recover fuse mount points in abnormal cases without impacts and help improve the stability of production environments.

      • Kidled can be used to scan anonymous pages, files, and slabs.

      • The memory.use_priority_swap interface is added to reclaim memory based on the priorities of cgroups.

      • 1-RTT and RDMA DIM are supported by SMC to optimize CQ interrupt process logic and improve QPS by 40% in data paths. SMC CI/CD is supported to fix dozens of stability issues.

aliyun_3_x64_20G_qboot_alibase_20220907.vhd

2022-09-07

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is updated.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220907.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

aliyun_3_x64_20G_uefi_alibase_20220907.vhd

2022-09-07

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220907.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The boot mode is changed to UEFI, and only the UEFI mode is supported.

Alibaba Cloud Linux 3.4.2

aliyun_3_arm64_20G_alibase_20220819.vhd

2022-08-19

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.112-11.2.al8.aarch64.

aliyun_3_x64_20G_alibase_20220815.vhd

2022-08-15

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.112-11.2.al8.x86_64.

Alibaba Cloud Linux 3.4.1

aliyun_3_x64_20G_alibase_20220728.vhd

2022-07-28

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.112-11.1.al8.x86_64.

aliyun_3_arm64_20G_alibase_20220728.vhd

2022-07-28

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • The kernel is updated to version 5.10.112-11.1.al8.aarch64.

Alibaba Cloud Linux 3.4

aliyun_3_x64_20G_alibase_20220527.vhd

2022-05-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel is updated to version 5.10.112-11.al8.x86_64.

    • Kernel bugs and critical CVEs are fixed.

    • The following technologies developed by Alibaba Cloud are supported:

      • Duptext

      • Enhanced Huge Pages

      • KFENCE, which is used to detect out-of-bounds memory accesses and use-after-free errors

    • CSV2 confidential virtual machines that use Hygon processors can be started.

    • Up to 256 CPUs are supported by the guest OS.

    • The throughput, latency, and connection speeds of SMC in HTTP workloads such as NGINX are improved, and several stability and compatibility issues are fixed.

    • AMX, virtual AMX, IPI virtualization, UINTER, Intel_idle, and TDX are supported by Intel SPR processors.

    • The ptdma driver, CPU frequency, k10temp, and Error Detection And Correction (EDAC) are supported by AMD.

    • DDR PMU, PCIe PMU driver, Arm CoreLink CMN-700 Coherent Mesh Network, and RAS are supported by YiTian 710 processors.

    • CoreSight is supported.

    • Arm SPE perf memory profiling and c2c are supported by the Arm architecture.

    • DAX per file is supported by virtiofs.

    • smmu event polling is supported.

aliyun_3_x64_20G_qboot_alibase_20220527.vhd

2022-05-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is updated.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220527.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

aliyun_3_x64_20G_uefi_alibase_20220527.vhd

2022-05-27

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220527.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The boot mode is changed to UEFI, and only the UEFI mode is supported.

aliyun_3_arm64_20G_alibase_20220526.vhd

2022-05-26

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel is updated to version 5.10.112-11.al8.aarch64.

    • Kernel bugs and critical CVEs are fixed.

    • The following technologies developed by Alibaba Cloud are supported:

      • Duptext

      • Enhanced Huge Pages

      • KFENCE, which is used to detect out-of-bounds memory accesses and use-after-free errors

    • CSV2 confidential virtual machines that use Hygon processors can be started.

    • Up to 256 CPUs are supported by the guest OS.

    • The throughput, latency, and connection speeds of SMC in HTTP workloads such as NGINX are improved, and several stability and compatibility issues are fixed.

    • AMX, virtual AMX, IPI virtualization, UINTER, Intel_idle, and TDX are supported by Intel SPR processors.

    • The ptdma driver, CPU frequency, k10temp, and EDAC are supported by AMD.

    • DDR PMU, PCIe PMU driver, Arm CoreLink CMN-700 Coherent Mesh Network, and RAS are supported by YiTian 710 processors.

    • CoreSight is supported.

    • Arm SPE perf memory profiling and c2c are supported by the Arm architecture.

    • DAX per file is supported by virtiofs.

    • smmu event polling is supported.

Alibaba Cloud Linux 3.3.4

aliyun_3_x64_20G_alibase_20220413.vhd

2022-04-13

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel is updated to version 5.10.84-10.4.al8.x86_64.

    • The CVE-2022-1016 and CVE-2022-27666 vulnerabilities are fixed.

aliyun_3_arm64_20G_alibase_20220413.vhd

2022-04-13

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • Kernel updates:

    • The kernel is updated to version 5.10.84-10.4.al8.aarch64.

    • The CVE-2022-1016 and CVE-2022-27666 vulnerabilities are fixed.

Alibaba Cloud Linux 3.3.3

aliyun_3_x64_20G_alibase_20220315.vhd

2022-03-15

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions.

  • CVEs are fixed.

  • Kernel updates:

    • The kernel is updated to version 5.10.84-10.3.al8.x86_64.

    • The CVE-2022-0435 and CVE-2022-0847 vulnerabilities are fixed.

aliyun_3_arm64_20G_alibase_20220315.vhd

2022-03-15

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit for Arm base image is updated to include the latest software versions.

  • CVEs are fixed.

  • Kernel updates:

    • The kernel is updated to version 5.10.84-10.3.al8.aarch64.

    • The CVE-2022-0435 and CVE-2022-0847 vulnerabilities are fixed.

Alibaba Cloud Linux 3.3.2

aliyun_3_x64_20G_alibase_20220225.vhd

2022-02-25

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit base image is updated to include the latest software versions. CVEs are fixed.

  • The Coordinated Universal Time (UTC) time standard is used by the real-time clock (RTC). For more information, see Linux time and time zones.

  • Kernel updates:

    • The kernel is updated to version 5.10.84-10.2.al8.x86_64.

    • The CVE-2022-0492, CVE-2021-4197, CVE-2022-0330, CVE-2022-22942, and CVE-2022-0185 vulnerabilities are fixed.

    • The following features developed by Alibaba Cloud are supported:

      • Duptext

      • Huge Pages

      • RDMA/SMC-R

    • AMX, RAS, RCEC, bus lock detection, Ratelimit support, and Uncore are supported by Intel SPR processors.

    • The MCA-R feature is added to Intel Ice Lake processors.

    • The Intel Driver & Support Assistant feature is enabled.

    • The XDP socket feature is supported by virtio-net.

    • The kernel TLS cryptography protocol is supported.

    • KFENCE is supported to detect out-of-bounds memory accesses and use-after-free errors.

    • The AVX and AVX2 instruction sets of the SM4 algorithm in the kernel are optimized.

    • Hygon CSV vm attestation is supported.

    • The perf c2c feature of Arm SPE is supported.

    • The i10nm_edac feature is supported.

    • The unevictable_pid feature is ported.

    • The memory watermark can be adjusted.

    • The adaptive sqpoll mode of io_uring is supported.

    • Huge vmalloc mappings are supported.

aliyun_3_x64_20G_qboot_alibase_20220225.vhd

2022-02-25

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is updated.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220225.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The UTC time standard is used by RTC. For more information, see Linux time and time zones.

aliyun_3_arm64_20G_alibase_20220225.vhd

2022-02-25

  • The UTC time standard is used by RTC. For more information, see Linux time and time zones.

  • Kernel updates:

    • The kernel is updated to version 5.10.84-10.2.al8.aarch64.

    • The CVE-2022-0492, CVE-2021-4197, CVE-2022-0330, CVE-2022-22942, and CVE-2022-0185 vulnerabilities are fixed.

    • The following features developed by Alibaba Cloud are supported:

      • Duptext

      • Huge Pages

      • RDMA/SMC-R

    • AMX, RAS, RCEC, bus lock detection, Ratelimit support, and Uncore are supported by Intel SPR processors.

    • The MCA-R feature is added to Intel Ice Lake processors.

    • The Intel Driver & Support Assistant feature is enabled.

    • The XDP socket feature is supported by virtio-net.

    • The kernel TLS cryptography protocol is supported.

    • KFENCE is supported to detect out-of-bounds memory accesses and use-after-free errors.

    • The AVX and AVX2 instruction sets of the SM4 algorithm in the kernel are optimized.

    • Hygon CSV vm attestation is supported.

    • The perf c2c feature of Arm SPE is supported.

    • The i10nm_edac feature is supported.

    • The unevictable_pid feature is ported.

    • The memory watermark can be adjusted.

    • The adaptive sqpoll mode of io_uring is supported.

    • Huge vmalloc mappings are supported.

aliyun_3_x64_20G_uefi_alibase_20220225.vhd

2022-02-25

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20220225.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The UTC time standard is used by RTC. For more information, see Linux time and time zones.
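
An added example (not from the release notes or from Alibaba Cloud): a shell check that maps a kernel release string to the CVE IDs whose fix level in the 2022 entries above is newer than that kernel. The fix levels and CVE IDs are copied from the 3.3.2, 3.3.3 and 3.3.4 entries; the function names are hypothetical, and the input is assumed to be an Alibaba Cloud Linux 3 kernel release string such as the output of uname -r.

```shell
#!/bin/sh
# Added example: list CVEs from the 2022 release notes whose recorded fix
# level is newer than a given Alibaba Cloud Linux 3 kernel release.

# Fix levels as recorded in the notes (same for x86_64 and aarch64):
# "<kernel version-release> <CVE IDs fixed at that level>"
FIX_LEVELS='5.10.84-10.2 CVE-2022-0492 CVE-2021-4197 CVE-2022-0330 CVE-2022-22942 CVE-2022-0185
5.10.84-10.3 CVE-2022-0435 CVE-2022-0847
5.10.84-10.4 CVE-2022-1016 CVE-2022-27666'

# Turn "5.10.84-10.3.al8.x86_64" into the sortable integer 5010084010003.
# Everything from ".al<digit>" on (dist tag, architecture) is dropped, and
# missing trailing fields count as 0, so 5.10.134-13 < 5.10.134-13.1.
# Returns 1 if the remainder is not purely digits, dots and dashes.
kver_key() {
    v=${1%%.al[0-9]*}
    case $v in
        ''|*[!0-9.-]*) return 1 ;;
    esac
    set -- $(printf '%s' "$v" | tr '.-' '  ')
    printf '%d%03d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}" "${5:-0}"
}

# Print, on one line, the CVE IDs whose fix level is above RELEASE ($1).
# Prints an empty line when the kernel is at or above every listed level.
# Returns 2 when RELEASE cannot be parsed.
missing_fixes() {
    have=$(kver_key "$1") || return 2
    out=
    while read -r level cves; do
        need=$(kver_key "$level")
        [ "$have" -ge "$need" ] || out="$out $cves"
    done <<EOF
$FIX_LEVELS
EOF
    printf '%s\n' "${out# }"
}

# Constructed sample input: the 3.3.3 x86_64 kernel from the notes.
SAMPLE_RELEASE='5.10.84-10.3.al8.x86_64'
echo "$SAMPLE_RELEASE is below the fix level for: $(missing_fixes "$SAMPLE_RELEASE")"
```

On a running instance, pass the live release with missing_fixes "$(uname -r)"; an empty result only means the kernel is at or above the levels listed in these notes.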

2021

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3.2

aliyun_3_x64_20G_qboot_alibase_20211214.vhd

2021-12-14

  • The Alibaba Cloud Linux 3.2104 LTS 64-bit (Quick Start) image is released.

  • This image is derived from the aliyun_3_x64_20G_alibase_20210910.vhd version of the Alibaba Cloud Linux 3.2104 64-bit base image.

aliyun_3_x64_20G_alibase_20210910.vhd

2021-09-10

  • The Alibaba Cloud Linux 3.2104 64-bit base image is updated to include the latest software versions. CVEs are fixed.

  • The update-motd service is added and enabled by default.

  • By default, the kdump service is enabled.

  • By default, the atd service is enabled.

  • Kernel updates:

    • The kernel is upgraded to upstream stable kernel release 5.10.60. The current kernel version is 5.10.60-9.al8.x86_64.

    • Kernel bugs and critical CVEs are fixed.

    • The following technologies developed by Alibaba Cloud are supported:

      • eRDMA and SMC-R based on eRDMA

      • Resource isolation technology: OOM priority control

      • Memory KIDLED technology

      • Resource isolation technology: memcg zombie reaper

      • Rich container technology: rich container

      • Resource isolation technology: CPU group identity

      • Unified Kernel Fault Event Framework (UKFEF) technology

    • Intel SPR CPUs are supported.

    • The cpupower utility used for AMD Milan is supported.

    • The Non-Maskable Interrupt (NMI) watchdog based on the Software Delegated Exception Interface (SDEI) is supported by the Arm 64-bit architecture.

    • MPAM is supported by the Arm 64-bit architecture.

    • Memory hotplug is supported by the Arm 64-bit architecture.

    • The kernel quick start technology is enhanced.

    • x86 SGX2 is supported.

    • The performance of virtio-net is optimized.

    • The eBPF Linux Security Modules (LSM) technology is supported.

    • Software and hardware that are virtualized based on KVM are co-designed, and PV-qspinlock is supported during the co-design.

aliyun_3_arm64_20G_alibase_20210910.vhd

2021-09-10

  • The Alibaba Cloud Linux 3.2104 64-bit for Arm image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20210910.vhd version of the Alibaba Cloud Linux 3.2104 64-bit base image.

aliyun_3_x64_20G_uefi_alibase_20210910.vhd

2021-09-10

  • The Alibaba Cloud Linux 3.2104 64-bit (UEFI) image is updated to include the latest software versions.

  • This image is derived from the aliyun_3_x64_20G_alibase_20210910.vhd version of the Alibaba Cloud Linux 3.2104 64-bit base image.

  • Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Shenzhen), China (Heyuan), and Singapore.

Alibaba Cloud Linux 3.1

aliyun_3_arm64_20G_alibase_20210709.vhd

2021-07-09

  • The Alibaba Cloud Linux 3.2104 64-bit for Arm image is released.

  • Security Center can be connected.

  • Supported region: China (Hangzhou).

aliyun_3_x64_20G_alibase_20210425.vhd

2021-04-25

  • The Alibaba Cloud Linux 3.2104 64-bit base image is updated.

  • Kernel updates: The kernel is updated to version 5.10.23-5.al8.x86_64.

aliyun_3_x64_20G_uefi_alibase_20210425.vhd

2021-04-25

  • The Alibaba Cloud Linux 3.2104 64-bit (UEFI) image is released.

  • This image is derived from the aliyun_3_x64_20G_alibase_20210425.vhd version of the Alibaba Cloud Linux 3.2104 64-bit base image.

  • The boot mode is changed to UEFI, and only the UEFI mode is supported.

  • Supported regions: China (Beijing), China (Hangzhou), China (Shanghai), and China (Shenzhen).

Alibaba Cloud Linux 3.0

aliyun_3_x64_20G_alibase_20210415.vhd

2021-04-15

  • The Alibaba Cloud Linux 3.2104 64-bit base image is released.

  • Kernel description:

    • The kernel is based on the 5.10 kernel version supported in the Linux community. The 5.10.23-4.al8.x86_64 kernel version is used in the base image.

    • The PV-Panic, PV-Unhalt, and PV-Preempt features are supported by the Arm 64-bit architecture.

    • Kernel Live Patching (KLP) is supported by the Arm 64-bit architecture.

    • TCP-RT is supported.

    • The memcg backend asynchronous reclaim feature is supported.

    • The memcg QoS and Pressure Stall Information (PSI) features implemented based on cgroup v1 interfaces are supported.

    • The cgroup writeback feature is supported.

    • The monitoring of block I/O throttling is enhanced.

    • An interface is provided to optimize JBD2 of ext4.

    • The open source kernel of Alibaba Cloud is optimized and vulnerabilities in multiple subsystems including the scheduler, memory, file system, and block layer are fixed.

    • The CPU burst feature is supported. For more information, see Enable the CPU burst feature for cgroup v1.

  • Image description:

    • The base image is compatible with the CentOS 8 and Red Hat Enterprise Linux (RHEL) 8 software ecosystems. CVEs are fixed.

    • GCC 10.2.1 and glibc 2.32 are supported.

    • Python 3.6 and Python 2.7 are supported.

    • AppStream is supported.

  • Supported region: China (Hangzhou).

References