{"id":7451,"date":"2022-01-21T13:01:39","date_gmt":"2022-01-21T04:01:39","guid":{"rendered":"https:\/\/learningbox.co.jp\/?p=7451"},"modified":"2022-01-21T13:01:39","modified_gmt":"2022-01-21T04:01:39","slug":"blog-amazon-linux-2022","status":"publish","type":"post","link":"https:\/\/learningbox.co.jp\/en\/2022\/01\/21\/blog-amazon-linux-2022\/","title":{"rendered":"I tried out Amazon Linux 2022 (preview version)."},"content":{"rendered":"<p>My name is Mita, and I joined the Tokyo team as a server engineer in October 2021.<\/p>\n<p>To get straight to the point: a preview version of Amazon Linux 2022 (henceforth AL2022) was released in November 2021.<br \/>\nThis is not news we can ignore, since we use AWS (Amazon Web Services) as the infrastructure foundation for our own \"learningBOX\" service.<br \/>\nSince support for Amazon Linux 2 (AL2) ends on June 30, 2023, we will certainly need to build on or migrate to AL2022 in the near future.<\/p>\n<p>Since December I have been working with AL2022 in between other tasks, and I have found some differences between AL2022 and AL2, as well as some points where I got stuck during configuration, which I describe below.<\/p>\n<p class=\"mokujimidasi\">Table of contents<\/p>\n<ol class=\"mokuji\">\n<li><a href=\"#1\"><span style=\"color: #555555;\">SELinux enabled by default<\/span><\/a><\/li>\n<li><a href=\"#2\"><span style=\"color: #555555;\">Addition of a system-wide cryptographic policy<\/span><\/a><\/li>\n<li><a href=\"#3\"><span style=\"color: #555555;\">The crontab command is missing<\/span><\/a><\/li>\n<li><a href=\"#4\"><span style=\"color: #555555;\">Summary<\/span><\/a><\/li>\n<\/ol>\n<h2 id=\"1\" class=\"heading__l\">SELinux enabled by default<\/h2>\n<p><span style=\"color: red;\">Disabled by default in AL2<\/span> (Disabled). <span style=\"color: red;\">Enabled by default in AL2022<\/span> (Enforcing).<br \/>\nWhen I tried disabling SELinux with the steps below, the server appeared to be running normally in the AWS Management Console, but I could no longer connect to it over SSH.<\/p>\n<p><code># vim \/etc\/selinux\/config<br \/>\nSELINUX=disabled<\/code><\/p>\n<p><code># reboot<\/code><\/p>\n<p>If you instead follow the instructions given in <span class=\"yellowline\">\/etc\/selinux\/config<\/span> itself, the server boots with SELinux disabled.<\/p>\n<p><code># grubby --update-kernel ALL --args selinux=0<br \/>\n# reboot<\/code><\/p>\n<p>If you do not want SELinux to enforce (that is, log denials instead of rejecting the access), you can boot the server in Permissive mode as follows.<\/p>\n<p><code># vim \/etc\/selinux\/config<br \/>\nSELINUX=permissive<\/code><\/p>\n<p><code># grubby --update-kernel ALL --args enforcing=0<br \/>\n# reboot<\/code><\/p>\n<p>SELinux should be kept enabled to limit the damage from an unauthorized intrusion, but we first want to confirm that our existing services work in the AL2022 environment, so we are testing with it disabled.<br \/>\nThat said, I want to become familiar with SELinux configuration before we start using AL2022 in earnest.<\/p>\n<h2 id=\"2\" class=\"heading__l\">Addition of a system-wide cryptographic policy<\/h2>\n<p>For this one, <a href=\"https:\/\/access.redhat.com\/documentation\/ja-jp\/red_hat_enterprise_linux\/8\/html\/security_hardening\/using-the-system-wide-cryptographic-policies_security-hardening\">Red Hat's documentation<\/a> was helpful.<\/p>\n<p>An attempt to fetch a package with the wget command failed with the following error.<\/p>\n<p class=\"well\">GnuTLS: One of the involved algorithms has insufficient security level.<br \/>\nUnable to establish SSL connection.<\/p>\n<p>AL2022 adds a system-wide cryptographic policy, and its level is DEFAULT out of the box.<br \/>\nIn this case the signature algorithms the remote server presented during the TLS handshake included SHA-1, and the connection could not be established because it was rejected under this policy level.<\/p>\n<p>We only needed to fetch one package file that we had been using until now.<br \/>\nThis time we dealt with it by temporarily lowering the policy level.<\/p>\n<p><code># update-crypto-policies --show<br \/>\nDEFAULT<\/code><\/p>\n<p><code># update-crypto-policies --set LEGACY<br \/>\n# update-crypto-policies --show<br \/>\nLEGACY<\/code><\/p>\n<p>After retrieving the file, revert the setting:<br \/>\n<code># update-crypto-policies --set DEFAULT<br \/>\n# update-crypto-policies --show<\/code><\/p>\n<p>Ideally the remote server would not present SHA-1 at all, but in this case we compromised. Because the policy is system-wide, LEGACY weakens every TLS client on the host and not just wget, so reverting to DEFAULT as soon as the file is fetched matters.<br \/>\nThe update-crypto-policies command did not exist in AL2 in the first place, so we want to keep the policy level in mind when building and operating AL2022.<\/p>\n<h2 id=\"3\" class=\"heading__l\">The crontab command is missing<\/h2>\n<p>I tried to set up cron with crontab as usual, but the command does not exist.<br \/>\nThis was the first time I had run into this, so it surprised me, but it works once you install the package normally.<\/p>\n<p>Comparison of installed packages<\/p>\n<p>AL2<br \/>\n<code>$ rpm -qa | grep cron<br \/>\ncronie-1.4.11-23.amzn2.x86_64<br \/>\ncronie-anacron-1.4.11-23.amzn2.x86_64<br \/>\ncrontabs-1.11-6.20121102git.amzn2.noarch<\/code><\/p>\n<p>AL2022<br \/>\n<code>$ rpm -qa | grep cron<br \/>\ncrontabs-1.11-24.20190603git.amzn2022.noarch<\/code><\/p>\n<p>Install<br \/>\n<code>$ sudo yum install cronie-noanacron<br \/>\n$ rpm -qa | grep cron<br \/>\ncrontabs-1.11-24.20190603git.amzn2022.noarch<br \/>\ncronie-noanacron-1.5.7-1.amzn2022.x86_64<br \/>\ncronie-1.5.7-1.amzn2022.x86_64<\/code><\/p>\n<p>Start the service<br \/>\n<code>$ sudo systemctl start crond<\/code><\/p>\n<p>Confirm that it is enabled at boot<br \/>\n<code>$ sudo systemctl is-enabled crond<br \/>\nenabled<\/code><\/p>\n<h2 id=\"4\" class=\"heading__l\">Summary<\/h2>\n<p>In addition to the points above, there are other differences from AL2 that I am still struggling to configure, 
but I would like to write about them when I get the chance.<\/p>\n<p>Since AL2022 is still a preview version, there is a good chance that more changes will be added before the official release.<br \/>\nEven so, I would like to focus on learning, verifying and preparing for what is certain to come, such as the added cryptographic policy and SELinux being enabled.<\/p>\n<p>Thank you for reading.<\/p>","protected":false},"excerpt":{"rendered":"My name is Mita from the Tokyo team; I joined as a server engineer in October 2021. To get straight to the point, in November 2021 [&hellip;]","protected":false},"author":38,"featured_media":7455,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_vk_print_noindex":"","sitemap_hide":"","_veu_custom_css":"","veu_display_promotion_alert":"","vkexunit_cta_each_option":"","footnotes":"","jetpack_post_was_ever_published":false},"categories":[12,6,7,40],"tags":[42],"class_list":["post-7451","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-blog","category-7","category-40","tag-amazon-linux"],"acf":[],"jetpack_featured_media_url":"https:\/\/learningbox.co.jp\/wp-content\/uploads\/2022\/01\/Amazon.jpg","jetpack_shortlink":"https:\/\/wp.me\/pgMrZ4-1Wb","_links":{"self":[{"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/posts\/7451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/users\/38"}],"replies":[{"embeddable":true,"href":"http
s:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/comments?post=7451"}],"version-history":[{"count":12,"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/posts\/7451\/revisions"}],"predecessor-version":[{"id":7469,"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/posts\/7451\/revisions\/7469"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/media\/7455"}],"wp:attachment":[{"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/media?parent=7451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/categories?post=7451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/learningbox.co.jp\/en\/wp-json\/wp\/v2\/tags?post=7451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}