Orchestrating Containerized Environments: A Deep Dive into Docker on Amazon Linux 2023 and Amazon Linux 2

The integration of containerization technologies with cloud-native operating systems represents a pivotal intersection in modern software deployment and infrastructure management. Docker, as a foundational component of numerous open-source container management ecosystems, provides the mechanism to automate the deployment of applications as lightweight, portable, and self-sufficient units. When paired with Amazon Linux, a distribution explicitly engineered by Amazon Web Services to provide a stable, secure, and high-performance execution environment for applications on Amazon EC2, the synergy creates a robust foundation for serverless development, microservices architecture, and scalable production workloads. The complexity of this integration lies not merely in the installation of the software but in understanding the nuances of package management across different Amazon Linux generations, the specific security implications of container runtimes, and the precise configuration required to align local development environments with AWS Lambda-like production conditions. This analysis exhaustively details the methodologies for installing, configuring, and maintaining Docker on both Amazon Linux 2 and Amazon Linux 2023, addressing version-specific repositories, user privilege management, and the broader ecosystem of Amazon Linux container images available via Docker Hub.

The Architecture and Utility of Amazon Linux Container Images

Amazon Linux is provided by Amazon Web Services and is designed to offer a stable, secure, and high-performance execution environment for applications running on Amazon EC2. The distribution is characterized by its deep integration with AWS services, including launch configuration tools and numerous popular AWS libraries and tools. AWS provides ongoing security and maintenance updates to all instances running Amazon Linux, ensuring that the base operating system remains resilient against emerging threats and compatibility issues. The Amazon Linux container image, however, represents a distinct subset of the full distribution. It contains a minimal set of packages, optimized for size and efficiency rather than comprehensive functionality. This minimalism is a deliberate design choice, reducing the attack surface and resource footprint of containers while still providing the necessary foundation for most application runtimes.

Users of these container images are advised to install additional packages using the yum package manager. This command remains the primary interface for package management on Amazon Linux 2 and is supported in Amazon Linux 2023, although dnf is the preferred frontend for the latter. AWS provides three distinct versions of Amazon Linux, each with its own lineage and support lifecycle. These versions include the legacy Amazon Linux 1, the long-term support Amazon Linux 2, and the current generation Amazon Linux 2023. The Docker Hub repository for Amazon Linux, maintained by the Amazon Linux Team, hosts images for these versions, allowing developers to pull minimal base images for their custom container builds. It is critical to note that Docker Hub's vulnerability scanning for Amazon Linux is currently based on RPM versions. This methodology does not reflect the state of backported patches for vulnerabilities, meaning that a reported vulnerability in an RPM version may not actually affect the running container if AWS has applied a backport fix that does not change the upstream version number. Understanding this discrepancy is vital for security compliance and risk assessment in production environments.

Installation Protocols for Amazon Linux 2

Amazon Linux 2 has been a cornerstone of AWS infrastructure for many years, and its package management system relies on yum and the amazon-linux-extras repository. Installing Docker on Amazon Linux 2 is a streamlined process that leverages these built-in mechanisms. The primary directive for installation involves updating the installed packages and package cache on the instance to ensure system stability and compatibility with the latest software dependencies. This is achieved by executing the command sudo yum update -y. This step is critical as it resolves any existing package conflicts and ensures that the system libraries are up to date before introducing the Docker daemon.

Following the system update, the most recent Docker Community Edition package is installed. For Amazon Linux 2, this is not done through a direct yum install command from a third-party repository but rather through the amazon-linux-extras module. The command sudo amazon-linux-extras install docker is executed to retrieve and install the Docker package. This module provides curated extras that are compatible with the Amazon Linux 2 base, ensuring that the Docker engine and associated utilities are versioned correctly for the OS. After the installation is complete, the Docker service must be started. This is accomplished by running sudo service docker start. While systemctl is the standard for systemd-based services, the service command remains functional and is often used in official documentation for Amazon Linux 2 to ensure compatibility across different initialization systems.

Once the Docker daemon is running, user permission management becomes the next critical step. By default, the Docker daemon binds to a Unix socket rather than a TCP port. This socket is owned by the user root and is typically accessible only by the root user or users in the docker group. To allow non-root users to run Docker commands without the need for sudo, which can introduce security risks and command-line friction, the user must be added to the docker group. For the default Amazon Linux 2 user, ec2-user, this is achieved by executing sudo usermod -a -G docker ec2-user. The -a flag appends the user to the group, and -G specifies the supplementary group. It is imperative to pick up the new group permissions by logging out and logging back in. This typically involves closing the current SSH terminal window and reconnecting to the instance in a new session. Without this step, the current shell session will not recognize the new group membership, and Docker commands will fail with permission denied errors.

Advanced Installation on Amazon Linux 2023

Amazon Linux 2023 represents a significant shift in the AWS Linux ecosystem, moving towards a rolling release model and utilizing dnf as the primary package manager. Installing Docker on this platform requires a different approach than Amazon Linux 2, particularly when specific versions are required. The standard method for installing the default Docker package on Amazon Linux 2023 is similar to the update process. First, the system packages are updated using sudo dnf update -y. Then, the Docker package is installed directly from the Amazon Linux repository using sudo dnf install -y docker. This installs the version of Docker that AWS has curated for Amazon Linux 2023. For instance, on an Amazon Linux 2023.6.20241121 instance, the installed version may be docker-25.0.6-1.amzn2023.0.2. The dnf info docker command reveals that this package is 150 MB in size, supports the aarch64 architecture, and is licensed under ASL 2.0, MIT, BSD, MPLv2.0, and WTFPL. The description confirms that Docker automates the deployment of containerized applications, encapsulating any payload to run consistently on and between virtually any server.

However, developers and DevOps engineers often require specific versions of Docker to ensure compatibility with CI/CD pipelines, build tools, or specific security patches. When the default repository version is insufficient, or when a specific version such as 27.3.1 is required, a more manual installation process is necessary. This process involves adding the official Docker repository for Amazon Linux 2023. The command sudo dnf config-manager --add-repo https://download.docker.com/linux/amazonlinux/docker-ce.repo is executed to add the repository file to the system's configuration. This repository provides access to the full suite of Docker Community Edition packages, including specific version pins.

Before installing the specific version, it is crucial to remove any existing Docker installations to prevent conflicts. This is done by running sudo dnf remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine. This comprehensive removal ensures that no residual configuration files or older binaries interfere with the new installation. Next, required dependencies such as yum-utils, device-mapper-persistent-data, and lvm2 are installed using sudo dnf install -y yum-utils device-mapper-persistent-data lvm2. These packages provide the underlying utilities and kernel modules necessary for Docker to manage storage and device mapping efficiently.

With the dependencies in place and the repository configured, the specific version of Docker CE can be installed. For example, to install version 27.3.1, the command sudo dnf install docker-ce-27.3.1 docker-ce-cli-27.3.1 containerd.io docker-buildx-plugin docker-compose-plugin is executed. This command explicitly pinns the version of the Docker CE engine, the CLI, the containerd runtime, and the essential plugins for building and composing containers. After installation, the Docker service is started and enabled to persist across reboots using sudo systemctl start docker and sudo systemctl enable docker. Similar to Amazon Linux 2, user permissions must be adjusted. The current user is added to the docker group using sudo usermod -aG docker $USER. As with the previous OS, logging out and back in is required for the group changes to take effect. Finally, the installation is verified by running docker --version, which should output Docker version 27.3.1.

In cases where the repository method fails or encounters dependency issues, manual installation of RPM packages may be necessary. This involves downloading the specific RPM files for Docker 27.3.1 from the Docker repository and installing them using the rpm command. This fallback method provides granular control over the installation but requires careful management of dependencies and updates.

Alternative Installation via Fedora-Based Repositories

In certain scenarios, administrators may attempt to use repositories designed for other Red Hat-based distributions, such as Fedora, to install specific Docker versions on Amazon Linux 2023. This approach is more complex and requires manual modification of repository files. The process begins by adding the official Docker repository for Fedora using the command dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo. This adds a repository configuration file to /etc/yum.repos.d/docker-ce.repo.

However, Amazon Linux 2023 uses a different versioning scheme than Fedora. To resolve this, the repository file must be edited. Using a text editor such as vim, the file /etc/yum.repos.d/docker-ce.repo is opened. The variable $releasever within the file, which typically resolves to the Fedora release number, must be replaced with 41. This is done using the sed-like command %s/$releasever/41/g within the editor. This modification tricks the package manager into believing the system is running Fedora 41, allowing it to pull packages from that specific repository branch.

Once the repository file is modified, the specific Docker packages can be installed. For example, to install version 27.4.1, the command dnf install docker-ce-27.4.1 docker-ce-cli-27.4.1 containerd.io docker-buildx-plugin docker-compose-plugin -y is executed. This method provides access to newer versions of Docker that may not yet be available in the Amazon Linux-specific Docker repository. However, it carries the risk of dependency conflicts and is generally less stable than using the official Amazon Linux Docker repository.

After installation, user permissions and service management are handled similarly to the previous methods. The user is added to the docker group with sudo usermod -aG docker $USER. Additionally, the Docker socket permissions are adjusted using sudo chmod a+rw /var/run/docker.sock to ensure that all users can interact with the Docker daemon. The service is then started and enabled using sudo systemctl start docker and sudo systemctl enable docker. This method, while powerful, requires a deep understanding of repository management and should be used with caution in production environments.

Docker Hub and Amazon Linux Image Tags

The Docker Hub repository for Amazon Linux, identified by the name amazonlinux, is a critical resource for developers building containerized applications. The repository has accumulated over 500 million pulls, indicating its widespread adoption in the industry. The image is described as providing a stable, secure, and high-performance execution environment for applications. The repository contains various tags corresponding to different versions and release dates of Amazon Linux.

The latest tag is updated frequently, with the most recent push occurring 6 days ago by the maintainer doijanky. The latest image is available for both linux/amd64 and linux/arm64/v8 architectures. The amd64 variant is 52.04 MB in size, while the arm64/v8 variant is 50.97 MB. This small size is a testament to the minimal nature of the Amazon Linux container image.

Specific version tags are also available. For Amazon Linux 2023, tags such as 2023.11.20260406.2, 2023.10.20260330.0, and 2023.10.20260302.1 are present. These tags correspond to specific build dates and release versions. For example, the 2023.11.20260406.2 tag was pushed 6 days ago, while the 2023.10.20260330.0 tag was pushed 18 days ago. The 2023 tag is also available, pointing to a recent release.

For Amazon Linux 2, tags such as 2.0.20260406.1, 2.0.20260330.0, and 2.0.20260302.0 are available. The 2 tag points to the latest Amazon Linux 2 release. The 1 tag points to the legacy Amazon Linux 1 release. The image sizes for these tags vary, with some being around 50-60 MB. This variety of tags allows developers to pin their builds to specific versions of Amazon Linux, ensuring reproducibility and stability.

Security Considerations and CVE Mitigation

Security is a paramount concern in containerized environments. AWS regularly releases updated Docker packages to address security vulnerabilities. For example, updated packages are available for Amazon Linux 2 and Amazon Linux 2023 to address CVE-2024-41110. For Amazon Linux 2, the updated packages are docker-20.10.25-1.amzn2.0.5 and docker-25.0.6-1.amzn2.0.1. For Amazon Linux 2023, the updated package is docker-25.0.6-1amzn2023.0.1. AWS recommends that customers using Docker upgrade to these or later versions to mitigate the risk associated with this CVE.

This vulnerability highlights the importance of keeping Docker and its underlying components up to date. While the specific details of CVE-2024-41110 are not provided in the reference materials, the existence of such updates underscores the dynamic nature of container security. Administrators must regularly check for updates and apply them promptly. This can be done using the yum update or dnf update commands, depending on the Amazon Linux version. Additionally, using official Docker images from Docker Hub and verifying their integrity can help ensure that the base image is secure.

Integration with AWS SAM and Local Development

Docker is not only a deployment tool but also a critical component of local development workflows, particularly for serverless applications. The AWS Serverless Application Model (SAM) CLI uses Docker to provide a local environment similar to AWS Lambda. This allows developers to build, test, and debug their serverless applications locally before deploying them to the cloud. Docker is required only for testing applications locally and for building deployment packages using the --use-container option.

The ability to run AWS Lambda functions locally in a Docker container that closely mimics the production environment significantly reduces the feedback loop for developers. It allows for faster iteration and easier debugging. The installation of Docker on Amazon Linux, as detailed in the previous sections, is therefore a prerequisite for using AWS SAM effectively. By ensuring that the Docker engine is properly installed and configured, developers can leverage the power of local emulation to enhance their development productivity.

Comparative Analysis of Installation Methods

The following table provides a comparative analysis of the different installation methods for Docker on Amazon Linux 2 and Amazon Linux 2023.

Feature Amazon Linux 2 (Standard) Amazon Linux 2023 (Standard) Amazon Linux 2023 (Custom Repo) Amazon Linux 2023 (Fedora Repo)
Package Manager yum dnf dnf dnf
Installation Command sudo amazon-linux-extras install docker sudo dnf install -y docker sudo dnf install docker-ce-27.3.1 ... sudo dnf install docker-ce-27.4.1 ...
Repository Source amazon-linux-extras Amazon Linux Repo Docker CE Repo (Amazon Linux) Docker CE Repo (Fedora)
Version Control Curated by AWS Curated by AWS Specific Version Pinning Specific Version Pinning
Complexity Low Low Medium High
User Group Command sudo usermod -a -G docker ec2-user sudo usermod -aG docker $USER sudo usermod -aG docker $USER sudo usermod -aG docker $USER
Service Start Command sudo service docker start sudo systemctl start docker sudo systemctl start docker sudo systemctl start docker
Post-Install Action Log out and back in Log out and back in Log out and back in Log out and back in

This table illustrates the progression from simple, curated installations to more complex, custom installations. The standard methods are recommended for most users, while the custom methods are reserved for specific version requirements or advanced use cases.

Conclusion

The installation and configuration of Docker on Amazon Linux platforms are multifaceted processes that require a deep understanding of the underlying operating system, package management systems, and container runtime mechanics. For Amazon Linux 2, the process is streamlined through the amazon-linux-extras module, providing a stable and supported path to containerization. For Amazon Linux 2023, the flexibility of dnf allows for both standard installations and highly specific version pinning through the official Docker CE repository. The alternative method of using Fedora-based repositories offers access to newer versions but introduces additional complexity and potential stability risks. Regardless of the method chosen, proper user permission management and service initialization are critical for a functional and secure Docker environment. Furthermore, the availability of minimal Amazon Linux container images on Docker Hub, with regular updates and vulnerability scanning, provides a solid foundation for building and deploying containerized applications. As AWS continues to evolve its Linux offerings, staying informed about package updates, security patches, and best practices is essential for maintaining robust and secure containerized workloads. The integration of Docker with tools like AWS SAM further underscores its importance in the modern cloud-native development lifecycle, enabling developers to bridge the gap between local development and production deployment with confidence and precision.

Sources

  1. AWS Re:Post
  2. Docker Hub Amazon Linux
  3. AWS SAM CLI Docker Installation
  4. Docker Hub Amazon Linux Overview

Related Posts