Alibaba Cloud Linux 3 Image Release Notes

• Bug fixes for Alibaba Cloud Linux 3:

  • The systemd component is updated from systemd-239-82.0.4.3.al8.5 to systemd-239-82.0.4.4.al8.5 to backport a fix for a race condition between mount and reload. This update is included in the image.

  • The glibc component is updated from glibc-2.32-1.21.al8 to glibc-2.32-1.22.al8 to resolve a "missed wakeup" issue in pthread_cond_wait. This update is included in the image.

  • The tee-primitives component is updated from tee-primitives-1.0-2.al8 to tee-primitives-1.0-3.al8 to address an issue caused by a source code md5sum change. This update is available in the yum repository.

  • The qt5-qtmultimedia component is updated from qt5-qtmultimedia-5.15.3-1.al8 to qt5-qtmultimedia-5.15.3-1.1.al8 to resolve dependency issues. This update is available in the yum repository.

  • The dracut component is updated from dracut-049-233.git20240115.0.2.al8 to dracut-049-233.git20240115.0.2.1.al8 to fix an error when installing a 6.x kernel version on Alibaba Cloud Linux 3. This update is available in the yum repository.

  • The intel-QAT20 component is updated from intel-QAT20-L.0.9.4-00004.12.al8 to intel-QAT20-L.0.9.4-00004.15.al8 to resolve an issue with the Intel QAT VF device ID on 9th-generation GNR instances. This update is available in the yum repository.

  • The qatengine component is updated from qatengine-1.2.0-3.al8 to qatengine-1.2.0-4.al8 to resolve an issue where TLS v1.0 and v1.1 are unsupported when using OpenSSL 3. This update is available in the yum repository.

  • The intel-ipp-crypto-mb component is updated from intel-ipp-crypto-mb-1.0.6-4.al8 to intel-ipp-crypto-mb-1.0.6-5.al8 to resolve an issue where TLS v1.0 and v1.1 are unsupported when using OpenSSL 3. This update is available in the yum repository.

• This release provides bug fixes for 12 Anolis OS 8 components. One is updated in the image, and 11 are available from the yum repository:

  Component	Previous version	New version	Update reason	Update method
  which	which-2.21-20.0.1.al8	which-2.21-21.0.1.al8	Adds a readability check for /proc/$$/exe.	Updated in the image
  dnsmasq	dnsmasq-2.79-33.al8	dnsmasq-2.79-35.al8	Changes the behavior of repeated DNS queries.	Updated from the yum repository
  gnome-session	gnome-session-40.1.1-9.0.1.al8	gnome-session-40.1.1-10.0.1.al8	Reduces unnecessary log output during debugging.	Updated from the yum repository
  gnome-settings-daemon	gnome-settings-daemon-40.0.1-17.0.1.al8	gnome-settings-daemon-40.0.1-19.0.1.al8	Fixes the default power button action setting for servers. Fixes an issue that prevented a smart card from working without a cold plug.	Updated from the yum repository
  java-1.8.0-openjdk-portable	java-1.8.0-openjdk-portable-1.8.0.462.b08-1.0.1.1.al8	java-1.8.0-openjdk-portable-1.8.0.472.b08-1.0.1.1.al8	Resolves JDK-8202369.	Updated from the yum repository
  ksh	ksh-20120801-267.0.1.al8	ksh-20120801-269.0.1.al8	Fixes an issue with pasting long multi-byte characters via SSH.
  libdrm	libdrm-2.4.121-1.0.1.al8	libdrm-2.4.123-2.0.1.al8	Fixes an issue where the libpciaccess PCI access library is unavailable on RHEL 9 for aarch64, ppc64le, and s390x.	Updated from the yum repository
  motif	motif-2.3.4-21.al8	motif-2.3.4-24.al8	Fixes a memory leak related to UTF-8 strings.	Updated from the yum repository
  mysql-selinux	mysql-selinux-1.0.13-1.al8	mysql-selinux-1.0.14-1.al8	Resolves rhbz#2380217 by upgrading to version 1.0.14 and updating related hash and release information.	Updated from the yum repository
  net-snmp	net-snmp-5.8-30.0.1.al8	net-snmp-5.8-31.0.1.al8	Fixes a "use after free" issue in a callback function.	Updated from the yum repository
  intel-ipp-crypto-mb	intel-ipp-crypto-mb-1.0.6-4.al8	intel-ipp-crypto-mb-1.0.6-5.al8	Resolves an issue with the installation dependency on OpenSSL 3.0.	Updated from the yum repository
  qatengine	qatengine-1.2.0-3.al8	qatengine-1.2.0-4.al8	Resolves an issue with the installation dependency on OpenSSL 3.0.	Updated from the yum repository

• This release addresses CVEs in 24 components: 4 are updated in the image and 20 are available via the yum repository.

  Component	Previous version	New version	CVE ID	Update method
  bind	bind-9.11.36-16.0.1.al8.4	bind-9.11.36-16.0.1.al8.6	CVE-2025-40778	Updated in the image
  expat	expat-2.2.5-17.al8	expat-2.5.0-1.al8	CVE-2025-59375	Updated in the image
  libssh	libssh-0.9.6-12.al8	libssh-0.9.6-16.0.1.al8	CVE-2025-5318	Updated in the image
  sssd	sssd-2.9.4-5.al8.2	sssd-2.9.4-5.al8.3	CVE-2025-11561	Updated in the image
  galera	galera-26.4.20-1.al8	galera-26.4.22-1.al8	CVE-2023-52969 CVE-2023-52970 CVE-2025-21490 CVE-2025-30693 CVE-2025-30722	Updated via yum repository
  haproxy	haproxy-2.4.22-3.0.1.al8.1	haproxy-2.8.14-1.0.1.al8.1	CVE-2025-11230	Updated via yum repository
  java-1.8.0-openjdk	java-1.8.0-openjdk-1.8.0.462.b08-2.0.1.1.al8	java-1.8.0-openjdk-1.8.0.472.b08-1.0.1.1.al8	CVE-2025-53057 CVE-2025-53066	Updated via yum repository
  java-17-openjdk	java-17-openjdk-17.0.16.0.8-2.0.1.1.al8	java-17-openjdk-17.0.17.0.10-1.0.2.1.al8	CVE-2025-53057 CVE-2025-53066	Updated via yum repository
  lasso	lasso-2.6.0-13.0.1.al8	lasso-2.6.0-14.0.1.al8	CVE-2025-47151	Updated via yum repository
  libsoup	libsoup-2.62.3-9.0.1.al8	libsoup-2.62.3-10.0.1.al8	CVE-2025-11021 CVE-2025-4945	Updated via yum repository
  libtiff	libtiff-4.4.0-12.0.3.al8	libtiff-4.4.0-15.0.1.al8	CVE-2025-8176 CVE-2025-9900	Updated via yum repository
  mariadb	mariadb-10.5.27-1.0.1.al8	mariadb-10.5.29-2.0.1.al8	CVE-2023-52969 CVE-2023-52970 CVE-2025-21490 CVE-2025-30693 CVE-2025-30722	Updated via yum repository
  mingw-expat	mingw-expat-2.4.8-2.al8	mingw-expat-2.5.0-1.al8	CVE-2025-59375	Updated via yum repository
  mingw-libtiff	mingw-libtiff-4.0.9-2.1.al8	mingw-libtiff-4.0.9-3.al8	CVE-2025-8176 CVE-2025-9900	Updated via yum repository
  osbuild-composer	osbuild-composer-132.2-2.0.1.al8	osbuild-composer-132.2-3.0.1.al8	CVE-2025-27144	Updated via yum repository
  pcs	pcs-0.10.18-2.0.1.1.al8.6	pcs-0.10.18-2.0.1.1.al8.7	CVE-2025-59830 CVE-2025-61770 CVE-2025-61771 CVE-2025-61772 CVE-2025-61919	Updated via yum repository
  python-kdcproxy	python-kdcproxy-0.4-5.3.al8.1	python-kdcproxy-0.4-5.3.al8.2	CVE-2025-59088 CVE-2025-59089	Updated via yum repository
  redis	redis-6.2.19-1.0.1.1.al8	redis-6.2.20-1.0.1.1.al8	CVE-2025-46817 CVE-2025-46818 CVE-2025-46819 CVE-2025-49844	Updated via yum repository
  runc	runc-1.1.12-6.0.1.al8	runc-1.2.5-2.al8	CVE-2025-31133 CVE-2025-52565 CVE-2025-52881	Updated via yum repository
  squid	squid-4.15-13.al8.5	squid-4.15-13.al8.6	CVE-2025-62168	Updated via yum repository
  tigervnc	tigervnc-1.15.0-7.al8	tigervnc-1.15.0-8.al8	CVE-2025-62229 CVE-2025-62230 CVE-2025-62231	Updated via yum repository
  xorg-x11-server	xorg-x11-server-1.20.11-26.0.1.al8	xorg-x11-server-1.20.11-27.0.1.al8	CVE-2025-62229 CVE-2025-62230 CVE-2025-62231	Updated via yum repository
  xorg-x11-server-Xwayland	xorg-x11-server-Xwayland-23.2.7-4.al8	xorg-x11-server-Xwayland-23.2.7-5.al8	CVE-2025-62229 CVE-2025-62230 CVE-2025-62231	Updated via yum repository
  zziplib	zziplib-0.13.71-11.0.1.al8	zziplib-0.13.71-12.0.1.al8	CVE-2018-17828	Updated via yum repository

This release updates the kernel to kernel-5.10.134-19.2.al8 and fixes the following issues:

• Fixed an issue where the Zenbleed vulnerability patch was incorrectly applied to non-Zen2 architectures during a microcode hot-upgrade.

• Added the swiotlb_any cmdline parameter to allow the system to allocate high-memory addresses as a bounce buffer for Confidential Computing scenarios.

• Fixed an issue where memory was not correctly accepted during the EFI stub phase when booting a TDX VM.

• Fixed a race condition following a PCIe secondary bus reset that allowed a downstream device to be used before its initialization was complete, potentially causing errors or taking the device offline.

• Fixed issues in the DWC_PMU driver to prevent kernel startup failures on Yitian instance models when hardware link anomalies occur.

• Fixed a potential crash in the Group Balancer.

• Fixed unexpected packet loss when using virtio_net with vhost under specific conditions.

For detailed release information, see https://openanolis.cn/sig/Cloud-Kernel/doc/1388258453605187661

New features

• Secure CAI components are updated to support remote device attestation and Hygon CSV. These updates are available from the yum repository.

  • trustee is updated to trustee-1.7.0-1.al8.

  • trustiflux is updated to trustiflux-1.4.4-1.al8.

  • cryptpilot is updated to cryptpilot-0.2.7-1.al8.

  • trusted-network-gateway is updated to trusted-network-gateway-2.2.6-1.al8.

  • gocryptfs is now available as gocryptfs-2.4.0-2.al8.

  • tee-primitives is updated to tee-primitives-1.0-2.al8.

• System O&M enhancements:

  • sysak is updated to sysak-3.8.0-1, enhancing System O&M capabilities.

• Base OS capability enhancements:

  • alinux-base-setup is updated to alinux-release-3.2104.12-2.al8. For security, the rpcbind service is disabled by default.

  • alinux-release is updated to alinux-release-3.2104.12-2.al8, marking the release of Alinux 3.12.1.

  • NetworkManager is updated to NetworkManager-1.40.16-19.0.1.1.al8 to enable ipvlan.

  • systemd is updated to systemd-239-82.0.4.3.al8.5 to support the new NetworkNamespacePath feature in Systemd.

  • logrotate is updated to logrotate-3.14.0-6.0.1.1.al8 to optimize memory usage by compressing system logs.

  • tpm2-tss is updated to tpm2-tss-2.4.6-1.0.2.al8 to add runtime dependencies for confidential computing.

  • tpm2-tools is updated to tpm2-tools-4.1.1-5.0.6.al8 to add runtime dependencies for confidential computing.

  • tengine is updated to tengine-3.1.0-3.al8. This version integrates the nginx-module-vts plugin and enhances performance on the Yitian Processor.

  • gcc-toolset-12-gcc is updated to gcc-toolset-12-gcc-12.3.0-1.2.al8, adding newer GCC capabilities.

  • rasdaemon is updated to rasdaemon-0.6.7-16.5.al8 providing an RAS diagnostic and self-healing solution.

  • tracker is updated to tracker-3.1.2-3.0.1.1.al8. This update modifies compilation options to disable the SQLite version check.

  • ostree is updated to ostree-2022.2-11.al8 to deliver security updates for ContainerOS.

• System tuning enhancements:

  • keentuned and keentune-target are released as version 3.2.0.

• Kernel-related component updates:

  • smc-tools is updated to smc-tools-1.8.3-1.0.4.al8. This update adds monitoring and packet capture capabilities.

  • vtoa is updated to vtoa-2.1.1-1.al8 to provide forward and backward compatibility.

  • erofs-utils is updated to erofs-utils-1.8.10-1.al8. This update includes bug fixes.

• Cloud application component updates:

  • aliyun-cli is updated to aliyun-cli-3.0.305-1.al8.

  • ossfs is updated to ossfs-1.91.8-1.al8, fixing issues with basic functionality.

• OS Copilot updates:

  • os-copilot is updated to os-copilot-0.9.1-1.al8.

• This release includes updates for 11 components synchronized from Anolis OS 8. Of these, three are updated in the image and eight are available from the yum repository.

• This release updates 27 components with bug fixes from Anolis OS 8: 12 in the image and 15 through the yum repository.

• This update addresses 116 CVEs:

• qemu-kvm version 6.2.0-53.0.8.al8.4 fixes an issue where SPICE was not supported on the arm64 architecture.

• anaconda version 33.16.7.12-1.0.7.4.al8 changes /etc/timezone from a symbolic link to a text file.

• cloud-init version 23.2.2-9.0.1.1.al8 fixes an issue where symbolic links remained after uninstallation.

• kexec-tools version 2.0.26-14.0.1.7.al8.2 fixes an issue where Normal memory was not reserved for Node0 on c9i instances.

• fuse version 2.9.7-19.1.al8 fixes an issue where OSS mount points were lost.

• gcc-toolset-12 version 12.0-6.1.al8 fixes an issue where installing the pcp software incorrectly triggered a rebuild into the gcc-toolset-12 directory, which impaired functionality.

• util-linux version 2.32.1-46.0.4.1.al8 fixes an "invalid parameter" error when setting the hardware clock.

The NetworkManager-wait-online service fails to start on ebmhfr7.48xlarge16 ECS Bare Metal Instances. This occurs because the instance has a usb0 interface that is not managed by NetworkManager. To resolve this issue, you must manually create a configuration file and then reboot the system.

Solution

1. Create the /etc/NetworkManager/conf.d/99-unmanaged-device.conf file with the following content:

   [device-usb0-unmanaged]
   match-device=interface-name:usb0
   managed=0

2. After saving the file, reboot the system and verify that the NetworkManager-wait-online service starts correctly.

Upgraded the kernel to 5.10.134-19.2.al8.aarch64.

1. Kernel updates:

   • Fixed an issue where a microcode hot patch for the Zenbleed vulnerability was incorrectly applied to non-Zen2 architectures.

   • Added the swiotlb_any command-line parameter to enable the system to allocate high-memory addresses (>2 GB) as bounce buffers for Confidential Computing scenarios.

   • Fixed an issue where the EFI stub did not correctly accept memory when booting a TDX VM.

   • Fixed an issue where a downstream device could be used before its initialization was complete after a PCIe secondary bus reset, potentially causing errors or taking the device offline.

   • Fixed issues in the DWC_PMU driver to prevent kernel boot failures on Yitian-based instance types when hardware links are abnormal.

   • Fixed a potential crash in the Group Balancer.

   • Fixed unexpected packet loss in virtio_net when used with vhost under specific conditions.

2. Image updates:

   • Installed python3.12-3.12.7-1.al8 by default and configured it as the default Python 3 version.

   • Added keentuned-3.4.1-1.al8 to provide Intelligent Tuning for AI workloads.

   • Installed kmod-fuse-5.10.134~19.2-1.2.5~1.al8 by default to enhance support for the fuse over io_uring mode and increase performance to 1 million IOPS and a cache read/write bandwidth of 40 GB/s.

1. Kernel

   1. The kernel is upgraded to version 5.10.134-19.103.al8.x86_64.

   2. New features

      1. Adds support for five-level page tables to enable petabyte-scale memory management. For compatibility, user-mode applications must explicitly specify a high address as a hint during the mmap phase to enable allocation in the five-level page table space.

      2. Introduces the PCIe Resizable BAR feature, which lets you adjust the BAR size of PCIe devices without modifying BIOS settings.

      3. Enables the page table page reclaim feature by default via the reclaim_pt kernel command-line parameter. This feature reclaims page table pages in the MADV_DONTNEED path to save memory and prevent premature out-of-memory (OOM) errors.

      4. Hybrid deployment enhancements: Optimizes the load balancing policy for hybrid deployment scenarios and refactors the absolute preemption policy to grant online tasks absolute priority, preventing offline tasks from preempting their resources.

   3. Compatibility

      1. Backports patches to support UPI on GNR.

      2. The kernel kABI remains consistent with previous versions.

      3. Command line changes: The 'pci_quirk' parameter is enabled by default (disable with 'pci_quirk=disable'), and the 'drv_quirk' parameter is disabled by default (enable with 'drv_quirk=enable').

   4. Stability improvements

      1. Fixes a checksum error in virtio-net for both large and small packets.

      2. Fixes a use-after-free issue in the group balancer.

      3. Fixes a null pointer dereference in the nvme driver during system reboot or shutdown.

      4. Fixes a vhost thread exception.

2. Image

   1. Adds the update-grubenv service. This service is enabled by default and runs automatically at system startup. It detects the current boot mode (UEFI or Legacy BIOS) and dynamically updates the /boot/grub2/grubenv configuration file to ensure that the GRUB environment variables match the actual boot mode.

   2. Upgraded keentuned to keentuned-3.4.0-1.al8.x86_64.

   3. Upgraded kmod-fuse to kmod-fuse-5.10.134~19.103-1.2.4.5~2.al8.x86_64.

   4. Removed drv_quirk=disable and drv_link_quirk=disable from the command line, and added reclaim_pt.

• Compared to Ubuntu 22.04, Alibaba Cloud Linux 3 AI Extension Edition 0.5.2 delivers improved training and inference performance with standard community openclip/bevformer AI container images (AC2):

  • For bevformer_base training, the average throughput per step is 13% higher with FP32 precision and 12% to 18% higher with FP16 precision.

  • For openclip (RN50), the average training throughput per step is 26% higher, and the average inference throughput is 26% higher.

• Replacing the community openclip/bevformer AI container images with Alibaba Cloud's optimized versions improves performance as follows:

  • For bevformer_base training, the average throughput per step is 22% higher with FP32 precision and 17% to 20% higher with FP16 precision.

  • For openclip (RN50), the average training throughput per step is 46% higher, and the average inference throughput is 26% higher.

This release upgrades the kernel to version 5.10.134-19.101.al8.x86_64.

• Scheduling

  • Backports cluster scheduling features.

  • Adds support for configuring BVT for non-movable threads in the root group.

  • Adds support in Core Scheduling for independently configuring special properties for each cookie.

    • Allows sharing a core with normal tasks that do not have a cookie.

    • Prevents load balancing from packing tasks with the same cookie, ensuring they are distributed across different cores.

• Memory

  • Enables Transparent Huge Pages (THP)-aligned address space allocation for mmap().

  • Adds support for the memmap_on_memory feature in virtio-mem to enable rapid container memory scaling.

  • Introduces a temporary file optimization feature that improves performance in model training scenarios.

  • Introduces a smooth reclamation feature for the pagecache limit that improves memory efficiency and performance in model training scenarios.

  • Introduces a page table page reclamation feature to improve memory efficiency and performance in model training scenarios. To enable this feature, add reclaim_pt to the cmdline.

  • Adds a switch to control the delayed release of shmem file pages.

  • Fixes various issues, including a stability issue in kfence and a THP counting issue for large code pages.

• Network

  • Fixes various SMC issues, including link group and link use-after-free problems, and resolves smc-r device lookup failures in container scenarios.

• Storage

  • erofs:

    • Backports several fixes for the erofs file system from the mainline branch.

    • Adds support for file-backed mounting and a 48-bit layout.

    • Adds support for sub-page blocks for compressed files.

  • Backports patches from the mainline stable branches for components such as ext4, block, blk-mq, and io_uring.

  • Introduces the virtio-blk passthrough feature for virtio-blk devices.

• Driver

  • The NVMe driver now supports batch processing of completed polled I/O commands.

  • Adds support for differential configuration of NVMe driver parameters for cloud disks and local disks.

  • Merges PCIe driver bugfix patches to resolve issues such as incorrect space size calculation and root bus allocation.

• BPF

  • Merges bugfix and CVE fix patches from community stable branches.