Amazon ECS-Optimized Amazon Linux 2 AMIs moving to use Docker v25.0.3

0

Hello AWS Support,

I hope this message finds you well.

We recently received a notification regarding an upcoming update to the Docker version used in the Amazon ECS-Optimized AMIs. The update states that starting from May 16, 2024, Amazon ECS-Optimized AL2 AMIs will use Docker version 25.0.3. We understand the importance of staying up-to-date with security patches and improvements. However, we have some questions regarding the mandatory nature of this update and its potential impacts.

Is the update to Docker version 25.0.3 mandatory for all users of Amazon ECS-Optimized AL2 AMIs, or do users have the option to remain on the current version (20.10) if needed? If we choose not to update to Docker version 25.0.3 by the specified date, what potential impacts might we encounter? Specifically, are there any security risks or compatibility issues that could arise from running an unsupported Docker version? We appreciate your assistance in clarifying these questions. Ensuring the stability and security of our systems is a top priority for us, and we want to make informed decisions regarding this update.

Thank you for your attention to this matter. We look forward to your prompt response.

Best regards,

Oscar Zappaterra

  • please accept the answer if it was useful

asked 6 months ago · 2.8K views
1 Answer
0

The update to Docker version 25.0.3 in Amazon ECS-Optimized AL2 AMIs is not explicitly mandatory, but there are strong recommendations and implications for not updating. Starting from June 12, 2024, Amazon ECS-optimized AMIs based on Amazon Linux will no longer automatically apply all "Critical" and "Important" security updates at instance launch. Instead, users are encouraged to update to new AMI releases as they become available, which will include the latest security patches and Docker versions (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html).


If you choose not to update to Docker version 25.0.3 by the specified date, your instances will not benefit from the latest security improvements and bug fixes. Using an unsupported version of Docker could expose your environment to security vulnerabilities, compatibility issues with new versions of the Amazon ECS container agent, and potential operational challenges due to a lack of support for older Docker versions from new software updates and features.

Amazon emphasizes the importance of using the latest AMI versions to ensure software components like Docker and the ECS container agent are up-to-date. This approach helps in maintaining the security and stability of your ECS environments (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/agent-update-ecs-ami.html).

For environments where updates cannot be applied immediately, Amazon provides mechanisms to manage updates more flexibly. However, consistently running on older Docker versions may not only pose security risks but could also lead to compatibility issues with other software relying on Docker within your infrastructure (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html).

To manage these updates, Amazon recommends automating the environment to shift to new AMI versions as they are released, potentially using managed instance draining to minimize disruption during updates (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html). This proactive approach can help mitigate risks associated with outdated software versions.

EXPERT
answered 6 months ago
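An inventory check for the situation discussed in this thread, as an added example that is not part of the original answer and is not AWS's own code: it compares the Docker version each ECS container instance reports against the one shipped in the recommended ECS-optimized AL2 AMI. Both inputs are constructed samples with placeholder IDs, shaped like the output of `aws ecs describe-container-instances` and the value of the public SSM parameter `/aws/service/ecs/optimized-ami/amazon-linux-2/recommended`; the function names are hypothetical.

```python
import json
import re

# Constructed sample: shape of the recommended-AMI SSM parameter value.
# The AMI name/id are placeholders and the agent version is illustrative.
RECOMMENDED = json.dumps({
    "schema_version": 1,
    "image_name": "amzn2-ami-ecs-hvm-EXAMPLE-x86_64-ebs",
    "image_id": "ami-EXAMPLE",
    "os": "Amazon Linux 2",
    "ecs_runtime_version": "Docker version 25.0.3",
    "ecs_agent_version": "0.0.0",
})

# Constructed sample: trimmed `aws ecs describe-container-instances` output.
FLEET = json.dumps({"containerInstances": [
    {"ec2InstanceId": "i-EXAMPLE1",
     "versionInfo": {"dockerVersion": "DockerVersion: 20.10.23"}},
    {"ec2InstanceId": "i-EXAMPLE2",
     "versionInfo": {"dockerVersion": "DockerVersion: 25.0.3"}},
    {"ec2InstanceId": "i-EXAMPLE3", "versionInfo": {}},
]})


def parse_version(text):
    """Extract a numeric (major, minor, patch) tuple, or None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def stale_instances(fleet_json, recommended_json):
    """Return (instance id, reported version) for hosts behind the target."""
    target = parse_version(json.loads(recommended_json)["ecs_runtime_version"])
    if target is None:
        raise ValueError("recommended parameter carries no Docker version")
    stale = []
    for ci in json.loads(fleet_json)["containerInstances"]:
        raw = ci.get("versionInfo", {}).get("dockerVersion")
        have = parse_version(raw)
        # A host that reports no version is flagged too: it needs a manual look.
        if have is None or have < target:
            stale.append((ci["ec2InstanceId"], raw or "unknown"))
    return stale


if __name__ == "__main__":
    for instance_id, version in stale_instances(FLEET, RECOMMENDED):
        print(f"{instance_id}: {version} -> replace with current AMI")
```
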
  • AWS doesn't provide an AMI with Docker v25 for the Amazon ECS GPU-optimized family. The latest AMI still comes with Docker v20. What can we do in such a scenario to update Docker to v25?

  • Thanks for the information and links.

    I have a similar question to Ajay's - the latest AMI for EB ECS AL2 (HVM) also still comes with Docker v20 (aws-elasticbeanstalk-amzn-2.0.20240521.64bit-eb_ecs_amazon_linux_2-hvm-2024-05-24T09-52).

    Is there a timeline for a new AMI being available? If so, how can we test and/or plan for a docker upgrade to v25?

    Thank you for your help!
