Updating your host kernel on Amazon Linux

3 min read · Advanced

This guide shows how to change and boot an Edera host kernel under Xen on Amazon Linux. Our AMIs are Amazon Linux (AL2023) with Edera baked in; use this when you want to pin or change the dom0 kernel directly from ghcr.io/edera-dev/host-kernel. The script handles images that export a kernel/ tree (not a root-layout tar), ensures the version string matches across /boot/vmlinuz-*, /boot/initramfs-*.img, and /lib/modules/*, creates a Xen GRUB entry, sets it as the default, and reboots.

⚠️
This can impact a running system. Proceed with caution.

Note

It is recommended these instructions run during a machine image build rather than on a live environment.

⚠️
If the GRUB entry is wrong, the box may fail to boot. In EC2 you can recover with the Serial Console or by detaching the root volume and fixing GRUB on a rescue host.

Install script

Copy and paste the below script into file named host-kernel-swap.sh.
Make sure KVER is the correct version.
Then run the file, bash ./host-kernel-swap.sh.

#!/usr/bin/env bash
# Install Edera host kernel from ghcr.io and boot it under Xen.
# Handles images that export kernel/{image, addons.squashfs[, config.gz]}.
set -euo pipefail

KVER="${KVER:-6.6}" # desired kernel version (metadata may override)
IMG="ghcr.io/edera-dev/host-kernel:${KVER}"
WORKDIR=$(mktemp -d)
FINALDIR=${FINALDIR:-/}

echo "Creating WORKDIR=$WORKDIR"
mkdir -p $WORKDIR
echo "Creating FINALDIR=$FINALDIR"
mkdir -p $FINALDIR

# --- Install Necessary Tools ---
command -v crane >/dev/null || {
  curl -sSL https://github.com/google/go-containerregistry/releases/latest/download/go-containerregistry_Linux_x86_64.tar.gz | tar -xz crane && sudo mv crane /usr/local/bin/
}
if ! command -v unsquashfs >/dev/null; then
  if command -v dnf >/dev/null; then sudo dnf -y install squashfs-tools; else
    sudo yum -y install squashfs-tools || { sudo yum clean all && sudo yum -y makecache fast && sudo yum -y install squashfs-tools; }
  fi
fi
command -v dracut >/dev/null || { command -v dnf >/dev/null && sudo dnf -y install dracut || sudo yum -y install dracut; }
command -v rsync >/dev/null || { command -v dnf >/dev/null && sudo dnf -y install rsync || sudo yum -y install rsync; }

# --- Export host kernel image ---
crane export "$IMG" | sudo tar -C $WORKDIR -xvpf -
mv $WORKDIR/kernel/* $WORKDIR

# --- Extract host kernel image onto filesystem ---
KERNEL_VERSION="$(cat $WORKDIR/metadata | grep -E '^KERNEL_VERSION=' | awk -F '=' '{print $2}')"
mkdir -p "$FINALDIR/lib/modules"
unsquashfs -strict-errors -dest $WORKDIR/addons $WORKDIR/addons.squashfs
mv $WORKDIR/addons/modules "$FINALDIR/lib/modules/${KERNEL_VERSION}"
mkdir -p "$FINALDIR/boot"
cp $WORKDIR/image "$FINALDIR/boot/vmlinuz-${KERNEL_VERSION}"
gzip -d <$WORKDIR/config.gz >"$FINALDIR/boot/config-${KERNEL_VERSION}"
mv $WORKDIR/metadata $FINALDIR/metadata-edera

# --- Generate grub config ---
dracut --regenerate-all || true
grub2-mkconfig -o /boot/grub2/grub.cfg

# Set the newly installed kernel as the latest
grub2-set-default "Amazon Linux, with Xen xen and Linux ${KERNEL_VERSION}"

sudo reboot

Verify

Make sure your instance booted with the correct kernel

uname -r   # should equal KVER printed by the script (e.g., 6.6.93 or 6.6.93-edera)
[ -f /sys/hypervisor/type ] && cat /sys/hypervisor/type   # should say: xen

Rollback

If you need to rollback your kernel for any reason, follow the below steps.

Choose a known-good kernel menu entry from:
awk -F"'" '/menuentry /{print $2}' /boot/grub2/grub.cfg

and then:

sudo grub2-set-default 'Amazon Linux, with Xen xen and Linux 6.1.141'
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
sudo reboot
ℹ️
The version string must match across /boot/vmlinuz-*, /boot/initramfs-*.img, and /lib/modules/*.
If your image ships no modules at all, you’ll need a companion modules artifact; otherwise depmod/dracut will fail.
Last updated on
Injecting the Edera RuntimeClass with Kyverno