May 2025: CMS Gold Image Monthly Updates
CMS Cloud



The Centers for Medicare & Medicaid Services (CMS) Hybrid Cloud Team announces the following CMS Gold Image (GI) updates for May 2025:

May 2025 GI Updates

Amazon Linux 2 (AL2) End-of-Life (EOL)

  • Based on guidance from AWS Professional Services and the CMS Hybrid Cloud Team, all AL2 customers must transition to Amazon Linux 2023 (AL2023) by July 1, 2025.
  • On Friday, April 18, 2025, CMS customers who had active AL2 instances received dedicated support tickets to ensure all AL2 instances get closed.
  • Please note the following AL2023 cms.cloud.gov (CCG) pages to help your team upgrade from AL2 to AL2023:
    • Gold Image: Amazon Linux 2023: As an added security measure, the /tmp directory is mounted with the NOEXEC option, which does not allow binaries to be executed from within /tmp. This change may impact third-party tools that execute scripts out of the /tmp directory, such as Packer. Packer allows you to specify a different directory to execute scripts from. Please review the documentation for more details.

    • Gold Image: Amazon Linux 2023 with Elastic Kubernetes Service (EKS) Optimization: The existing launch template configurations are based on the EKS-optimized AL2 GI and will not work for AL2023 because of a change to the node initialization process. Note that in the April AL2023 with EKS Optimization CMS GI, the firewall configuration was updated to ensure outbound traffic from containers. For more information, please review the Amazon-published documentation that highlights the changes and the Changes from AL2 to AL2023 CCG page.

  • Please Note: The last AL2 CMS GI will be released on Friday, June 13, 2025.
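
The /tmp NOEXEC note above can be checked before a build tool stages its scripts. The following is an added example, not code from CMS or from the Gold Image documentation: it reads a mount table in /proc/mounts format and picks the first candidate directory that is not on a noexec mount. The sample mount table, the candidate directories and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick a script staging directory that is not on a noexec mount.

# mount_opts_for PATH [MOUNTS_FILE]
# Print the options of the mount that holds PATH (absolute, symlinks resolved):
# the longest matching mount point wins, and a later entry wins a tie.
mount_opts_for() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { if (opts != "") print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: succeed when PATH sits on a noexec mount.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_exec_dir MOUNTS_FILE DIR...: print the first DIR that allows execution.
pick_exec_dir() {
    mounts=$1; shift
    for d in "$@"; do
        if ! is_noexec "$d" "$mounts"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Constructed mount table in /proc/mounts format (not taken from a real GI).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/nvme0n1p1 / xfs rw,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/nvme1n1 /opt/build xfs rw,relatime 0 0
EOF

# Constructed candidate directories; on a live host, pass /proc/mounts instead.
pick_exec_dir "$SAMPLE_MOUNTS" /tmp /dev/shm /opt/build/stage /home/ec2-user
```

The directory it prints is the kind of value to hand to a tool's script-directory setting, for example the `remote_folder` option of Packer's shell provisioner.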

Hardened Container Images Now Available in the CMS Artifactory Repository

  • The CMS Hybrid Cloud Team strongly recommends only using a hardened Iron Bank image as the base image for container builds to help:

    • Ensure the best security posture.

    • Reduce the burden of applying security configuration best practices.

  • Access Iron Bank images in the CMS JFrog Platform under the gi-gantuar-ironbank Artifactory repository. 

  • The CMS Artifactory repository is a pull-through cache that allows you to access Iron Bank container images without registering for a separate Iron Bank account. It also helps you avoid any potential rate limits from the Iron Bank registry.

  • Please register for CMS Artifactory repository access to use the pre-cached Iron Bank container images already used in our CMS environment (such as Alpine Linux, Red Hat UBI, UBI with NodeJS, Alpine, and UBI with Python).

CMS Marketplace Customers: Only Use "Bring Your Own License" (BYOL) Red Hat GIs

  • CMS Marketplace Customers: Marketplace Information Technology Group (MITG) has a dedicated license for Red Hat Enterprise Linux (RHEL) that includes premium support. This means that if you use a regular GI instead of a BYOL RHEL GI, you will incur unnecessary costs.
  • Please Note: All BYOL GIs have "byol" in the GI name.

Gold Image Accessibility

CMS GI availability is based on each team's Customer Automation and Management Platform (CAMP) details. If your team wants to request a new CMS GI, please open a Hybrid Cloud Support Ticket and contact your assigned Hosting Coordinator.

For more information about CMS GIs, please review the available Gold Image documentation.

Questions or Concerns

For questions or concerns, please contact your assigned Hosting Coordinator/Technical Advisor or submit a Hybrid Cloud support ticket.


