Microsoft has published the first stable release of the new CBL-Mariner 2.0 (Common Base Linux Mariner) branch, a distribution developed as a universal base platform for the Linux environments used in cloud infrastructure, edge systems and various Microsoft services. The project aims to unify the Linux solutions used within Microsoft and to simplify keeping Linux systems built for different purposes up to date. The project's code is distributed under the MIT license. Package builds are generated for the aarch64 and x86_64 architectures.
The new release is notable for a significant update of software versions: Linux kernel 5.15 (the 1.0 branch used kernel 5.4), systemd 250, glibc 2.35, GCC 11.2, clang 12, Python 3.9, ruby 3.1.2, rpm 4.17, qemu 6.1, perl 5.34 and ostree 2022.1. The base repository now includes components for building a graphical interface, such as Wayland 1.20, Mesa 21.0, GTK 3.24 and X.Org Server 1.20.10, which were previously shipped in a separate coreui repository. Kernel builds with PREEMPT_RT patches have been added for use on real-time systems.
The CBL-Mariner distribution provides a small standard set of core packages that serve as a universal basis for building containers, host environments and services running in cloud infrastructure and on edge devices. More complex and specialized solutions can be created by adding packages on top of CBL-Mariner, while the base of all such systems stays the same, which simplifies maintenance and the preparation of upgrades. For example, CBL-Mariner is the basis of WSLg, which provides the graphics stack components for running Linux GUI applications in WSL2 (Windows Subsystem for Linux) environments. WSLg's extended functionality comes from additional packages with the Weston compositor, XWayland, PulseAudio and FreeRDP.
The CBL-Mariner build system can generate both individual RPM packages from SPEC files and sources, and monolithic system images produced with the rpm-ostree toolkit, which are updated atomically rather than as separate packages. Accordingly, two update delivery models are supported: updating individual packages, and rebuilding and updating the entire system image. A repository with about 3,000 prebuilt RPMs is available and can be used to build custom images based on a config file.
The distribution includes only the most necessary components and is optimized for minimal memory and disk space consumption, as well as for fast loading. The distribution is also notable for including various additional security mechanisms. The project follows a “maximum security by default” approach. It provides the ability to filter system calls with seccomp, encrypt disk partitions, and verify packages by digital signature.
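As an added example (not part of the article or of the CBL-Mariner project), the following POSIX shell script checks the package-signature side of the mechanisms listed above: it audits DNF/YUM .repo definitions and flags every repository section that would accept unsigned RPMs. The repository names, URLs and key path in the sample file are constructed.

```shell
#!/bin/sh
# Audit DNF/YUM repository definitions for RPM signature checking.
# repo_gpgcheck_audit FILE reads an INI-style .repo file and prints one line
# per [section]: "<section> ok" when gpgcheck=1, otherwise
# "<section> UNSIGNED-ALLOWED (gpgcheck=<value|unset>)".
# The exit status is the number of sections that would accept unsigned packages.
repo_gpgcheck_audit() {
    awk '
        function report() {
            if (gpg == "1") {
                print sec " ok"
            } else {
                print sec " UNSIGNED-ALLOWED (gpgcheck=" (gpg == "" ? "unset" : gpg) ")"
                bad++
            }
        }
        /^\[/ {
            if (sec != "") report()
            sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); gpg = ""
        }
        /^[ \t]*gpgcheck[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); gpg = kv[2]
        }
        END { if (sec != "") report(); exit bad + 0 }
    ' "$1"
}

# Constructed sample (names, URLs and key path are placeholders):
# "base" is configured correctly, "extras" explicitly disables signature
# checks, and "preview" omits the key, so it silently inherits whatever the
# global [main] section says instead of stating its own policy.
sample_repo=$(mktemp)
trap 'rm -f "$sample_repo"' EXIT
cat > "$sample_repo" <<'EOF'
[base]
name=Base (constructed sample)
baseurl=https://example.invalid/base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY

[extras]
name=Extras (constructed sample)
baseurl=https://example.invalid/extras
gpgcheck=0

[preview]
name=Preview (constructed sample)
baseurl=https://example.invalid/preview
EOF

repo_gpgcheck_audit "$sample_repo" || echo "$? section(s) would accept unsigned packages"
```

On a real host the same function can be pointed at each file under /etc/yum.repos.d/; a non-zero exit status is the signal to act on, the printed lines say which section to fix.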
The address space layout randomization modes supported by the Linux kernel are enabled, as are protections against attacks involving symbolic links, mmap, /dev/mem and /dev/kmem. Memory regions holding kernel and module data segments are mapped read-only and non-executable. Optionally, loading of kernel modules can be disabled after system initialization. The iptables toolkit is used to filter network packets. By default, the build step enables protections against stack overflows, buffer overflows and format string bugs (_FORTIFY_SOURCE, -fstack-protector, -Wformat-security, relro).
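As an added example, not from the article or the project, the POSIX shell script below turns the hardening settings just listed into two offline checks: audit_sysctl compares a saved sysctl dump against an assumed baseline (ASLR, symlink and hardlink protection, the optional post-boot module-loading lock, and a low-address mmap guard), and elf_hardening classifies readelf output for RELRO, -fstack-protector and _FORTIFY_SOURCE. The baseline values, function names and sample inputs are the author's assumptions, not CBL-Mariner's own configuration.

```shell
#!/bin/sh
# Two audit helpers for the kernel and toolchain hardening described above.
# Both work on saved tool output, so they can check a captured snapshot
# from another host (or, as here, constructed sample text).

# Assumed baseline for a hardened host (example values chosen by the author,
# not taken from CBL-Mariner's configuration):
#   kernel.randomize_va_space=2  full ASLR (stack, mmap base, brk)
#   fs.protected_symlinks=1      symlink-following restrictions in sticky world-writable dirs
#   fs.protected_hardlinks=1     hardlink creation restrictions
#   kernel.modules_disabled=1    no module loading after init (the optional mode above)
#   vm.mmap_min_addr=65536       refuse mappings in the lowest 64 KiB (NULL-page guard)
SYSCTL_BASELINE='kernel.randomize_va_space=2
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.modules_disabled=1
vm.mmap_min_addr=65536'

# audit_sysctl FILE: FILE holds "key = value" lines as printed by `sysctl -a`.
# Prints one line per baseline key; exit status = number of keys off baseline.
audit_sysctl() {
    file=$1
    bad=0
    for pair in $SYSCTL_BASELINE; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(awk -F' *= *' -v k="$key" '$1 == k { print $2 }' "$file")
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "DEVIATES $key = ${have:-<missing>} (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# elf_hardening: reads the combined text of `readelf -lW BIN`, `readelf -dW BIN`
# and `readelf -sW BIN` on stdin and prints
# "relro=<none|partial|full> stack-protector=<yes|no> fortify=<yes|no>".
elf_hardening() {
    text=$(cat)
    relro=none
    # A GNU_RELRO segment alone is partial RELRO; with BIND_NOW the GOT is
    # resolved at load time and made read-only as well, which is full RELRO.
    if printf '%s\n' "$text" | grep -q 'GNU_RELRO'; then
        relro=partial
        if printf '%s\n' "$text" | grep -Eq 'BIND_NOW|Flags:.*NOW'; then
            relro=full
        fi
    fi
    # -fstack-protector emits calls to __stack_chk_fail.
    sp=no
    printf '%s\n' "$text" | grep -q '__stack_chk_fail' && sp=yes
    # _FORTIFY_SOURCE rewrites risky libc calls to __<name>_chk variants.
    fort=no
    printf '%s\n' "$text" | grep -v '__stack_chk' | grep -Eq '__[a-z0-9_]+_chk' && fort=yes
    echo "relro=$relro stack-protector=$sp fortify=$fort"
}

# Constructed sample inputs (hardlink protection off, module lock missing).
sample_sysctl=$(mktemp)
trap 'rm -f "$sample_sysctl"' EXIT
cat > "$sample_sysctl" <<'EOF'
kernel.randomize_va_space = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 0
vm.mmap_min_addr = 65536
EOF
# Constructed readelf excerpt for a fully hardened binary.
sample_readelf='  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (2)'

audit_sysctl "$sample_sysctl" || echo "$? sysctl setting(s) deviate from baseline"
printf '%s\n' "$sample_readelf" | elf_hardening
```

Against a live system the inputs are `sysctl -a > snapshot.txt; audit_sysctl snapshot.txt` and `{ readelf -lW BIN; readelf -dW BIN; readelf -sW BIN; } | elf_hardening`. Note that the /dev/mem and /dev/kmem restrictions the article mentions are kernel build options rather than sysctls, so they have to be read from the kernel config instead.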
The systemd system manager handles services and boot. The RPM and DNF package managers are provided for package management. The SSH server is not enabled by default. An installer that works in both text and graphical modes is provided; it offers installation with a full or basic set of packages, along with an interface for selecting a disk partition, choosing a host name and creating users.