Microsoft has published an update to the CBL-Mariner Linux distribution

Microsoft has published CBL-Mariner 1.0.20210901, an update to the CBL-Mariner (Common Base Linux Mariner) distribution, which is being developed as a universal base platform for the Linux environments used in cloud infrastructure, edge systems and various Microsoft services. The project aims to unify the Linux solutions used within Microsoft and to simplify keeping Linux systems for various purposes up to date. The project's developments are distributed under the MIT license.

In the new release:

  • A base ISO image (700 MB) is now produced. The first release did not ship ready-made ISO images; it was assumed that users would build an image with the required contents themselves (build instructions were prepared for Ubuntu 18.04).
  • Implemented support for automatic package updates, for which the dnf-automatic application is included.
  • The Linux kernel has been updated to version 5.10.60.1. Software versions have been updated, including openvswitch 2.15.1, golang 1.16.7, logrus 1.8.1, tcell 1.4.0, gonum 0.9.3, testify 1.7.0, crunchy 0.4.0, xz 0.5.10, swig 4.0.2, squashfs-tools 4.4 and mysql 8.0.26.
  • For OpenSSL, the ability to re-enable support for TLS 1.0 and TLS 1.1 is provided.
  • The sha256sum utility is used to verify the checksums of the toolkit's source code.
  • New packages included: etcd-tools, cockpit, aide, fipscheck, tini.
  • Removed the brp-strip-debug-symbols, brp-strip-unneeded and ca-legacy packages. Removed the SPEC files for the dotnet and aspnetcore packages, which are now built by the core .NET development team and kept in a separate repository.
  • Vulnerability fixes have been backported to the package versions in use.

Recall that the CBL-Mariner distribution provides a small standard set of basic packages that serve as a universal base for populating containers, host environments and services run in cloud infrastructure and on edge devices. More complex and specialized solutions are created by adding extra packages on top of CBL-Mariner, while the base of all such systems stays the same, which makes them easier to maintain and to prepare updates for. For example, CBL-Mariner serves as the basis of the WSLg mini-distribution, which provides the graphics-stack components for running Linux GUI applications in WSL2 (Windows Subsystem for Linux) environments. The extended functionality of WSLg comes from additional packages with the Weston compositor, XWayland, PulseAudio and FreeRDP.

The CBL-Mariner build system can generate both individual RPM packages from SPEC files and sources, and monolithic system images produced with the rpm-ostree toolkit, which are updated atomically rather than as a set of separate packages. Accordingly, two update delivery models are supported: updating individual packages, or rebuilding and replacing the entire system image. A repository with about 3000 prebuilt RPMs is available, which can be used to build your own images from a configuration file.

The distribution includes only the most essential components and is optimized for minimal memory and disk consumption and for fast boot. It is also notable for the additional security mechanisms it includes: the project follows a "maximum security by default" approach. It provides the ability to filter system calls with the seccomp mechanism, to encrypt disk partitions, and to verify packages by digital signature.

The address-space randomization (ASLR) modes supported by the Linux kernel are enabled, as are protections against attacks involving symbolic links, mmap, /dev/mem and /dev/kmem. Memory areas containing kernel and module data segments are mapped read-only and with code execution prohibited. Optionally, the loading of kernel modules can be disabled after system initialization. The iptables toolkit is used for packet filtering. By default the build enables protection modes against stack overflows, buffer overflows and format-string problems (_FORTIFY_SOURCE, -fstack-protector, -Wformat-security, relro).
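The two paragraphs above list the hardening CBL-Mariner enables but give no way to confirm it on a running host. The script below is an added example (not CBL-Mariner's own tooling) that audits a `sysctl -a` dump for the runtime knobs (ASLR, symlink and hardlink protection, mmap_min_addr, the optional post-boot lock on module loading) and a `/boot/config-*` file for the build-time options behind the /dev/mem, /dev/kmem and read-only kernel/module mapping items. The sysctl and CONFIG_* names are the standard Linux ones; the thresholds, the inclusion of fs.protected_hardlinks alongside the symlink protection, and the sample inputs are this example's own assumptions.

```python
"""Audit Linux hardening settings of the kind the article attributes to
CBL-Mariner. Added example, not project code: sysctl/CONFIG_* names are the
standard Linux ones, the thresholds and sample inputs are assumptions."""
from typing import Dict, List, Tuple

# sysctl knob -> (minimum acceptable value, reason). Thresholds are assumed.
SYSCTL_REQUIRED: Dict[str, Tuple[int, str]] = {
    "kernel.randomize_va_space": (2, "full ASLR for stack, mmap and brk"),
    "fs.protected_symlinks": (1, "do not follow symlinks in sticky world-writable dirs"),
    "fs.protected_hardlinks": (1, "restrict hardlink creation to files the caller owns"),
    "vm.mmap_min_addr": (65536, "forbid low-address mappings (NULL-deref exploits)"),
}
# The article describes locking module loading after boot as optional, so a
# value of 0 here is reported as informational rather than as a failure.
SYSCTL_OPTIONAL = {"kernel.modules_disabled": (1, "module loading locked after boot")}

# Kconfig option -> expected value ('n' also matches '# CONFIG_X is not set').
KCONFIG_EXPECTED: Dict[str, str] = {
    "CONFIG_STRICT_DEVMEM": "y",      # /dev/mem limited to PCI/BIOS ranges
    "CONFIG_DEVKMEM": "n",            # no /dev/kmem at all
    "CONFIG_STRICT_KERNEL_RWX": "y",  # kernel text read-only, data non-executable
    "CONFIG_STRICT_MODULE_RWX": "y",  # same for modules
}


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines as printed by `sysctl -a`."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_kconfig(text: str) -> Dict[str, str]:
    """Parse a /boot/config-* style file; '# CONFIG_X is not set' becomes 'n'."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, value = line.partition("=")
            opts[key] = value.strip().strip('"')
    return opts


def audit_sysctl(settings: Dict[str, str]) -> List[str]:
    """One finding per knob that is missing, unparsable, or below its threshold."""
    findings: List[str] = []
    for key, (minimum, why) in SYSCTL_REQUIRED.items():
        raw = settings.get(key)
        if raw is None:
            findings.append(f"MISSING {key}: {why}")
        elif not raw.isdigit():
            findings.append(f"UNPARSEABLE {key}={raw!r}")
        elif int(raw) < minimum:
            findings.append(f"WEAK {key}={raw} (want >= {minimum}): {why}")
    for key, (minimum, why) in SYSCTL_OPTIONAL.items():
        raw = settings.get(key, "0")
        if not raw.isdigit() or int(raw) < minimum:
            findings.append(f"INFO {key}={raw}: {why} (optional, not enabled)")
    return findings


def audit_kconfig(opts: Dict[str, str]) -> List[str]:
    """One finding per CONFIG_* option that differs from the expectation."""
    findings: List[str] = []
    for key, want in KCONFIG_EXPECTED.items():
        got = opts.get(key, "n")  # absent from the config file means not set
        if got != want:
            findings.append(f"KCONFIG {key}={got} (want {want})")
    return findings


def audit(sysctl_text: str, kconfig_text: str) -> List[str]:
    return audit_sysctl(parse_sysctl(sysctl_text)) + audit_kconfig(parse_kconfig(kconfig_text))


# Constructed sample inputs (not captured from a real CBL-Mariner host).
SAMPLE_SYSCTL_HARDENED = """\
kernel.randomize_va_space = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
vm.mmap_min_addr = 65536
kernel.modules_disabled = 1
"""
SAMPLE_KCONFIG_HARDENED = """\
CONFIG_STRICT_DEVMEM=y
# CONFIG_DEVKMEM is not set
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
"""
SAMPLE_SYSCTL_WEAK = """\
kernel.randomize_va_space = 0
fs.protected_hardlinks = 1
vm.mmap_min_addr = 4096
kernel.modules_disabled = 0
"""
SAMPLE_KCONFIG_WEAK = """\
# CONFIG_STRICT_DEVMEM is not set
CONFIG_DEVKMEM=y
CONFIG_STRICT_KERNEL_RWX=y
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTL_WEAK, SAMPLE_KCONFIG_WEAK):
        print(finding)
```

On a live host, feed it `sysctl -a 2>/dev/null` and `/boot/config-$(uname -r)` (or `zcat /proc/config.gz`). Note that kernel.modules_disabled is one-way: once set to 1 it cannot be cleared without a reboot, which is why the article describes it as optional and why the audit only reports it as informational.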

The systemd service manager handles services and booting. For package management, RPM and DNF are provided (the latter in the form of tdnf, VMware's lightweight DNF variant). The SSH server is disabled by default. An installer is provided that works in both text and graphical modes; it allows installing either a full or a basic set of packages, and offers an interface for choosing the disk partition, setting the host name and creating users.

Source: opennet.ru