Microsoft has published an update to the CBL-Mariner Linux distribution

Microsoft has published an update to CBL-Mariner 2.0.20221029 (Common Base Linux Mariner), a distribution developed as a universal base platform for the Linux environments used in Microsoft's cloud infrastructure, edge systems and various Microsoft services. The project aims to unify the Linux solutions used within Microsoft and to simplify keeping Linux systems for various purposes up to date. The project's developments are distributed under the MIT license. Packages are built for the aarch64 and x86_64 architectures; a bootable ISO image (1.1 GB) is provided for x86_64.

In the new version:

  • Updated package versions, including Linux kernel 5.15.74, PHP 8.1.11, nodejs 16.17.1, cassandra 4.0.7, dbus 1.15.2, expat 2.5.0, mysql 8.0.31, terraform 1.32.2, tidy 5.8.0, wireshark 3.4.16 and nginx 1.22.1.
  • Added new packages: cairomm 1.12.0, cpptest 1.1.2, k-exec-tools, kernel-drivers-gpu, libcroco 0.6.13, python-google-auth-oauthlib, sgx-backwards-compatability.
  • Included kernel modules for changing the TCP congestion control algorithm.
  • Backported vulnerability fixes to the libtar, unbound, aspell, libtiff, redis, livepatch, libtasn1, PHP, nodejs, dbus, expat, mod_wsgi, wireshark, nginx, mysql and terraform packages.

The CBL-Mariner distribution provides a small standard set of base packages that serve as a universal foundation for building containers, host environments and services running in cloud infrastructure and on edge devices. More complex and specialized solutions can be created by adding packages on top of CBL-Mariner, but the base of all such systems remains the same, which simplifies maintenance and the preparation of updates. For example, CBL-Mariner is used as the basis for the WSLg mini-distribution, which provides the graphics stack components for running Linux GUI applications in WSL2 (Windows Subsystem for Linux) environments. The extended functionality of WSLg is realized by including additional packages with the Weston compositor, XWayland, PulseAudio and FreeRDP.

The CBL-Mariner build system can generate both individual RPM packages from SPEC files and sources, and monolithic system images built with the rpm-ostree toolkit that are updated atomically rather than package by package. Accordingly, two update delivery models are supported: updating individual packages, or rebuilding and replacing the entire system image. A repository of about 3000 prebuilt RPMs is available and can be used to build your own images from a configuration file.

The distribution includes only the most necessary components and is optimized for minimal memory and disk consumption and for high download speeds. It is also notable for including a number of additional security mechanisms and follows a “maximum security by default” approach: it provides the ability to filter system calls with the seccomp mechanism, to encrypt disk partitions, and to verify packages by digital signature.

The address space randomization modes supported by the Linux kernel are enabled, as are protections against attacks involving symbolic links, mmap, /dev/mem and /dev/kmem. Memory regions holding kernel and module data are marked read-only and non-executable. Optionally, loading of kernel modules can be disabled after system initialization. The iptables toolkit is used for network packet filtering. By default, the build enables compiler hardening against stack overflows, buffer overflows and format string problems (_FORTIFY_SOURCE, -fstack-protector, -Wformat-security, relro).
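The hardening flags listed above leave visible traces in the resulting ELF binaries, which is how a practitioner verifies that a package was actually built with them. The following added example (not code from the article or from the CBL-Mariner project) is a minimal checksec-style reader for 64-bit ELF files: it parses the program headers for PT_GNU_STACK (non-executable stack) and PT_GNU_RELRO, reads the dynamic section for BIND_NOW (which turns partial RELRO into full RELRO), and uses the same heuristics as common checksec scripts for the canary and FORTIFY checks, namely the presence of the `__stack_chk_fail` and `*_chk` symbol names in the file. The `build_sample_elf` helper constructs a synthetic, non-runnable ELF image purely so the checker can be exercised without a compiler; its field values are assumed for the example.

```python
"""Minimal ELF64 hardening checker (added example; heuristics approximate checksec)."""
import struct
import sys

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
FORTIFY_MARKERS = (b"__printf_chk", b"__memcpy_chk", b"__strcpy_chk", b"__sprintf_chk")


def parse_program_headers(data):
    """Return (endianness prefix, list of program headers) for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not a 64-bit ELF file")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = fields
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset, "filesz": p_filesz})
    return end, phdrs


def check_hardening(data):
    """Report NX stack, RELRO level, stack canary and FORTIFY markers for an ELF64 image."""
    end, phdrs = parse_program_headers(data)
    # Without PT_GNU_STACK the Linux loader historically grants an executable stack,
    # so NX is only reported when the header is present and lacks PF_X.
    result = {"nx": False, "relro": "none", "canary": False, "fortify": False}
    dynamic = None
    for ph in phdrs:
        if ph["type"] == PT_GNU_STACK:
            result["nx"] = not (ph["flags"] & PF_X)
        elif ph["type"] == PT_GNU_RELRO:
            result["relro"] = "partial"
        elif ph["type"] == PT_DYNAMIC:
            dynamic = ph
    bind_now = False
    if dynamic is not None:
        off, stop = dynamic["offset"], dynamic["offset"] + dynamic["filesz"]
        while off + 16 <= stop:  # each Elf64_Dyn is a signed tag plus a value
            tag, val = struct.unpack_from(end + "qQ", data, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    if result["relro"] == "partial" and bind_now:
        result["relro"] = "full"  # RELRO segment plus immediate binding = full RELRO
    result["canary"] = b"__stack_chk_fail" in data  # emitted by -fstack-protector
    result["fortify"] = any(m in data for m in FORTIFY_MARKERS)  # emitted by _FORTIFY_SOURCE
    return result


def build_sample_elf(nx=True, relro="full", canary=True, fortify=True):
    """Construct a synthetic (non-executable) ELF64 image carrying the requested markers.

    Sample data for this example only; the layout is the minimum the checker reads."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7)]  # RW stack vs RWX stack
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0x4))
    dyn = [(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []
    dyn.append((DT_NULL, 0))
    n_ph = len(phdrs) + 1  # plus the PT_DYNAMIC header
    dyn_off = 64 + 56 * n_ph
    dyn_blob = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    strings = b"\0" + (b"__stack_chk_fail\0" if canary else b"") + (b"__printf_chk\0" if fortify else b"")
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, little endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    body += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), 8)
    return ehdr + body + dyn_blob + strings


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary  (no argument: inspect the synthetic sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in check_hardening(blob).items():
        print(f"{key:8s} {value}")
```

Running the script against a real binary from the distribution reports the four properties; the canary and FORTIFY checks are string heuristics, so a binary that simply never calls a fortifiable libc function will show `fortify False` even when built with `_FORTIFY_SOURCE`.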

The systemd service manager handles services and boot. The RPM and DNF package managers are provided for package management. The SSH server is not enabled by default. An installer is provided that works in both text and graphical modes; it allows installing either the full or the basic package set, and offers an interface for selecting the disk partition, choosing the host name and creating users.

Source: opennet.ru
