Microsoft has published the first stable release of the CBL-Mariner Linux distribution

Microsoft has published the release of CBL-Mariner 1.0 (Common Base Linux Mariner), which is marked as the first stable release of the project. The CBL-Mariner distribution is being developed as a universal base platform for the Linux environments used in cloud infrastructure, edge systems and various Microsoft services. The project aims to unify the Linux solutions used within Microsoft and to simplify the task of keeping Linux systems for various purposes up to date. The project's developments are distributed under the MIT license.

The distribution provides a small standard set of core packages that serve as a universal basis for building the contents of containers, host environments and services running in cloud infrastructures and on edge devices. More complex and specialized solutions can be created by adding packages on top of CBL-Mariner, but the base of all such systems remains the same, which simplifies maintenance and the preparation of updates.

For example, CBL-Mariner is used as the basis of the WSLg mini-distribution, which provides the graphics stack components for running Linux GUI applications in WSL2 (Windows Subsystem for Linux) environments. The base of this distribution is left unchanged, and the extended functionality is implemented by including additional packages with the Weston compositor, XWayland, PulseAudio and FreeRDP.

The CBL-Mariner build system can generate both individual RPM packages from SPEC files and sources, and monolithic system images produced with the rpm-ostree toolkit, which are updated atomically without being split into separate packages. Accordingly, two update delivery models are supported: updating individual packages, and rebuilding and updating the entire system image. The distribution includes only the most necessary components and is optimized for minimal memory and disk consumption and for fast loading. It is also notable for including a number of additional security mechanisms.

The project follows a "maximum security by default" approach. It supports filtering system calls with the seccomp mechanism, encrypting disk partitions and verifying packages by digital signature. By default, the build enables protections against stack overflows, buffer overflows and format-string problems (_FORTIFY_SOURCE, -fstack-protector, -Wformat-security, relro). The address space randomization modes supported by the Linux kernel are activated, as are protection mechanisms against attacks involving symbolic links, mmap, /dev/mem and /dev/kmem. Memory areas containing segments of kernel and module data are set read-only, and code execution from them is prohibited. Optionally, loading of kernel modules can be disabled after system initialization. The iptables toolkit is used to filter network packets.
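A practitioner who builds images from a base like this usually wants to confirm that the binaries actually carry the hardening the text lists. The following checker is an added example, not code from the article or the CBL-Mariner project: it parses an ELF64 little-endian image directly and reports RELRO (with BIND_NOW for full RELRO), the stack-protector symbol and _FORTIFY_SOURCE's `__*_chk` symbols; the symbol checks are string heuristics over .dynstr, so a binary that never calls a fortifiable function reports fortify=False even when built with _FORTIFY_SOURCE.

```python
"""Report build-time hardening indicators (RELRO, BIND_NOW, -fstack-protector,
_FORTIFY_SOURCE) for an ELF64 little-endian binary. Added example; the symbol
checks are heuristics over the string table, not a compiler-flag record."""
import re
import struct
import sys

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552          # program header types
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB  # dynamic section tags
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1                   # resolve all relocations at load


def analyze_elf(data: bytes):
    """Return a dict of hardening indicators, or None if not ELF64 little-endian."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        return None
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    relro, dynamic = False, None
    for i in range(e_phnum):                        # walk the program headers
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True                            # GOT made read-only after relocation
        elif p_type == PT_DYNAMIC:
            p_offset, _, _, p_filesz = struct.unpack_from("<QQQQ", data, off + 8)
            dynamic = (p_offset, p_offset + p_filesz)
    bind_now = False
    if dynamic:                                     # look for BIND_NOW in the dynamic section
        off, end = dynamic
        while off + 16 <= end:
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
                bind_now = True
            if d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
                bind_now = True
            off += 16
    return {
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,           # partial RELRO leaves the GOT writable
        "stack_protector": b"__stack_chk_fail\x00" in data,
        "fortify": re.search(rb"__\w+_chk\x00", data) is not None,  # e.g. __memcpy_chk
    }


if __name__ == "__main__":
    for path in sys.argv[1:]:                       # usage: python3 elfcheck.py /path/to/binary ...
        with open(path, "rb") as f:
            print(path, analyze_elf(f.read()))
```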

Ready-made ISO images are not provided; the user is expected to build an image with the required contents themselves (build instructions are provided for Ubuntu 18.04). A repository of pre-built RPMs is available that can be used to build your own images from a configuration file. The repository offers about 3300 packages. For example, to build a complete ISO image, it is enough to run:

    git clone https://github.com/microsoft/CBL-Mariner.git
    cd CBL-Mariner/toolkit
    sudo make iso REBUILD_TOOLS=y REBUILD_PACKAGES=n CONFIG_FILE=./imageconfigs/full.json

The systemd system manager is used to manage services and boot. For package management, RPM and DNF (in the form of tdnf, VMware's variant) are provided. The SSH server is not enabled by default. An installer is provided that works in both text and graphical mode; it allows installing either a full or a basic set of packages and offers an interface for selecting a disk partition, choosing a host name and creating users.

Source: opennet.ru