CBL-Mariner 2.0 has been released: here is what's new

Microsoft recently announced the release of the first stable update of the new branch of its Linux distribution, "CBL-Mariner 2.0" (Common Base Linux Mariner), which is being developed as a universal base platform for Linux environments used in cloud infrastructure, edge systems, and various Microsoft services.

The project aims to unify the Linux solutions used at Microsoft and to simplify keeping Linux systems for various purposes up to date. The developments of the project are distributed under the MIT license.

About CBL-Mariner

For those unfamiliar with CBL-Mariner, the distribution is characterized by a small standard set of basic packages that serve as a universal foundation for building containers, hosting environments, and services running on cloud infrastructures and edge devices.

More complex and specialized solutions can be created by adding packages on top of CBL-Mariner, but the foundation for all of these systems remains the same, making it easier to maintain and prepare for upgrades. For example, CBL-Mariner is used as the base of the WSLg mini-distribution, which provides graphics stack components for launching Linux GUI applications in environments based on the WSL2 (Windows Subsystem for Linux) subsystem. The extended functionality in WSLg is provided by including additional packages with the Weston composite server, XWayland, PulseAudio, and FreeRDP.

The CBL-Mariner build system allows you to generate stand-alone RPM packages from source and SPEC files, as well as monolithic system images that are generated with the rpm-ostree toolkit and updated atomically without being split into separate packages. Consequently, two update delivery models are supported: updating individual packages, and rebuilding and updating the entire system image. A repository with around 3000 pre-built RPMs is available, which you can use to build your own images based on the config file.

The distribution includes only the most necessary components and is optimized for minimal memory and disk space consumption, as well as for high download speeds. The distribution also stands out for including several additional security mechanisms.

The project uses a "maximum security by default" approach. It provides the ability to filter system calls using the seccomp mechanism, encrypt disk partitions, and verify packages using digital signatures.

The address space randomization modes supported in the Linux kernel are activated, as well as the protection mechanisms against attacks related to symbolic links, mmap, /dev/mem and /dev/kmem. For memory areas that contain segments with kernel and module data, the mode is set to read-only and code execution is prohibited.

The ability to disable loading of kernel modules after system initialization is available as an option. The iptables toolkit is used to filter network packets. By default, the build step enables protection modes against stack overflows, buffer overflows, and format string issues (_FORTIFY_SOURCE, -fstack-protector, -Wformat-security, relro).
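As an added example (not part of the original article or the CBL-Mariner project), the shell functions below audit the kernel settings behind the protections described above. The sysctl names and thresholds are assumptions about which kernel knobs correspond to the article's description, and `check_min` and `audit_hardening` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit kernel hardening settings on a running system.
# Assumption: the protections the article lists map to these sysctls.
# Usage: audit_hardening            (reads /proc/sys)
#        audit_hardening /proc/sys strict   (also require the module lock)

# check_min ROOT KEY MIN: succeed when the integer in ROOT/KEY is >= MIN.
check_min() {
    file="$1/$2"
    if [ ! -r "$file" ]; then
        echo "MISSING $2"
        return 2
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        ''|*[!0-9]*) echo "INVALID $2=$value"; return 2 ;;
    esac
    if [ "$value" -ge "$3" ]; then
        echo "OK      $2=$value"
        return 0
    fi
    echo "WEAK    $2=$value (want >= $3)"
    return 1
}

# audit_hardening [ROOT] [strict]: exit status is the number of failed checks.
audit_hardening() {
    root="${1:-/proc/sys}"
    failures=0
    # Full address space randomization (stack, mmap, heap).
    check_min "$root" kernel/randomize_va_space 2 || failures=$((failures + 1))
    # Restrict following symlinks in sticky world-writable directories.
    check_min "$root" fs/protected_symlinks 1 || failures=$((failures + 1))
    # A value of 0 would allow mapping the zero page.
    check_min "$root" vm/mmap_min_addr 1 || failures=$((failures + 1))
    # The module-loading lock is optional, so it is only enforced on request.
    if [ "${2:-}" = "strict" ]; then
        check_min "$root" kernel/modules_disabled 1 || failures=$((failures + 1))
    fi
    return "$failures"
}
```

The ROOT argument exists so the check can be run against a copied or constructed directory tree instead of the live `/proc/sys`.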

The systemd system manager is used to manage services and startup. RPM and DNF package managers are provided for package management.

What's new in CBL-Mariner 2.0

The new version stands out for a major upgrade of software versions, including Linux kernel 5.15, systemd 250, glibc 2.35, gcc 11.2, clang 12, python 3.9, ruby 3.1.2, rpm 4.17, qemu 6.1, perl 5.34, and ostree 2022.1.

In addition, the base repository now includes components for building a graphical interface, such as Wayland 1.20, Mesa 21.0, GTK 3.24, and X.Org Server 1.20.10, which were previously shipped in a separate coreui repository.

It is also noted that kernel builds with PREEMPT_RT patches have been added for use on real-time systems.

Finally, for those interested, package builds are generated for the aarch64 and x86_64 architectures.

The SSH server is not enabled by default. To install the distribution, an installer is provided that can work in both text and graphical modes.

The installer can install either a full or a basic set of packages and provides an interface for selecting a disk partition, choosing a hostname, and creating users.

