Key Features and Updates

Security Updates

OpenSSL 3

Changes

• We are now offering OpenSSL 3.3. The full change log can be found here.

• Under the hood, Azure Linux 3.0 uses SymCrypt as the default cryptographic library. SymCrypt is the core cryptographic function library used by Windows. Azure Linux 3.0 uses SymCrypt engine for OpenSSL (SCOSSL) to direct OpenSSL API calls to the SymCrypt module via the OpenSSL engine interface.

Breaking Changes

• Previously, non FIPS-approved algorithms would be blocked at the OpenSSL layer when the system is in FIPS mode. With Azure Linux 3.0 + OpenSSL 3 + SymCrypt, the behavior will behave more like Windows where, when the system is in FIPS mode, non FIPS-approved algorithms will be allowable, and FIPS compliance will be assessed through other means such as SDL.

Linux Security Modules (LSM)

Changes

• SELinux set as the default major LSM.

• Integrity Policy Enforcement (IPE) LSM is available for use.

• New BPF LSM is available for use.

• Landlock LSM is available.

Breaking Changes

• No breaking changes are expected for SELinux users. Our SELinux configuration remains unchanged.

• AppArmor support has been removed; please migrate to SELinux.

Kernel

Changes

• Added AMD SEV-SNP support for Confidential Computing scenarios.

• Secondary keyring support was added to allow trusted key addition at runtime.

• Prebuilt Unified Kernel Images (UKI) is now supported through the kernel-uki package.

• Multipath TCP (MPTCP) support added, allowing multiple interface paths to improve throughput and redundancy.

• user-based event tracing added, allowing user processes to create events and trace data that can be viewed by tools such as ftrace and perf.

• Added Extended Verification Module (EVM) support for IMA, allowing verification of security-related extended attributes like SELinux labels or IMA hashes.

• FS-verity support added.

• Enhanced Read-Only File System (EROFS) support added.

Breaking Changes

• Users of kernel-hci and kernel-mos packages can now enjoy the desired kernel features without needing to replace the kernel. All previous kernel-hci and kernel-mos features and code are integrated into the default mainstream Azure Linux kernel.

• Disabled legacy kexec. It is recommended to use the file-based kexec system call instead since it is more secure.

• Deprecated XFS V4 support in favor of XFS V5 format

• Disabled legacy TIOCSTI due to security hardening concerns

Cloud-init

Changes

• Azure Linux has been added as a supported distro in upstream cloud-init.

Breaking Changes

• No breaking changes are expected.

Dhcp

Changes

• dhcp package replaced by dhcpcd. isc-dhcp has been deprecated upstream. Dhcpcd works the same as isc-dhcp as the network configurator. All packages which have dependency on dhcp now use dhcpcd.

Breaking Changes

• Services referencing files provided by the deprecated dhcp package (i.e., dhclient, dhclient-script) should now use dhcpcd instead.

Cgroups

Changes

• cgroupsv2 is now the default resource control method in all Azure Linux base images. Cgroups v2 is the new generation of the Linux cgroup API. Cgroup v2 provides a single unified hierarchy in the API, new features such as pressure stall information (PSI), and better resource allocation management and isolation across multiple resources. Azure Linux 3.0 will still have cgroupsv1 support that users can choose to enable.

Breaking Changes

• Azure Linux 3.0 defaults to using cgroup v2, which may impact some of your application runtimes if they explicitly relied on cgroupsv1 file locations. As a result, certain adaptations and compatibility work may be required. (e.g., If you have applications that access the cgroups file system directly, either on the node or from inside a container, you must update the applications to use the cgroups v2 API instead of the cgroups v1 API.)

Reference

• Kubernetes 1.25: cgroup v2 graduates to GA | Kubernetes

• Embracing Cgroups V2: Best Practices for Migrating Kubernetes Clusters | CNCF

Compiler

Changes

• Gcc was upgraded from the 11 series to the 13 series. For a complete list of changes, refer to the upstream gcc documentation for both series 12 and series 13. The default dialect for C remains gnu17. For C++ the default dialect remains gnu++17.

• Clang was upgraded from the 12 series to the 18 series. For a complete list of changes, refer to the upstream clang documentation for series 13, series 14, series 15, series 16, series 17 and series 18. The default dialect for C remains gnu17. For C++ the default dialect is now c++17.

Boot

Changes

• Grub2-mkconfig is now the default for grub configuration. Users can configure the boot behavior by editing values inside /etc/default/grub and invoking grub2-mkconfig. This grub2-mkconfig tooling is standard across many popular distributions, including Azure Linux 3.0.

Breaking Changes

• Services that previously would edit the grub.cfg file directly should now use grub2-mkconfig tooling to regenerate the system grub.cfg file with the desired customizations.

Systemd

Changes

• Unified Kernel Image (UKI) Support - The "systemd-bootctl" tool now shows if the system was booted from a UKI, and new tools like "systemd-pcrlock" manage TPM2 PCR policies, improving security for systems using Secure Boot.

• Systemd-boot bootloader now available. It is a simpler bootloader than grub2, with smaller attack surface and generally just works without additional configuration.

• Storage Target Mode. Inspired by macOS, the new "systemd-storagetm" feature allows locked block devices to be exposed as NVMe-TCP, facilitating remote access and management of storage devices.

• Soft Reboot capability available. It is similar to a regular reboot except it only affects user-space.

• Disabled Link-Local Multicast Name Resolution (LLMNR) support to prevent MitM attack technique through LLMNR poisoning. LLMNR is actively being phased out in favor of mDNS.

Breaking Changes

• We are now implementing systemd to always coredump using zstd compression, instead of LZ4.

• Drop TPM 1.x support in favor of TPM2 support.

• Most systemd services start off by default to improve security and need to be enabled per application.

Cloud Hypervisor

• Cloud-hypervisor package is now cloud-hypervisor-cvm. A cloud-hypervisor-cvm contains the Microsoft enhancements to support confidential VMs and the codebase is maintained by Microsoft.

Debugging Tools

• Inspektor Gadget now available in Azure Linux 3.0

  • Inspektor Gadget is available in AzureLinux 3 | Inspektor Gadget (inspektor-gadget.io)

• Kernel Crashdumps (kdump) are now compressed and collection performance improved

• Support added to crash utility for analyzing arm64 kernel dump files with crash on x86-64 host machines.

• Sos now has built-in Azure Linux support, for better diagnostics collection and system triage

Package Manager

Package Manager	Azure Linux 3.0	Mariner 2.0
DNF	4.19	4.8.0
TDNF	3.5.6	3.5.2
RPM	4.18.2	4.18.0
Symbolic link YUM -> TDNF	No longer present	Present

Changes

• RPM: RPM (Red Hat Package Manager) has been upgraded including several bugfixes and enhancements. Here's the summary of the changes from RPM 4.18.1

• TDNF&DNF: The default software package management tool on Azure Linux 3.0 remains TDNF (lightweight implementation of DNF for containers) & DNF. Note that they have been upgraded to a version closer to upstream. (DNF5 is also available, however, TDNF and DNF remain the default and the official supported Azure Linux 3.0 package managers.)

Breaking Changes

• Yum: Yum is deprecated upstream. Therefore, the symbolic link found in Mariner 2.0 to provide a convenient alias to allow users to silently redirect their yum commands to tdnf has been removed in Azure Linux 3.0.

Using yum command in Azure Linux 3.0 will fail and generate an error as follows:

# yum
-bash: yum: command not found 

Meaning that users now need to explicitly call tdnf.

Explicitly calling tdnf has zero impact because users running the yum command in Mariner 2.0 were seamlessly using tdnf without noticing any difference, due to the symlink. Users will be able to perform the same package management tasks as before.

• Createrepo: Createrepo is a tool to create local repository. Version 1.0.3 introduces breaking changes to the repo metadata format it creates. For compatibility with TDNF use createrepo --compatibility /path/to/repo.

Toolkit

Changes

• Toolkit no longer requires initramfs to be specified as last package in packages.json files.

• Source Tarball Blobstore has moved to a new location.

• Daily Build Trigger for 3.0 and 2.0 dev branch builds.

  • Artifact Feed Produces a daily .repo file for each daily build.

  • .repo file points to unsigned artifacts from last night developer build

  • Feed may be consumed by other teams for daily test purposes

• Documentation and Locales may be disabled or configured when building images.

• Make now accepts a QUICK_REBUILD_PACKAGE=y argument that improves package build time.

• Make now accepts a USE_CCACHE=y argument to improve package builds. The CCache is updated at each monthly release for new and updated packages. So it is optimized for locally rebuilding that latest available versions of packages.

Breaking Changes

• Removed toolkit read-only root support for dm-verity. Setting ReadOnlyVerityRoot.Enable = true in an image configuration json file will result in an error. The ImageCustomizer tool now supports creating verity images.

Miscellaneous

Intel SPDK full support. Enabling optimized storage performance and enhanced compatibility for our users.

Initial frame-pointer support was added. Kernel and glibc are now compiled with frame-pointers enabled, allowing for better performance profiling.

What's new in Azure Linux 3.0

Key Package Improvements

Core/Toolchain

Packages	Azure Linux 3.0	Mariner 2.0	Release Notes
Linux kernel	6.6.35.1 (Latest LTS)	5.15.148 (Previous LTS)	Linux_6.6
Systemd	255	250	Releases · systemd
OpenSSL	3.3.0	1.1.1k	OpenSSL 3.3 Release Notes
Glibc	2.38	2.35	Glibc Timeline
Gcc	13.2.0	11.2.0	GCC 13 Release Changes, New Features, and Fixes
LLVM (Clang, compiler-rt)	18.1.2	12.0.1	Download LLVM releases
Python3	3.12.3	3.9.14	What's New In 3.12
Rust	1.75.0	1.72.0	Rust changelogs
Containerd (AKA moby-containerd)	1.7.13	1.6.26	Releases · containerd

Other Languages

Packages	Azure Linux 3.0	Mariner 2.0	Release Notes
Bash	5.2.15	5.1.8	Features added to 5.2 since 5.1
.NET (From .NET team)	.NET 8,9	.NET 6, 7, 8	.NET what's new? .NET 6 will EOL in Nov 2024. No support will be provided for that short window. .NET 7 reached EOL
Erlang	26.2.3	25.2	Erlang/OTP 26 Highlights
Golang (Supplied by msft-golang team)	1.22.5	1.17.8 -> 1.20.10+	Go 1.22 Release Notes
Java (Supplied by MSOpenJDK team)	8 (Eclipse Temurin) 11/17/21 (Microsoft)	8 (Eclipse Temurin) 11/17/21 (Microsoft)
JavaScript (Node.JS)	20.14	18, 16	Node.js 20 ChangeLog We have split Node.js and npm into two separate packages.
Ocaml	5.1.1	4.13.1	OCaml Releases
Perl	5.38.2	5.34.1	Perl 5 version history
Php	8.3.8	7.4.14	PHP: PHP 8 ChangeLog
Ruby	3.3.0	3.1.4	Ruby 3.3.0 Released
R-core	4.4.1	4.1.0	R Project - 4.4.1 changelog
kernel	Linux	Linux	Linux

Where to find Azure Linux 3.0 GA artifacts

Marketplace

Find information about our Azure Linux 3.0 VMs

az vm image list --publisher MicrosoftCBLMariner --offer azure-linux-3 --all --output table

The images are available on Azure Marketplace as follows:

• MicrosoftCBLMariner:azure-linux-3:azure-linux-3:latest

• MicrosoftCBLMariner:azure-linux-3:azure-linux-3-arm64:latest

• MicrosoftCBLMariner:azure-linux-3:azure-linux-3-gen2:latest

THE FOLLOWING ARE FOR TEST USE ONLY. NOT AVAILABLE FOR PRODUCTION USE

• MicrosoftCBLMariner:azure-linux-3:azure-linux-3-gen2-fips:latest

• MicrosoftCBLMariner:azure-linux-3:azure-linux-3-fips:latest

Confidential VM Preview

Azure Linux 3.0 has an image offer which supports Azure Confidential VMs

• MicrosoftCBLMariner:azure-linux-3:azure-linux-3-cvm:latest

Azure Linux 3.0 VM are available in the following Azure regions:

• Azure Global

• Azure Government (e.g., Fairfax)

• Azure China (e.g., mooncake)

Microsoft Container Registry (MCR)

Azure Linux 3.0 container & distroless images are published in the Microsoft Container Registry (MCR) under a new namespace called azurelinux. The images are accessible via anonymous pull, allowing users to seamlessly integrate it into their workflows.

The same golden containers found in Mariner 2.0, are available for Azure Linux 3.0, except for the Redis Golden Container which is not available due to a recent license change.

Our Azure Linux Base container: mcr.microsoft.com/azurelinux/base/core:3.0

FIPS container

There is no specific FIPS container image. As long as the container host has FIPS mode enabled, the container will inherit its (container host) FIPS configuration automatically.

VHD/VHDX & ISO

https://aka.ms/azurelinux-3.0-x86_64.iso

PMC Prod Repo

If you are producing RPM packages for Mariner, you'll need to publish your Azure Linux 3.0 package in PROD: azurelinux/3.0/prod/ (microsoft.com)

Rebranding from Mariner to Azure Linux

With our 3.0 release, we are fully transitioning the branding from CBL-Mariner to Azure Linux, including PMC, GitHub, Azure Marketplace, and in the source references such as /etc/os-release.

PMC

Azure Linux 3.0 packages are published in a new PMC location: Index of azurelinux/3.0/prod/ (microsoft.com)

With the following repository layout:

• base

  • This is the official Azure Linux repository.

• cloud-native

  • This repository is for CNCF (Cloud Native Computing Foundation) package.

• extended

  • This repository is for experimental and testing purposes only and is not intended for production use.

• ms-non-oss (formerly known as extras)

  • This repository is for closed-source Microsoft software.

• ms-oss (formerly known as Microsoft)

  • This repository is for open-source Microsoft software.

• nvidia

  • This repository is for a NVIDIA/CUDA-specific package.

GitHub

You can now find us on our newly rebranded GitHub page

• The Azure Linux code repository including our SPEC file, etc.

  • https://github.com/Microsoft/AzureLinux

• Contains OVAL documents describing vulnerabilities detected in Azure Linux

  • https://github.com/microsoft/AzureLinuxVulnerabilityData

• Provides detailed instructions for building Azure Linux from end-to-end:

  • https://github.com/microsoft/azurelinux-tutorials

OS Config

The product rebranding resulted in modifications to certain configuration values. Note that certain files listed below are often used by programs to do Linux distribution detection. Some code might need to be adjusted.

Renamed /etc/mariner-release to /etc/azurelinux-release file.

Azure Linux	3.0.20240229
AZURELINUX_BUILD_NUMBER	XXXXX

/etc/os-release

NAME	Microsoft Azure Linux
VERSION	3.0.20240229
ID	azurelinux
VERSION_ID	3.0
PRETTY_NAME	Microsoft Azure Linux 3.0
ANSI_COLOR	1;34
HOME_URL	https://aka.ms/azurelinux
BUG_REPORT	https://aka.ms/azurelinux
SUPPORT_URL	https://aka.ms/azurelinux

/etc/lsb-release

DISTRIB_ID	azurelinux
DISTRIB_RELEASE	3.0.20240229
DISTRIB_CODENAME	AzureLinux
DISTRIB_DESCRIPTION	3.0
PRETTY_NAME	Microsoft Azure Linux 3.0.20240229

/etc/issue

Welcome to Azure Linux 3.0.20240229 (x86_64) \r (\l)

/etc/issue.net

Welcome to Azure Linux 3.0.20240229 (x86_64)

Packages

Added Packages

annobin

authselect

azure-nvme-utils

cargo2rpm

cephfs-mirror

cephfs-top

ck

cryptsetup-ssh-token

cvt

cxl-cli

cxl-devel

cxl-libs

dhcpcd

dracut-hostonly

dracut-virtio

dracut-vrf

dracut-xen

duktape

egl-wayland

eglexternalplatform-devel

fontawesome4 (old Mariner 2.0 fontawesome)

freeglut

gbenchmark

giflib

glslang

ig

iniparser

jakarta-servlet

kernel-uki

kf- (old Mariner 2.0 kf5-)

libadwaita

libarrow

libei

libeis

libmodulemd

libnvme

libtpms

libtracecmd

libtracefs

libva-wayland2

libva-x11

libva2

libxdp

lujavrite

mdevctl

npm (Node.js and npm are now separated into two individual packages.)

pesign

poetry

pssh

python-rich

python3-editables

python3-fastjsonschema

python3-hatch-fancy-pypi-readme

python3-hatch-vcs

python3-hatchling

python3-lark

python3-libdnet

python3-libevdev

python3-looseversion

python3-mdurl

python3-ml-dtypes

python3-omegaconf

python3-openpyxl

python3-optree

python3-poetry

python3-pybind11

python3-pathspec

python3-pytest-flakes

python3-rich

python3-sortedcontainers

python3-trove-classifiers

python3-xlsxwriter

python3-zope-event

python3-zstd

rasdaemon

rust-packaging

spirv-tools

swtpm

systemd-container

systemd-journal-remote

systemd-libs

systemd-networkd

systemd-standalone*

systemd-pam

systemd-udev

systemd-ukify

tpm2-pkcs11

tpm2-pytss

trace-cmd

virtiofsd

xcb-util

xdp-tools

Removed Packages

apparmor

bind-pkcs11-devel

bind-pkcs11-libs

bind-pkcs11-utils

blobfuse (has been removed in favor of blob-fuse2)

bridge-utils

bzr

cpp-hocon

cri-o

cri-o-kubeadm

csi-driver-lvm

csi-driver-lvm-csi-lvmplugin-provisioner

csi-driver-lvm-lvmplugin

dhcp-client

dhcp-devel

dhcp-libs

dhcp-server

double-conversion-*

ewftools

fapolicyd

finger

fish

git-svn

glassfish-servlet

glide

glog

hiera

installkernel

KeysInUse-OpenSSL

k3s

kernel-azure-drivers-*

kernel-azure-tools

kernel-hci

kernel-mos

kernel-rt

kf5-*

knem

knem-modules

leatherman

libgsystem

libidn2

libnvme

libpq

librpmem

libwef

maven3 (default maven package is now maven 3.9)

moby-buildx (In 3.0 this is now docker-buildx)

moby-cli (In 3.0 this is now docker-cli)

moby-compose (In 3.0 this is now docker-compose)

moby-runc (In 3.0 this is now runc)

mozjs

msft-golang (In Mariner 3.0 this is simply golang, upstream golang dropped)

multilib-rpm-config

nmi

nodejs18 (Default nodejs package in 3.0 is nodejs 20)

osslsigncode

pam_apparmore

pypam

python3-junit-xml

python3-tf-nightly

python3-tensorflow-estimator

qt5 (qt v6 is available as qt)

quotatool

reaper

redis (Due to recent licensing changes.)

rook

rpmemd

rubygem-augeas

rubygem-aws-eventstream

rubygem-aws-partitions

rubygem-aws-sdk-core

rubygem-aws-sdk-s3

rubygem-aws-sdk-sqs

rubygem-aws-sigv4

rubygem-bigdecimal

rubygem-bundler

rubygem-fluent-plugin-s3

rubygem-fluent-td

rubygem-hocon

rubygem-ioconsole

rubygem-json

rubygem-openssl

rubygem-psych

rubygem-rdoc

rubygem-stringio

rubygem-thor

zfs-fuse

Moved to Extended Repository (Unsupported/Experimental Use Only)

cri-o

kernel-rt

Xorg-x11-server