Garbage Collector


It's all in the title!


Ever heard about the Linux distribution CBL-Mariner?

Mr Penguin at Microsoft France HQ, photo by Seb, license CC-BY-SA

A few days ago, I was on a business trip at Microsoft France HQ in Paris, to take part in some meetings between them and one of my clients about the various technologies the client uses from this vendor. During a session with the PM of Azure App Service/Functions, I learned about something.

Did you know that Microsoft released a Linux distribution?

In my defense, I haven't worked with Microsoft Azure for very long, about 2 years, so I still have a lot to discover about this provider. And after digging into the topic, I quickly saw that there had been no big announcement about it, quite the opposite actually.

That's not news: Microsoft contributes a lot to Linux and various open-source projects. They even have a team named the Linux Systems Group that handles much of the company's Linux work in the products that host Linux-based systems for their clients (various kernel patches for an Azure-tuned kernel, Hyper-V optimizations, etc.). The Ballmer years are long gone, and despite not being a big fan of Microsoft, I think it's a good thing for everybody.

But honestly, I didn't know they were actually building their own Linux distribution, CBL-Mariner (CBL standing for Common Base Linux). Following this one, I also discovered that they build SONiC, another Linux distribution, specialized for networking and used in Azure's network layers.

CBL-Mariner's release is not very old: the distribution was published on GitHub two years ago. Mariner is the distribution used by Microsoft's cloud infrastructure and edge products and services. Similar to Fedora CoreOS, it is a lightweight distribution with a hardened Linux kernel, carrying only what is necessary to run containers or to serve as a container base image. BTW, before CBL-Mariner, Azure used Red Hat CoreOS to host Linux containers. For example, Mariner is used for the Azure Stack HCI implementation of their managed Kubernetes service, and is also behind Azure App Service Environment and Azure Containers. The distribution uses RPM packages and the dnf tool to manage them (or tdnf, a dnf-based package manager inherited from VMware's Photon OS, one of Mariner's inspirations). Aside from the original licenses of the open-source components, all Microsoft additions are published under the MIT license. System updates are offered both as RPM packages and as complete disk images.

As said above, CBL-Mariner uses a hardened kernel to prevent unauthorized access and reduce the attack surface. Among the other security features, we can also note signed updates, which are verified before being installed; address space layout randomization, which mitigates memory corruption vulnerabilities; and tamper-resistant logs.
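Two of the properties just listed can be verified from inside a running system, and that is worth doing on any host that claims them. The script below is an added example, not code from the original post or from the CBL-Mariner project. It reads the kernel's ASLR level from `/proc/sys/kernel/randomize_va_space` (2 means full randomization) and scans dnf/tdnf repository definitions for any `[section]` that does not enforce `gpgcheck=1`, the setting that makes RPM signature verification mandatory before a package from that repository is installed. The repository directory `/etc/yum.repos.d` is the standard dnf convention and is assumed here to apply to tdnf on Mariner as well; the sample repo file the script creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post or of CBL-Mariner itself:
# audit two hardening properties on an RPM/dnf-based host.
#  1. ASLR level from /proc/sys/kernel/randomize_va_space (2 = full).
#  2. Every [section] in the dnf/tdnf repo files must carry gpgcheck=1,
#     otherwise packages from that repo install without signature checks.
# /etc/yum.repos.d is the standard dnf location (assumed to hold for tdnf).

# aslr_level FILE: print the ASLR level stored in FILE, or "unknown"
# when the file cannot be read (non-Linux host, restricted /proc, ...).
aslr_level() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'unknown'
    fi
}

# aslr_ok FILE: succeed only when ASLR is fully enabled (level 2).
aslr_ok() {
    [ "$(aslr_level "$1")" = "2" ]
}

# repos_missing_gpgcheck DIR: print "file:section" for every repo section
# in DIR/*.repo that does not contain a gpgcheck=1 line. A section with
# gpgcheck=0, or with no gpgcheck key at all, is reported. Prints nothing
# when every section is covered.
repos_missing_gpgcheck() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function flush() { if (sec != "" && !ok) print file ":" sec }
            /^[[:space:]]*\[/ {
                flush()
                sec = $0
                sub(/^[[:space:]]*\[/, "", sec)
                sub(/].*$/, "", sec)
                ok = 0
                next
            }
            /^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { ok = 1 }
            END { flush() }
        ' "$f"
    done
}

# repos_ok DIR: succeed when no section in DIR lacks gpgcheck=1.
repos_ok() {
    [ -z "$(repos_missing_gpgcheck "$1")" ]
}

# Demonstration on constructed input (a temp dir, not real system files),
# followed by the real system paths when they exist on this host.
demo_dir=$(mktemp -d)
cat > "$demo_dir/constructed.repo" <<'EOF'
[base]
name=constructed base repo
baseurl=https://example.invalid/base
gpgcheck=1

[preview]
name=constructed repo with signature checks disabled
baseurl=https://example.invalid/preview
gpgcheck=0
EOF
printf 'constructed sample, sections without gpgcheck=1: '
repos_missing_gpgcheck "$demo_dir"
rm -rf "$demo_dir"

printf 'ASLR level: %s\n' "$(aslr_level /proc/sys/kernel/randomize_va_space)"
if [ -d /etc/yum.repos.d ]; then
    if repos_ok /etc/yum.repos.d; then
        echo 'all repo sections enforce gpgcheck=1'
    else
        echo 'repo sections without gpgcheck=1:'
        repos_missing_gpgcheck /etc/yum.repos.d
    fi
fi
```

The repo scan is deliberately per section rather than per file: a single `.repo` file often defines several repositories, and one of them left at `gpgcheck=0` is enough to let an unsigned package in, even when its neighbours are correct.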

Despite being publicly published, CBL-Mariner's usage remains internal to the Azure infrastructure, and it is a server-side distro. However, you may still install it if you want: the ISOs are available on the GitHub repository, or you can build them from the sources. There is also some usage documentation, but it is like the distro's image: very lightweight.

[Image: CBL installer]

The CBL-Mariner installer boot menu … with text-to-speech enabled!

[Image: CBL installer]

The only settings in the installer are the disk encryption and the admin user creation.

[Image: CBL installer]

The installation is quick and one reboot later, we're ready.

[Image: CBL installer]

However, after installing the distribution and looking at what's inside, I haven't been able to go further. There isn't a lot of detailed documentation, as it remains an internal Microsoft product, and the various articles I've read about this distro didn't go further than I did.

Anyway, I think it's a nice thing to see this company publishing more and more open-source products. Of course, I know it's not philanthropy and there are always some motivations behind it.