© 2026 Systems Leadership and Engineering Network. sylen.org.
Infrastructure | Source: boxofcables.dev | June 5, 2026

Microsoft Releases Azure Linux 4.0 Preview, Transitioning CBL-Mariner to a General-Purpose Fedora-Derived Distro

Microsoft has launched the public preview of Azure Linux 4.0, transitioning its internal RPM-based operating system into a general-purpose cloud distribution for Azure VMs and WSL. The release shifts the build pipeline to a declarative overlay model tracking Fedora, swaps out the lightweight `tdnf` for standard `dnf5`, and updates the core runtime stack to Kernel 6.18 LTS.

Evolution from CBL-Mariner to Azure Linux 4.0

Azure Linux 4.0 marks the transition of Microsoft’s in-house Linux distribution from a specialized infrastructure appliance to a general-purpose cloud operating system. The distribution originated as CBL-Mariner (Common Base Linux), an internal RPM-based operating system built from scratch alongside a now-deprecated Debian-based sibling, CBL-Delridge. Mariner was officially renamed Azure Linux in March 2024.

While versions 1.0 through 3.0 operated primarily as the invisible host layer for Azure Kubernetes Service (AKS) nodes, WSLg, and internal Microsoft services, version 4.0 is engineered for direct deployment. It is now available in public preview as a general-purpose operating system for any Azure virtual machine, with WSL support scheduled to follow.

Fedora Upstream Integration and Declarative Overlays

Unlike previous versions that were assembled package-by-package with manually maintained spec files, Azure Linux 4.0 is derived directly from Fedora, specifically tracking a Fedora 43 snapshot. Microsoft has modified its engineering pipeline to track Fedora upstream while applying declarative overlays.

Every deviation from the upstream Fedora package is documented within the repository alongside a written justification. The fully rendered spec files are checked into the public repository to maintain supply-chain auditability, enabling operators to verify exactly what changes Microsoft introduced and why.
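An operator can audit a rendered spec against its upstream counterpart mechanically. The sketch below is an added example, not Microsoft's tooling or code from the original article; the two spec texts are constructed samples, and `split_spec` and `audit` are hypothetical helper names.

```python
import difflib
import re

# Constructed sample specs for illustration; not real Fedora or Azure Linux files.
UPSTREAM = """\
Name: examplepkg
Version: 1.2.3
Release: 4%{?dist}
Patch0: fix-build.patch
BuildRequires: gcc
BuildRequires: openssl-devel
%build
%configure --enable-foo
"""
RENDERED = """\
Name: examplepkg
Version: 1.2.3
Release: 4%{?dist}.1
Patch0: fix-build.patch
Patch100: distro-defaults.patch
BuildRequires: gcc
%build
%configure --enable-foo --disable-bar
"""

TAG = re.compile(r"^([A-Za-z]\w*)\s*:\s*(.+?)\s*$")
SECTION = re.compile(r"^%(description|package|prep|build|install|check|files|changelog)\b")

def split_spec(text):
    """Split a spec into its preamble (tag, value) pairs and its section lines."""
    tags, body, in_body = set(), [], False
    for line in text.splitlines():
        in_body = in_body or bool(SECTION.match(line))
        if in_body:
            body.append(line)
        elif (m := TAG.match(line)):
            tags.add((m.group(1).lower(), m.group(2)))
    return tags, body

def audit(upstream, rendered):
    """Report every preamble tag and section line that differs from upstream."""
    up_tags, up_body = split_spec(upstream)
    rd_tags, rd_body = split_spec(rendered)
    # Drop the two file-header lines, then keep only added/removed lines.
    diff = list(difflib.unified_diff(up_body, rd_body, lineterm="", n=0))[2:]
    return {"added": sorted(rd_tags - up_tags),
            "removed": sorted(up_tags - rd_tags),
            "body": [d for d in diff if d[0] in "+-"]}

if __name__ == "__main__":
    for kind, items in audit(UPSTREAM, RENDERED).items():
        for item in items:
            print(kind, item)
```

Each reported item (an extra patch, a dropped build dependency, a changed configure flag) is a deviation that should have a matching written justification in the repository.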

Modernized Package Management and Toolchain Upgrades

The most visible change for systems administrators is the deprecation of `tdnf` (Tiny DNF, a lightweight C reimplementation inherited from VMware's Photon OS) in favor of standard `dnf5`. This transition brings the full Fedora package management plugin ecosystem and standardized tooling to the distribution.

The core runtime stack is updated as well:

  • glibc 2.42 and systemd 258
  • OpenSSL 3.5, which introduces support for post-quantum cryptography
  • Python 3.14
  • RPM 6.0, featuring a modernized database backend and enhanced signature verification

Hardened Kernel and Supply Chain Security

Azure Linux 4.0 runs on an Azure-tuned fork of the 6.18 LTS kernel. Microsoft maintains this fork directly, embedding its own signing keys into the build. The kernel includes native Hyper-V integration alongside driver support for GPUs and specialized AI accelerators.

  • SELinux is supported and active across every deployment image.
  • Kernel-level hardening features are enabled, including ASLR, stack protection, seccomp, and systemd service sandboxing.
  • All packages and repositories are cryptographically signed.
  • FIPS 140-3 cryptographic certification is currently in progress, targeted for the general availability release.
  • Microsoft publishes complete Software Bills of Materials (SBOMs) to verify the integrity of the supply chain.

Deployment Targets and Production Scale

  • Virtual Machines and Scale Sets: Deployable directly from the Azure Marketplace with no additional OS licensing fees.
  • Containers: Base, distroless, and language-specific runtime images are hosted on the Microsoft Container Registry, sharing the same verified supply chain.
  • Kubernetes: Acts as the container host for AKS, running alongside Azure Container Linux (an immutable, Flatcar-based variant that shares the same kernel).
  • Local Development: Coming soon to Windows Subsystem for Linux (WSL), allowing local development on the exact runtime used in production.

The platform already handles massive production workloads. Databricks has migrated more than 100,000 virtual machines and over one million CPU cores to Azure Linux. Additionally, LinkedIn has transitioned its core infrastructure to the platform, which also backs first-party services like Azure SQL and Cosmos DB.

Read the original article at boxofcables.dev.