Azure Linux 4.0 is Microsoft's first general-purpose Linux

Original link: https://www.boxofcables.dev/azure-linux-4-0-is-microsofts-first-general-purpose-linux/

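Microsoft has officially turned its internal Linux distribution, Azure Linux (formerly CBL-Mariner), from a dedicated internal infrastructure tool into a general-purpose operating system. With the 4.0 public preview, users can now deploy the distribution on any Azure virtual machine, no longer limited to its earlier role as the Azure Kubernetes Service (AKS) host. Major changes in 4.0 include the move to a Fedora-based foundation, using declarative overlays so that every modification to the upstream source is documented and auditable. The operating system now has a modernized toolchain, including `dnf5` package management, and a security-hardened software stack covering SELinux, cryptographic signing, and FIPS 140-3 certification, which is in progress. Azure Linux is designed for cloud and server workloads and emphasizes a minimal footprint, supply-chain transparency, and consistency across virtual machines, containers, and WSL. This evolution is an important milestone in Microsoft's Linux journey, marking the company's shift from merely hosting Linux to actively maintaining a robust enterprise-grade distribution and contributing to the broader open source ecosystem.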

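After Microsoft announced "Azure Linux 4.0", its identity and purpose were debated on Hacker News. Although the product is positioned as a general-purpose Linux distribution, critics argue that it is in practice a Fedora fork optimized specifically for Azure cloud workloads rather than a truly hardware-agnostic general-purpose operating system. The discussion focused on the following points:

* **Functionality**: Users stressed that the distribution is optimized for Azure servers and explicitly does not support desktop environments or graphical user interface (GUI) applications.
* **Why fork?** Commenters questioned why Microsoft does not simply ship standard Fedora. The consensus was that maintaining a fork lets Microsoft control the update cadence, ensure compliance (such as FIPS), and push internal fixes without waiting for upstream release cycles.
* **Skepticism**: Some participants viewed the move through Microsoft's historical "Embrace, Extend, Extinguish" reputation, while others argued that the open source nature of the components makes that strategy hard to carry out.

Overall, the community sees this as a pragmatic move by Microsoft to better manage its internal cloud infrastructure rather than an attempt to compete in the broader Linux desktop or server market.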

Original article

Microsoft’s in-house Linux, the distribution that grew out of CBL-Mariner, just hit public preview as a general-purpose cloud OS you can run on any Azure VM. Here is why that is a real step in Microsoft’s Linux journey, not just a version bump.

Azure Linux 4.0 is Microsoft’s first general-purpose Linux

Microsoft shipped Azure Linux 4.0 into public preview at Build 2026, and for the first time you can run it on any Azure virtual machine, not just as the host underneath Azure Kubernetes Service. That sounds like a small distinction. But this is the moment Microsoft's in-house Linux stops being a special-purpose appliance distro and becomes a general-purpose Linux distro.

I have been following this distribution since before it had a marketing name. So let me put 4.0 in context...

What I keep on about

Microsoft has built more than one Linux distribution. Back in February 2022 I went looking through Microsoft's package mirrors and found CBL-Delridge, a Debian-based distro that powered Azure Cloud Shell. It was never announced. Mary Jo Foley wrote it up at ZDNet after reading that post. By November 2022, Delridge was 404: its apt repository went dark and Cloud Shell moved to Microsoft's other Linux: CBL-Mariner.

CBL stands for Common Base Linux, a whole family of internal distros named after Seattle geography. Delridge was the Debian one. Mariner was an RPM one, built from scratch with spec files borrowed from Photon OS, Fedora, and Linux From Scratch. Mariner is the one that survived. In March 2024 Microsoft renamed it Azure Linux and renamed the GitHub repository to match.

So when I say Azure Linux, I mean the distribution that started internal development in September 2019, went public on GitHub in November 2020, hit 2.0 in April 2022, and has been the container host for AKS since 2023. None of that history was aimed at you running it on your own VM.

That is what changes now.

What is actually new in 4.0

Azure Linux 4.0 is derived from Fedora, right now a Fedora 43 snapshot, rather than assembled package by package the way 1.0 through 3.0 were. Microsoft no longer maintains every spec file by hand. Instead it tracks Fedora upstream and applies declarative overlays, where every deviation from Fedora carries a written description of why it exists. The rendered spec files are checked into the repository so you can read exactly what Microsoft changed and why.

The component stack moved up accordingly:

  • Kernel 6.18 LTS, Azure-tuned, with the Hyper-V integration and GPU and AI accelerator support you would expect from an Azure cloud kernel. Microsoft maintains its own kernel fork and embeds its signing keys directly in the build.
  • dnf5 replaces tdnf, Microsoft's lean C reimplementation of dnf inherited from Photon OS. This is the single most user-visible change. You now get standard dnf5 tooling and the full plugin ecosystem instead of a Microsoft-specific package manager.
  • glibc 2.42, systemd 258, OpenSSL 3.5 (with post-quantum cryptography support), Python 3.14, and RPM 6.0 with a modernized database backend and stronger signature verification.
  • FIPS 140-3 certification is in progress and slated for general availability.

Security is solid. SELinux is supported on every image, the kernel ships with hardening turned on (ASLR, stack protection, seccomp, and systemd service sandboxing), packages and repositories are cryptographically signed, and Microsoft publishes SBOMs for the supply chain.
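
One way to check these claims on a running VM or a mounted image, as an added example that is not from the original article or from Microsoft: it reads the kernel's ASLR, SELinux and FIPS switches and lists dnf repositories that do not explicitly enable signature checking. The `/etc/yum.repos.d` location and the `pkg_gpgcheck` synonym are assumptions about the Azure Linux 4.0 layout.

```shell
#!/bin/sh
# Added example: read-only audit of the hardening claims above.
# Each function takes an optional root prefix (mounted image or fixture).
# Paths are standard Linux/dnf locations (assumed unchanged on Azure Linux 4.0).

aslr_state() {   # 2 = full randomization, 1 = partial, 0 = off
    f="${1:-}/proc/sys/kernel/randomize_va_space"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        2) echo full ;; 1) echo partial ;; 0) echo disabled ;; *) echo unknown ;;
    esac
}

selinux_state() {   # selinuxfs is only mounted when SELinux is active
    f="${1:-}/sys/fs/selinux/enforce"
    [ -r "$f" ] || { echo disabled; return 0; }
    if [ "$(cat "$f")" = 1 ]; then echo enforcing; else echo permissive; fi
}

fips_state() {
    f="${1:-}/proc/sys/crypto/fips_enabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = 1 ]; then echo enabled; else echo disabled; fi
}

# Print "repo:state" for every repo section that does not explicitly turn
# package signature checking on. "unset" means the value is inherited from
# [main] in the dnf configuration and has to be checked there.
# pkg_gpgcheck is treated as a synonym of gpgcheck (assumption about dnf5 naming).
unverified_repos() {
    for f in "${1:-}"/etc/yum.repos.d/*.repo; do
        [ -r "$f" ] || continue
        awk -F= '
            function emit() { if (sec != "" && state != "on") print sec ":" state }
            /^\[/ { emit(); sec = substr($0, 2, index($0, "]") - 2); state = "unset"; next }
            { k = $1; v = tolower($2); gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v) }
            k == "gpgcheck" || k == "pkg_gpgcheck" { state = (v ~ /^(1|true|yes|on)$/) ? "on" : "off" }
            END { emit() }
        ' "$f"
    done
}

audit_report() {
    printf 'aslr=%s selinux=%s fips=%s\n' \
        "$(aslr_state "$1")" "$(selinux_state "$1")" "$(fips_state "$1")"
    unverified_repos "$1" | sed 's/^/repo without explicit gpgcheck: /'
}

audit_report "${1:-}"
```

Run with no argument it inspects the live system; given a directory it inspects that tree instead, which suits offline review of an image.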

Why this is the next step

Here is the part that matters. For most of its life, Azure Linux was infrastructure you ran on without knowing it. It was the host OS for AKS nodes, the base image for Microsoft's own first-party services, the system distro that hosts WSLg. You did not pick it. It was underneath the thing you picked.

Azure Linux 4.0 is built to be picked. It runs across every Azure compute surface:

  • Virtual machines and scale sets, deployable straight from the Azure Marketplace with no additional OS licensing cost.
  • Containers, with base, distroless, and language-runtime images on the Microsoft Container Registry, built from the same supply chain as the VM images.
  • AKS, where it has been the container host since 2023, now joined by Azure Container Linux, a Flatcar-based immutable variant that shares the same kernel for stricter compliance environments.
  • WSL, so you can develop locally on the same Linux you deploy to production with wsl --install -d AzureLinux (soon, go try it on Azure first).

Databricks migrated more than 100,000 VMs and over a million CPU cores to Azure Linux. LinkedIn moved its infrastructure to Azure Linux. Azure Linux already runs behind AKS, Azure SQL, and Cosmos DB. The 4.0 preview takes that and gives it to everyone else.

What makes Azure Linux different

There are a lot of cloud Linux distributions. Amazon has Amazon Linux. The Flatcar and CoreOS lineage offers immutable container hosts. Ubuntu and RHEL run nearly everywhere. So what is distinct here?

A few things stand out:

  • The supply chain is auditable by design. Building on Fedora with declarative overlays means every change from upstream is documented in the repository. That is a stronger story than most distributions can tell about what is in their packages and why.
  • It is minimal on purpose. Azure Linux ships only what cloud and server workloads need. There is no desktop, no GUI, no general-purpose sprawl. The distroless container images take this to its logical end: no shell, no package manager, almost nothing to exploit.
  • Microsoft made a Linux distro.

What it means for Linux

I have tracked Microsoft's open source arc for years. The short version: Azure started hosting Linux VMs in 2012, Satya Nadella said "Microsoft loves Linux" in 2014, Microsoft joined the Linux Foundation in 2016, shipped WSL the same year, cross-licensed 60,000 patents through the Open Invention Network in 2018, and by 2019 Linux was the majority operating system on Azure. Today more than two-thirds of customer cores on Azure run Linux.

Against that backdrop, a general-purpose Azure Linux is the logical next step. Microsoft went from consuming Linux, to shipping Linux internally, to shipping a Linux distribution anyone can run.

Another major vendor maintaining a distribution upstream-first against Fedora, contributing patches, and putting real money into supply-chain security work through OpenSSF and Alpha-Omega. More maintained distributions, built in the open, is good for everyone downstream.

From an undocumented Debian remix I had to reverse-engineer from a package mirror, to a Fedora-derived, FIPS-targeted, distroless-capable distribution you can deploy from a marketplace in two clicks. That is a long way in four years.

Microsoft ships Linux.
