Add Azure Linux 4.0 images for .NET 10 and 11 #7209
Open
Copilot wants to merge 7 commits into
Co-authored-by: lbussell <36081148+lbussell@users.noreply.github.com>
Per the supported platforms policy, Azure Linux 4.0 should only be added to the latest LTS (10.0) and the active preview (11.0). This removes the AL 4.0 entries for .NET 8.0 and 9.0, while keeping AL 4.0 for 10.0 and 11.0 intact.
Co-authored-by: lbussell <36081148+lbussell@users.noreply.github.com>
Copilot created this pull request from a session on behalf of lbussell, May 22, 2026 18:02
Azure Linux 4.0's tdnf no longer accepts package name arguments to the 'autoremove' command (matching dnf semantics where 'autoremove' only removes orphaned dependencies). This was causing AL 4.0 runtime-deps image builds to fail with:
Unknown argument "shadow-utils" for command "autoremove".
Switch the remove-pkgs template to use 'tdnf remove -y' which is supported on both AL 3.0 and AL 4.0 and provides equivalent cleanup of orphaned dependencies via tdnf's default clean_requirements_on_remove behavior.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Azure Linux 4.0 is based on Fedora and uses dnf as the underlying package manager (with tdnf aliased to dnf for compatibility). Notably, AL 4.0's dnf-backed 'autoremove' command no longer accepts package name arguments, which broke the runtime-deps image build:
Unknown argument "shadow-utils" for command "autoremove".
Update the templates to use dnf directly for Azure Linux 4.0+:
- Detect AL 4.0+ via OS_VERSION pattern in install-pkgs / remove-pkgs.
- Emit 'dnf install', 'dnf remove', 'dnf clean all' for AL 4.0+ and keep 'tdnf' for AL 3.0.
- Pass 'dnf' as the pkg-mgr for distroless AL 4.0+ in install-deps.
- Clean up /etc/dnf and /var/cache/dnf (instead of the tdnf paths) in the distroless staging directory for AL 4.0+.
AL 3.0 dockerfiles are unchanged.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The AL 4.0 distroless base image (azurelinux-beta/distroless/minimal:4.0) does not include /var/lib/rpmmanifest/container-manifest-2 (or any other package manifest) — all RPM/dnf metadata has been stripped. The current template's COPY of that file fails the build, and there is nothing equivalent to append to.
Skip the manifest-generation block (and the 'gawk' install it required) entirely for AL 4.0+. AL 3.0 dockerfiles are unchanged. The longer-term manifest story for AL 4.0 will be coordinated with the Azure Linux team before the base image leaves beta.
Also pass '--use-host-config' to dnf when --installroot is in use on AL 4.0+, since dnf (unlike tdnf) otherwise looks for repo config inside the install root rather than inheriting the host's repos.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Azure Linux 4.0 does not yet ship a 'prebuilt-ca-certificates' package
(the variant used on AL 3.0 distroless to avoid pulling install-time
scriptlet dependencies like python3). Installing the regular
'ca-certificates' package into the staging install root pulls in 62
transitive packages (python3, coreutils, systemd-libs, sqlite-libs,
etc.), inflating the runtime-deps image from ~47 MB to ~159 MB.
Fortunately, the AL 4.0 beta distroless base image already contains
the full ca-trust bundle:
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (146 root CAs)
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/tls/certs/{ca-bundle.crt,ca-certificates.crt,cert.pem}
Since we overlay the staged content with 'COPY --from=installer
/staging/ /' and never write to /etc/pki/ca-trust in the staging step,
the base image's pre-extracted certs survive untouched.
Drop the ca-certificates package from the AL 4.0 distroless prefix
package list, relying on the base image's bundle. AL 3.0 dockerfiles
are unchanged.
A bug will be filed with the Azure Linux team to ship a proper
prebuilt-ca-certificates package (or otherwise document the supported
pattern) before AL 4.0 leaves beta.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
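The commit message above depends on the base image's CA trust files surviving the 'COPY --from=installer /staging/ /' overlay. The following is an added example, not code from this PR or its test suite, of a regression check run against an exported image root filesystem (for instance the unpacked output of `docker export`); the function names, the rootfs-directory approach and the MIN_CERTS threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the PR: verify that an exported image root
# filesystem still carries the CA trust files named in the commit message.
# Paths are relative to the rootfs directory.
CA_PATHS="etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
etc/pki/tls/certs/ca-bundle.crt
etc/pki/tls/certs/ca-certificates.crt
etc/pki/tls/certs/cert.pem"

# resolve_in_root ROOTFS REL: follow symlinks on the final path component,
# mapping absolute targets back under ROOTFS instead of the host's /.
resolve_in_root() {
    p="$1/$2"; hops=0
    while [ -L "$p" ] && [ "$hops" -lt 8 ]; do
        t=$(readlink "$p")
        case $t in
            /*) p="$1$t" ;;
            *)  p="$(dirname "$p")/$t" ;;
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$p"
}

# check_ca_bundle ROOTFS MIN_CERTS: return 0 only if every path resolves to a
# non-empty file and the PEM bundle holds at least MIN_CERTS certificates.
check_ca_bundle() {
    rootfs=$1; min=$2; status=0
    for rel in $CA_PATHS; do
        f=$(resolve_in_root "$rootfs" "$rel")
        if [ -L "$f" ] || [ ! -s "$f" ]; then
            echo "FAIL: /$rel is missing, empty or a dangling link" >&2
            status=1
        fi
    done
    pem=$(resolve_in_root "$rootfs" etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem)
    n=0
    if [ -f "$pem" ]; then
        n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    fi
    if [ "${n:-0}" -lt "$min" ]; then
        echo "FAIL: tls-ca-bundle.pem holds ${n:-0} certificates, want >= $min" >&2
        status=1
    fi
    return "$status"
}

# Run the check when called as: script ROOTFS MIN_CERTS
if [ "$#" -eq 2 ]; then check_ca_bundle "$1" "$2"; fi
```

Symlinked parent directories are not resolved; only the final path component is followed.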
Azure Linux 4.0 is still in beta — the package set in the base image (and what we install on top) is subject to change. Examples already in flight:
- 'prebuilt-ca-certificates' does not yet exist on AL 4.0, so the distroless runtime-deps image relies on the base image's CA bundle.
- The container manifest convention used on AL 3.0 distroless is absent on AL 4.0 distroless.
Mark AzureLinux40 (and the derived AzureLinux40Distroless) with the existing OSInfo.IsUnstable flag, and have VerifyInstalledPackagesBase early-return with a log message when the image's OS is unstable. This follows the existing skip pattern used elsewhere in the test suite (e.g. VerifyCommonInsecureFiles for Ubuntu 26.04 / resolute).
Other tests still run against AL 4.0 — only the package-list assertion is suppressed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This PR fixes #7190. Per supported platforms policy, this includes .NET 10 and .NET 11 Preview.
Changes from Azure Linux 3.0
- dnf instead of tdnf
- --use-host-config alongside --installroot so dnf reads repo config from the host.
- /var/lib/rpmmanifest/container-manifest-* generation because 4.0 doesn't have an equivalent to 3.0's container-manifest-2 file yet
- prebuilt-ca-certificates package. Just use the certs from the base distroless image.