Migrate remaining CBL-Mariner 2.0 Dockerfile and clean up stale references

[WilliamBerryiii]

Summary

An audit of all 21 Dockerfiles in the repository found 1 Dockerfile still on CBL-Mariner 2.0 and 3 stale CBL-Mariner references that should be cleaned up. 17 Dockerfiles have already been migrated to Azure Linux 3.0 and 2 use non-CBL-Mariner bases (.NET 9, Ubuntu 24.04).

Remaining CBL-Mariner Dockerfile

src/500-application/507-ai-inference/services/ai-edge-inference/Dockerfile.acr — HIGH priority

This is the single-platform ACR build variant for ai-edge-inference. The main Dockerfile for the same service was already migrated to Azure Linux 3.0, but this .acr variant was missed.

Current state:

• Uses mcr.microsoft.com/cbl-mariner/base/core:2.0 (SHA pinned) for both build and runtime stages
• Version-pinned tdnf packages with .cm2 suffixes (CBL-Mariner 2.0 pattern)
• OpenSSL 1.1.1k (CBL-Mariner 2.0) vs OpenSSL 3.x (Azure Linux 3.0)

Migration considerations:

• The main Dockerfile for the same service has already been migrated and can serve as a template
• Version-pinned .cm2 packages must be updated to unversioned equivalents
• OpenSSL 1.1.1k → 3.x may affect ONNX Runtime compilation
• Single-platform (amd64 only) — no cross-compilation complexity

Stale CBL-Mariner References

1. scripts/security/Update-DockerSHAPinning.ps1 — MEDIUM priority

Two stale entries in the $DockerImageSHAMap hashtable:

'mcr.microsoft.com/cbl-mariner/base/core:2.0' = 'mcr.microsoft.com/cbl-mariner/base/core:2.0@sha256:b462b8e...'
'mcr.microsoft.com/cbl-mariner/base/rust:1.72' = 'mcr.microsoft.com/cbl-mariner/base/rust:1.72@sha256:b9fcab3...'

The cbl-mariner/base/rust:1.72 entry is completely unused. The cbl-mariner/base/core:2.0 entry is only used by Dockerfile.acr. Both should be removed once Dockerfile.acr is migrated.

2. src/500-application/501-rust-telemetry/services/receiver/Dockerfile line 27 — LOW priority

Stale comment referencing mcr.microsoft.com/cbl-mariner/base/rust:1. The FROM lines already use Azure Linux 3.0.

3. src/000-cloud/072-azure-local-host/terraform/ — OUT OF SCOPE

Uses CBLMariner as AKS osSKU value. This is an Azure API enum, not a Docker base image. Changing it requires Azure Local API validation and is a separate investigation.

Audit Summary

Status	Count
Already on Azure Linux 3.0	17
Non-Microsoft base (OK)	2
Still on CBL-Mariner 2.0	1

Checklist

• Migrate Dockerfile.acr to Azure Linux 3.0 using the main Dockerfile as a template
• Remove stale CBL-Mariner entries from Update-DockerSHAPinning.ps1
• Remove/update stale CBL-Mariner comment in receiver Dockerfile
• Evaluate Azure Local osSKU change from CBLMariner to AzureLinux (separate investigation)