Summary
An audit of all 21 Dockerfiles in the repository found 1 Dockerfile still on CBL-Mariner 2.0 and 3 stale CBL-Mariner references that should be cleaned up. 17 Dockerfiles have already been migrated to Azure Linux 3.0 and 2 use non-CBL-Mariner bases (.NET 9, Ubuntu 24.04).
Remaining CBL-Mariner Dockerfile
src/500-application/507-ai-inference/services/ai-edge-inference/Dockerfile.acr — HIGH priority
This is the single-platform ACR build variant for ai-edge-inference. The main Dockerfile for the same service was already migrated to Azure Linux 3.0, but this .acr variant was missed.
Current state:
- Uses mcr.microsoft.com/cbl-mariner/base/core:2.0 (SHA pinned) for both build and runtime stages
- Version-pinned tdnf packages with .cm2 suffixes (CBL-Mariner 2.0 pattern)
- OpenSSL 1.1.1k (CBL-Mariner 2.0) vs OpenSSL 3.x (Azure Linux 3.0)
Migration considerations:
- The main Dockerfile for the same service has already been migrated and can serve as a template
- Version-pinned .cm2 packages must be updated to unversioned equivalents
- OpenSSL 1.1.1k → 3.x may affect ONNX Runtime compilation
- Single-platform (amd64 only) — no cross-compilation complexity
Stale CBL-Mariner References
1. scripts/security/Update-DockerSHAPinning.ps1 — MEDIUM priority
Two stale entries in the $DockerImageSHAMap hashtable:
'mcr.microsoft.com/cbl-mariner/base/core:2.0' = 'mcr.microsoft.com/cbl-mariner/base/core:2.0@sha256:b462b8e...'
'mcr.microsoft.com/cbl-mariner/base/rust:1.72' = 'mcr.microsoft.com/cbl-mariner/base/rust:1.72@sha256:b9fcab3...'
The cbl-mariner/base/rust:1.72 entry is completely unused. The cbl-mariner/base/core:2.0 entry is only used by Dockerfile.acr. Both should be removed once Dockerfile.acr is migrated.
2. src/500-application/501-rust-telemetry/services/receiver/Dockerfile line 27 — LOW priority
Stale comment referencing mcr.microsoft.com/cbl-mariner/base/rust:1. The FROM lines already use Azure Linux 3.0.
3. src/000-cloud/072-azure-local-host/terraform/ — OUT OF SCOPE
Uses CBLMariner as AKS osSKU value. This is an Azure API enum, not a Docker base image. Changing it requires Azure Local API validation and is a separate investigation.
Audit Summary
| Status | Count |
|---|---|
| Already on Azure Linux 3.0 | 17 |
| Non-Microsoft base (OK) | 2 |
| Still on CBL-Mariner 2.0 | 1 |
Checklist
- Dockerfile.acr to Azure Linux 3.0 using the main Dockerfile as a template
- Update-DockerSHAPinning.ps1
- Dockerfile
- osSKU change from CBLMariner to AzureLinux (separate investigation)
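
One way to make this audit repeatable, as an added example (not part of the original issue or the repository's scripts): a Python check that separates active CBL-Mariner base images and .cm2 package pins from stale comment references. The function names, the sample Dockerfile text, the `examplelib` package and the `<digest>` placeholder are constructed for illustration.

```python
import re

# Patterns taken from the audit: the old registry path, and the ".cm2"
# suffix carried by version-pinned CBL-Mariner 2.0 packages.
MARINER_IMAGE = re.compile(r"mcr\.microsoft\.com/cbl-mariner/[^\s\"']+")
CM2_PIN = re.compile(r"[^\s\\]+\.cm2\b")
IMAGE_INSTRUCTION = re.compile(r"(FROM|ARG)\s", re.IGNORECASE)


def audit_dockerfile(text):
    """Return (line_no, kind, detail) findings for one Dockerfile's text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        image = MARINER_IMAGE.search(line)
        if line.startswith("#"):
            # A reference inside a comment is cleanup only, not a live base image.
            if image:
                findings.append((no, "stale-comment", image.group(0)))
            continue
        if image and IMAGE_INSTRUCTION.match(line):
            findings.append((no, "base-image", image.group(0)))
        for pin in CM2_PIN.findall(line):
            findings.append((no, "cm2-package-pin", pin))
    return findings


def needs_migration(findings):
    """True when the file still builds on CBL-Mariner, not merely mentions it."""
    return any(kind in ("base-image", "cm2-package-pin") for _, kind, _ in findings)


# Constructed sample shaped like the Dockerfile.acr description above.
SAMPLE_ACR = """\
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0@sha256:<digest> AS build
RUN tdnf install -y \\
    examplelib-1.0.0-1.cm2 \\
    ca-certificates
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0@sha256:<digest>
"""

# Constructed sample shaped like the receiver Dockerfile: migrated, stale comment left.
SAMPLE_RECEIVER = """\
# previously: mcr.microsoft.com/cbl-mariner/base/rust:1
FROM mcr.microsoft.com/azurelinux/base/core:3.0
"""

if __name__ == "__main__":
    for name, text in (("acr", SAMPLE_ACR), ("receiver", SAMPLE_RECEIVER)):
        print(name, needs_migration(audit_dockerfile(text)), audit_dockerfile(text))
```

Run over every Dockerfile in CI, a `needs_migration` result of True can fail the build, while stale-comment findings are reported as cleanup items.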