dotnet · lbussell · Apr 17, 2026 · Apr 16, 2026 · Apr 16, 2026
@@ -57,7 +57,7 @@ docker scout cves mcr.microsoft.com/dotnet/runtime-deps:10.0-noble-chiseled
 **Azure Linux**:
 
 ```bash
-docker scout cves mcr.microsoft.com/dotnet/runtime-deps:10.0-cbl-mariner2.0-distroless
+docker scout cves mcr.microsoft.com/dotnet/runtime-deps:10.0-azurelinux3.0-distroless
 ```
 
 ### How do I write my Dockerfile to work without a shell?

@@ -523,7 +523,7 @@ If you get an error like the following: `unable to start container process: exec
 docker run --rm <image-digest> cat /etc/os-release
 ```
 
-The output will include a `NAME` field indicating the name of the distro (`Debian`, `Ubuntu`, `Alpine`, `Microsoft Azure Linux`, or `Common Base Linux Mariner`).
+The output will include a `NAME` field indicating the name of the distro (`Debian`, `Ubuntu`, `Alpine`, or `Microsoft Azure Linux`).
 In the case of Debian and Ubuntu, the output will also include a `VERSION_CODENAME` field. Make note of this codename because the vulnerability pages on the distro's website refers to that codename instead of a version number.
 
 #### Distroless Images

@@ -7,7 +7,7 @@
 
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
     set isWindows to find(OS_VERSION, "nanoserver") >= 0 || find(OS_VERSION, "windowsservercore") >= 0 ^
-    set isAzureLinux to find(OS_VERSION, "cbl-mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^
 
     set lineContinuation to when(isWindows, "`", "\") ^

@@ -9,8 +9,8 @@
     set isAlpine to find(OS_ARCH_HYPHENATED, "Alpine") >= 0 ^
     set isDebian to find(OS_ARCH_HYPHENATED, "Debian") >= 0 ^
     set isUbuntu to find(OS_ARCH_HYPHENATED, "Ubuntu") >= 0 ^
-    set isAzureLinux to find(OS_VERSION, "cbl-mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
-    set isDistrolessAzureLinux to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+-distroless$")) || defined(match(OS_VERSION, "^azurelinux\d+\.\d+-distroless$")) ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
+    set isDistrolessAzureLinux to defined(match(OS_VERSION, "^azurelinux\d+\.\d+-distroless$")) ^
     set isFullAzureLinux to isAzureLinux && !isDistrolessAzureLinux ^
 
     set dotnetDepsComment to "# .NET dependencies" ^

@@ -6,7 +6,7 @@
         no-clean (optional): skip package manager cleanup after install ^
 
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
-    set isAzureLinux to find(OS_VERSION, "cbl-mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set isDnf to ARGS["pkg-mgr"] = "dnf" ^
     set isTdnf to ARGS["pkg-mgr"] = "tdnf" || (!isDnf && isAzureLinux) ^
     set isApk to ARGS["pkg-mgr"] = "apk" || isAlpine ^

@@ -7,11 +7,10 @@
         no-clean (optional): skip package manager cleanup after install ^
 
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
-    set isAzureLinux to find(OS_VERSION, "cbl-mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
 
     set isDnf to ARGS["pkg-mgr"] = "dnf" ^
     set isTdnf to ARGS["pkg-mgr"] = "tdnf" || (!isDnf && isAzureLinux) ^
-    set isTdnf3_4 to isTdnf && find(OS_VERSION, "3.0") >= 0 ^
     set isApk to ARGS["pkg-mgr"] = "apk" || isAlpine ^
     set isApt to ARGS["pkg-mgr"] = "apt-get" || (!isDnf && !isTdnf && !isApk) ^
 
@@ -20,14 +19,12 @@
             "apk del",
         when(isDnf,
             "dnf remove -y",
-        when(isTdnf3_4,
-            "tdnf autoremove -y",
         when(isTdnf,
-            "tdnf remove -y",
+            "tdnf autoremove -y",
         when (ARGS["noninteractive"],
             "DEBIAN_FRONTEND=noninteractive apt-get remove -y",
             "apt-get remove -y"
-        ))))) ^
+        )))) ^
 
     set cleanCmd to
         when(isApk,

@@ -2,14 +2,12 @@
     set aspireVersionParts to split(PRODUCT_VERSION, ".") ^
     set aspireMajorMinor to cat(aspireVersionParts[0], ".", aspireVersionParts[1]) ^
 
-    set isAzureLinux to find(OS_VERSION, "mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set aspnetBaseTag to
         cat("$REPO:", VARIABLES[cat("dotnet|8.0|product-version")], "-", OS_VERSION, "-extra", ARCH_TAG_SUFFIX) ^
     set osVersionBase to match(OS_VERSION, ".+(?=.*-)")[0] ^
     set installerImageTag to when(isAzureLinux,
-        cat("mcr.microsoft.com/",
-            when(find(OS_VERSION, "3.0") >= 0, "azurelinux", "cbl-mariner"),
-            "/base/core:",
+        cat("mcr.microsoft.com/azurelinux/base/core:",
             OS_VERSION_NUMBER),
         cat(ARCH_VERSIONED, "/buildpack-deps:", osVersionBase, "-curl")) ^
 

@@ -5,7 +5,7 @@
 
     set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
-    set isAzureLinux to find(OS_VERSION, "mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^
     set isFullAzureLinux to isAzureLinux && !isDistroless ^
     set isDistrolessAzureLinux to isAzureLinux && isDistroless ^
@@ -24,9 +24,7 @@
     set osVersionBase to when(isUbuntu && ARCH_VERSIONED = "arm32v7", "jammy", osVersionBase) ^
 
     set installerImageTag to when(isDistrolessAzureLinux,
-        cat("mcr.microsoft.com/"
-            when(find(OS_VERSION_NUMBER, "3.0") >= 0, "azurelinux", "cbl-mariner"),
-            "/base/core:",
+        cat("mcr.microsoft.com/azurelinux/base/core:",
             OS_VERSION_NUMBER),
         when(isAlpine || isFullAzureLinux,
             runtimeBaseTag,

@@ -1,7 +1,7 @@
 {{
     set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
-    set isAzureLinux to find(OS_VERSION, "mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^
     set isFullAzureLinux to isAzureLinux && !isDistroless ^
     set isDistrolessAzureLinux to isAzureLinux && isDistroless ^
@@ -21,9 +21,7 @@
     set osVersionBase to when(isUbuntu && ARCH_VERSIONED = "arm32v7", "jammy", osVersionBase) ^
 
     set installerImageTag to when(isDistrolessAzureLinux,
-        cat("mcr.microsoft.com/",
-            when(find(OS_VERSION_NUMBER, "3.0") >= 0, "azurelinux", "cbl-mariner"),
-            "/base/core:",
+        cat("mcr.microsoft.com/azurelinux/base/core:",
             OS_VERSION_NUMBER),
         when(isAlpine || isFullAzureLinux,
             runtimeDepsBaseTag,

@@ -23,14 +23,12 @@
     set monitorBaseUrl to cat(monitorBaseUrl, monitorPath) ^
     set monitorBaseChecksumUrl to cat(monitorBaseChecksumUrl, monitorChecksumPath) ^
 
-    set isAzureLinux to find(OS_VERSION, "mariner") >= 0 || find(OS_VERSION, "azurelinux") >=0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set aspnetBaseTag to
         cat("$REPO:", VARIABLES[cat("dotnet|", dotnetMajorMinor, "|product-version")], "-", OS_VERSION, ARCH_TAG_SUFFIX) ^
     set osVersionBase to match(OS_VERSION, ".+(?=.*-)")[0] ^
     set installerImageTag to when(isAzureLinux,
-        cat("mcr.microsoft.com/"
-            when(find(OS_VERSION_NUMBER, "3.0") >= 0, "azurelinux", "cbl-mariner"),
-            "/base/core:",
+        cat("mcr.microsoft.com/azurelinux/base/core:",
             OS_VERSION_NUMBER),
         cat(ARCH_VERSIONED, "/buildpack-deps:", osVersionBase, "-curl")) ^
     set monitorBaseTemplate to when(monitorMajor != "8" && monitorMajor != "9", "Dockerfile.linux.install-monitor-base.10", "Dockerfile.linux.install-monitor-base")

@@ -21,19 +21,17 @@
     set monitorBaseUrl to cat(monitorBaseUrl, monitorPath) ^
     set monitorBaseChecksumUrl to cat(monitorBaseChecksumUrl, monitorChecksumPath) ^
 
-    set isAzureLinux to find(OS_VERSION, "mariner") >= 0 || find(OS_VERSION, "azurelinux") >=0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set monitorBaseTagOs to when(isAzureLinux,
-        cat(when(find(OS_VERSION, "3.0") >= 0, "azurelinux-distroless", "cbl-mariner-distroless")),
+        "azurelinux-distroless",
         "ubuntu-chiseled") ^
     set monitorBaseTagHasOs to monitorMajor = "8" ^
     set monitorBaseTagOsSuffix to when(monitorBaseTagHasOs, cat("-", monitorBaseTagOs), "") ^
     set monitorBaseTag to
         cat("$REPO:", VARIABLES[cat("monitor|", monitorMajorMinor, "|product-version")], monitorBaseTagOsSuffix, ARCH_TAG_SUFFIX) ^
     set osVersionBase to match(OS_VERSION, ".+(?=.*-)")[0] ^
     set installerImageTag to when(isAzureLinux,
-        cat("mcr.microsoft.com/"
-            when(find(OS_VERSION, "3.0") >= 0, "azurelinux", "cbl-mariner"),
-            "/base/core:",
+        cat("mcr.microsoft.com/azurelinux/base/core:",
             OS_VERSION_NUMBER),
         cat(ARCH_VERSIONED, "/buildpack-deps:", osVersionBase, "-curl")) ^
     set extensionsTemplate to when(monitorMajor != "8" && monitorMajor != "9", "Dockerfile.linux.install-extensions.10", "Dockerfile.linux.install-extensions")

@@ -7,8 +7,7 @@
     set isAlpine to find(OS_ARCH_HYPHENATED, "Alpine") >= 0 ^
     set isDebian to find(OS_ARCH_HYPHENATED, "Debian") >= 0 ^
     set isUbuntu to find(OS_ARCH_HYPHENATED, "Ubuntu") >= 0 ^
-    set isCblMariner to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+$")) ^
-    set isAzureLinux to isCblMariner || defined(match(OS_VERSION, "^azurelinux\d+\.\d+$")) ^
+    set isAzureLinux to defined(match(OS_VERSION, "^azurelinux\d+\.\d+$")) ^
 
     set baseImageRepo to when(isAlpine,
         cat(ARCH_VERSIONED, "/alpine"),
@@ -17,27 +16,17 @@
             when(isUbuntu,
                 "ubuntu.azurecr.io/ubuntu",
                 when(isAzureLinux,
-                    when(find(OS_VERSION_NUMBER, "3.0") >= 0,
-                        "mcr.microsoft.com/azurelinux/base/core",
-                        "mcr.microsoft.com/cbl-mariner/base/core"),
+                    "mcr.microsoft.com/azurelinux/base/core",
                     "<NOT-IMPLEMENTED>")))) ^
     set baseImageTag to when(isAlpine || isAzureLinux, OS_VERSION_NUMBER, OS_VERSION) ^
     set baseImage to cat(baseImageRepo, ":", baseImageTag) ^
 
-    set isMultiStage to isCblMariner ^
-    set firstStageName to "base" ^
-    set secondStageName to when(isMultiStage, "installer") ^
-
-    set stagingDir to "/staging" ^
-
-    set utilPkgs to when(isAzureLinux, ["shadow-utils"], []) ^
     set useGlobalizationInvariantMode to !ARGS["is-extra"] && (isDistroless || isAlpine) ^
     set username to "app" ^
     set uid to 1654 ^
-    set gid to uid ^
     set nonRootUserComment to "# Create a non-root user and group"
 
-}}FROM {{baseImage}}{{if isMultiStage: AS base}}
+}}FROM {{baseImage}}
 
 {{InsertTemplate("../Dockerfile.common-dotnet-envs",
     [
@@ -48,31 +37,7 @@
 
 RUN {{InsertTemplate("../Dockerfile.linux.install-deps", [
     "is-extra": ARGS["is-extra"]
-])}}{{
-if isMultiStage:
-
-
-FROM base AS installer
-
-RUN {{InsertTemplate("../Dockerfile.linux.install-pkgs", [ "pkgs": utilPkgs ])}}
-
-{{nonRootUserComment}}
-RUN {{InsertTemplate("Dockerfile.linux.non-root-user-staged",
-    [
-        "staging-dir": stagingDir,
-        "name": username,
-        "no-create-home": "true",
-        "create-dir": "true"
-    ]
-)}}
-
-
-# Final image
-FROM base
-
-COPY --from=installer {{stagingDir}}/ /
-
-RUN install -d -m 0755 -o $APP_UID -g $APP_UID "/home/{{username}}"^else:
+])}}
 
 {{nonRootUserComment}}
-RUN {{InsertTemplate("Dockerfile.linux.non-root-user", [ "name": username ])}}}}
+RUN {{InsertTemplate("Dockerfile.linux.non-root-user", [ "name": username ])}}
@@ -4,16 +4,15 @@
         is-extra (optional): Whether to include extra packages that are not needed for every app,
             for example globalization support ^
 
-    set isAzureLinux3 to find(OS_VERSION_NUMBER, "3.0") >= 0 ^
     set distrolessStagingDir to "/staging" ^
-    set marinerRepo to when(isAzureLinux3, "mcr.microsoft.com/azurelinux", "mcr.microsoft.com/cbl-mariner") ^
-    set baseImage to cat(marinerRepo, "/distroless/minimal:", OS_VERSION_NUMBER) ^
+    set azureLinuxRepo to "mcr.microsoft.com/azurelinux" ^
+    set baseImage to cat(azureLinuxRepo, "/distroless/minimal:", OS_VERSION_NUMBER) ^
     set username to "app" ^
-    set nonRootUser to when(isAzureLinux3, "$APP_UID", username) ^
+    set nonRootUser to "$APP_UID" ^
     set uid to 1654 ^
     set gid to uid
 }}# Installer image
-FROM {{marinerRepo}}/base/core:{{OS_VERSION_NUMBER}} AS installer
+FROM {{azureLinuxRepo}}/base/core:{{OS_VERSION_NUMBER}} AS installer
 
 RUN {{InsertTemplate("../Dockerfile.linux.install-pkgs",
     [

@@ -0,0 +1 @@
+{{InsertTemplate("Dockerfile.distroless-azurelinux", [ "is-extra": "true" ])}}
@@ -10,9 +10,8 @@
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
     set isDebian to find(OS_ARCH_HYPHENATED, "Debian") >= 0 ^
     set isUbuntu to find(OS_ARCH_HYPHENATED, "Ubuntu") >= 0 ^
-    set isAzureLinux to find(OS_VERSION, "cbl-mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
-    set isAzureLinux3 to isAzureLinux && find(OS_VERSION_NUMBER, "3.0") >= 0 ^
-    set isDistrolessAzureLinux to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+-distroless$")) || defined(match(OS_VERSION, "^azurelinux\d+\.\d+-distroless$")) ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
+    set isDistrolessAzureLinux to defined(match(OS_VERSION, "^azurelinux\d+\.\d+-distroless$")) ^
     set isChiseledUbuntu to find(OS_VERSION, "chiseled") >= 0 ^
 
     set name to ARGS["name"] ^
@@ -38,7 +37,7 @@
             "--create-home",
             "")) ^
 
-    set utilPkgs to when(isAzureLinux3 && !isDistrolessAzureLinux, ["shadow-utils"], [])
+    set utilPkgs to when(isAzureLinux && !isDistrolessAzureLinux, ["shadow-utils"], [])
 
 }}{{if len(utilPkgs) > 0:{{InsertTemplate("../Dockerfile.linux.install-pkgs", [
         "pkgs": utilPkgs,

@@ -9,7 +9,7 @@
         gid: (optional) ID of the group to be created, same as uid by default
         no-create-home (optional): Indicates whether a home directory should be created for the user ^
     set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
-    set isAzureLinux to find(OS_VERSION, "cbl-mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
     set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^
     set uid to when(len(ARGS["uid"]) > 0, ARGS["uid"], "$APP_UID") ^

@@ -8,7 +8,7 @@
     set buildVersion to VARIABLES[cat("runtime|", dotnetVersion, "|build-version")] ^
 
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
-    set isAzureLinux to find(OS_VERSION, "mariner") >= 0 || find(OS_VERSION, "azurelinux") >=0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^
     set isFullAzureLinux to isAzureLinux && !isDistroless ^
     set isDistrolessAzureLinux to isAzureLinux && isDistroless ^
@@ -25,9 +25,7 @@
     set osVersionBase to when(isUbuntu && ARCH_VERSIONED = "arm32v7", "jammy", osVersionBase) ^
 
     set installerImageTag to when(isDistrolessAzureLinux,
-        cat("mcr.microsoft.com/"
-            when(find(OS_VERSION_NUMBER, "3.0") >= 0, "azurelinux", "cbl-mariner"),
-            "/base/core:",
+        cat("mcr.microsoft.com/azurelinux/base/core:",
             OS_VERSION_NUMBER),
         when(isAlpine || isFullAzureLinux,
             runtimeDepsBaseTag,

@@ -1,8 +1,7 @@
 {{
     set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
-    set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^
-    set isAzureLinux to isMariner || find(OS_VERSION, "azurelinux") >= 0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set baseUrl to VARIABLES[cat("sdk|", dotnetVersion, "|base-url|", VARIABLES["branch"])] ^
     set isInternal to find(baseUrl, "dotnetstage") >= 0 ^
     set tagVersion to VARIABLES[cat("dotnet|", dotnetVersion, "|fixed-tag")] ^
@@ -40,17 +39,11 @@
                 "tzdata",
             ]),
         when(isAzureLinux,
-            when (isMariner,
-                [
-                    "git",
-                    "libatomic_ops",
-                    "tar",
-                ],
-                [
-                    "git",
-                    "libgcc-atomic",
-                    "tar",
-                ]),
+            [
+                "git",
+                "libgcc-atomic",
+                "tar",
+            ],
             [
                 "curl",
                 "git",

@@ -3,7 +3,7 @@
     set baseImageTag to cat("$REPO:", VARIABLES[cat("sdk|", dotnetVersion, "|fixed-tag")], "-", OS_VERSION, ARCH_TAG_SUFFIX) ^
 
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
-    set isAzureLinux to find(OS_VERSION, "cbl-mariner") >= 0 || find(OS_VERSION, "azurelinux") >= 0 ^
+    set isAzureLinux to find(OS_VERSION, "azurelinux") >= 0 ^
     set isUbuntu to find(OS_ARCH_HYPHENATED, "Ubuntu") >= 0 ^
     set ubuntuVersion to when(find(OS_VERSION, "jammy") >= 0, "jammy", "noble") ^
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{{InsertTemplate("Dockerfile.distroless-azurelinux", [ "is-extra": "true" ])}}