Add azurelinux/upgrade distroless to azurelinux

[Seanstoppable]

Adds images for Azure Linux

[Seanstoppable]

@microsoft-github-policy-service agree company="Microsoft"

[haidvo]

@Seanstoppable - Will we be able to keep Azure Linux 2 and 3 side by side?
IMHO, this would smooth out the transition for users.

[Seanstoppable]

Sure, want me to just make copies of distroless into distroless-azurelinux, or azurelinux-distroless, or something else?

[haidvo]

IMHO, we should have tags differentiation between images based on Azure Linux 2 and Azure Linux 3, this will also require pipelines change, most probably.
I suggest to wait for the main contributors to share their opinion here as well, as this is a major change.

[brunoborges]

This looks good in general. I'd like @joe-braley and his team to verify the images. Test them as well, and then we should be good to go. In terms of tagging, we want to publish these under <JDK version>-azurelinux (e.g., 21-azurelinux).

As for the *-mariner tags, they should point to the same hashes as the images with *-azurelinux so that users get upgraded to Azure Linux 3.0.

At the time of this change, we would also be publishing *-mariner-cm2 so users can rollback to CBL-Mariner 2.0 if needed.

[Seanstoppable]

Any updates here? My understanding is that Mariner 2.0 is reaching EOL in July

[d3r3kk]

Hey all, apologies for not pushing this through more quickly - that's on me for not communicating properly!

Our team is currently finishing up the release for April 2025 PSU, and once that is out the door we will focus on this (and all of our other touch points with Mariner / Azure Linux 3.0).

[Seanstoppable]

Awesome, thanks!

[Luigi96]

Hi @Seanstoppable. According to our blog post Important Updates to Container Images of Microsoft Build of OpenJDK, we are not going to upgrade our distroless images to Azure Linux 3.0 until the 30th of June.

Could you remove the distroless updates? The Azure Linux Dockerfiles are correct so we can proceed with those.

[Seanstoppable]

Can we release them on a different tag, like azurelinux-distroless?
Per your own blog post, mariner 2.0 becomes EOL on July 1st. It would be beneficial to have new images available prior to that. In particular I have several services I need to usher through SDP.

[d3r3kk]

Our plan was to not create a separate tag as the distroless stuff shouldn't care (or at the very least a "distroless" container having the distro in its name is odd). @brunoborges to weigh in, but I'd like to stick to our plan in the blog post.

[brunoborges]

@Seanstoppable if we give you a Dockerfile to produce the image for your tests, would that be sufficient?

[Seanstoppable]

I mean, I've already done some tests with these for a subset of my containers.
I'd just like to be able to migrate and be 'done' in a reasonable timeframe before the deadline, rather than having to deploy everything after the drop dead date.

[brunoborges]

@Seanstoppable as we do not plan to have two versions of Distroless (one for Mariner 2.0 and one for Azure Linux 3.0), we can't publish a distroless-3.0 at any time.

Our commitment to updating the distroless image with Azure Linux 3.0 is by the planned timeframe as indicated in our announcement.

Keep in mind that EOL of Mariner 2.0 just means that after the EOL date, the Linux distribution may no longer receive updates. It will continue working.

[Seanstoppable]

@brunoborges Yeah, I understand that. Even with distroless, I still have to deploy updates regularly for underlying OS vulnerabilities, so I am expecting being forced to upgrade pretty quickly. It would have been easier/more convenient if I could have rolled out updates across my multiple services more gradually, rather than having those upgrades dictated by S360.

Since the one part of this PR we could agree on has been extracted, I'll close this out.