Sudhanva and David Weston present Azure Linux with OS Guard, a new immutable and secure container host for AKS. They explore its core security features and Microsoft’s open source and compliance initiatives.

Azure Linux with OS Guard: Immutable Container Host with Code Integrity and Open Source Transparency

Authors: David Weston (Corporate Vice President, Security @ Microsoft) and Sudhanva Huruli (Principal PM Core OS @ Microsoft)

Overview

Azure Linux is Microsoft’s trusted Linux OS, built from the ground up for cloud-native workloads, powering essential infrastructure such as Azure Kubernetes Service (AKS). Over 80% of Microsoft’s own AKS workloads run on Azure Linux due to its performance, reliability, and strong security guarantees.

Introducing Azure Linux with OS Guard

Azure Linux with OS Guard, announced at Microsoft Build 2025, is a container host OS designed for hardened cloud-native deployments. It builds on the FedRAMP-certified Azure Linux base (version 3.0) and enforces advanced protection mechanisms:

  • Immutability: The /usr directory is mounted from a dm-verity protected volume whose root hash is signed, so it is read-only and guarded against tampering.
  • Code Integrity Enforcement (IPE): Integrity Policy Enforcement ensures that only trusted binaries from dm-verity volumes run, even inside container layers; policies can be tuned down to specific volumes or files.
  • Mandatory Access Control (SELinux): Limits access to sensitive parts of the filesystem to only trusted users and processes.
  • Trusted Launch: Ensures measured integrity of boot components, backed by vTPM-secured keys.

Threat Mitigation

Azure Linux with OS Guard addresses threats such as:

  • Rootkits & Tampering: Secure Boot and measured boot protect from the earliest boot stages.
  • Container Escapes & User Tampering: Read-only root filesystem, signed container layers, and enforcement by dm-verity hashes prevent core system manipulation.
  • Unauthorized Code Execution: IPE policy and SELinux enforcement only allow trusted code to execute, blocking tampered binaries—even inside a container image.
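To make the IPE policy model behind the feature list and the threat list above concrete, here is an added example (not code from the original post or from the Azure Linux project) of a small evaluator for the upstream IPE policy grammar. The policy text, file names and the PLACEHOLDER_ROOTHASH value are constructed, and the rule semantics (all properties of a rule must match, first matching rule wins, per-operation DEFAULT before the global DEFAULT) follow the upstream kernel documentation rather than any Azure Linux shipped policy.

```python
# Constructed sample policy for illustration, not Azure Linux's shipped policy.
# Grammar per the upstream kernel's Documentation/admin-guide/LSM/ipe.rst:
# header line, DEFAULT lines, then op=... rules evaluated top to bottom.
SAMPLE_POLICY = """\
policy_name=demo_container_host policy_version=0.0.1
DEFAULT action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW
op=EXECUTE dmverity_roothash=PLACEHOLDER_ROOTHASH action=ALLOW
"""

def _kv(text):
    return dict(tok.split("=", 1) for tok in text.split())

def parse_policy(text):
    """Return (header, defaults, rules); defaults maps op (None = global) to an action."""
    header, defaults, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.startswith("DEFAULT "):
            kv = _kv(line[len("DEFAULT "):])
            defaults[kv.get("op")] = kv["action"]
        elif line.startswith("policy_name="):
            header = _kv(line)
        else:
            kv = _kv(line)
            rules.append((kv.pop("op"), kv.pop("action"), kv))
    return header, defaults, rules

def decide(policy, op, props):
    """First rule whose properties all match wins; else per-op, then global DEFAULT."""
    _, defaults, rules = policy
    for rule_op, action, required in rules:
        if rule_op == op and all(props.get(k) == v for k, v in required.items()):
            return action
    return defaults.get(op, defaults.get(None, "DENY"))

def classify_samples(policy_text=SAMPLE_POLICY):
    """EXECUTE decisions for constructed files; properties come from the backing device, not the path."""
    policy = parse_policy(policy_text)
    samples = {
        "/usr/bin/containerd": {"dmverity_signature": "TRUE"},   # signed /usr volume
        "/var/lib/layer/bin/app": {"dmverity_roothash": "PLACEHOLDER_ROOTHASH"},  # trusted layer
        "/tmp/unverified_binary": {},                            # writable, unverified path
        "/init": {"boot_verified": "TRUE"},                      # initramfs before pivot
    }
    return {path: decide(policy, "EXECUTE", p) for path, p in samples.items()}
```

The unverified binary in the writable path is denied because no rule matches it and the global DEFAULT is DENY, which is the property the threat list relies on.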

Inherited Benefits from Azure Linux

  • Sovereign Supply Chain Security: Signed Unified Kernel Images, official build pipelines, and a full SBOM provide transparency and trust.
  • Compliance: FIPS 140-3 cryptographic modules, FedRAMP certification, with upcoming support for NIST-approved post-quantum algorithms.
  • Enterprise Security & SLAs: Regular critical CVE patching and constant security assessments by Microsoft’s researchers.

Open Source Commitment

Azure Linux with OS Guard uses open source technologies (dm-verity, SELinux, IPE), and Microsoft staff actively contribute upstream, including:

  • Script integrity enforcement in interpreters (Bash, Python).
  • SELinux policy hardening under immutable paths.
  • Code integrity contributions to containerd via erofs-snapshotter.
  • Public release of image tooling: microsoft/azure-linux-image-tools.

Availability & Try it Yourself

Azure Linux with OS Guard will soon be an official OS SKU on AKS, deployable with a feature flag and preview CLI. Practitioners can already explore the community image via the Microsoft Container Registry and deploy it to Azure VMs by following these instructions. The preview includes:

  • Secure Boot with Trusted Launch VMs.
  • Read-only /usr via dm-verity.
  • IPE and SELinux in enforcing mode.

For further details and updates, follow the Linux and Open Source Blog on Microsoft Tech Community.

This post appeared first on “Microsoft Tech Community”.