Add minimal package list for marketplace image

[liunan-ms]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?
This PR trims the marketplace image package list from 340 to 84 by removing the dependency packages.
This marketplace image package list contains all the packages that are intentionally included in marketplace image.
Validated in both QEMU and azl4 azure VM that the total count of installed packages is 407.

Change Log

• Change
• Change
• Change

Does this affect the toolchain?

YES/NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-YYYY-XXXX

Test Methodology

• Pipeline build id: xxxx

[Copilot]

Pull request overview

This PR simplifies the marketplace image package list by removing dependency packages that are automatically installed by the package manager. The package list is reduced from a format that included 340+ entries (mixing explicit and dependency packages) to a minimal list of 114 explicitly required packages. The PR author has validated that the same total number of packages are installed using both the full and minimal lists.

Changes:

• Removed all dependency packages from the package list (e.g., bash, coreutils, systemd, glibc, openssh, etc.)
• Retained all originally numbered explicit packages
• Added select packages that should be explicit despite being dependencies (shim, cronie)
• Reformatted with clean sequential numbering from 1-114

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The package list includes openssh-clients but does not explicitly include openssh-server, which was present in the previous version. While the PR description states validation was performed, SSH server functionality is critical for Azure marketplace VMs. Please verify that openssh-server is indeed automatically installed as a dependency of another package in this list. If not, it should be explicitly included. Reference: vm-base.kiwi explicitly lists both openssh-clients and openssh-server (lines 73-74).

Suggested change

	openssh-clients
	openssh-clients
	openssh-server

[tobiasb-ms]

I agree -- we probably need oenssh-server

[liunan-ms]

For openssh-server, it is automatically installed as a dependency of WALinuxAgent.
The current list only has head packages. Nothing gets added here if it is a dependency. For example, systemd and bash are not included in the list as they are both dependencies of some other packages.
But we eventually want it to be a list of packages that are intentionally needed, explicitly include intentional packages no matter if they're dependencies of others.

@tobiasb-ms May I have your review of all of them and suggest the ones that we need to explicitly include in the marketplace image? I'll collect the feedback and integrate the next version of the list. Thanks!

[binujp]

We need this. It has to come from azurelinux-official-ms-non-oss repo. Can we add a comment to that effect to enable it when appropriate?

[binujp]

I am not sure fedora provides this. It is the client and libraries for postgres provided by postgreql and libpq5 packages. In azl3 rsyslog needs it. I am not sure the same holds true for Fedora.

[liunan-ms]

will double check in Fedora.

[liunan-ms]

Removed postgresql-libs from the list. If any package needs it as a dependency, it'll be installed but not explicitly included in this list.

[binujp]

I would make it explicit that this is dnf5 which provides dnf.

[binujp]

I will follow up separately.

[tobiasb-ms]

I agree -- we probably need oenssh-server

[tobiasb-ms]

Do we really not need oenssl-libs?