Summary

Migrate runtime base images from distroless/minimal:3.0 to distroless/base:3.0 to prepare for Go 1.26 FIPS compliance.

Motivation

Go 1.26 enforces system crypto for FIPS compliance. Runtime images must include crypto libraries — distroless/minimal lacks these and will cause pod startup failures. This PR lays the groundwork before the actual Go 1.26 version bump.

Changes Required

Template-managed (auto via make dockerfiles)

• Update build/images.mk: MARINER_DISTROLESS_IMG from distroless/minimal:3.0 → distroless/base:3.0
• Regenerate Dockerfiles: make dockerfiles
  • cns/Dockerfile (+ pipeline copy)
  • azure-iptables-monitor/Dockerfile (+ pipeline copy)

Manual updates

• bpf-prog/ipv6-hp-bpf/linux.Dockerfile: cbl-mariner/distroless/minimal:2.0 → appropriate base image
• .pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile: distroless/minimal:3.0 → distroless/base:3.0

Build settings

• Add GOEXPERIMENT env var to Dockerfile templates (.tmpl files)
• Add GOEXPERIMENT export to pipeline build scripts (.pipelines/build/scripts/*.sh)
• Review MS_GO_NOSYSTEMCRYPTO=1 in npm/linux.Dockerfile and npm/windows.Dockerfile

Verification

• Verify Copacetic version is updated (ARM/AMD build correctness)
• Pipeline builds pass
• No runtime regressions

Context

• Base images without crypto libraries cause: build-time CGO errors, pod crashes at startup
• distroless/base includes the required crypto libraries while remaining minimal
• This change is safe on Go 1.24 and prepares for Go 1.26