
🐳🔒 DISTROLESS DOCKER IMAGES — SMALLER, SAFER, FASTER

· devops

🔸 TL;DR

Distroless images strip out shells and package managers, leaving only your app and its runtime. That slashes image size, attack surface, and CVEs—perfect for production, especially on Kubernetes. ✅

🔸 WHY CARE?

▪️ Smaller footprint: fewer layers, faster pulls & deploys

▪️ Security by subtraction: no /bin/sh, no apt/yum, fewer CVEs

▪️ Prod-ready defaults: run as non-root, read-only FS (when you configure it)

▪️ Supply chain hygiene: clear contents → better SBOMs and scanning

🔸 HOW TO USE (EXAMPLE: JAVA 17)

```dockerfile
# 1) Build stage
FROM maven:3.9-eclipse-temurin-17 AS build
WORKDIR /app
# Resolve dependencies first so this layer stays cached until pom.xml changes
COPY pom.xml .
RUN mvn -q -B -e -DskipTests dependency:go-offline
COPY src ./src
RUN mvn -q -B -DskipTests package
# Result: target/app.jar (assumes <finalName>app</finalName> in pom.xml)

# 2) Runtime stage (distroless, no shell)
# The post links the runtime image as https://lnkd.in/eWVtmTqf; Google's distroless
# Java 17 image is used here on the assumption that this is what the link points to.
FROM gcr.io/distroless/java17-debian12:nonroot
WORKDIR /app
COPY --from=build /app/target/app.jar /app/app.jar
USER nonroot:nonroot
# Optional: keep it immutable in K8s (fsGroup, readOnlyRootFilesystem, etc.)
ENTRYPOINT ["java","-jar","/app/app.jar"]
```

Node/Go/.NET work similarly: build in a full image, copy artifacts into a distroless runtime.

🔸 GOTCHAS & DEBUG

▪️ No shell inside: debug via sidecar/ephemeral containers (busybox), or reproduce locally with the build image

▪️ Logs/temps: write to stdout/stderr or a mounted volume (read-only root FS!)

▪️ Native libs: ensure they’re copied; distroless only ships minimal runtime

▪️ Health checks: use HTTP/TCP checks—no curl inside the image
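The Dockerfile comment and the gotchas above all point at the same Kubernetes-side hardening: non-root, read-only root filesystem with a writable /tmp for the JVM, and HTTP probes instead of curl. This Deployment manifest is an added example, not part of the original post; the image reference, port 8080 and the /healthz and /ready endpoints are assumptions, and uid 65532 is assumed to be the distroless "nonroot" user.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 2
  selector:
    matchLabels: { app: app }
  template:
    metadata:
      labels: { app: app }
    spec:
      securityContext:
        runAsNonRoot: true          # kubelet refuses to start the pod as uid 0
        runAsUser: 65532            # assumed uid of "nonroot" in distroless images
        fsGroup: 65532              # mounted volumes become writable by that uid
        seccompProfile: { type: RuntimeDefault }
      containers:
        - name: app
          image: registry.example.com/app:1.0.0   # placeholder: image from the Dockerfile
          ports:
            - containerPort: 8080
          securityContext:
            readOnlyRootFilesystem: true      # nothing in the image is writable
            allowPrivilegeEscalation: false
            capabilities: { drop: ["ALL"] }
          volumeMounts:
            - name: tmp
              mountPath: /tmp                 # only writable path; JVM scratch files go here
          # HTTP probes: no curl in the image, so the kubelet does the request itself
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }   # assumed app endpoint
            initialDelaySeconds: 20
            periodSeconds: 10
          readinessProbe:
            httpGet: { path: /ready, port: 8080 }     # assumed app endpoint
            periodSeconds: 5
          resources:
            limits: { memory: "512Mi" }
      volumes:
        - name: tmp
          emptyDir: {}                        # ephemeral, discarded with the pod
```

Logs still go to stdout/stderr, so nothing else in the filesystem needs to be writable; if a startup fails, `kubectl debug` with a busybox ephemeral container is the on-cluster alternative to a shell in the image.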

🔸 WHEN TO USE / WHEN TO SKIP

▪️ Use for: production workloads, CI/CD speedups, tight security baselines

▪️ Skip for: images you frequently SSH/shell into (anti-pattern anyway), or complex on-box debugging requirements

🔸 TAKEAWAYS

▪️ Cut the noise: ship only what you run

▪️ Reduce risk: fewer tools = fewer exploits

▪️ Harden defaults: non-root + read-only + liveness/readiness probes

▪️ Keep DX smooth: debug from the builder or with a debug sidecar

#Docker #Distroless #Containers #DevOps #Security #Kubernetes #SupplyChain #SBOM #Java #CloudNative #Performance

Go further with Java certification:

Java👇

https://www.udemy.com/course/ocp-oracle-certified-professional-java-developer-prep/?referralCode=54114F9AD41F127CB99A

Spring👇

https://www.udemy.com/course/spring-professional-certification-6-full-tests-2v0-7222-a/?referralCode=04B6ED315B27753236AC