SumGuy's Ramblings
Go back

Distroless: How to Build Slim, Secure Containers

Ever looked at your Docker image and wondered why a simple Python script needs a full Debian install tagging along? Google’s “Distroless” images strip away the bloat, leaving only what your app needs to run. No shell, no package manager, just pure performance.

Key Takeaways

The “Dad Bod” of Containers

Most developers start with base images like ubuntu or debian. They’re comfortable, familiar, and come packed with everything—including a kitchen sink you’ll never use. This is the “Dad Bod” of containerization.

While convenient for development, these extra tools (like apt, bash, or curl) are just open invitations for hackers. If a bad actor finds a way into your app, the first thing they’ll do is use those built-in tools to download more malware.

Enter: Distroless

Google’s DistrolessDistroless project provides images that contain only your application and its runtime dependencies. They do not contain shell programs, package managers, or any other programs you would expect to find in a standard Linux distribution.

It’s like a race car: no radio, no AC, no passenger seat. Just the engine and the driver.

How to Use It (The Multi-Stage Secret)

Since Distroless doesn’t have a package manager, you can’t just apt-get install your way to victory. You must use Multi-Stage Builds. You build your app in a “heavy” environment and then copy the final binary or runtime files into the “slim” Distroless image.

Example 1: The Go Specialist (Static Binary)

Perfect for Go or Rust where you just need a single executable.

# Stage 1: Build
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -o myapp main.go

# Stage 2: Distroless Run
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app/myapp /
CMD ["/myapp"]
# Stage 1: Build
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -o myapp main.go

# Stage 2: Distroless Run
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app/myapp /
CMD ["/myapp"]

Example 2: The Node.js Modernist

Distroless provides a specific runtime image for Node.js.

# Stage 1: Build
FROM node:20-slim AS builder
WORKDIR /app
COPY package*.json ./
RUN npm install --production
COPY . .

# Stage 2: Distroless Run
FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app .
CMD ["index.js"]
# Stage 1: Build
FROM node:20-slim AS builder
WORKDIR /app
COPY package*.json ./
RUN npm install --production
COPY . .

# Stage 2: Distroless Run
FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app .
CMD ["index.js"]

Example 3: The Python Minimalist

Python is slightly trickier because it expects certain paths. We copy the site-packages from the builder.

# Stage 1: Build
FROM python:3.11-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
COPY . .

# Stage 2: Distroless Run
FROM gcr.io/distroless/python3-debian12
WORKDIR /app
COPY --from=builder /install /usr/local
COPY --from=builder /app /app
ENV PYTHONPATH=/usr/local/lib/python3.11/site-packages
CMD ["main.py"]
# Stage 1: Build
FROM python:3.11-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
COPY . .

# Stage 2: Distroless Run
FROM gcr.io/distroless/python3-debian12
WORKDIR /app
COPY --from=builder /install /usr/local
COPY --from=builder /app /app
ENV PYTHONPATH=/usr/local/lib/python3.11/site-packages
CMD ["main.py"]

Advanced Tips & Tricks

Handling CA Certificates (SSL/TLS)

If your app needs to make HTTPS requests, it needs root certificates. While most distroless/base images include them, distroless/static is barebones. You can copy them from your builder stage:

# Copy CA certificates from the builder stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Copy CA certificates from the builder stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

Time Zones (The UTC Trap)

Distroless images default to UTC. If your app relies on local time logic, you need to copy the zoneinfo database:

# Copy timezone data from the builder
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
ENV TZ=America/New_York
# Copy timezone data from the builder
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
ENV TZ=America/New_York

Non-Root Users

Security isn’t just about what’s in the image, but who runs it. Google Distroless images usually include a nonroot user (UID 65532). Always use it:

USER nonroot:nonroot
USER nonroot:nonroot

The Do’s and Don’ts

Do: Use for Production

This is where Distroless shines. The smaller the image, the faster it pulls from your registry, and the less likely it is to have a critical CVE (Common Vulnerabilities and Exposures) waiting to bite you.

Don’t: Use for Development

You will hate your life if you use Distroless while coding. You can’t docker exec into it to poke around. Stick to your standard Open Source favorites like Alpine or Debian for local dev work.

Do: Check Your Logs

Since you can’t “login” to the container to see what’s happening, your application’s logging must be top-tier. Send everything to stdout so you can read it via docker logs.

Don’t: Forget the “Debug” Tag

If you absolutely must debug a Distroless container, Google provides a :debug version of every image. These include a busybox shell so you can actually see what’s going on inside.

Use Cases: When to Go Distroless

The Open Source Advantage

While Google maintains these, the project is fully Open Source. It leverages the security of Debian but strips it down to the essentials. It’s the ultimate “less is more” philosophy applied to the cloud.

Share this post on:
Share this post via WhatsApp Share this post on Facebook Share this post on X Share this post via Telegram Share this post on Pinterest Share this post via email
Previous Post
Alpine vs. Distroless: Choosing Your Minimalist Base
Next Post
Certificate Pinning: The Nuclear Option for TLS Security (Use With Caution)