Code & Sundry

Jon G Stødle

Tiny Container Images With Distroless Containers


When deploying applications using containers, it's usually a goal to minimize the size of the container image.

How you achieve a small image size varies a lot between languages and technologies. As usual, there is no single solution that will work for everyone, but there's a pretty interesting alternative if you're deploying Rust, D, Go, Java or Node.js applications.

Google maintains a repo of what they call distroless containers. These are container base images that contain as little as possible. They’ve stripped away pretty much everything until you’re basically left with libc and not much more. There isn’t even a shell included!

Another nice benefit of the distroless images, apart from the size consideration, is security. With so few tools and executables inside the container, there is much less for an attacker to use if they manage to get access to it. Less code means fewer bugs and vulnerabilities.

To start using one is pretty simple. Build your application and copy the final binary into the image based on one of the distroless images:

FROM golang:1.13-buster as build

WORKDIR /src

COPY . /src

RUN go get -d -v ./...

RUN go build -o /go/bin/app

FROM gcr.io/distroless/base-debian10

COPY --from=build /go/bin/app /

CMD ["/app"]

It's important to note that you have to use the exec form, ["/app"], when defining a CMD or ENTRYPOINT command in the Dockerfile. If you use the "bare" form, e.g. CMD "/app", Docker will prepend the command with a shell (/bin/sh -c), which will not work, as there's no shell inside the distroless container.
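A small check for this pitfall, added here as an example (it is not from the original post or from the distroless project). It flags CMD and ENTRYPOINT in shell form in a distroless stage, and goes one step further than the text by also flagging RUN, which is shell-wrapped in the same way, and array-looking arguments that are not valid JSON (single or curly quotes), which Docker also treats as shell form. The function names and the sample Dockerfile are made up for the example; recognising a distroless base by the word "distroless" in the image name is an assumption.

```python
import json

# Instructions Docker wraps in "/bin/sh -c" when written in shell form.
SHELL_WRAPPED = {"CMD", "ENTRYPOINT", "RUN"}

def is_exec_form(args):
    """Exec form is a JSON array of strings; anything else is run via a shell."""
    try:
        parsed = json.loads(args)
    except json.JSONDecodeError:
        return False
    return isinstance(parsed, list) and all(isinstance(a, str) for a in parsed)

def shell_form_in_distroless(dockerfile):
    """Return (line_number, instruction) for shell-form use in distroless stages."""
    findings, in_distroless = [], False
    lines, i = dockerfile.splitlines(), 0
    while i < len(lines):
        start, text = i + 1, lines[i].strip()
        # Join backslash continuations so each instruction is one logical line.
        while text.endswith("\\") and i + 1 < len(lines):
            i += 1
            text = text[:-1].rstrip() + " " + lines[i].strip()
        i += 1
        if not text or text.startswith("#"):
            continue
        keyword, args = (text.split(None, 1) + [""])[:2]
        keyword, args = keyword.upper(), args.strip()
        if keyword == "FROM":
            # Assumption: a distroless base has "distroless" in its image name.
            image = next((t for t in args.split() if not t.startswith("--")), "")
            in_distroless = "distroless" in image.lower()
        elif in_distroless and keyword in SHELL_WRAPPED and not is_exec_form(args):
            findings.append((start, text))
    return findings

# Constructed sample: the final stage uses two forms that need a shell.
SAMPLE = """\
FROM golang:1.13-buster as build
RUN go build -o /go/bin/app
FROM gcr.io/distroless/base-debian10
COPY --from=build /go/bin/app /
ENTRYPOINT ['/app']
CMD "/app"
"""

if __name__ == "__main__":
    for line_no, text in shell_form_in_distroless(SAMPLE):
        print(f"line {line_no}: needs a shell in a distroless stage: {text}")
```

The RUN in the build stage is not reported, because the golang image does ship a shell.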

And that’s it!

Check out their repo on GitHub for more information.


Happy coding!