Distroless Images

Improving Container Security and Efficiency

What Are Distroless Images?

Distroless images are Docker images that contain only your application and its runtime dependencies. They do not contain package managers, shells, or any of the other programs you would expect to find in a standard Linux distribution.
They are created and maintained by Google, in the GoogleContainerTools project.

Why you should use them

1. Security

Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have run containers in production for many years.
The idea behind distroless images is to reduce the attack surface of a container by removing the components an attacker would reach for after compromising the app: with no shell there is nothing for a command injection or a reverse shell to exec into, and with no package manager there is no easy way to install tooling. It does not make your own code or its libraries any less vulnerable, so you should still pin the base image (by tag, or better by digest), rebuild when it is updated, and scan the final image; the base and cc variants still ship glibc and a few shared libraries that receive security updates. Two practical notes: every distroless image also comes in a :debug tag that adds a busybox shell for troubleshooting, which is never the tag you should ship, and the default tags run as root, so prefer the :nonroot variants (or set USER explicitly) unless your app genuinely needs root.

2. Efficiency

Distroless images are very small.
The smallest distroless image, gcr.io/distroless/static-debian11, is around 2 MiB. That's about 50% of the size of alpine (~5 MiB), and less than 2% of the size of debian (124 MiB).

Because they are smaller and contain only the necessary components, they are faster to pull and start, and there are far fewer packages to patch and to scan. This improves the overall efficiency of a containerized application and reduces resource usage.

How to use them

Let's see how a Dockerfile looks using distroless images.

I'll use my Redis clone as an example of dockerizing a Rust app.
Here's how to Dockerize it:

FROM rust:1.68-alpine
WORKDIR /app
COPY . /app
RUN cargo build --release

CMD ["./target/release/sider"]

Even though this is a very small app, the size of this image is a whopping 1.02GB!
This is mainly due to the size of the Rust image, which is 826MB, and that is the Alpine variant, which is already smaller than the other Rust images!

But I only need the compiled binary; I don't need the shell, the package manager, or even the Rust compiler in the final image!

We can use distroless images to hugely decrease the image size.
Here's the Dockerfile for it:

# Build stage: the full Rust toolchain lives here and is never shipped.
FROM rust:1.68-alpine AS build-env
WORKDIR /app
COPY . /app
RUN cargo build --release

# Runtime stage: libc, libgcc and libstdc++ only; no shell, no package manager.
FROM gcr.io/distroless/cc
COPY --from=build-env /app/target/release/sider /

# The exec (JSON) form is required: there is no /bin/sh for the shell form to use.
CMD ["./sider"]

In this Dockerfile, we use the Rust image only as a build stage, then copy the compiled binary into the distroless image, which becomes the final image; the compiler, shell and package manager stay behind in the build stage and never ship.
The size of this image is 27.5MB!
This is an amazing improvement compared to the initial 1.02GB size, approximately 38 times smaller!
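Here is a hardened version of the same multi-stage build, added as an example; it is not from the original post or from the sider repository. It keeps the post's image tags and the sider binary, and assumes the project is a single binary crate with a committed Cargo.lock and its sources under src/. The dependency-caching step, the non-root user, the choice of the static variant and the switch from CMD to ENTRYPOINT are my additions.

```dockerfile
# Added example: hardened multi-stage build for the sider binary.
# Assumptions: a single binary crate (src/main.rs), a committed Cargo.lock,
# and no C dependencies (otherwise `apk add --no-cache musl-dev` is usually
# needed in the build stage).

# ---- build stage --------------------------------------------------------
# Pin the builder to an exact tag (or, better, a digest) so a silently
# updated "latest" toolchain cannot slip into the build.
FROM rust:1.68-alpine AS build-env
WORKDIR /app

# Compile dependencies first, against a stub main.rs, so Docker caches that
# layer and source-only changes do not rebuild every crate.
COPY Cargo.toml Cargo.lock ./
RUN mkdir src \
 && echo 'fn main() {}' > src/main.rs \
 && cargo build --release \
 && rm -rf src \
           target/release/sider \
           target/release/deps/sider-* \
           target/release/.fingerprint/sider-*

# Now the real sources; only the sider crate itself is recompiled.
COPY src ./src
RUN cargo build --release

# ---- runtime stage ------------------------------------------------------
# The Alpine Rust toolchain targets musl and normally produces a statically
# linked binary, so the smallest variant (no libc at all) is enough.
# If `ldd target/release/sider` in the build stage shows shared libraries,
# use gcr.io/distroless/cc-debian11:nonroot instead.
FROM gcr.io/distroless/static-debian11:nonroot
COPY --from=build-env /app/target/release/sider /sider

# The :nonroot variant ships user "nonroot" (uid 65532); state it explicitly
# so a later change of base tag cannot silently promote the app to root.
USER nonroot:nonroot

# No shell exists in this image, so only the exec (JSON) form works.
ENTRYPOINT ["/sider"]
```

Add a .dockerignore containing target/ so the host's build output is not sent to the daemon. After `docker build -t sider .`, two quick checks confirm the hardening: `docker run --rm --entrypoint /bin/sh sider` must fail because /bin/sh does not exist in the image, and `docker inspect --format '{{.Config.User}}' sider` should print nonroot:nonroot.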

Here's the repo for distroless images if you want to know more about them.
https://github.com/GoogleContainerTools/distroless