"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

For more information, see this talk (video).

Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.

These images are built using the bazel tool, but they can also be used through other Docker image build tooling.

Note that distroless images by default do not contain a shell. That means the Dockerfile ENTRYPOINT command must be specified in vector form, to avoid the container runtime prefixing with a shell.

This works:

ENTRYPOINT ['myapp']

But this does not work:

ENTRYPOINT 'myapp'

Docker multi-stage builds make using distroless images easy. Follow these steps to get started:

• Pick the right base image for your application stack. We publish the following distroless base images on gcr.io:

  • gcr.io/distroless/base
  • gcr.io/distroless/java
  • gcr.io/distroless/cc

• The following images are also published on gcr.io, but are considered experimental and not recommended for production usage:

  • gcr.io/distroless/python2.7
  • gcr.io/distroless/python3
  • gcr.io/distroless/nodejs
  • gcr.io/distroless/java/jetty
  • gcr.io/distroless/dotnet

• Write a multi-stage docker file. Note: This requires Docker 17.05 or higher.

  The basic idea is that you'll have one stage to build your application artifacts, and insert them into your runtime distroless image. If you'd like to learn more, please see the documentation on multi-stage builds.

Here's a quick example for go:

# Start by building the application.
FROM golang:1.8 as build

WORKDIR /go/src/app
COPY . .

RUN go get -d -v ./...
RUN go install -v ./...

# Now copy it into our base image.
FROM gcr.io/distroless/base
COPY --from=build /go/bin/app /
CMD ["/app"]

You can find other examples here:

• Java
• Python
• Python 3
• Golang
• Node.js
• dotnet

To run any example, go the the directory for the language and run

docker build -t myapp .
docker run -t myapp

For full documentation on how to use bazel to generate Docker images, see the bazelbuild/rules_docker repository.

For documentation and examples on how to use the bazel package manager rules, see ./package_manager

Examples can be found in this repository in the examples directory.

We have some examples on how to run some common application stacks in the /examples directory. See here for:

• Java
• Python
• Python 3
• Golang
• Node.js
• dotnet

See here for examples on how to complete some common tasks in your image:

• Adding and running as a non-root user
• Including debian packages
• Including CA certificates

See here for more information on how these images are built and released.

For full documentation on how to use Jib to generate Docker images from Maven and Gradle, see the GoogleContainerTools/jib repository.

Distroless images are minimal and lack shell access. The :debug image set for each language provides a busybox shell to enter.

For example:

cd examples/python2.7/

edit the Dockerfile to change the final image to :debug:

FROM python:2.7-slim AS build-env
ADD . /app
WORKDIR /app

FROM gcr.io/distroless/python2.7:debug
COPY --from=build-env /app /app
WORKDIR /app
CMD ["hello.py", "/etc"]

then build and launch with an shell entrypoint:

$ docker build -t my_debug_image .

$ docker run --entrypoint=sh -ti my_debug_image

/app # ls
BUILD       Dockerfile  hello.py

Note: ldd is not installed in the base image as it's a shell script, you can copy it in or download it.