
Distroless Docker images are becoming popular for deployment containers due to their small size and reduced attack surface. These images omit the full operating system distribution, which reduces both the number of vulnerabilities and the noise in security scans. Google has published a set of distroless container images, and application images on top of them can be built with Bazel or with multistage Dockerfiles. Distroless containers don’t have a shell for debugging, but debug variants with a BusyBox shell are available. However, the ecosystem is still mainly confined to Google-generated images, and caution should be taken with vulnerability scanners like Trivy, which only support distroless containers in recent versions.

There are some clear advantages to using distroless:

  • Improved Security: By eliminating the full operating system distribution, distroless Docker images reduce the attack surface and the number of vulnerabilities that need to be patched, thereby improving security.
  • Smaller Image Size: Distroless Docker images are much smaller in size as compared to traditional Docker images, making them more efficient and faster to download and deploy.
  • Reduced Footprint: With the elimination of the operating system distribution, distroless Docker images have a smaller footprint, which means they require less disk space and memory.
  • Better Performance: The smaller size and reduced footprint of distroless Docker images lead to better performance as they require fewer resources to run.
  • Enhanced Compatibility: Distroless Docker images are compatible with a wide range of languages, which makes it easier to create applications that are portable and can run on different systems.

And some disadvantages:

  • Limited Debugging Capabilities: Distroless Docker images don’t have a shell for debugging, which can make it difficult to diagnose issues and resolve problems.
  • Lack of Support for Tools and Utilities: Without a full operating system distribution, distroless Docker images may not have access to the tools and utilities that are necessary for running applications.
  • Compatibility Issues: The lack of an operating system distribution in distroless Docker images can result in compatibility issues with some applications and tools.
  • Reduced Flexibility: The stripped-down nature of distroless Docker images can limit the flexibility of applications and make it more challenging to customize them to meet specific needs.
  • Dependence on Google: Currently, distroless Docker images are mainly confined to Google-generated images, which can limit the number of providers to choose from and reduce the ability to easily switch between different providers.
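The multistage Dockerfile build and the BusyBox debug variant mentioned above, as an added example that is not part of the original post. It assumes a Go module whose main package lives in ./cmd/app; the base image names are Google's published distroless tags, and the Go version is an assumption.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a statically linked binary on a full toolchain image.
# The compiler, source tree and package manager never reach the final image.
# (Go 1.22 and the ./cmd/app path are assumptions for this example.)
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a static binary, so the runtime stage needs no libc.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2 (optional): same layout on the :debug-nonroot tag, which adds a
# BusyBox shell at /busybox/sh for troubleshooting. Build it explicitly with
#   docker build --target debug -t app:debug .
# and enter it with
#   docker run --rm -it --entrypoint /busybox/sh app:debug
# This stage is placed before the runtime stage so a plain `docker build`
# (which uses the last stage) never produces an image with a shell.
FROM gcr.io/distroless/static-debian12:debug-nonroot AS debug
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]

# Stage 3: copy only the binary into the distroless base. The :nonroot tag
# runs as an unprivileged user and ships no shell, package manager or libc.
FROM gcr.io/distroless/static-debian12:nonroot AS runtime
COPY --from=build /out/app /app
USER nonroot:nonroot
# Exec form is mandatory: there is no /bin/sh to interpret a shell-form command.
ENTRYPOINT ["/app"]
```

Running `docker run --rm --entrypoint sh app:latest` against the runtime image fails, which is a quick check that the shell really is absent from what gets deployed.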

Based on the current trends, it is likely that distroless Docker images will continue to grow in popularity as a solution for deploying containers due to their reduced attack surface and smaller size. The trend towards smaller and more secure containers is likely to continue, and distroless Docker images align with this trend. However, the adoption and use of distroless Docker images may also be influenced by advancements in technology, changes in security needs, and the availability of alternative solutions.

In summary, when deciding whether to use distroless Docker images, it is important to weigh the security gain from a reduced attack surface and the smaller size and footprint against the loss of compatibility and of support for tools and utilities. It may also be helpful to carefully evaluate the specific requirements of the application or project to determine whether the limitations of distroless Docker images can be mitigated or overcome. Additionally, it is important to stay informed about the latest developments in container technology and security, as these can affect the viability and adoption of distroless Docker images over time.