Distroless container images are minimal container images that exclude a traditional Linux distribution such as Debian, Ubuntu, or Alpine. Instead, they contain only the essential runtime dependencies required for an application to run. Distroless images do not contain a package manager, shell, or debugging tools.

Minimus images are built from packages built directly from source by the Minimus service. Since they are not dependent on a third-party operating system like Alpine or Debian, Minimus is able to release the updated packages within hours of the change in the upstream code and build images with the updated packages on a daily basis.

What’s included in a distroless image?

A Minimus production image, like any distroless image, contains only the essentials to run:
  • The application binary and its required dependencies
  • Core runtime libraries (e.g., glibc)
  • Certificates (for TLS)
  • Language runtimes, if required (e.g., Python, Java, Node.js)
Since the fully distroless image is often too slim to work with during development, every Minimus production image has a complementary dev image variant that includes required developer tools, such as a package manager, shell, etc. See more below.

Complementary DEV images

The packages needed to build an app are often somewhat different from the packages needed merely to run it. As a result, Minimus has expanded its distroless approach to building two complementary images for every version: a production image, which is fully distroless, and a dev image for development and debugging purposes. Learn more about dev images.

The dev image variant is still much leaner and cleaner than the typical public image, but it does include a shell, package manager, and other relevant tooling. Minimus dev images are updated daily according to the same principles of the Minimus service used to build production images. See Minimus architecture.

Package count comparison

The SBOM of Minimus production images will (almost) always show a drastic reduction in the number of packages compared to the equivalent Ubuntu, Debian, or even Alpine image.
Image Type            Typical Package Count
Ubuntu-based image    ~200–400+ packages
Alpine image          ~50–100 packages
Distroless image      ~10–30 packages

Why are there so few packages?

Minimus production images, in keeping with the theory of distroless images, exclude:
  • Shells (/bin/sh, bash)
  • Package managers (apt, apk, yum)
  • Core utilities (ls, cat, cp, etc.)
  • Compilers and interpreters (unless essential for the application)
  • System services or init systems
As noted above, the dev variant of Minimus images does include these tools, which allows users to leverage multi-stage build techniques to produce more secure apps.

NGINX image example

The nginx image is an interesting case in point. The standard image on Docker Hub has 231 packages. The Minimus nginx image has 15 packages. That’s well over a 90% reduction in the number of packages. The SBOM for the nginx latest image shows the packages in the image include nginx-{version} and associated packages, ca-certificates-bundle, the core runtime library glibc and associated packages, and zlib for compression.
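One way to check these claims against an image's SBOM is sketched below. It is an added example, not Minimus tooling. It assumes the SBOM is exported as CycloneDX JSON; the package-name lists per excluded category and the two sample SBOMs are constructed for illustration.

```python
import json

# Package names per category the page says a distroless image excludes.
# These name lists are assumptions for illustration; extend them as needed.
EXCLUDED = {
    "shell": {"bash", "dash", "zsh", "busybox"},
    "package manager": {"apt", "apk-tools", "yum", "dnf", "rpm", "dpkg"},
    "core utilities": {"coreutils", "util-linux"},
    "compiler": {"gcc", "clang", "make"},
}

def load_components(sbom_text):
    """Return (name, version) pairs from a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON document")
    return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]

def audit(sbom_text):
    """Count packages and list any that fall in an excluded category."""
    comps = load_components(sbom_text)
    findings = sorted(
        (cat, name) for name, _ in comps
        for cat, names in EXCLUDED.items() if name.lower() in names
    )
    return {"packages": len(comps), "findings": findings}

def reduction_pct(baseline, slim):
    """Percentage reduction in package count from baseline to slim."""
    if baseline <= 0:
        raise ValueError("baseline must be positive")
    return round(100 * (baseline - slim) / baseline, 1)

def make_sbom(names):
    """Build a minimal CycloneDX document for the constructed samples."""
    comps = [{"type": "library", "name": n, "version": "0.0.0"} for n in names]
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": comps})

# Constructed samples, not real Minimus SBOMs.
PROD_SBOM = make_sbom(["nginx", "ca-certificates-bundle", "glibc", "zlib"])
DEV_SBOM = make_sbom(["nginx", "ca-certificates-bundle", "glibc", "zlib",
                      "bash", "apk-tools", "coreutils"])

if __name__ == "__main__":
    for label, sbom in (("production", PROD_SBOM), ("dev", DEV_SBOM)):
        print(label, audit(sbom))
    print("nginx reduction:", reduction_pct(231, 15), "%")
```

Run as a CI gate on the production image, a non-empty `findings` list signals that a shell, package manager, or similar tool has slipped into an image that is meant to be distroless.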