Understand how Minimus images, as distroless container images, drastically reduce their package count and attack surface
Distroless container images are minimal container images that exclude a traditional Linux distribution such as Debian, Ubuntu, or Alpine. Instead, they contain only the essential runtime dependencies required for an application to run. Distroless images do not contain a package manager, shell, or debugging tools. Minimus images are built from packages that the Minimus service builds directly from source. Since they do not depend on a third-party operating system like Alpine or Debian, Minimus is able to release updated packages within hours of a change in the upstream code and to build images with the updated packages on a daily basis.
A Minimus production image, like any distroless image, contains only the essentials needed to run:
The application binary and its required dependencies
Core runtime libraries (e.g., glibc)
Certificates (for TLS)
Language runtimes, if required (e.g., Python, Java, Node.js)
Since the fully distroless image is often too slim to work with during development, every Minimus production image has a complementary dev image variant that includes required developer tools, such as a package manager, shell, etc. See more below.
The packages necessary to build an app are often somewhat different from the packages merely necessary to run it. As a result, Minimus has expanded its distroless approach to building two complementary images for every version: a production image, which is fully distroless, and a dev image for development and debugging purposes. Learn more about dev images. The dev image variant is still much leaner and cleaner than the typical public image, but it does include a shell, package manager, and other relevant tooling. Minimus dev images are updated daily according to the same principles of the Minimus service used to build production images. See Minimus architecture.
The SBOM of Minimus production images will (almost) always show a drastic reduction in the number of packages compared to the equivalent Ubuntu, Debian, or even Alpine image.
Minimus production images, in keeping with the distroless approach, exclude:
Shells (/bin/sh, bash)
Package managers (apt, apk, yum)
Core utilities (ls, cat, cp, etc.)
Compilers and interpreters (unless essential for the application)
System services or init systems
As noted above, the dev variant of Minimus images does include these tools, so that users can leverage multi-stage build techniques to produce more secure apps. Learn more
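A multi-stage build that compiles and installs in the dev variant and ships only the result in the distroless production variant, as an added example that is not from the Minimus documentation. The image references are placeholders (this page gives no registry paths), and the example assumes the dev and production variants of the same version share the same Python layout, so a virtualenv created in one runs unchanged in the other.

```dockerfile
# Stage 1: build in the dev variant, which still has a shell and a package manager.
# PLACEHOLDER image reference; substitute the actual Minimus dev image name and tag.
FROM REGISTRY/python:3-dev AS build
WORKDIR /app
COPY requirements.txt .
# Install dependencies into a self-contained virtualenv so the whole tree can be copied.
RUN python3 -m venv /app/venv \
    && /app/venv/bin/pip install --no-cache-dir -r requirements.txt
COPY app.py .

# Stage 2: the distroless production variant (PLACEHOLDER image reference).
# No RUN instructions are possible here: there is no /bin/sh to execute them.
FROM REGISTRY/python:3
WORKDIR /app
# Only copy the build output; no compiler, pip, or shell reaches the final image.
COPY --from=build /app /app
# Exec form is required: shell form ("python app.py") would try to invoke /bin/sh,
# which the production image deliberately does not contain.
ENTRYPOINT ["/app/venv/bin/python", "/app/app.py"]
```

If a build step must run a shell command inside the final image, that is a sign the step belongs in the dev stage, not a reason to add a shell to the production image.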
The nginx image is an interesting case in point. The standard image on Docker Hub has 231 packages. The Minimus nginx image has 15 packages. That is well over a 90% reduction in the number of packages. The SBOM for the nginx latest image shows that the packages in the image include nginx-{version} and associated packages, ca-certificates-bundle, the core runtime library glibc and associated packages, and zlib for compression.