0
0
Dockerdevops~10 mins

Distroless images concept in Docker - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - Distroless images concept
Start with base image
Remove OS shell and package manager
Include only app runtime and dependencies
Build minimal image
Deploy smaller, secure container
Run app with minimal attack surface
End
Distroless images start from a base, remove shells and package managers, keep only app runtime and dependencies, then build a minimal, secure container image.
Execution Sample
Docker
FROM gcr.io/distroless/base
COPY app /app
CMD ["/app"]
This Dockerfile uses a distroless base, copies the app binary, and runs it without a shell.
Process Table
StepActionDetailsResult
1FROM gcr.io/distroless/baseUse distroless base imageBase image has no shell or package manager
2COPY app /appCopy app binary into imageApp binary is inside image at /app
3CMD ["/app"]Set container to run app directlyContainer runs app without shell
4Build imageDocker builds image layersImage is minimal and smaller than typical base images
5Run containerStart container from imageApp runs with minimal dependencies and attack surface
6ExitContainer stops when app finishesContainer exits cleanly
💡 Execution stops after container runs app and exits
Status Tracker
VariableStartAfter Step 2After Step 4Final
Image SizeN/AReduced (no shell)Minimal (only app + runtime)Minimal
Shell PresentYes (normal base)No (distroless base)NoNo
Package Manager PresentYesNoNoNo
App BinaryNot presentCopied to /appPresentPresent
Key Moments - 3 Insights
Why can't we run shell commands inside a distroless container?
Because the distroless base image removes the shell and package manager, as shown in execution_table step 1 and variable_tracker 'Shell Present' being 'No'.
How does the container run the app without a shell?
The CMD instruction runs the app binary directly without a shell wrapper, as seen in execution_table step 3.
Why is the image size smaller with distroless?
Because unnecessary OS tools like shells and package managers are removed, reducing image size as shown in variable_tracker 'Image Size' changes.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table at step 1. What is missing in the distroless base image compared to a normal base?
AShell and package manager
BApp binary
CNetwork tools
DDocker daemon
💡 Hint
Check the 'Details' and 'Result' columns at step 1 in execution_table.
According to variable_tracker, after which step is the app binary present inside the image?
AAfter Step 1
BAfter Step 2
CAfter Step 4
DFinal
💡 Hint
Look at the 'App Binary' row and see when it changes from 'Not present' to 'Copied to /app'.
If we added a shell back into the image, how would the 'Shell Present' variable change in variable_tracker?
AIt would change to 'Yes' after Step 4
BIt would change to 'Yes' after Step 2
CIt would change to 'Yes' at Final
DIt would remain 'No'
💡 Hint
Think about when the shell would be added back during the build process.
Concept Snapshot
Distroless images remove shells and package managers
Include only app runtime and dependencies
Result in smaller, more secure containers
Run app binary directly without shell
Ideal for production deployments
Full Transcript
Distroless images start from a base image that has no shell or package manager. This means you cannot run shell commands inside the container. The Dockerfile copies the app binary directly into the image and sets it to run without a shell. This results in a smaller image size and reduces the attack surface, making the container more secure. The container runs the app directly and exits cleanly when the app finishes. Variables like image size and shell presence change as the image is built, showing the minimal nature of distroless images.