A distroless image is a minimal container image that includes only the application and required runtime components without a full general-purpose operating system userland. It matters because extra shells, package managers, and utilities often enlarge attack surface without helping the workload run.
What is Distroless Image?
Distroless images can reduce exposed tooling and simplify what is present in production containers. They are not a silver bullet, but they often make post-compromise abuse and image bloat harder than in full-featured base images.
What Distroless Image Commonly Supports
Common uses include container hardening, attack-surface reduction, production image minimization, and runtime simplification.
Distroless Image vs. General-Purpose Utility-Rich Image
A distroless image strips away unnecessary OS tools. Utility-rich images are more convenient for debugging but often expose more components to attack.
Frequently Asked Questions
Why use distroless images?
Because many production workloads do not need shells or package managers, and removing them reduces clutter and risk.
Do distroless images prevent compromise?
No. They reduce some attack surface, but application flaws and privilege issues can still be exploited.
