Skip to content
Latchkey

What Is a Distroless Image? Containers Without an OS

A distroless image ships only your application and its runtime dependencies - no shell, no package manager, no general-purpose OS userland.

Most base images include a full Linux userland: a shell, a package manager, coreutils. A distroless image throws all of that away and keeps only what your app needs to run. The payoff is a smaller, more secure image; the cost is that you lose the familiar debugging tools inside the container.

What gets removed

  • No shell (/bin/sh, bash).
  • No package manager (apt, apk).
  • No coreutils or general-purpose binaries.
  • Just your app, its runtime, and minimal supporting libraries.

Why it is more secure

A smaller image has fewer packages and therefore fewer CVEs. And with no shell, a common post-exploitation step - popping a shell inside the container - simply has nothing to work with.

The debugging trade-off

You cannot docker exec into a distroless container and poke around, because there is no shell. You debug instead with logs, an ephemeral debug container, or distroless :debug variants that re-add a shell only when needed.

Pairs naturally with multi-stage builds

Distroless shines as the final stage of a multi-stage build: compile in a full toolchain stage, then COPY --from the binary into a distroless final stage.

Distroless in CI/CD

CI pipelines build distroless images to ship lean, scan-clean artifacts to production. Because the final image is tiny, it pushes and pulls fast - and on managed runners the heavy builder stage stays cached between builds.

Key takeaways

  • Distroless images contain only your app and runtime - no shell or package manager.
  • Fewer packages mean fewer vulnerabilities and a smaller attack surface.
  • You trade in-container debugging for security; pair it with multi-stage builds.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →