What Is a Distroless Image? Containers Without an OS
A distroless image ships only your application and its runtime dependencies - no shell, no package manager, no general-purpose OS userland.
Most base images include a full Linux userland: a shell, a package manager, coreutils. A distroless image throws all of that away and keeps only what your app needs to run. The payoff is a smaller, more secure image; the cost is that you lose the familiar debugging tools inside the container.
What gets removed
- No shell (
/bin/sh,bash). - No package manager (
apt,apk). - No coreutils or general-purpose binaries.
- Just your app, its runtime, and minimal supporting libraries.
Why it is more secure
A smaller image has fewer packages and therefore fewer CVEs. And with no shell, a common post-exploitation step - popping a shell inside the container - simply has nothing to work with.
The debugging trade-off
You cannot docker exec into a distroless container and poke around, because there is no shell. You debug instead with logs, an ephemeral debug container, or distroless :debug variants that re-add a shell only when needed.
Pairs naturally with multi-stage builds
Distroless shines as the final stage of a multi-stage build: compile in a full toolchain stage, then COPY --from the binary into a distroless final stage.
Distroless in CI/CD
CI pipelines build distroless images to ship lean, scan-clean artifacts to production. Because the final image is tiny, it pushes and pulls fast - and on managed runners the heavy builder stage stays cached between builds.
Key takeaways
- Distroless images contain only your app and runtime - no shell or package manager.
- Fewer packages mean fewer vulnerabilities and a smaller attack surface.
- You trade in-container debugging for security; pair it with multi-stage builds.