BellSoft Hardened Container Images

BellSoft provides hardened container images designed for production environments that require enhanced security, predictable vulnerability management, and transparent build processes. These minimal, regularly updated images come with a comprehensive Security Advisory and represent a unified vendor approach to container hardening.

BellSoft hardened images are available on Docker Hub for the following programming languages and runtimes:

Advanced Security

Proactive CVE patching and comprehensive image hardening

Languages/Runtime

Hardened containers for Java, Go, Python, GCC/C++, and GraalVM

Enterprise Reliability

24/7 support with proven performance and LTS commitment

How to use BellSoft Hardened Container Images

Getting Started

Pull an image from Docker Hub

docker pull bellsoft/<repository>:<image_tag>

Start a container

docker run --name my-app bellsoft/<repository>:<image_tag>

Specify as a base image in a Dockerfile:

FROM bellsoft/<repository>:<image_tag>

Example usage

# Pull the latest hardened Java runtime
docker pull bellsoft/hardened-liberica-runtime-container:jdk-21-glibc
# Run with your application
docker run -v /path/to/app:/app bellsoft/hardened-liberica-runtime-container:jdk-21-glibc java -jar /app/myapp.jar
# Use in a Dockerfile
FROM bellsoft/hardened-liberica-runtime-container:jdk-21-glibc

Available Repositories

Repository	Description	Use Case
bellsoft/hardened-base	Minimal hardened base images for running pre-built applications	Runtime base for compiled applications

Tags:

glibc - Base image with glibc
musl, latest - Base image with musl (default)

Repository	Description	JDK Types Available
bellsoft/hardened-liberica-runtime-container	Hardened Liberica JDK Lite and JRE Lite optimized for Cloud	jdk, jdk-all, jre

Java images follow the <JDK type>-<Java version>-[crac]-[cds]-<libc> pattern:

JDK Types:

jdk - Liberica JDK Lite optimized for Cloud
jdk-all - Full JDK for creating custom runtimes with jlink
jre - JRE Lite for running Java applications only

Optional Features:

crac - Coordinated Restore at Checkpoint support for instant startup
cds - Class Data Sharing archives for faster JRE startup

Examples:

jdk-21-glibc - JDK 21 Lite with glibc
jre-17-cds-musl - JRE 17 with Class Data Sharing and musl
jdk-21-crac-glibc - JDK 21 with CRaC support and glibc
jdk-21.0.7_9-glibc - Specific JDK version 21.0.7+9

Java Runtime Tags:

Tags follow the <JDK type>-<Java version>-[crac]-[cds]-<libc> structure:

Available Java Versions:

8, 11, 17, 21, 24

Examples:

jdk-21-glibc - Liberica JDK Lite 21 with glibc
jre-17-musl - Liberica JRE Lite 17 with musl
jdk-11-crac-glibc - JDK 11 with CRaC support and glibc
jdk-17-cds-musl - JDK 17 with Class Data Sharing and musl
jre-8-glibc - Liberica JRE Lite 8 with glibc
jdk-24-musl - Liberica JDK Lite 24 with musl
jdk-21.0.7_9-glibc - Specific JDK version 21.0.7+9

Repository	Description
bellsoft/hardened-liberica-native-image-kit-container	Hardened Liberica Native Image Kit (NIK)

NIK images follow the jdk-<Java version>-nik-<NIK version>-<libc> pattern:

Examples:

jdk-21-nik-24-glibc - NIK 24 for Java 21 with glibc
jdk-17-nik-24.1.2-musl - NIK 24.1.2 for Java 17 with musl

Native Image Kit Tags: Tags follow the jdk-<Java version>-nik-<NIK version>-<libc> structure:

jdk-21-nik-24-glibc - NIK 24 for Java 21 with glibc
jdk-17-nik-24.1.2-musl - NIK 24.1.2 for Java 17 with musl

Repository	Description	Language/Runtime
bellsoft/hardened-python	Hardened Python with basic utilities (pip, setuptools, wheel)	Python 3.x

Python Tags:

X.Y-glibc - specified version of Python with glibc
X.Y-musl - specified version of Python with musl
glibc - latest Python version with glibc
musl, latest - latest Python version with musl

Repository	Description	Language/Runtime
bellsoft/hardened-go	Hardened Go compiler and runtime for building applications	Go 1.x

Go Tags:

1.X-glibc, 1.X.Y-glibc - specified version of Go with glibc
1.X-musl, 1.X.Y-musl - specified version of Go with musl
glibc - latest Go version with glibc
musl, latest - latest Go version with musl

Repository	Description	Language/Runtime
bellsoft/hardened-gcc	Hardened GCC compiler, tools, and libraries for C/C++ development	GCC

GCC Tags:

X.Y-glibc - specified version of GCC with glibc
X.Y-musl - specified version of GCC with musl
glibc - latest GCC version with glibc
musl, latest - latest GCC version with musl

Architecture Support

All hardened images support multiple architectures:

- amd64 (x86_64)
- arm64 (aarch64)

The appropriate architecture will be automatically selected based on your platform.

Note: All hardened images support multiple architectures. The appropriate architecture will be automatically selected based on your platform.

License Information

Important: It is the image user's responsibility to ensure that any use of BellSoft hardened container images complies with all relevant licenses for software contained within the images.

All BellSoft hardened container images contain various software components distributed under different licenses. The table below summarizes the primary licenses for each image type:

License Summary by Image Type

Repository	Primary Components	Main Licenses
bellsoft/hardened-base	Base system libraries, musl/glibc	MIT, LGPL-2.1+
bellsoft/hardened-liberica-runtime-container	Liberica JDK/JRE, base system	GPL-2.0 with Classpath Exception, MIT
bellsoft/hardened-liberica-native-image-kit-container	Liberica NIK, GraalVM components	GPL-2.0 with Classpath Exception, UPL-1.0
bellsoft/hardened-python	Python runtime, pip, setuptools	Python Software Foundation License, MIT
bellsoft/hardened-go	Go compiler and runtime	BSD-3-Clause
bellsoft/hardened-gcc	GCC compiler, C/C++ libraries	GPL-3.0+, LGPL-3.0+

License Compliance Commands

Inspect All Licenses in an Image

# List all installed packages with licenses 
docker run --rm bellsoft/hardened-liberica-runtime-container:jdk-21-glibc \
  grep -E '^[PVL]:' /var/lib/apk/db/installed

Extract License Information by Component

# Get package information (P), version (V), and license (L)
docker run --rm bellsoft/hardened-python:3.12-glibc \
  awk '/^P:/{pkg=$2} /^V:/{ver=$2} /^L:/{lic=$2; print pkg, ver, lic}' \
  /var/lib/apk/db/installed

Search for Specific License Types

# Find all GPL-licensed components
docker run --rm bellsoft/hardened-gcc:14.3-glibc \
  grep -A2 -B2 "GPL" /var/lib/apk/db/installed

How to Fix Liberica NIK Not Starting on macOS Catalina and Later

If you use macOS Catalina and later you may encounter the issue that prevents Liberica NIK from starting. To fix it, run the following:

sudo xattr -r -d com.apple.quarantine path/to/graalvm/folder/

If you need more help, check out the FAQ at the bottom of this page or contact us.

Download Alpaquita Linux

Download Liberica JDK

Download Liberica Native Image Kit

Alpaquita Cloud Native Platform

Pricing

Alpaquita

Containers for Spring Boot

Liberica JDK

Liberica JDK 6&7

Liberica JDK for Embedded

Liberica JDKPerformance Edition

Liberica JDK with CRaC

Liberica Native Image Kit

Liberica Mission Control

Liberica Administration Center

Blog

Documentation

Content Library

Support for Liberica JDK

Support for Alpaquita Linux

Support for Liberica Native Image Kit

Company

Newsroom

Careers

BellSoft Hardened Container Images

BellSoft hardened images are available on Docker Hub for the following programming languages and runtimes:Java (JDK/JRE)GoPythonC/C++ (GCC)GraalVM Native Image Kit

Advanced Security

Languages/Runtime

Enterprise Reliability

How to use BellSoft Hardened Container Images

Getting Started

Available Repositories

Hardened Base Images

Java Runtime Container

Java Runtime Tag Structure

Java Native Image (NIK)

Native Image Kit Tag Structure

Python Language Hardened Images

Go Language Hardened Images

GCC Language Hardened Images

Architecture Support

License Information

License Summary by Image Type

License Compliance Commands

Alpaquita Cloud
Native Platform

Liberica JDK
Performance Edition

BellSoft hardened images are available on Docker Hub for the following programming languages and runtimes: