BellSoft Hardened Container Images

BellSoft provides hardened container images designed for production environments that require enhanced security, predictable vulnerability management, and transparent build processes. These minimal, regularly updated images come with a comprehensive Security Advisory and represent a unified vendor approach to container hardening.
BellSoft hardened images are available on Docker Hub for the following programming languages and runtimes:
Advanced Security

Advanced Security

Proactive CVE patching and comprehensive image hardening
Languages/Runtime

Languages/Runtime

Hardened containers for Java, Go, Python, GCC/C++, and GraalVM
Enterprise Reliability

Enterprise Reliability

24/7 support with proven performance and LTS commitment

Getting Started

Pull an image from Docker Hub

docker pull bellsoft/<repository>:<image_tag>

Start a container

docker run --name my-app bellsoft/<repository>:<image_tag>

Specify as a base image in a Dockerfile:

FROM bellsoft/<repository>:<image_tag>

Example usage

# Pull the latest hardened Java runtime
docker pull bellsoft/hardened-liberica-runtime-container:jdk-21-glibc
# Run with your application
docker run -v /path/to/app:/app bellsoft/hardened-liberica-runtime-container:jdk-21-glibc java -jar /app/myapp.jar
# Use in a Dockerfile
FROM bellsoft/hardened-liberica-runtime-container:jdk-21-glibc

Available Repositories

Hardened Base Images
RepositoryDescriptionUse Case

bellsoft/hardened-base

Minimal hardened base images for running pre-built applicationsRuntime base for compiled applications

Tags:

  • glibc - Base image with glibc
  • musl, latest - Base image with musl (default)
Hardened Java Runtime Images
RepositoryDescriptionJDK Types Available

bellsoft/hardened-liberica-runtime-container

Hardened Liberica JDK Lite and JRE Lite optimized for Cloudjdk, jdk-all, jre

bellsoft/hardened-liberica-native-image-kit-container

Hardened Liberica Native Image Kit (NIK)jdk, jdk-all, jre
Other Language Hardened Images
RepositoryDescriptionLanguage/Runtime

bellsoft/hardened-python

Hardened Python with basic utilities (pip, setuptools, wheel)Python 3.x

bellsoft/hardened-go

Hardened Go compiler and runtime for building applicationsGo 1.x

bellsoft/hardened-gcc

Hardened GCC compiler, tools, and libraries for C/C++ developmentGCC

Python Tags:

  • X.Y-glibc - specified version of Python with glibc
  • X.Y-musl - specified version of Python with musl
  • glibc - latest Python version with glibc
  • musl, latest - latest Python version with musl

Go Tags:

  • 1.X-glibc, 1.X.Y-glibc - specified version of Go with glibc
  • 1.X-musl, 1.X.Y-musl - specified version of Go with musl
  • glibc - latest Go version with glibc
  • musl, latest - latest Go version with musl

GCC Tags:

  • X.Y-glibc - specified version of GCC with glibc
  • X.Y-musl - specified version of GCC with musl
  • glibc - latest GCC version with glibc
  • musl, latest - latest GCC version with musl

Java Runtime Tags:

Tags follow the <JDK type>-<Java version>-[crac]-[cds]-<libc> structure:


Available Java Versions:

8, 11, 17, 21, 24

Examples:

  • jdk-21-glibc - Liberica JDK Lite 21 with glibc
  • jre-17-musl - Liberica JRE Lite 17 with musl
  • jdk-11-crac-glibc - JDK 11 with CRaC support and glibc
  • jdk-17-cds-musl - JDK 17 with Class Data Sharing and musl
  • jre-8-glibc - Liberica JRE Lite 8 with glibc
  • jdk-24-musl - Liberica JDK Lite 24 with musl
  • jdk-21.0.7_9-glibc - Specific JDK version 21.0.7+9

Native Image Kit Tags: Tags follow the jdk-<Java version>-nik-<NIK version>-<libc> structure:

  • jdk-21-nik-24-glibc - NIK 24 for Java 21 with glibc
  • jdk-17-nik-24.1.2-musl - NIK 24.1.2 for Java 17 with musl

Tag Structure

Libc Variants

All hardened images are available in two libc implementations:

  • glibc - Standard GNU C Library, better compatibility with existing applications
  • musl - Lightweight, security-focused C library, smaller image sizes
Java Runtime Tag Structure

Java images follow the <JDK type>-<Java version>-[crac]-[cds]-<libc> pattern:


JDK Types:

  • jdk - Liberica JDK Lite optimized for Cloud
  • jdk-all - Full JDK for creating custom runtimes with jlink
  • jre - JRE Lite for running Java applications only

Optional Features:

  • crac - Coordinated Restore at Checkpoint support for instant startup
  • cds - Class Data Sharing archives for faster JRE startup

Examples:

  • jdk-21-glibc - JDK 21 Lite with glibc
  • jre-17-cds-musl - JRE 17 with Class Data Sharing and musl
  • jdk-21-crac-glibc - JDK 21 with CRaC support and glibc
  • jdk-21.0.7_9-glibc - Specific JDK version 21.0.7+9
Native Image Kit Tag Structure

NIK images follow the jdk-<Java version>-nik-<NIK version>-<libc> pattern:


Examples:

  • jdk-21-nik-24-glibc - NIK 24 for Java 21 with glibc
  • jdk-17-nik-24.1.2-musl - NIK 24.1.2 for Java 17 with musl
Other Language Tag Structure

Other languages follow the <version>-<libc> pattern:


Examples:

  • 3.10-glibc - Python 3.10 with glibc
  • 1.21-musl - Go 1.21 with musl
  • 11.2-glibc - GCC 11.2 with glibc

Architecture Support

All hardened images support multiple architectures:

  • amd64 (x86_64) - Default if no architecture specified
  • arm64 (aarch64) - ARM 64-bit architecture
  • armv7 - ARM 32-bit architecture (selected images)

Multi-arch examples:**


bash

docker pull bellsoft/hardened-liberica-runtime-container:jdk-21-glibc
docker pull bellsoft/hardened-go:1.21-musl

Note: All hardened images support multiple architectures. The appropriate architecture will be automatically selected based on your platform.

License Information

Important: It is the image user's responsibility to ensure that any use of BellSoft hardened container images complies with all relevant licenses for software contained within the images.

All BellSoft hardened container images contain various software components distributed under different licenses. The table below summarizes the primary licenses for each image type:

License Summary by Image Type
RepositoryPrimary ComponentsMain Licenses

bellsoft/hardened-base

Base system libraries, musl/glibcMIT, LGPL-2.1+

bellsoft/hardened-liberica-runtime-container

Liberica JDK/JRE, base systemGPL-2.0 with Classpath Exception, MIT

hardened-liberica-native-image-kit-container

Liberica NIK, GraalVM componentsGPL-2.0 with Classpath Exception, UPL-1.0

bellsoft/hardened-python

Python runtime, pip, setuptoolsPython Software Foundation License, MIT

bellsoft/hardened-go

Go compiler and runtimeBSD-3-Clause

bellsoft/hardened-gcc

GCC compiler, C/C++ librariesGPL-3.0+, LGPL-3.0+

License Compliance Commands

Inspect All Licenses in an Image

# List all installed packages with licenses 
docker run --rm bellsoft/hardened-liberica-runtime-container:jdk-21-glibc \
  grep -E '^[PVL]:' /var/lib/apk/db/installed

Extract License Information by Component

# Get package information (P), version (V), and license (L)
docker run --rm bellsoft/hardened-python:3.12-glibc \
  awk '/^P:/{pkg=$2} /^V:/{ver=$2} /^L:/{lic=$2; print pkg, ver, lic}' \
  /var/lib/apk/db/installed

Search for Specific License Types

# Find all GPL-licensed components
docker run --rm bellsoft/hardened-gcc:14.3-glibc \
  grep -A2 -B2 "GPL" /var/lib/apk/db/installed