5 Opinions on Distroless Images for Java Apps in 4 Minutes

Transcript

Hi friends! Let’s discuss facts and fiction related to distroless images.

There’s no Linux in distroless.

Fact or fiction?

Truly distroless images are built FROM scratch, but those suit only simple statically linked apps. Not every enterprise app can run from scratch, because such an image has no certificate data or other necessary components.

So, ready-made distroless images do contain a Linux distro, but a very stripped-down one, without a package manager, shell, or other typical Linux components. This approach is in line with the modern practice of running an application in an immutable container.

The answer is: fiction
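
An added example, not from the video or from any image vendor: a POSIX shell audit of an unpacked image root filesystem that checks for the components discussed above (shell, package manager, distro metadata, CA certificates, libc). The function names, the path lists and the three category labels are assumptions chosen for illustration.

```shell
#!/bin/sh
# Audit an unpacked image root filesystem, e.g. one produced with
#   docker export <container> | tar -x -C rootfs
# Function names, path lists and category labels are illustrative assumptions.

# has_any ROOT PATH...  -> succeeds if any PATH exists under ROOT
has_any() {
    _r=$1; shift
    for _p in "$@"; do
        # -L also catches symlinks that dangle outside the original image
        if [ -e "$_r$_p" ] || [ -L "$_r$_p" ]; then return 0; fi
    done
    return 1
}

# audit_rootfs ROOT  -> prints one "component=yes|no" line per check
audit_rootfs() {
    root=${1%/}
    for check in \
        "shell:/bin/sh /bin/bash /bin/ash /bin/busybox /usr/bin/sh /usr/bin/bash" \
        "package_manager:/usr/bin/apt-get /usr/bin/dpkg /sbin/apk /usr/bin/dnf /usr/bin/rpm" \
        "os_release:/etc/os-release /usr/lib/os-release" \
        "ca_certs:/etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem"
    do
        key=${check%%:*}
        paths=${check#*:}
        # $paths is deliberately unquoted so it splits into separate arguments
        if has_any "$root" $paths; then echo "$key=yes"; else echo "$key=no"; fi
    done
    # libc: look for the glibc or musl loader, or libc.so*, anywhere in the tree
    libc=$(find "$root" \( -name 'ld-linux*' -o -name 'ld-musl-*' \
        -o -name 'libc.so*' \) 2>/dev/null || true)
    if [ -n "$libc" ]; then echo "libc=yes"; else echo "libc=no"; fi
}

# classify ROOT  -> scratch-like | distroless-like | full-distro
classify() {
    report=$(audit_rootfs "$1")
    case "$report" in
        *shell=yes*|*package_manager=yes*) echo "full-distro" ;;
        *os_release=yes*|*libc=yes*)       echo "distroless-like" ;;
        *)                                 echo "scratch-like" ;;
    esac
}
```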

Distroless are smaller than the usual Docker images.

Fact or fiction?

There are distroless images as small as two MB. They are great for statically linked apps. For applications with dynamic features, there are distroless images with libc: Debian glibc from Google, and Wolfi glibc and Alpine musl from Chainguard, for instance. They, too, are quite small. But if you have a Java app, you need a JRE. So the distroless image for Java includes a libc plus an OpenJDK distribution, and so it is a lot bigger.

The answer is: fact, but not for Java apps

Distroless are more secure than the usual Docker images.

Fact or fiction?

It is said that distroless have a smaller attack surface. However, the attack surface is not the sum of all software components but of attack vectors — the potentially exploitable paths. It means that not all files in your container can be used by attackers. Files in the direct execution path, such as libc, for instance, are at a higher risk of exploits.

Even though distroless are smaller, they are still not foolproof. They contain a Linux distro and an OpenJDK distribution in the case of Java apps, so if these components are not secure, the image will be insecure too.

The answer is: fiction

Distroless are difficult to debug.

Fact or fiction?

Distroless containers are hard to debug due to the absence of shell access. You need to master advanced Kubernetes techniques or introduce other technologies into your project, such as ephemeral containers. Besides, if your app doesn’t fit perfectly into a ready image, configuration of distroless images is not that simple either. To adjust Google's images, for example, you need to know Bazel, and adding new packages is complicated without a package manager.

The answer is: fact

Distroless images are a good choice for enterprise applications.

Fact or fiction?

Distroless are good for specific cases. Statically linked applications will benefit from small images, plus popular distroless images from Google or Chainguard are established and reliable.

But in the case of Java, choosing the right base image for your Java app might be better. Consider a secure Liberica Runtime Container, which is only about 40 MB in size and based on Liberica JDK and Alpaquita Linux.

The answer is: fact, but not for all use cases

And these were five opinions on distroless images. To find out more, read our FAQ on this solution. The link is in the description.

Do you consider using distroless for your application? What do you think is better, distroless or a lightweight base OS image for containers? Share your thoughts in the comments.

About Catherine

Java developer passionate about Spring Boot. Writer. Developer Advocate at BellSoft
