5 Opinions on Distroless Images for Java Apps in 4 Minutes

Catherine Edelveis
Catherine Edelveis

Transcript

Hi friends! Let’s discuss facts and fiction related to distroless images.

There’s no Linux in distroless.

Fact or fiction?

Truly distroless images are made FROM scratch, but they are suitable for simple statically linked apps. Not all enterprise apps can be run from scratch as there is no certificate data or other necessary components.

So, ready distroless images do contain a Linux distro, but a very stripped-down one, without a package manager, shell, or other typical Linux components. This approach is in line with the modern practices of running an application in the immutable container.

The answer is: fiction

Distroless are smaller than the usual Docker images.

Fact or fiction?

There are distroless images as small as two MB. They are great for statically linked apps. For the applications with dynamic features, there are distroless images with libc: Debian glibc from google, and Wolfi glibc and Alpine musl from Chainguard, for instance. They, too, are quite small. But If you have a Java app, you need a JRE. So the distroless image for Java includes a libc plus an OpenJDK distribution, and so it is a lot bigger.

The answer is: fact, but not for Java apps

Distroless are more secure than the usual Docker images.

Fact or fiction?

It is said that distroless have a smaller attack surface. However, the attack surface is not the sum of all software components but of attack vectors — the potentially exploitable paths. It means that not all files in your container can be used by attackers. Files in the direct execution path, such as libc, for instance, are at a higher risk of exploits.

Even though distroless are smaller, they are still not foolproof. They contain a Linux distro and an OpenJDK distribution in the case of Java apps, so if these components are not secure - the image will be insecure too. The answer is: fiction

Distroless are difficult to debug.

Fact or fiction?

Distroless containers are hard to debug due to the absence of shell access. You need to master advanced Kubernetes techniques or introduce other technologies into your project, such as ephemeral containers. Besides, if your app doesn’t fit perfectly into a ready image, configuration of distroless images is not that simple either. To adjust Google's images, for example, you need to know bazel, and adding new packages is complicated without a package manager. The answer is: fact

Distroless images are a good choice for enterprise applications.

Fact or fiction?

Distroless are good for specific cases. Statically linked applications will benefit from small images, plus popular distroless images from Google or Chainguard are established and reliable.

But in the case of Java, choosing a right base image for your Java app might be better. Consider a secure Liberica Runtime Container, which is only about 40 MB in size and based on Liberica JDK and Alpaquita Linux. The answer is: fact, but not for all use cases

And these were five opinions on distroless images. To find out more, read our FAQ on this solution. The link is in the description.

Do you consider using distroless for your application? What do you think is better, distroless or a lightweight base OS image for containers? Share your thoughts in the comments.

About Catherine

Java developer passionate about Spring Boot. Writer. Developer Advocate at BellSoft

Social Media

Videos
card image
Feb 6, 2026
Backend Developer Roadmap 2026: What You Need to Know

Backend complexity keeps growing, and frameworks can't keep up. In 2026, knowing React or Django isn't enough. You need fundamentals that hold up when systems break, traffic spikes, or your architecture gets rewritten for the third time.I've been building production systems for 15 years. This roadmap covers three areas that separate people who know frameworks from people who can actually architect backend systems: data, architecture, and infrastructure. This is about how to think, not what tools to install.

Watch Now
Videos
card image
Jan 29, 2026
JDBC Connection Pools in Microservices. Why They Break Down (and What to Do Instead)

In this livestream, Catherine is joined by Rogerio Robetti, the founder of Open J Proxy, to discuss why traditional JDBC connection pools break down when teams migrate to microservices, and what is a more efficient and reliable approach to organizing database access with microservice architecture.

Watch Now

Further watching

Videos
card image
Feb 27, 2026
Spring Developer Roadmap 2026: What You Need to Know

Spring Boot is powerful. But knowing the framework isn’t the same as understanding backend engineering. In this video, I walk through the roadmap I believe matters for a Spring developer in 2026. We start with data. That means real SQL — CTEs, window functions, normalization trade-offs — and understanding what ACID and BASE actually imply for system guarantees. Spring Data JPA is useful, but you still need to know what happens underneath. Then architecture: microservices vs modular monolith, serverless, CQRS, and when HTTP, gRPC, Kafka, or WebSockets make sense. Not as buzzwords — but as design choices with trade-offs. Security and infrastructure follow: OWASP Top 10, AuthN vs AuthZ, encryption in transit and at rest, Docker, Kubernetes, Infrastructure as Code, and observability with Micrometer, OpenTelemetry, and Grafana. This roadmap isn’t about mastering every tool. It’s about knowing what affects reliability in production.

Watch Now
Videos
card image
Feb 18, 2026
Build Typed AI Agents in Java with Embabel

Most Java AI demos stop at prompt loops. That doesn't scale in production. In this video, we integrate Embabel into an existing Spring Boot application and build a multi-step, goal-driven agent for incident triage. Instead of manually orchestrating prompt → tool → prompt cycles, we define typed actions and let the agent plan across deterministic and LLM-powered steps. We parse structured input with Ollama, query MongoDB deterministically, classify risk using explicit thresholds, rank affected implants, generate a constrained root cause hypothesis, and produce a bounded containment plan. LLM handles reasoning. Java enforces rules. This is about controlled AI workflows on the JVM — not prompt glue code.

Watch Now
Videos
card image
Feb 12, 2026
Spring Data MongoDB: From Repositories to Aggregations

Spring Data MongoDB breaks down fast once CRUD meets production—real queries, actual data volumes, analytics. What looks simple at first quickly turns into unreadable repository methods, overfetching, and slow queries. In this video, I walk through building a production-style Spring Boot application using Spring Data MongoDB — starting with basic setup and repositories, then moving into indexing, projections, custom queries, and aggregation pipelines. You'll see how MongoDB's document model changes data design compared to SQL, when embedding helps, and when it becomes a liability. We cover where repository method naming stops scaling, how to use @Query safely, when to switch to MongoTemplate, and how to reduce payload size with projections and DTOs. Finally, we implement real MongoDB aggregations to calculate analytics directly in the database and test everything against a real MongoDB instance using Testcontainers. This is not another MongoDB overview. It's a practical guide to actually using Spring Data MongoDB in production without fighting the database.

Watch Now