5 Opinions on Distroless Images for Java Apps in 4 Minutes

Transcript

Hi friends! Let’s discuss facts and fiction related to distroless images.

There’s no Linux in distroless.

Fact or fiction?

Truly distroless images are made FROM scratch, but they are suitable for simple statically linked apps. Not all enterprise apps can be run from scratch as there is no certificate data or other necessary components.

So, ready distroless images do contain a Linux distro, but a very stripped-down one, without a package manager, shell, or other typical Linux components. This approach is in line with the modern practice of running an application in an immutable container.

The answer is: fiction

Distroless are smaller than the usual Docker images.

Fact or fiction?

There are distroless images as small as two MB. They are great for statically linked apps. For the applications with dynamic features, there are distroless images with libc: Debian glibc from Google, and Wolfi glibc and Alpine musl from Chainguard, for instance. They, too, are quite small. But if you have a Java app, you need a JRE. So the distroless image for Java includes a libc plus an OpenJDK distribution, and so it is a lot bigger.

The answer is: fact, but not for Java apps

Distroless are more secure than the usual Docker images.

Fact or fiction?

It is said that distroless have a smaller attack surface. However, the attack surface is not the sum of all software components but of attack vectors — the potentially exploitable paths. It means that not all files in your container can be used by attackers. Files in the direct execution path, such as libc, for instance, are at a higher risk of exploits.

Even though distroless are smaller, they are still not foolproof. They contain a Linux distro and an OpenJDK distribution in the case of Java apps, so if these components are not secure, the image will be insecure too.

The answer is: fiction

Distroless are difficult to debug.

Fact or fiction?

Distroless containers are hard to debug due to the absence of shell access. You need to master advanced Kubernetes techniques or introduce other technologies into your project, such as ephemeral containers. Besides, if your app doesn’t fit perfectly into a ready image, configuration of distroless images is not that simple either. To adjust Google's images, for example, you need to know Bazel, and adding new packages is complicated without a package manager.

The answer is: fact

Distroless images are a good choice for enterprise applications.

Fact or fiction?

Distroless are good for specific cases. Statically linked applications will benefit from small images, plus popular distroless images from Google or Chainguard are established and reliable.

But in the case of Java, choosing the right base image for your Java app might be better. Consider a secure Liberica Runtime Container, which is only about 40 MB in size and based on Liberica JDK and Alpaquita Linux.

The answer is: fact, but not for all use cases

And these were five opinions on distroless images. To find out more, read our FAQ on this solution. The link is in the description.

Do you consider using distroless for your application? What do you think is better, distroless or a lightweight base OS image for containers? Share your thoughts in the comments.

About Catherine

Java developer passionate about Spring Boot. Writer. Developer Advocate at BellSoft
