5 Opinions on Distroless Images for Java Apps in 4 Minutes

Catherine Edelveis
Catherine Edelveis

Transcript

Hi friends! Let’s discuss facts and fiction related to distroless images.

There’s no Linux in distroless.

Fact or fiction?

Truly distroless images are made FROM scratch, but they are suitable for simple statically linked apps. Not all enterprise apps can be run from scratch as there is no certificate data or other necessary components.

So, ready distroless images do contain a Linux distro, but a very stripped-down one, without a package manager, shell, or other typical Linux components. This approach is in line with the modern practices of running an application in the immutable container.

The answer is: fiction

Distroless are smaller than the usual Docker images.

Fact or fiction?

There are distroless images as small as two MB. They are great for statically linked apps. For the applications with dynamic features, there are distroless images with libc: Debian glibc from google, and Wolfi glibc and Alpine musl from Chainguard, for instance. They, too, are quite small. But If you have a Java app, you need a JRE. So the distroless image for Java includes a libc plus an OpenJDK distribution, and so it is a lot bigger.

The answer is: fact, but not for Java apps

Distroless are more secure than the usual Docker images.

Fact or fiction?

It is said that distroless have a smaller attack surface. However, the attack surface is not the sum of all software components but of attack vectors — the potentially exploitable paths. It means that not all files in your container can be used by attackers. Files in the direct execution path, such as libc, for instance, are at a higher risk of exploits.

Even though distroless are smaller, they are still not foolproof. They contain a Linux distro and an OpenJDK distribution in the case of Java apps, so if these components are not secure - the image will be insecure too. The answer is: fiction

Distroless are difficult to debug.

Fact or fiction?

Distroless containers are hard to debug due to the absence of shell access. You need to master advanced Kubernetes techniques or introduce other technologies into your project, such as ephemeral containers. Besides, if your app doesn’t fit perfectly into a ready image, configuration of distroless images is not that simple either. To adjust Google's images, for example, you need to know bazel, and adding new packages is complicated without a package manager. The answer is: fact

Distroless images are a good choice for enterprise applications.

Fact or fiction?

Distroless are good for specific cases. Statically linked applications will benefit from small images, plus popular distroless images from Google or Chainguard are established and reliable.

But in the case of Java, choosing a right base image for your Java app might be better. Consider a secure Liberica Runtime Container, which is only about 40 MB in size and based on Liberica JDK and Alpaquita Linux. The answer is: fact, but not for all use cases

And these were five opinions on distroless images. To find out more, read our FAQ on this solution. The link is in the description.

Do you consider using distroless for your application? What do you think is better, distroless or a lightweight base OS image for containers? Share your thoughts in the comments.

About Catherine

Java developer passionate about Spring Boot. Writer. Developer Advocate at BellSoft

Social Media

Videos
card image
Mar 9, 2026
jOOQ Deep Dive: CTE, MULTISET, and SQL Pipelines

Some backend developers reach the point where the ORM stops being helpful. Complex joins, nested result graphs, or CTE pipelines quickly push frameworks like Hibernate to their limits. And when that happens, teams often end up writing fragile raw SQL strings or fighting performance issues like the classic N+1 query problem. In this video, we build a healthcare scheduling application NeonCare using jOOQ, Spring Boot 4, and PostgreSQL, and show how to write production-grade SQL directly in Java while keeping full compile-time type safety.

Watch Now
Videos
card image
Feb 27, 2026
Spring Developer Roadmap 2026: What You Need to Know

Spring Boot is powerful. But knowing the framework isn’t the same as understanding backend engineering. In this video, I walk through the roadmap I believe matters for a Spring developer in 2026. We start with data. That means real SQL — CTEs, window functions, normalization trade-offs — and understanding what ACID and BASE actually imply for system guarantees. Spring Data JPA is useful, but you still need to know what happens underneath. Then architecture: microservices vs modular monolith, serverless, CQRS, and when HTTP, gRPC, Kafka, or WebSockets make sense. Not as buzzwords — but as design choices with trade-offs. Security and infrastructure follow: OWASP Top 10, AuthN vs AuthZ, encryption in transit and at rest, Docker, Kubernetes, Infrastructure as Code, and observability with Micrometer, OpenTelemetry, and Grafana. This roadmap isn’t about mastering every tool. It’s about knowing what affects reliability in production.

Watch Now

Further watching

Videos
card image
Apr 2, 2026
Java Memory Options You Need in Production

JVM memory tuning can be tricky. Teams increase -Xmx and assume the problem is solved. Then the app still hits OOM. Because maximum heap size is not the only thing that affects memory footprint. The JVM uses RAM for much more than heap: metaspace, thread stacks, JIT/code cache, direct buffers, and native allocations. That’s why your process can run out of memory while heap still looks “fine”. In this video, we break down how JVM memory actually works and how to control it with a minimal, production-safe set of flags. We cover heap sizing (-Xms, -Xmx), dynamic resizing, direct memory (-XX:MaxDirectMemorySize), and total RAM limits (-XX:MaxRAMPercentage) — especially in containerized environments like Docker and Kubernetes. We also explain GC choices such as G1, ZGC, and Shenandoah, when defaults are enough, and why GC logging (-Xlog:gc*) is mandatory before tuning. Finally, we show how to diagnose failures with heap dumps and OOM hooks. This is not about adding more flags. It’s about understanding what actually consumes memory — and making decisions you can justify in production.

Watch Now
Videos
card image
Mar 26, 2026
Java Developer Roadmap 2026: From Basics to Production

Most Java roadmaps teach tools. This one teaches order — the only thing that actually gets you to production. You don’t need to learn everything. You need to learn the right things, in the right sequence. In this video, we break down a practical Java developer roadmap for 2026 — from syntax and OOP to Spring, databases, testing, and deployment. Structured into 8 levels, it shows how real engineers grow from fundamentals to production-ready systems. We cover what to learn and what to ignore: core Java, collections, streams, build tools, Git, SQL and JDBC before Hibernate, the Spring ecosystem, testing with JUnit, and deployment with Docker and CI/CD. You’ll also understand why most developers get stuck — jumping into frameworks too early, skipping SQL, or treating tools as knowledge. This roadmap gives you a clear path into real-world Java development — with priorities, trade-offs, and production context.

Watch Now
Videos
card image
Mar 19, 2026
TOP-5 Lightweight Linux Distributions for Containers

In this video, we compare five lightweight Linux distributions commonly used as base images: Alpine, Alpaquita, Chiseled Ubuntu, RHEL UBI Micro, and Wolfi. There are no rankings or recommendations — just a structured look at how these distros differ so you can evaluate them in your own context.

Watch Now