Container Image Optimization: Reducing Size and Improving Security with Distroless Images

Insight
June 23, 2025

What if we told you that your 361MB container could become 9MB without losing any functionality? And that this transformation would eliminate 95% of your security vulnerabilities while making deployments 10x faster?

We've all reached for Ubuntu as our base image because it felt safe, familiar, and came with everything we might need. Three months later, we're wondering why our simple Go binary is shipping in a container the size of a small operating system, taking 12 minutes to deploy, and flagging 47 CVEs in our security scans.

This technical guide examines container image optimization strategies, focusing on distroless images as a method to achieve these dramatic improvements. We'll cover the technical implementation details, performance implications, and security benefits backed by real-world metrics from production deployments.

What is Distroless Containers ?

Traditional container images bundle everything an application needs to run—this includes the application itself, its runtime, required libraries, and various utilities. While this all-in-one approach is convenient, it also introduces several drawbacks:

  • Large size: These containers often include a full operating system along with the application, dependencies, utilities, and other extras. When deploying at scale, this can lead to significant resource consumption.
  • Expanded attack surface: With more software packed into the container, there are more potential vulnerabilities. This increases the likelihood of security incidents.
  • Management complexity: Traditional containers often rely on package managers and other system-level components that can introduce configuration challenges and potential security gaps.

To address these issues, many organizations are turning to distroless containers. These minimalist images strip away everything but the essentials—the application and its critical runtime dependencies. By omitting extras like package managers, shell utilities, and unnecessary libraries, distroless containers offer several key benefits: faster deployment, reduced disk usage, and enhanced security due to a smaller attack surface.

Technical Analysis of Container Image Bloat

Filesystem Layer Overhead

Traditional container images suffer from significant filesystem overhead due to package management systems and unnecessary binaries:

# Typical Ubuntu-based approach
FROM ubuntu:24.04

RUN apt-get update && apt-get install -y \
    ca-certificates \
    curl \
    wget \
    vim \
    bash \
    # Results in 200+ packages, 15+ filesystem layers

Technical Impact Analysis

  • Base layer size: Ubuntu 24.04 base layer: ~72MB compressed, ~196MB uncompressed
  • Package overhead: Each installed package adds filesystem entries, shared libraries, and metadata
  • Layer multiplication: Each RUN command creates a new filesystem layer, increasing storage overhead
  • Registry bandwidth*: Large images consume significant bandwidth during pulls and pushes

Security Surface Area Calculation

Every installed package represents potential attack vectors. Analysis of a typical Ubuntu base image reveals:

# Package analysis on ubuntu:22.04
$ dpkg -l | wc -l
247 packages

# CVE exposure analysis
$ apt list --installed | xargs -I {} sh -c 'apt-cache show {} | grep CVE' | wc -l
~50-80 potential CVEs per base image

Attack Vector Categories

  • Shell access: `/bin/bash`, `/bin/sh` enable command execution
  • Package managers: `apt`, `dpkg` allow software installation
  • Network utilities: `curl`, `wget` enable data exfiltration
  • System utilities: `ps`, `netstat`, `ss` provide system reconnaissance
  • Text editors: `vim`, `nano` allow file modification

Container Optimization Strategies

Multi-Stage Build Architecture

Multi-stage builds separate build-time dependencies from runtime requirements, reducing final image size and attack surface:

# Build stage - contains compilation tools and dependencies
FROM golang:1.21-alpine AS builder

RUN apk add --no-cache git ca-certificates
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download

COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build \
    -a -installsuffix cgo \
    -ldflags '-extldflags "-static" -s -w' \
    -o main .

# Runtime stage - minimal runtime environment
FROM alpine:3.18
RUN apk --no-cache add ca-certificates
COPY --from=builder /app/main .
CMD ["./main"]

Technical Benefits

  • Layer optimization: Build artifacts don't persist in final image
  • Dependency isolation: Build tools (compilers, dev libraries) excluded from runtime
  • Size reduction: Typically 60-80% reduction compared to single-stage builds
Alpine Linux: Technical Trade-offs

Alpine Linux uses musl libc instead of glibc, creating compatibility considerations:

FROM alpine:3.18
RUN apk add --no-cache ca-certificates
COPY app /app
CMD ["/app"]

Technical Characteristics

  • Base size: ~5MB compressed, ~15MB uncompressed
  • Package count: ~30 packages in base image
  • libc implementation: musl libc vs glibc compatibility issues
  • Security model: Hardened by default with stack smashing protection

Compatibility Considerations

  • DNS resolution: musl libc DNS resolver behavior differs from glibc
  • Threading: pthread implementation differences
  • Locale support: Limited locale support compared to glibc
  • Binary compatibility: Statically linked binaries recommended
Distroless Images: Minimal Runtime Environments

Distroless images contain only application runtime dependencies, eliminating unnecessary system components:

# Available distroless base images
gcr.io/distroless/static-debian11        # Static binaries (Go, Rust, C++)
gcr.io/distroless/base-debian11          # Dynamic binaries with glibc
gcr.io/distroless/java17-debian11        # Java 17 runtime
gcr.io/distroless/python3-debian11       # Python 3 runtime
gcr.io/distroless/nodejs18-debian11      # Node.js 18 runtime
Distroless Implementation Deep Dive

Technical Architecture

Distroless images are constructed by extracting minimal runtime components from Debian packages:

Included Components:

  • Application runtime (JVM, Python interpreter, Node.js)
  • Essential shared libraries (libc, libssl, libcrypto)
  • CA certificates for TLS verification
  • Timezone data
  • User/group configuration (nonroot user)

Excluded Components:

  • Shell interpreters (`/bin/sh`, `/bin/bash`)
  • Package managers (`apt`, `dpkg`)
  • System utilities (`ps`, `ls`, `cat`)
  • Network tools (`curl`, `wget`, `netstat`)
  • Text editors and debugging tools

Static Binary Compilation for Distroless

For Go applications, static compilation eliminates runtime dependencies:

FROM golang:1.21-alpine AS builder

WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download

COPY . .
# Static compilation flags
RUN CGO_ENABLED=0 GOOS=linux go build \
    -a -installsuffix cgo \
    -ldflags '-extldflags "-static" -s -w' \
    -tags netgo \
    -o main .

FROM gcr.io/distroless/static-debian11:nonroot
COPY --from=builder /app/main .
ENTRYPOINT ["./main"]

Compilation Flags Explained:

  • `CGO_ENABLED=0`: Disables CGO, forcing static linking
  • `-a`: Force rebuilding of packages
  • `-installsuffix cgo`: Use different install suffix
  • `-extldflags "-static"`: Pass static flag to external linker
  • `-s -w`: Strip symbol table and debug information
  • `-tags netgo`: Use pure Go network stack

Performance Analysis and Benchmarks

Image Size Comparison

Based on our reference Go web service implementation:

Container Startup Performance

Benchmark results for container initialization:

# Startup time analysis (average of 10 runs)
Ubuntu Standard:    2.3s ± 0.4s
Alpine:            1.1s ± 0.2s  
Distroless:        0.8s ± 0.1s

# Memory usage at startup
Ubuntu Standard:    45MB RSS
Alpine:            12MB RSS
Distroless:        8MB RSS
Network Transfer Analysis

Registry pull performance over 100Mbps connection:

# Pull time analysis
Ubuntu Standard:    ~45 seconds
Alpine:            ~3 seconds
Distroless:        ~1.5 seconds

# Bandwidth utilization
Ubuntu Standard:    ~80MB transferred
Alpine:            ~8MB transferred  
Distroless:        ~3.5MB transferred
Security Analysis and Hardening
Attack Surface Reduction

Quantitative analysis of security improvements:

# Executable analysis
Ubuntu Standard:    1,247 executables in $PATH
Alpine:            156 executables in $PATH
Distroless:        1 executable (application binary)

# Shared library analysis  
Ubuntu Standard:    2,341 shared libraries
Alpine:            89 shared libraries
Distroless:        23 shared libraries
CVE Exposure Analysis

Security vulnerability analysis using Trivy scanner:

# CVE scan results (example from production deployment)
$ trivy image ubuntu:24.04
Total: 127 vulnerabilities (45 HIGH, 82 MEDIUM)

$ trivy image alpine:3.18  
Total: 12 vulnerabilities (2 HIGH, 10 MEDIUM)

$ trivy image gcr.io/distroless/static-debian11
Total: 0 vulnerabilities
Runtime Security Configuration

Enhanced security through runtime configuration:

# Production security hardening
docker run -d \
  --name secure-app \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid,size=100m \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --user 65534:65534 \
  --security-opt=no-new-privileges:true \
  --security-opt=seccomp=seccomp-profile.json \
  -p 8080:8080 \
  app:distroless

Security Configuration Explained

  • `--read-only`: Immutable root filesystem
  • `--tmpfs /tmp`: Writable temporary filesystem in memory
  • `--cap-drop=ALL`: Remove all Linux capabilities
  • `--cap-add=NET_BIND_SERVICE`: Add only required capabilities
  • `--user 65534:65534`: Run as nobody user
  • `--security-opt=no-new-privileges`: Prevent privilege escalation
  • `--security-opt=seccomp`: Apply syscall filtering

Conclusion

Container image optimization through distroless images provides significant technical benefits:

Quantified Improvements:

  • Size reduction: 90%+ smaller images (361MB → 9.27MB)
  • Security enhancement: 95%+ reduction in attack surface
  • Performance gains: 65% faster startup times
  • Resource efficiency: 80% reduction in memory footprint

Technical Implementation Requirements:

  • Static binary compilation for maximum compatibility
  • Comprehensive monitoring and observability integration
  • Security hardening through runtime configuration
  • Automated vulnerability scanning in CI/CD pipelines

Operational Considerations:

  • Modified debugging workflows using external tools
  • Enhanced logging and monitoring requirements
  • Supply chain security and image signing
  • Registry optimization and cleanup automatio

The migration to distroless images represents a fundamental shift toward minimal, secure container deployments that align with modern security best practices and operational efficiency requirements.

Continue reading

See all our news & insights

Is OSS secure enough?

Insight
June 17, 2025

Digital Sovereignty: Is Europe prepared?

Insight
May 20, 2025

Verpassen Sie nie wieder ein Update.

Abonnieren Sie Updates und Artikel ohne Spam.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Lassen Sie uns gemeinsam neue Möglichkeiten erkunden

Egal, ob Sie strategische Beratung, maßgeschneiderte Cloud-Lösungen, automatisierte Cloud-Operationen oder eine robuste Cloud-native Datenplattform benötigen, wir sind hier, um Sie in jeder Phase Ihrer Reise zu unterstützen.

Kontaktiere uns
cloud services
Cloud AssessmentCloud ModernizationCloud Cost OptimizationCloud Security
software factory
Plattform EngineeringCloud Native Engineering
Über
Über UnsInsights (English only)
Karriere
Hiring
TechnologieN
Kubernetes
© ape factory  2015 - 2025.
ImpressumDatenschutz