Skip to content
πŸ₯‘ Language focused docker images, minus the operating system.
Python Shell
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
base Upgrade BusyBox to 1.31.0 (#437) Nov 22, 2019
cacerts Format .bzl files as well as BUILD and WORKSPACE Aug 25, 2019
cc Rename -debian(9|10) to _debian(9|10) to match Bazel conventions (#416) Oct 14, 2019
examples Upgrade Node.js example Oct 29, 2019
experimental Rename -debian(9|10) to _debian(9|10) to match Bazel conventions (#416) Oct 14, 2019
hack Fix bash script Jan 18, 2019
java Fix image repository inconsistencies Oct 30, 2019
package_manager package_manager.bzl: Use newest version to support Debian 10 Oct 13, 2019
.bazelrc Fix the workspace status issue by moving the file. (#184) Apr 17, 2018
.gitignore Add glibc + ca-certs base image May 10, 2017
.travis.yml .travis.yml: Use Bazel 1.0.0 Oct 13, 2019
BUILD Fix image repository inconsistencies Oct 30, 2019
BUILD.jetty Remove the .tar.gz's from the dotnet, jetty and nodejs images. (#147) Dec 5, 2017 Add link to the CLA about page (#363) May 15, 2019
LICENSE Initial license boilerplate. Apr 12, 2017 Link to Google group, slack Nov 2, 2019 Add the start of a README. (#39) May 25, 2017
WORKSPACE Upgrade BusyBox to 1.31.0 (#437) Nov 22, 2019 Format .bzl files as well as BUILD and WORKSPACE Aug 25, 2019
cloudbuild.yaml Rename -debian(9|10) to _debian(9|10) to match Bazel conventions (#416) Oct 14, 2019 Fix build (#389) Jul 25, 2019

"Distroless" Docker Images

Build Status

"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

For more information, see this talk (video).

Why should I use distroless images?

Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.

How do I use distroless images?

These images are built using the bazel tool, but they can also be used through other Docker image build tooling.


Note that distroless images by default do not contain a shell. That means the Dockerfile ENTRYPOINT command, when defined, must be specified in vector form, to avoid the container runtime prefixing with a shell.

This works:

ENTRYPOINT ["myapp"]

But this does not work:


For the same reasons, if the entrypoint is left to the default empty vector, the CMD command should be specified in vector form (see examples below).


Docker multi-stage builds make using distroless images easy. Follow these steps to get started:

Examples with Docker

Here's a quick example for go:

# Start by building the application.
FROM golang:1.13-buster as build

WORKDIR /go/src/app
ADD . /go/src/app

RUN go get -d -v ./...

RUN go build -o /go/bin/app

# Now copy it into our base image.
COPY --from=build /go/bin/app /
CMD ["/app"]

You can find other examples here:

To run any example, go the the directory for the language and run

docker build -t myapp .
docker run -t myapp

To run the Node.js Express app node-express and expose the container's ports:

npm install #Install express and its transitive dependencies
docker build -t myexpressapp . # Normal build command
docker run -p 3000:3000 -t myexpressapp

This should expose the Express application to your localhost:3000


For full documentation on how to use bazel to generate Docker images, see the bazelbuild/rules_docker repository.

For documentation and examples on how to use the bazel package manager rules, see ./package_manager

Examples can be found in this repository in the examples directory.

Examples with Bazel

We have some examples on how to run some common application stacks in the /examples directory. See here for:

See here for examples on how to complete some common tasks in your image:

See here for more information on how these images are built and released.


For full documentation on how to use Jib to generate Docker images from Maven and Gradle, see the GoogleContainerTools/jib repository.

Base Operating System

Originally these images were based on Debian 9 (stretch). We now also provide images based on Debian 10 (buster), and tag images with -debian9 or -debian10 suffixes. We recommend referencing the appropriate distribution explicitly, since otherwise your build will break when the next Debian version is released.

CVE and Patching

Distroless tracks Debian 9 (stretch, oldstable currently) and Debian 10. A commit is needed in this repository to update the snapshot version when security fixes are release. Check for any patches to address security issues and update. Check issues and PRs for the patch and update your builds.

Debug Images

Distroless images are minimal and lack shell access. The :debug image set for each language provides a busybox shell to enter.

For example:

cd examples/python2.7/

edit the Dockerfile to change the final image to :debug:

COPY . /app
CMD ["", "/etc"]

then build and launch with an shell entrypoint:

$ docker build -t my_debug_image .
$ docker run --entrypoint=sh -ti my_debug_image

/app # ls
BUILD       Dockerfile

Note: If the image you are using already has a tag, for example, use the tag <existing tag>-debug instead, for example

Note: ldd is not installed in the base image as it's a shell script, you can copy it in or download it.

Community Discussion

You can’t perform that action at this time.