The Prometheus image bundles the Prometheus server binary and its runtime dependencies, the TSDB engine, rule evaluation and alerting components, the built-in web UI, and service-discovery adapters. It exposes configuration, rule and storage mount points and runs the Prometheus process as the container entrypoint.
In containerized and production deployments, teams run the image as a scrape/ingest node (handling thousands of scrape targets, rule evaluation, alert generation and remote_write to long-term storage), often sharded or paired for HA with external durable storage. For secure or regulated environments, teams may evaluate a Prometheus hardened image that enforces non-root execution, minimal OS libraries, reproducible builds, signed artifacts and timely CVE patches to reduce attack surface and support compliance validation.
Unlike many typical Prometheus container images that layer a general-purpose base distribution, package managers, and extra tooling, the Minimus Prometheus image is built from scratch and includes only the Prometheus binary and the minimal runtime components required to operate. That reduced attack surface makes it faster to start, lighter in footprint, and easier to maintain and patch, while minimizing the number of packages and services that require monitoring or hardening.
Minimus images are hardened to industry standards, and the Minimus hardened Prometheus image incorporates guidance from NIST SP 800-190 and applicable CIS Benchmarks—applying secure defaults, least-privilege runtime settings, stripped tooling, and configuration hardening to simplify compliance assessments and improve operational security for engineering and security teams.
Prometheus is an open-source monitoring and alerting system designed for reliability and scale. It collects metrics from services via instrumented endpoints, stores them as time series, and uses PromQL for flexible querying and alerting.
In container environments, you deploy it as a container image and configure targets, scrapes, and alerting rules. For security and compliance, you can run a hardened Prometheus image with reduced privileges and minimal surface area.
Loki is a log aggregation system that complements Prometheus by indexing and querying logs alongside metrics. Prometheus collects time-series metrics by scraping endpoints and uses PromQL for analysis. Loki stores logs as streams with labels and uses LogQL to filter and enrich logs. Used together with Grafana, they provide end-to-end observability: metrics, logs, and traces when tracing data is available.
Deployment typically uses separate container images: use a Prometheus image to run the metrics server and Loki's image for log ingestion. For production security, consider a hardened Prometheus image.
A Prometheus container is a containerized instance of the Prometheus server, packaged as a container image.
It runs inside a container runtime (Docker, containerd), exposes the Prometheus web UI on port 9090, and stores time-series data locally.
This setup scrapes targets, stores metrics, and serves queries from its endpoint. For production, use a hardened Prometheus image to reduce attack surface and improve security.
docker run -d --name prometheus -p 9090:9090 -v "$PWD/prometheus.yml:/etc/prometheus/prometheus.yml" prom/prometheus:latest
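The lint below is an added example, not part of the original page or of any Prometheus or Minimus tooling. It checks a `docker run` command line for the least-privilege runtime settings the text names (non-root user, read-only root filesystem, dropped capabilities, no-new-privileges, read-only config mount, pinned image tag). The function name, finding messages and the hardened sample command are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint a `docker run` command line for least-privilege flags.
# Plain token matching (assumption: flags spelled as in the patterns below).
audit_docker_run() {
    user="" ro=no caps=no nnp=no cfg_rw=no floating=no prev=""
    set -f                              # no globbing while word-splitting $1
    for tok in $1; do
        case "$prev" in                 # join "--flag value" into "--flag=value"
            --user|-u|--cap-drop|--security-opt|-v|--volume) arg="$prev=$tok" ;;
            *) arg=$tok ;;
        esac
        prev=$tok
        case "$arg" in
            --user=*|-u=*) user=${arg#*=} ;;
            --read-only) ro=yes ;;
            --cap-drop=ALL|--cap-drop=all) caps=yes ;;
            --security-opt=no-new-privileges) nnp=yes ;;
            --security-opt=no-new-privileges[:=]true) nnp=yes ;;
            -v=*:/etc/prometheus/*|--volume=*:/etc/prometheus/*)
                case "$arg" in *:ro) ;; *) cfg_rw=yes ;; esac ;;
            *:latest) floating=yes ;;
        esac
    done
    set +f
    case "$user" in
        "") echo "user: not set, container relies on the image default" ;;
        0|0:*|root|root:*) echo "user: runs as root" ;;
    esac
    [ "$ro" = yes ] || echo "rootfs: writable, add --read-only"
    [ "$caps" = yes ] || echo "caps: default set kept, add --cap-drop=ALL"
    [ "$nnp" = yes ] || echo "privs: add --security-opt no-new-privileges"
    [ "$cfg_rw" = no ] || echo "config: mounted read-write, append :ro"
    [ "$floating" = no ] || echo "image: floating :latest tag, pin a version or digest"
}

# The page's docker run command (quotes omitted; the lint splits on whitespace),
# then a constructed hardened variant. The host path, volume name and
# PINNED_TAG are placeholders, not values from the page.
PAGE_CMD='docker run -d --name prometheus -p 9090:9090 -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml prom/prometheus:latest'
HARDENED_CMD='docker run -d --name prometheus --user 65534:65534 --read-only --cap-drop=ALL --security-opt no-new-privileges -p 9090:9090 -v /srv/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro -v prometheus-data:/prometheus prom/prometheus:PINNED_TAG'

echo "== page command ==";     audit_docker_run "$PAGE_CMD"
echo "== hardened variant =="; audit_docker_run "$HARDENED_CMD"
```

The lint reports six findings for the page's command and none for the hardened variant; it does not detect an image reference with no tag at all, which also resolves to `latest`.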