How to Move From Distribution-Based Images to Distroless With Minimus

By
Patrick Maddox
December 12, 2025

Container images built on traditional Linux distributions like Red Hat UBI, Debian, Ubuntu, and Fedora have long been the standard for application deployment. However, these images come with significant security and operational overhead. 

In this blog, we take a closer look at why distroless images offer a more secure foundation and what teams can do to migrate without disrupting their workflows.

The Limitations of Traditional Distribution-Based Images

Traditional distribution-based images include many components that are unnecessary for production runtime environments, such as package managers, shells, and numerous utilities that expand the attack surface and increase image size. 

These components often ship without secure defaults so that teams building on top of them have the most flexibility for the applications that will run inside the container.

This leads to several disadvantages:

  • Higher CVE exposure across libraries and tools unrelated to the application
  • More frequent and time-sensitive patching cycles driven by the underlying distribution
  • Larger images that increase registry storage costs and slow CI/CD pipelines
  • Greater risk of configuration drift and inconsistent hardening across teams
  • More complex vulnerability reports and SBOMs due to the volume of bundled components

Why Distroless Images Are Better for Container Security

Distroless images are container images that remove the full Linux distribution and include only the application and its required runtime libraries, nothing more. 

By removing everything except the runtime requirements and direct dependencies, distroless images dramatically reduce the attack surface. Without shells, package managers, or development utilities, these images provide a minimal, hardened foundation for production workloads. Key security advantages include:

  • Distroless images have significantly fewer vulnerabilities (Minimus specifically has 97% fewer on average)
  • No shell access makes post-exploitation significantly harder
  • Fewer dependencies simplify vulnerability management and auditing
  • Consistent, minimal environments reduce drift and improve reliability

Security best practices are clear: every additional component is another potential vulnerability. Distroless images remove that unnecessary exposure, making them superior for container security. 

The Migration Challenge from Distro-Based to Distroless Images

Even though distroless images offer clear security and operational benefits, migrating to them can be difficult. The primary challenge when adopting distroless images is the build process itself. 

Traditional Dockerfiles rely on distribution package managers like `apt-get`, `yum`, or `dnf` to install dependencies during image construction. A pure distroless image cannot accommodate these commands. This creates a migration barrier for teams accustomed to traditional workflows and often forces them to rethink pipelines or maintain two separate images for the same application.

Using Minimus Images to Make Migration Easier

Minimus solves this challenge through its complementary image pair strategy. Every Minimus image version comes in two variants: a production image and a dev image. 

The production image is lean and distroless, containing only runtime essentials. The dev variant includes development tools, a shell, and a package manager: everything needed to build and test applications using familiar workflows. 

This pairing gives the flexibility of traditional images during development while delivering the security and efficiency of distroless images in production. 

How to Switch To Distroless Using Minimus Images

You can migrate to Minimus images in two phases. The first is a simple drop-in change: swap your build stage for the Minimus -dev image and your final stage for the production image. This delivers immediate wins, letting you ship distroless images without rewriting pipelines or changing development habits. 

The second phase involves using the Minimus Image Creator to build fully customized, pre-configured distroless images tailored to your exact needs.

Phase 1: Multi-Stage Builds with DEV Variants

Start your migration by leveraging Minimus dev images in multi-stage Dockerfiles. Use the `-dev` variant (e.g., `dotnet-sdk:latest-dev`) for build stages where you need package managers and development tools. Then copy your artifacts into the production Minimus image for the final runtime stage.

This approach allows you to maintain your existing build processes while immediately benefiting from distroless production images. You can continue using `apk`, `curl`, and other familiar commands in your build stages, while your final image remains minimal and secure.
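
The Phase 1 pattern as a multi-stage Dockerfile. This is an added example, not taken from Minimus documentation. Assumptions: the registry host is a placeholder, `dotnet-runtime:latest` is an assumed name for the production variant, and `MyApp` and UID 65532 are constructed values; only `dotnet-sdk:latest-dev` comes from the article.

```dockerfile
# syntax=docker/dockerfile:1
# REGISTRY is a placeholder; set it to the registry your images are pulled from.
ARG REGISTRY=registry.example.invalid

# ---- Build stage: -dev variant (shell + package manager available) ----
FROM ${REGISTRY}/dotnet-sdk:latest-dev AS build
# Assumption: the dev image may default to a non-root user, so switch to
# root only for the build-time package install.
USER root
RUN apk add --no-cache curl
WORKDIR /src
# Restore before copying sources so the dependency layer stays cached.
COPY MyApp.csproj ./
RUN dotnet restore
COPY . .
RUN dotnet publish -c Release -o /out --no-restore

# ---- Runtime stage: distroless production image ----
# Assumed image name for the production variant (not stated in the article).
FROM ${REGISTRY}/dotnet-runtime:latest AS runtime
WORKDIR /app
# Only the published output crosses the stage boundary; curl, apk and the
# SDK stay behind in the build stage.
COPY --from=build /out/ ./
# No RUN instructions here: there is no /bin/sh to execute them.
# Numeric UID (constructed value) works without an /etc/passwd entry.
USER 65532:65532
# Exec form is required; shell-form ENTRYPOINT/CMD/HEALTHCHECK would need /bin/sh.
ENTRYPOINT ["dotnet", "MyApp.dll"]
```

Any step that needs a shell or package manager (file permission changes, certificate installs, downloads) has to run in the build stage and be brought across with `COPY --from=build`.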

Phase 2: Customization with Minimus Image Creator

Next, you can use the Minimus Image Creator to create private, customized images by selecting a Minimus starter image and adding only the specific packages your application requires. Instead of installing packages at build time, you pre-configure your image with exactly what you need. This simplifies Dockerfiles, reduces build complexity, and further optimizes your container security posture. 

The Image Creator supports up to 100 added packages and allows you to define custom environment variables, creating images tailored to your exact requirements. It builds your custom image, maintains it over time, and provides a complete SBOM for security and compliance.

Get Started with Distroless the Easy Way

Migrating to distroless images doesn't require abandoning your current workflows. Minimus dev variants provide a bridge that lets you build the way you do today while deploying more secure production images. As you mature your container strategy, the Minimus Image Creator offers a path to fully optimized, custom distroless images that combine security, simplicity, and maintainability.

For smaller, faster, more secure containers without disrupting developer workflows, try Minimus today.

Patrick Maddox
VP Solutions Architecture