Container base images serve as the foundation layer for every containerized application, defining the operating system, libraries, and utilities available to your application at runtime. These images range from full-featured Linux distributions to stripped-down minimal images containing only essential components. Choosing the right base image directly impacts your application's security posture, image size, build time, compatibility, and runtime performance — making it one of the most critical decisions in container architecture. The key mental model: smaller attack surface equals fewer vulnerabilities, but compatibility trade-offs must be carefully evaluated against your specific application dependencies and deployment environment.
What This Cheat Sheet Covers
This topic spans 16 focused tables and 124 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Common Base Image Types
Understanding the major families of base images — their size, runtime, and security trade-offs — is the starting point for every container architecture decision.
| Type | Example | Description |
|---|---|---|
| Alpine | `FROM alpine:3.21` | • Minimal Linux distribution (~5 MB) using musl libc and BusyBox • popular for small images but requires careful handling of glibc dependencies |
| Debian Slim | `FROM debian:trixie-slim` | • Stripped Debian variant (~75 MB) removing documentation and uncommon utilities while maintaining glibc compatibility • balanced choice for most applications |
| Ubuntu | `FROM ubuntu:24.04` | • Full-featured distribution (~124 MB) with extensive package availability via apt • preferred when compatibility and developer familiarity outweigh size concerns |
| Distroless | `FROM gcr.io/distroless/base-debian13` | • Google's minimal images (~20 MB) containing only the application runtime with no shell, package manager, or OS utilities • maximizes security by eliminating attack surface |
| Scratch | `FROM scratch` | • Empty image (0 bytes) signaling Docker to start from nothing • used exclusively for static binaries compiled with all dependencies embedded |
| Wolfi | `FROM cgr.dev/chainguard/wolfi-base` | • Undistro Linux built specifically for containers with glibc, the apk package manager, and designed for near-zero CVEs • continuously rebuilt when vulnerabilities are discovered |
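The table's "static binaries with all dependencies embedded" pattern for `scratch` is easiest to see as a multi-stage build. The Dockerfile below is an added example written for this cheat sheet, not code from the cheat sheet itself or from any of the projects named in the table. It assumes a Go module in the build context with its main package at `./cmd/app` (a hypothetical path); the Go builder tag and the `/out/app` output path are also assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: compile a static Go binary in a full toolchain image, then
# ship only that binary on an empty base. Assumes ./cmd/app and go.mod exist.

# ---- build stage: full distribution with compiler; never shipped ----
FROM golang:1.23 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 drops the glibc/musl dependency so the binary runs on scratch;
# -trimpath and -ldflags="-s -w" strip build paths and debug symbols.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app
# scratch has no /etc/passwd, so write a minimal one for a non-root user.
RUN echo "app:x:10001:10001::/:/sbin/nologin" > /tmp/passwd

# ---- runtime stage: 0-byte base, only what the binary needs at runtime ----
FROM scratch
# TLS roots are absent from scratch; copy the bundle from the builder so
# outbound HTTPS calls can verify certificates.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /tmp/passwd /etc/passwd
COPY --from=build /out/app /app
# Run as the unprivileged uid/gid defined above (no shell exists to escalate with).
USER 10001:10001
ENTRYPOINT ["/app"]

# Alternative runtime stage (replace the FROM scratch stage): the distroless
# base from the table already carries a CA bundle and /etc/passwd, so the
# two COPY --from=build lines for them become unnecessary.
# FROM gcr.io/distroless/base-debian13
```

Build and run with `docker build -t app:scratch .` and `docker run --rm app:scratch`. The trade-off the table describes applies directly: the resulting image has no shell, so `docker exec -it ... sh` will fail, and troubleshooting has to be done from the build stage image, a sidecar, or a debug variant of the base rather than inside the running container. If the application needs CGO (for example, a C-backed SQLite driver), the `CGO_ENABLED=0` build fails and a glibc-bearing base such as `debian:trixie-slim` or `wolfi-base` is the appropriate runtime stage instead.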