Container base images serve as the foundation layer for every containerized application, defining the operating system, libraries, and utilities available to your application at runtime. These images range from full-featured Linux distributions to stripped-down minimal images containing only essential components. Choosing the right base image directly impacts your application's security posture, image size, build time, compatibility, and runtime performance — making it one of the most critical decisions in container architecture. The key mental model: smaller attack surface equals fewer vulnerabilities, but compatibility trade-offs must be carefully evaluated against your specific application dependencies and deployment environment.
What This Cheat Sheet Covers
This topic spans 15 focused tables and 96 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Common Base Image Types
| Type | Example | Description |
|---|---|---|
| Alpine | `FROM alpine:3.20` | Minimal Linux distribution (~5 MB) using musl libc and BusyBox; popular for small images but requires careful handling of glibc dependencies |
| Debian slim | `FROM debian:trixie-slim` | Stripped Debian variant (~75 MB) removing documentation and uncommon utilities while maintaining glibc compatibility; balanced choice for most applications |
| Ubuntu | `FROM ubuntu:24.04` | Full-featured distribution (124 MB) with extensive package availability via apt; preferred when compatibility and familiarity outweigh size concerns |
| Distroless | `FROM gcr.io/distroless/base-debian12` | Google's minimal images (~2 MB) containing only application runtime with no shell, package manager, or OS utilities; maximizes security by eliminating attack surface |
| Scratch | `FROM scratch` | Empty image (0 bytes) signaling Docker to start from nothing; used exclusively for static binaries compiled with all dependencies embedded |
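
The check below is an added example, not part of the original cheat sheet: it resolves which external image the final stage of a multi-stage Dockerfile actually ships on and reports that image's Table 1 traits. The function names, the `TRAITS` lookup, and the sample Dockerfile are constructed for illustration; the package-manager flags for Alpine and Debian are filled in from general knowledge rather than from the table.

```python
import re

# Runtime traits per base image family, following Table 1.
# "distroless-base" covers gcr.io/distroless/base-* only, the variant the table lists.
TRAITS = {
    "alpine":          {"libc": "musl",  "shell": True,  "package_manager": True},
    "debian":          {"libc": "glibc", "shell": True,  "package_manager": True},
    "ubuntu":          {"libc": "glibc", "shell": True,  "package_manager": True},
    "distroless-base": {"libc": "glibc", "shell": False, "package_manager": False},
    "scratch":         {"libc": None,    "shell": False, "package_manager": False},
}

FROM_RE = re.compile(r"FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?$", re.IGNORECASE)

def final_base_image(dockerfile: str) -> str:
    """Return the external image the last stage is ultimately built FROM."""
    stages, resolved = {}, None
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line.strip())
        if not m:
            continue
        image, alias = m.groups()
        # A FROM may name an earlier stage; follow it back to that stage's base.
        resolved = stages.get(image.lower(), image)
        if alias:
            stages[alias.lower()] = resolved
    if resolved is None:
        raise ValueError("no FROM instruction found")
    return resolved

def family(image: str) -> str:
    """Map an image reference to a Table 1 family, or 'unknown'."""
    repo = image.split("@", 1)[0]             # drop any digest
    head, _, last = repo.rpartition("/")      # registry/namespace vs. image name
    last = last.split(":", 1)[0]              # drop any tag
    if head.endswith("distroless") and last.startswith("base"):
        return "distroless-base"
    return last if last in TRAITS else "unknown"

def audit(dockerfile: str) -> dict:
    image = final_base_image(dockerfile)
    fam = family(image)
    return {"image": image, "family": fam, **TRAITS.get(fam, {})}

# Constructed sample: the build stage is discarded, only the last stage ships.
SAMPLE = """\
FROM --platform=linux/amd64 golang:1.22 AS build
RUN go build -o /app .
FROM gcr.io/distroless/base-debian12 AS runtime
FROM runtime
COPY --from=build /app /app
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An `unknown` family (for example a base set through a build argument) means the image is not one of the Table 1 types and needs manual review.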