5.3.2.3 Final Runtime Dependencies

A focused guide to Final Runtime Dependencies, connecting core concepts with practical Docker and container operations.

Final runtime dependencies are the libraries, shared objects, and other supporting files that a compiled application needs present at runtime, as distinct from the build-time dependencies needed only to produce it. Identifying and including them correctly is essential for a minimal final stage to actually work.

The Risk of Over-Minimizing

Choosing too minimal a final base — scratch, for instance — without accounting for a binary's actual runtime dependencies can produce an image that fails to run at all, because something the application genuinely needs (a dynamically linked library, certificate authority bundles) is simply not present.

FROM scratch
COPY --from=builder /out/app /app

If /out/app is dynamically linked against a C library not present in scratch, this container fails immediately upon attempting to run.

Identifying Actual Runtime Dependencies

Determining exactly what a binary depends on at runtime, before choosing how minimal the final base can actually be, avoids discovering a missing dependency only after deployment.

ldd /out/app

This reveals dynamically linked library dependencies, which is essential information for deciding whether scratch is actually viable or whether a base image with those libraries present is required instead.

Including Needed Runtime Files Explicitly

When a fully static binary isn't feasible, or when other runtime files (certificate bundles, timezone data) are genuinely needed, these can be explicitly copied into the final stage even when using an otherwise minimal base.

FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /out/app /app

This explicitly includes certificate authority data the application needs to validate HTTPS connections, which scratch would not otherwise provide.
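The two steps above (listing dependencies with ldd, then copying needed files explicitly) can be joined into one check. The following is an added example, not part of the original guide: the function name ldd_to_copy is hypothetical, the sample ldd output is constructed, and the stage name "builder" is taken from the snippets on this page.

```shell
#!/bin/sh
# Added example: turn `ldd` output into COPY lines for a scratch final stage.
# Assumes the builder stage is named "builder", as in the snippets on this page.
# Run ldd only on the binary you built yourself: the ldd man page warns
# against using it on untrusted executables.

# Reads ldd output on stdin, prints one COPY line per file the loader needs.
# Exit status is non-zero if any library is reported as "not found".
ldd_to_copy() {
    awk '
        # Static binary: no shared libraries to stage.
        /not a dynamic executable|statically linked/ { exit 0 }
        # Unresolved library: the container would fail at start.
        /=> not found/ { print "missing: " $1 > "/dev/stderr"; bad = 1; next }
        # "name => /path (addr)": a resolved shared library.
        $2 == "=>" && $3 ~ /^\// { print "COPY --from=builder " $3 " " $3; next }
        # "/path (addr)": the dynamic loader, needed to start the binary at all.
        $1 ~ /^\// { print "COPY --from=builder " $1 " " $1 }
        # Remaining lines (such as linux-vdso) come from the kernel: skipped.
        END { exit bad + 0 }
    '
}

# Constructed sample of ldd output (addresses and paths are illustrative).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffc0a1f2000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b1c000000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f2b1c3d0000)'

printf '%s\n' "$SAMPLE_LDD" | ldd_to_copy
# Real use, inside the builder stage:  ldd /out/app 2>&1 | ldd_to_copy
```

ldd reports only libraries linked at load time. Libraries the program opens later with dlopen, and data files such as the CA bundle, still have to be added by hand.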

Why Correctly Identifying Runtime Dependencies Matters

A final stage that is minimal but missing something the application genuinely needs at runtime is not actually usable — correctly identifying and including exactly the necessary runtime dependencies, no more and no less, is what makes the minimalism of a final stage both safe and functional rather than merely aspirational.