14.1.1.1 Production Runtime Image

A focused guide to Production Runtime Image, connecting core concepts with practical Docker and container operations.

A production runtime image is the final, minimal stage of a multi-stage build, containing only what's actually needed to run the application — no build tools, no development dependencies, no unnecessary system packages — distinct from any earlier stage used purely for compiling or building the application.

Structuring the Production Runtime Stage

The final stage starts from a clean, minimal base, copying in only the application's built output and required runtime dependencies.

FROM golang:1.22 AS build
WORKDIR /src
COPY . .
# Static binary: the distroless static base ships no libc to link against.
RUN CGO_ENABLED=0 go build -o /app/server .

FROM gcr.io/distroless/static-debian12
COPY --from=build /app/server /server
ENTRYPOINT ["/server"]

This runtime image contains nothing beyond the compiled binary and the minimal distroless base, with no trace of the build stage's much larger toolchain.

Why Minimizing the Runtime Image's Contents Matters

Every additional package, tool, or file present in the runtime image represents both wasted size and additional potential attack surface — keeping this image as minimal as the application's actual runtime needs allow reduces both concerns simultaneously.

docker scout cves myapp:1.0

A minimal runtime image typically produces meaningfully fewer vulnerability findings than one carrying unnecessary additional software.

Verifying the Runtime Image Doesn't Include Build-Time Artifacts

Inspecting the final image confirms no build-time tooling or intermediate files were inadvertently carried forward.

docker run --rm myapp:1.0 which gcc
which: no gcc in ...

Confirming a build tool like a compiler is genuinely absent validates that the separation was correctly maintained. The output shown presumes a base that still ships `which` (Debian or Alpine); on a distroless or scratch base the `docker run` fails before `which` even starts, because no such binary exists, which confirms the same point but means the filesystem has to be inspected from the host instead.
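An added example, not code from the original page: a POSIX shell audit that exports the image's filesystem listing with `docker create` and `docker export` (so it works even when the image has no shell or `which`) and flags paths that indicate build-time tooling. The pattern list, function names and the image name are assumptions for a Go service like the one above.

```shell
#!/bin/sh
# Added example: audit an image's root filesystem listing for build-time residue.
# The listing comes from docker export, which needs nothing inside the image.
# FORBIDDEN_PATTERNS is an assumption for a Go service; extend it for your stack.

FORBIDDEN_PATTERNS='^usr/bin/(gcc|cc|g\+\+|make|ld)$
^usr/bin/(apt|apt-get|dpkg|apk|pip|pip3)$
^usr/local/go/
^go/pkg/mod/
^(bin|usr/bin)/(sh|bash|curl|wget)$
^usr/include/
^src/
\.git/'

# Export the image's filesystem as a path listing (one path per line, no ./ or trailing /).
export_listing() {
    image="$1"
    cid=$(docker create "$image")
    docker export "$cid" | tar -t | sed 's#^\./##; s#/$##'
    docker rm "$cid" >/dev/null
}

# audit_listing FILE: print every forbidden path found; return 1 if there were any.
audit_listing() {
    listing="$1"
    hits=0
    while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue
        matches=$(grep -E -- "$pattern" "$listing" || true)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | sed 's/^/build-time artifact present: /'
            hits=$((hits + 1))
        fi
    done <<EOF
$FORBIDDEN_PATTERNS
EOF
    [ "$hits" -eq 0 ]
}

# When invoked directly with an image name (e.g. myapp:1.0), export and audit it.
if [ $# -eq 1 ]; then
    tmp=$(mktemp)
    export_listing "$1" > "$tmp"
    audit_listing "$tmp"
    rc=$?
    rm -f "$tmp"
    exit $rc
fi
```

A non-zero exit status makes the check usable as a CI gate after the image is built.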

Choosing an Appropriately Minimal Base for the Runtime Stage

Selecting a base image (distroless, Alpine, or even scratch for statically linked binaries) appropriate to the application's actual runtime needs further reinforces this minimalism.

FROM gcr.io/distroless/static-debian12

Why a Production Runtime Image Matters

A properly minimized production runtime image, cleanly separated from build-time tooling, is the actual deliverable of a well-structured multi-stage build, directly supporting both the size and security goals appropriate to a genuine production deployment.