Container images can be described as an operating system in a bottle. They run under the host Linux kernel, but often contain numerous libraries, utilities, and programs alongside the software you put in them.

As an example, the "stable" Debian base image (as of 2025-09-29) contains 111 packages, takes up slightly over 50 MiB of space and lists 21 vulnerabilities.

The "latest" Alpine base image, on the other hand, only has 20 packages, takes up less than 4 MiB of space and lists 2 vulnerabilities.

In this talk, I'll discuss what makes up a container image, a bit about how they work, and the benefits and drawbacks of these two images (and others, such as Red Hat's UBI images). I'll also talk about scratch images—what they are, when you might use them, and some caveats.