BellSoft Introduces Hardened Container Images
Written by Nikos Vaggalis   
Monday, 15 December 2025

The concept of hardened images has been gaining traction lately. The logic behind them is to address the issues that arise from running container images.

These issues are:

  • Container images tend to lag behind upstream updates, resulting in users running images with known vulnerabilities.

  • The common distros used in container images also lag behind upstream versions, resulting in users installing packages manually or outside of package managers.

  • Container images typically contain more software than they need to, resulting in an unnecessarily increased attack surface.

  • Many container images have no provenance information, making it difficult to verify where they came from or whether someone has tampered with them.

  • They are typically not designed to meet compliance requirements or standards like SLSA.

Thus locked-down images comprising the bare essentials capable of running your application on the Cloud are considered the counterbalance.
The news is that BellSoft, best known for its Liberica JDK distribution, has also jumped on the bandwagon to ship minimized images with an immutable component set (meaning that installing additional packages into the final image is not possible), up to 95% fewer CVEs and a single SLA from one team that covers OS, runtime, and vulnerability management. As Catherine Edelveis, DevRel at BellSoft, states over at Bluesky:

Simply put, CVE management and technical support for OS and runtime come from the same vendor. Single accountability - we stay behind our product. But there is more: migrating Java workloads to our hardened images saves up to 30% disk and ram usage.

The single-accountability perspective is what matters most here: continuous monitoring and patching is handled by BellSoft. No involvement from your team or from multiple vendors. Just a single bulletproof point of reference.

The hardened container images BellSoft provides are for OpenJDK, Python, Go, GCC/C++, and GraalVM, all based on Alpaquita Linux. To differentiate them, each image name carries the prefix "hardened" followed by the component it is about. For instance:

  • hardened-base: Minimal hardened base images for running pre-built applications

  • hardened-liberica-runtime-container: Hardened images with Liberica JDK Lite (OpenJDK)

and the self-explanatory:

  • hardened-python
  • hardened-go
  • hardened-gcc

To get hold of an image and use it:

Pull an image from any supported container registry (Docker Hub, GitHub CR, Microsoft CR, Google CR, and Amazon ECR):

docker pull bellsoft/<repository>:<image_tag>

Start a container from the pulled image:

docker run --name my-app bellsoft/<repository>:<image_tag>

Or specify it as a base image in your Dockerfile:

FROM bellsoft/<repository>:<image_tag>

Full example of using the Hardened Java Runtime:

# Pull the latest hardened Java runtime
docker pull bellsoft/hardened-liberica-runtime-container:jdk-21-glibc

# Run with your application
docker run -v /path/to/app:/app bellsoft/hardened-liberica-runtime-container:jdk-21-glibc java -jar /app/myapp.jar

# Use in a Dockerfile
FROM bellsoft/hardened-liberica-runtime-container:jdk-21-glibc
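
A tag such as jdk-21-glibc is a mutable reference that a publisher can repoint whenever an image is rebuilt, so a FROM line that names only a tag does not fix the content you build on. The check below is an added example, not code from the article or from BellSoft: it flags Dockerfile base images that are not pinned by digest. The registry.example build image and the all-zero digest are constructed placeholders.

```python
import re

# A digest-pinned reference ends in @sha256:<64 hex chars>; anything else is a mutable tag.
PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")

def external_bases(dockerfile):
    """Return (line_no, image) for each FROM that pulls from a registry."""
    stages, found = set(), []
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        args = [t for t in tokens[1:] if not t.startswith("--")]  # drop --platform=...
        if not args:
            continue
        image = args[0]
        # "scratch" and earlier stage names are not registry pulls.
        if image != "scratch" and image.lower() not in stages:
            found.append((no, image))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return found

def audit(dockerfile):
    """Return (line_no, image, reason) for every base image that is not digest-pinned."""
    findings = []
    for no, image in external_bases(dockerfile):
        if "$" in image:
            findings.append((no, image, "build-arg reference, resolve and pin it"))
        elif not PINNED.search(image):
            findings.append((no, image, "mutable tag, pin with @sha256:<digest>"))
    return findings

# Constructed inputs. DUMMY is a placeholder, not the digest of any real image.
DUMMY = "sha256:" + "0" * 64
HARDENED = "bellsoft/hardened-liberica-runtime-container:jdk-21-glibc"
BY_TAG = f"FROM {HARDENED}\nCOPY myapp.jar /app/myapp.jar\n"
BY_DIGEST = BY_TAG.replace(HARDENED, f"{HARDENED}@{DUMMY}")
MULTI_STAGE = (
    "FROM --platform=linux/amd64 registry.example/build-image:1.0 AS build\n"
    f"FROM {HARDENED}@{DUMMY} AS run\n"
    "COPY --from=build /out/myapp.jar /app/myapp.jar\n"
    "FROM run\n"
)

if __name__ == "__main__":
    for name, text in [("by tag", BY_TAG), ("by digest", BY_DIGEST), ("multi-stage", MULTI_STAGE)]:
        print(name, audit(text) or "all base images pinned")
```

The digest to pin can be read after a pull with docker inspect --format '{{index .RepoDigests 0}}' <image>. A pinned FROM stops picking up the vendor's patched rebuilds until the digest is bumped, so pair pinning with an automated update of the digest.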

Note that as far as Java is concerned you can pull an image with optional CRaC (Coordinated Restore at Checkpoint) support.

We covered CRaC in "Liberica Alpaquita Containers Now Come With CRaC"; it can be considered the magic recipe for Java's warm-up problems.

BellSoft has recently introduced CRaC into its Liberica OpenJDK builds for both Java versions 17 and 21, hence developers could use it to make snapshots of their Java application at runtime in order to reduce startup times to mere milliseconds. So it was only logical that BellSoft would also release its Alpaquita containers with CRaC support too. And the benchmarks are promising: containers with CRaC provided up to 164x faster startup and 1.1x smaller images in testing with the Petclinic app.

So in addition to better startup times, with the new hardened images you now use less disk space and less memory and have fewer, near-zero CVEs.

More Information

BellSoft Hardened Images 

Related Articles

Liberica Alpaquita Containers Now Come With CRaC