Last week, I joined a fun Dockerfile writing contest. The task was to create one for a Spring Boot project, which you can download from the following link.
Key points:
- Multi-stage build
- Non-root user for runtime security
- Build cache enabled for Gradle
- LABEL metadata for traceability
Dockerfile
ARG BUILD_IMAGE=eclipse-temurin:21-jdk-alpine
ARG RUNTIME_IMAGE=gcr.io/distroless/java21-debian12:nonroot
# ---------- Build Stage ----------
FROM ${BUILD_IMAGE} AS builder
WORKDIR /workspace
COPY gradlew ./
COPY gradle ./gradle
COPY build.gradle ./
COPY src ./src
RUN apk add --no-cache bash unzip curl ca-certificates && chmod +x ./gradlew
ENV GRADLE_USER_HOME=/home/gradle/.gradle
RUN --mount=type=cache,target=/home/gradle/.gradle \
bash ./gradlew --no-daemon bootJar -x test
RUN cp build/libs/*.jar app.jar
# ---------- Runtime Stage ----------
FROM ${RUNTIME_IMAGE} AS runtime
WORKDIR /app
COPY --from=builder /workspace/app.jar ./app.jar
USER nonroot
EXPOSE 8080
ENTRYPOINT ["/usr/bin/java", "-jar", "/app/app.jar"]
LABEL org.opencontainers.image.title="Spring Boot App" \
org.opencontainers.image.description="Minimal and secure Distroless image for Spring Boot with Gradle and JDK 21" \
org.opencontainers.image.licenses="MIT"
If you have any tips to make the image lighter and more secure, please share them with me!
If you found this helpful, you can buy me a coffee and keep me going. Thank you!
https://buymeacoffee.com/vohongnhuy1996
Y – 12/11/2025
vohongnhuy1996 blog 
Leave a comment