Container Images: When Slimming Hurts Debuggability

Distroless images are attractive until on-call needs a shell that is not there. We teach a decision grid: if the service is stateless and heavily automated, slim aggressively; if operators routinely exec in, keep a debug sidecar pattern documented. Layer counts still matter for pull times. Students run dive-style inspections and record byte savings per layer. The numbers make the trade-off conversation grounded. We also cover signal loss: removing package managers can block emergency openssl updates. The capstone track asks learners to propose how they would handle that scenario under time pressure. Honest takeaway: the smallest image is not always the most operable. We reward narratives that acknowledge that tension.