You can use the "dockerception" method: build in a container with devtools, then import the resulting binaries into a container with no devtools. https://github.com/jamiemccrindle/dockerception

The resulting images can be very small: https://hub.docker.com/r/jjclark/nethack/tags/

It's currently a little difficult because of a bug with building from a tarball: https://github.com/docker/docker/issues/15785

I kinda solve that by doing something like this:

    # install runtime deps
    dpkg -l | awk '{print $2}' | sort > old.txt
    # install build deps
    # build software
    dpkg -l | awk '{print $2}' | sort > new.txt
    apt-get -y remove --purge $(comm -13 old.txt  new.txt)

Probably a better way to accomplish that, but it was the easiest way I could see to implement an 'undo'

If doing this sort of thing, make sure to accomplish it in a single step (image layer) in the Dockerfile. Otherwise you won't be doing any good as the "removed" files actually persist behind a layer which specifies them as removed.

I've been using docker-squash for that. This way I can take advantage of layer caching during development, and still have a small image for uploading.

If you installed build-essential, then removed it, then apt-get --purge autoremove should remove the packages that build-essential pulled in that were not already installed.

The problem is by default this will remove runtimes like libtool as well. Sure, I could figure out what these are and keep them around, but the problem is the time-crunch aspect - it takes time, and if the program changes then you still need to take the time.