nerdctl is a Docker-compatible CLI for containerd.
- Examples
- Install
- Motivation
- Features present in
nerdctlbut not present in Docker - Similar tools
- Developer guide
- Command reference
- Additional documents
To run a container with the default CNI network (10.4.0.0/24):
# nerdctl run -it --rm alpineTo build an image using BuildKit:
# nerdctl build -t foo .
# nerdctl run -it --rm fooTo list Kubernetes containers:
# nerdctl --namespace k8s.io ps -aTo launch rootless containerd:
$ containerd-rootless-setuptool.sh installTo run a container with rootless containerd:
$ nerdctl run -d -p 8080:80 --name nginx nginx:alpineSee ./docs/rootless.md.
Binaries are available for amd64, arm64, and arm-v7: https://github.com/AkihiroSuda/nerdctl/releases
In addition to containerd, the following components should be installed (optional):
- CNI plugins: for using
nerdctl run. - CNI isolation plugin: for isolating bridge networks (
nerdctl network create) - BuildKit: for using
nerdctl build. BuildKit daemon (buildkitd) needs to be running. - RootlessKit and slirp4netns: for Rootless mode
- RootlessKit needs to be v0.10.0 or later
- slirp4netns needs toe be v0.4.0 or later
To run nerdctl inside Docker:
docker build -t nerdctl .
docker run -it --rm --privileged nerdctlThe goal of nerdctl is to facilitate experimenting the cutting-edge features of containerd that are not present in Docker.
Such features includes, but not limited to, lazy-pulling and encryption of images.
Note that competing with Docker is not the goal of nerdctl. Those cutting-edge features are expected to be eventually available in Docker as well.
Also, nerdctl might be potentially useful for debugging Kubernetes clusters, but it is not the primary goal.
- Namespacing:
nerdctl --namespace=<NS> ps. (NOTE: All Kubernetes containers are in thek8s.iocontainerd namespace regardless to Kubernetes namespaces) - Lazy-pulling using Stargz Snapshotter:
nerdctl --snapshotter=stargz run. - Exporting Docker/OCI dual-format archives:
nerdctl save. - Importing OCI archives as well as Docker archives:
nerdctl load. - Specifying a non-image rootfs:
nerdctl run -it --rootfs <ROOTFS> /bin/sh. The CLI syntax conforms to Podman convention. - Inspecting raw OCI config:
nerdctl container inspect --mode=native.
-
ctr: incompatible with Docker CLI, and not friendly to users. Notably,ctrlacks the equivalents of the following Docker CLI commands:docker run -p <PORT>docker run --restart=always --net=bridgedocker pullwith~/.docker/config.jsonand credential helper binaries such asdocker-credential-ecr-logindocker logs
-
crictl: incompatible with Docker CLI, not friendly to users, and does not support non-CRI features -
k3c v0.2 (abandoned): needs an extra daemon, and does not support non-CRI features
-
Rancher Kim (nee k3c v0.3): needs Kubernetes, and only focuses on image management commands such as
kim buildandkim push -
PouchContainer (abandoned?): needs an extra daemon
Run make && sudo make install.
Using go get github.com/AkihiroSuda/nerdctl is possible, but unrecommended because it does not fill version strings printed in nerdctl version
Run go test -exec sudo -v ./... after make && sudo make install.
For testing rootless mode, -exec sudo is not needed.
To run tests in a container:
docker build -t test --target test .
docker run -t --rm --privileged testRun go test -exec sudo -test.target=docker . to ensure that the test suite is compatible with Docker.
Lots of commands and flags are currently missing. Pull requests are highly welcome.
Please certify your Developer Certificate of Origin (DCO), by signing off your commit with git commit -s and with your real name.
π³ = Docker compatible
π€ = nerdctl specific
Unlisted docker CLI flags are unimplemented yet in nerdctl CLI.
It does not necessarily mean that the corresponding features are missing in containerd.
Run a command in a new container.
Basic flags:
- π³
-i, --interactive: Keep STDIN open even if not attached" - π³
-t, --tty: Allocate a pseudo-TTYβ οΈ WIP: currently-trequires-i, and conflicts with-d
- π³
-d, --detach: Run container in background and print container ID - π³
--restart=(no|always): Restart policy to apply when a container exits- Default: "no"
β οΈ No support foron-failureandunless-stopped
- π³
--rm: Automatically remove the container when it exits - π³
--pull=(always|missing|never): Pull image before running- Default: "missing"
Network flags:
- π³
--network=(bridge|host|none): Connect a container to a network- Default: "bridge"
- π³
-p, --publish: Publish a container's port(s) to the host - π³
--dns: Set custom DNS servers - π³
-h, --hostname: Container host name
Cgroup flags:
- π³
--cpus: Number of CPUs - π³
--memory: Memory limit - π³
--pids-limit: Tune container pids limit - π³
--cgroupns=(host|private): Cgroup namespace to use- Default: "private" on cgroup v2 hosts, "host" on cgroup v1 hosts
User flags:
- π³
-u, --user: Username or UID (format: <name|uid>[:<group|gid>])
Security flags:
- π³
--security-opt seccomp=<PROFILE_JSON_FILE>: specify custom seccomp profile - π³
--security-opt apparmor=<PROFILE>: specify custom AppArmor profile - π³
--security-opt no-new-privileges: disallow privilege escalation, e.g., setuid and file capabilities - π³
--cap-add=<CAP>: Add Linux capabilities - π³
--cap-drop=<CAP>: Drop Linux capabilities - π³
--privileged: Give extended privileges to this container
Runtime flags:
- π³
--runtime: Runtime to use for this container, e.g. "crun", or "io.containerd.runsc.v1".
Volume flags:
- π³
-v, --volume: Bind mount a volume
Rootfs flags:
- π³
--read-only: Mount the container's root filesystem as read only - π€
--rootfs: The first argument is not an image but the rootfs to the exploded container. Corresponds to Podman CLI.
Env flags:
- π³
-w, --workdir: Working directory inside the container - π³
-e, --env: Set environment variables
Metadata flags:
- π³
--name: Assign a name to the container - π³
-l, --label: Set meta data on a container - π³
--label-file: Read in a line delimited file of labels
Run a command in a running container.
- π³
-i, --interactive: Keep STDIN open even if not attached - π³
-t, --tty: Allocate a pseudo-TTYβ οΈ WIP: currently-trequires-i, and conflicts with-d
- π³
-d, --detach: Detached mode: run command in the background - π³
-w, --workdir: Working directory inside the container - π³
-e, --env: Set environment variables - π³
--privileged: Give extended privileges to the command
List containers.
Flags:
- π³
-a, --all: Show all containers (default shows just running) - π³
--no-trunc: Don't truncate output - π³
-q, --quiet: Only display container IDs
Display detailed information on one or more containers.
Flags:
- π€
--mode=(dockercompat|native): Inspection mode. "native" produces more information.
Fetch the logs of a container.
nerdctl run -d are supported.
List port mappings or a specific mapping for the container.
Remove one or more containers.
Flags:
- π³
-f: Force the removal of a running|paused|unknown container (uses SIGKILL)
Stop one or more running containers.
Kill one or more running containers.
Pause all processes within one or more containers.
Unpause all processes within one or more containers.
Build an image from a Dockerfile.
βΉοΈ Needs buildkitd to be running.
Flags:
- π€
--buildkit-host=<BUILDKIT_HOST>: BuildKit address - π³
-t, --tag: Name and optionally a tag in the 'name:tag' format - π³
-f, --file: Name of the Dockerfile - π³
--target: Set the target build stage to build - π³
--build-arg: Set build-time variables - π³
--no-cache: Do not use cache when building the image - π³
--progress=(auto|plain|tty): Set type of progress output (auto, plain, tty). Use plain to show container output - π³
--secret: Secret file to expose to the build: id=mysecret,src=/local/secret - π³
--ssh: SSH agent socket or keys to expose to the build (format:default|<id>[=<socket>|<key>[,<key>]])
Create a new image from a container's changes
Flags:
- π³
-a, --author: Author (e.g., "nerdctl contributor [email protected]") - π³
-m, --message: Commit message
List images
Flags:
- π³
-q, --quiet: Only show numeric IDs - π³
--no-trunc: Don't truncate output
Pull an image from a registry.
Pull an image from a registry.
Load an image from a tar archive or STDIN.
π€ Supports both Docker Image Spec v1.2 and OCI Image Spec v1.0.
Flags:
- π³
-i, --input: Read from tar archive file, instead of STDIN
Save one or more images to a tar archive (streamed to STDOUT by default)
π€ The archive implements both Docker Image Spec v1.2 and OCI Image Spec v1.0.
Flags:
- π³
-o, --output: Write to a file, instead of STDOUT
Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE.
Remove one or more images
Convert an image format.
e.g., nerdctl image convert --estargz --oci example.com/foo:orig example.com/foo:esgz
Flags:
--estargz: convert legacy tar(.gz) layers to eStargz for lazy pulling. Should be used in conjunction with '--oci'--estargz-record-in=<FILE>: readctr-remote optimize --record-out=<FILE>record file.β οΈ This flag is experimental and subject to change.--estargz-compression-level=<LEVEL>: eStargz compression level (default: 9)--estargz-chunk-size=<SIZE>: eStargz chunk size--uncompress: convert tar.gz layers to uncompressed tar layers--oci: convert Docker media types to OCI media types--platform=<PLATFORM>: convert content for a specific platform--all-platforms: convert content for all platforms (default: false)
Log in to a Docker registry.
Flags:
- π³
-u, --username: Username - π³
-p, --password: Password - π³
--password-stdin: Take the password from stdin
Log out from a Docker registry
Create a network
βΉοΈ To isolate CNI bridge, CNI isolation plugin needs to be installed.
Flags:
- π³
--subnet: Subnet in CIDR format that represents a network segment, e.g. "10.5.0.0/16"
List networks
Display detailed information on one or more networks
Remove one or more networks
Create a volume
List volumes
- π³
-q, --quiet: Only display volume names
Display detailed information on one or more volumes
Remove one or more volumes
Get real time events from the server.
Display system-wide information
Show the nerdctl version information
- π€
-a,--address: containerd address, optionally with "unix://" prefix - π³
-H,--host: Docker-compatible alias for-a,--address - π€
-n,--namespace: containerd namespace - π€
--snapshotter: containerd snapshotter - π€
--cni-path: CNI binary path (default:/opt/cni/bin) [$CNI_PATH] - π€
--cni-netconfpath: CNI netconf path (default:/etc/cni/net.d) [$NETCONFPATH] - π€
--data-root: nerdctl data root, e.g. "/var/lib/nerdctl" - π€
--cgroup-manager=(cgroupfs|systemd): cgroup manager
Container management:
-
docker attach -
docker cp -
docker diff -
docker rename -
docker start -
docker wait -
docker container prune -
docker checkpoint *
Stats:
docker statsdocker top
Image:
-
docker exportanddocker import -
docker history -
docker trust -
docker image prune -
docker manifest *
Network management:
docker network connectdocker network disconnectdocker network prune
Registry:
docker search
Others:
docker context- Swarm commands are unimplemented and will not be implemented:
docker swarm|node|service|config|secret|stack * - Plugin commands are unimplemented and will not be implemented:
docker plugin *
./docs/dir.md: Directory layout (/var/lib/nerdctl)./docs/registry.md: Registry authentication (~/.docker/config.json)./docs/rootless.md: Rootless mode./docs/stargz.md: Lazy-pulling using Stargz Snapshotter