nerdctl: Docker-compatible CLI for containerd

nerdctl is a Docker-compatible CLI for containerd.

Examples

To run a container with the default CNI network (10.4.0.0/16):

# nerdctl run -it --rm alpine

To build an image using BuildKit:

# nerdctl build -t foo .
# nerdctl run -it --rm foo

To list Docker containers:

# nerdctl --namespace moby ps -a

To list Kubernetes containers:

# nerdctl --namespace k8s.io ps -a

Run make && sudo make install, or just use go get:

# go get github.com/AkihiroSuda/nerdctl

In addition to containerd, the following components should be installed (optional):

CNI plugins: for internet connectivity.
BuildKit: for using nerdctl build. BuildKit daemon (buildkitd) needs to be running.

The goal of nerdctl is to facilitate experimenting the cutting-edge features of containerd that are not present in Docker.

Such features includes, but not limited to, lazy-pulling and encryption of images.

Also, nerdctl might be potentially useful for debugging Kubernetes clusters, but it is not the primary goal.

ctr: incompatible with Docker, and not friendly to users
crictl: incompatible with Docker, not friendly to users, and does not support non-CRI features
k3c: needs an extra daemon, and does not support non-CRI features
PouchContainer: needs an extra daemon

nerdctl build
- -t
nerdctl ps
- -a, --all: Show all containers (default shows just running)
- --no-trunc
nerdctl pull
nerdctl rm
- -f
nerdctl run
- -i (WIP: always needs to be true)
- -t (WIP: always needs to be true)
- --rm
- --network=(bridge|host|none)
- --dns
- --pull=(always|missing|never)
- --security-opt seccomp
- --security-opt apparmor
- --security-opt no-new-privileges
- --privileged

Lots of commands and flags are currently missing. Pull requests are highly welcome.

Please certify your Developer Certificate of Origin (DCO), by signing off your commit with git commit -s and with your real name.