nerdctl: Docker-compatible CLI for containerd
nerdctl
is a Docker-compatible CLI for containerd.
Examples
To run a container with the default CNI network (10.4.0.0/16):
# nerdctl run -it --rm alpine
To build an image using BuildKit:
# nerdctl build -t foo .
# nerdctl run -it --rm foo
To list Docker containers:
# nerdctl --namespace moby ps -a
To list Kubernetes containers:
# nerdctl --namespace k8s.io ps -a
Install
Run make && sudo make install
, or just use go get
:
# go get github.com/AkihiroSuda/nerdctl
In addition to containerd, the following components should be installed (optional):
- CNI plugins: for internet connectivity.
- BuildKit: for using
nerdctl build
. BuildKit daemon (buildkitd
) needs to be running.
Motivation
The goal of nerdctl
is to facilitate experimenting the cutting-edge features of containerd that are not present in Docker.
Such features includes, but not limited to, lazy-pulling and encryption of images.
Also, nerdctl
might be potentially useful for debugging Kubernetes clusters, but it is not the primary goal.
Similar tools
ctr
: incompatible with Docker, and not friendly to userscrictl
: incompatible with Docker, not friendly to users, and does not support non-CRI features- k3c: needs an extra daemon, and does not support non-CRI features
- PouchContainer: needs an extra daemon
Implementation status of Docker-compatible commands and flags
-
nerdctl build
-t
-
nerdctl ps
-a, --all
: Show all containers (default shows just running)--no-trunc
-
nerdctl pull
-
nerdctl rm
-f
-
nerdctl run
-i
(WIP: always needs to be true)-t
(WIP: always needs to be true)--rm
--network=(bridge|host|none)
--dns
--pull=(always|missing|never)
--security-opt seccomp
--security-opt apparmor
--security-opt no-new-privileges
--privileged
Lots of commands and flags are currently missing. Pull requests are highly welcome.
Contributing to nerdctl
- Please certify your Developer Certificate of Origin (DCO), by signing off your commit with
git commit -s
and with your real name.