nerdctl: Docker-compatible CLI for contaiNERD

This month we contributed nerdctl— Docker compatible CLI — to the containerd community.

containerd/nerdctl

The UI/UX of nerdctl is same as docker and podman. So, if you are already familiar with docker or podman , you are already familiar with nerdctl as well:

$ nerdctl run -d -p 8080:80 --name=nginx --restart=always nginx

But unlike Docker and Podman, nerdctl has several interesting features, such as:

• Running a container ahead of the completion of pulling the image (lazy-pulling)
• Running a container from an encrypted image (ocicrypt)

nerdctl supports rootless mode as well, of course.

Why another CLI?

containerd already has its own CLI called ctr . However, ctr was made only for testing very low-level functionality of containerd, and hence its CLI design is not friendly to humans. So we had to create another CLI with high-level functionalities and with human-friendly UI/UX.

Notably, ctr lacks the equivalents of the following Docker CLI commands:

• docker run -p <PORT>
• docker run --restart=always
• docker pull with ~/.docker/config.json and credential helper binaries such as docker-credential-ecr-login
• docker logs

All these features are present in nerdctl .

There is also another CLI called crictl, but its functionality and UI/UX have restrictions similar to ctr.

A new competitor for Docker?

No. While nerdctl has same UI/UX as Docker, competing with Docker is not the goal of nerdctl.

The goal of nerdctl is to facilitate experimenting the cutting-edge features of containerd that are not present in Docker. Such features include, but not limited to, lazy-pulling (stargz) and encryption of images (ocicrypt).

Docker partially uses containerd; nerdctl fully uses containerd

These features are expected to be eventually available in Docker as well, however, it is likely to take several months, or perhaps years, as Docker is currently designed to use only a small portion of the containerd subsystems. Refactoring Docker to use the entire containerd would be possible, but not straightforward. So we decided to create a new CLI that fully uses containerd, but we do not intend to complete with Docker. We have been contributing to Docker/Moby as well as containerd, and will continue to do so.

Getting started with nerdctl

The latest binary release of nerdctl can be downloaded from https://github.com/containerd/nerdctl/releases .

Two types of distributions are available:

• nerdctl-<VERSION>-linux-amd64.tar.gz : nerdctl only. Should be extracted under /usr/local/bin .
• nerdctl-full-<VERSION>-linux-amd64.tar.gz : nerdctl with dependencies (containerd, runc, CNI, …). Should be extracted under /usr/local .

If you already have containerd, you should use the former one. Otherwise the latter one is the best choice.

To run containerd and nerdctl as the root user:

$ sudo systemctl enable --now containerd
$ sudo nerdctl run -d -p 80:80 --name=nginx --restart=always nginx

To run containerd and nerdctl as a non-root user:

$ containerd-rootless-setuptool.sh install
$ nerdctl run -d -p 8080:80 --name=nginx --restart=always nginx

For further information, please refer to the documentation.

NTT is hiring!

We NTT are looking for engineers who work in Open Source communities like containerd, Docker/Moby, Kubernetes, and their relevant projects. Visit https://www.rd.ntt/e/sic/recruit/ to see how to join us.

私たちNTTは、containerd 、Docker/Moby、 Kubernetes などのオープンソースコミュニティで共に活動する仲間を募集しています。ぜひ弊社採用情報ページをご覧ください: https://www.rd.ntt/sic/recruit/