explaingit

containerd/nerdctl

10,086 · Go · Audience · ops devops · Complexity · 3/5 · Setup · moderate

TLDR

A command-line container tool that works exactly like Docker's CLI but runs on the containerd runtime, adding features like faster image startup, rootless containers, and encrypted images that Docker does not yet offer.

Mindmap

mindmap
  root((nerdctl))
    What it does
      Docker-compatible CLI
      containerd runtime
      Rootless containers
    Extra Features
      Lazy image pulling
      Encrypted images
      IPFS distribution
    Tech Stack
      Go
      containerd
      Linux
    Audience
      DevOps engineers
      Kubernetes users
      SRE teams

Things people build with this

USE CASE 1

Run Docker-compatible commands against the containerd runtime without learning new CLI syntax.

USE CASE 2

Start a container before its full image has finished downloading to reduce startup time for large images using lazy-pulling.

USE CASE 3

Run containers without root privileges on Linux hosts to improve security in shared or multi-tenant environments.

USE CASE 4

Inspect and manage containers running inside a Kubernetes cluster by connecting directly to its containerd namespace.

Tech stack

Go · containerd · Linux · Docker Compose

Getting it running

Difficulty · moderate · Time to first run · 30min

Runs natively on Linux only; macOS requires the Lima virtual machine and Windows requires WSL2.

In plain English

nerdctl is a command-line tool for running containers on Linux that is intentionally designed to work the same way as the Docker CLI. If you already know Docker commands, you can use nerdctl with the same flags and syntax. It supports Docker Compose files (nerdctl compose up), image builds, and most other day-to-day Docker workflows.

Under the hood, nerdctl uses containerd as its container runtime rather than the Docker daemon. containerd is the same runtime that Kubernetes uses internally, so nerdctl is sometimes useful for inspecting or debugging containers running in a Kubernetes cluster by connecting to the k8s.io containerd namespace directly.

The project exists primarily to expose features in containerd that Docker does not yet support. The most notable is lazy-pulling, also called on-demand image pulling: a container can start running before its full image has finished downloading, which reduces startup time for large images. Other optional features include encrypted images, peer-to-peer image distribution using IPFS, and container image signing and verification via cosign. These are all opt-in and do not affect standard usage.

nerdctl also supports running containers in rootless mode, meaning without root privileges on the host system. A performance optimization called bypass4netns reduces the networking overhead that rootless containers normally carry.

On Linux, nerdctl can be installed from release binaries on the GitHub releases page or via Homebrew. On macOS, it runs inside a Linux virtual machine managed by Lima, which handles the integration. Windows is supported on WSL2. A full release archive includes all required dependencies; a minimal archive includes only the nerdctl binary itself.

Copy-paste prompts

Prompt 1
I already know Docker commands. Show me the nerdctl equivalents for build, run, push, and docker-compose up, highlighting any flag differences.
Prompt 2
How do I set up nerdctl in rootless mode on Ubuntu so I can run containers without needing sudo?
Prompt 3
Use nerdctl to pull and run a container with lazy-pulling enabled so the container starts before the full image has downloaded.
Prompt 4
How do I connect nerdctl to the k8s.io containerd namespace to inspect containers running inside my Kubernetes cluster?
Prompt 5
Install nerdctl on macOS using Lima and run a basic nginx container to confirm the setup is working.

Verify against the repo before relying on details.