nerdctl
Manage containers and images
TLDR
List all containers (running and stopped)
Start a container from an image, with a custom name
Start or stop an existing container
Pull an image from a container registry
Display the list of already downloaded images
Open an interactive tty with Bourne shell (sh) inside a running container
Remove stopped containers
Fetch and follow the logs of a container
SYNOPSIS
nerdctl [global options] command [command options] [arguments...]
Examples:
nerdctl run -p 8080:80 nginx
nerdctl build -t myapp .
nerdctl ps -a
nerdctl compose up -d
PARAMETERS
--debug
Enable debug output for detailed troubleshooting.
--address / -a
Specify the address of the containerd socket (e.g., /run/containerd/containerd.sock).
--namespace / -n
Set the containerd namespace to use for commands (e.g., default, k8s.io). Isolates resources.
--snapshotter
Define the containerd snapshotter to use (e.g., overlayfs, btrfs, aufs, native). Controls image layering.
--storage-backend
Select the storage backend (e.g., containerd, ipsw, nydus). Note: Only containerd is stable and recommended for general use.
--data-root
Specify the root directory for containerd data and configuration (defaults to /var/lib/containerd).
--cni-path
Provide the path to CNI plugin binaries (e.g., /opt/cni/bin), essential for network functionality.
--cni-netconfpath
Define the path to CNI network configuration files (e.g., /etc/cni/net.d).
--insecure-registry
Skip TLS certificate verification for the specified image registry. This is useful for local or private registries, but the registry's identity is then not authenticated.
--host-gateway
Set the IP address to be used for the host.docker.internal entry within the container's /etc/hosts.
--help / -h
Display help information for global options or a specific subcommand.
--version / -v
Print the nerdctl client version and containerd server information.
(Subcommand-specific Options)
Each nerdctl subcommand (e.g., run, build, pull, exec) has its own extensive set of specific options. For instance, nerdctl run includes options like -p (publish ports), -v (bind mounts), --name (assign a name), --rm (auto-remove container), --net (network mode), etc. For detailed information on a specific command's options, use nerdctl [command] --help (e.g., nerdctl run --help).
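Because --insecure-registry turns off certificate verification, it is worth checking where it is set. The following is an added example, not code from the nerdctl project: it scans a script for nerdctl invocations that pass the flag and checks a nerdctl.toml for the equivalent insecure_registry setting. The file names, registry hostnames and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the nerdctl project). Sample files are constructed.

# Print "LINE:TEXT" for each uncommented nerdctl invocation in script $1 that
# passes --insecure-registry (bare or =true); =false is not reported.
find_insecure_invocations() {
    grep -nE '^[^#]*nerdctl[[:space:]].*--insecure-registry(=true)?([[:space:]]|$)' "$1"
}

# Number of such invocations in script $1.
count_insecure_invocations() {
    find_insecure_invocations "$1" | wc -l | tr -d ' '
}

# Succeed if nerdctl.toml file $1 sets insecure_registry = true, which turns
# verification off for every nerdctl command that reads that file.
config_disables_tls_verify() {
    grep -Eq '^[[:space:]]*insecure_registry[[:space:]]*=[[:space:]]*true([[:space:]]|#|$)' "$1"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample script (hypothetical deploy.sh).
cat > "$SAMPLE_DIR/deploy.sh" <<'EOF'
#!/bin/sh
nerdctl pull registry.example.com/team/app:1.4
nerdctl --insecure-registry pull registry.lab.example:5000/team/app:1.4
# nerdctl --insecure-registry push registry.lab.example:5000/team/app:1.4
nerdctl --namespace k8s.io --insecure-registry=true images
nerdctl --insecure-registry=false pull registry.example.com/team/base:3
EOF

# Constructed sample configuration file.
cat > "$SAMPLE_DIR/nerdctl.toml" <<'EOF'
namespace = "default"
insecure_registry = true
EOF

echo "Invocations that skip TLS verification:"
find_insecure_invocations "$SAMPLE_DIR/deploy.sh" || true
if config_disables_tls_verify "$SAMPLE_DIR/nerdctl.toml"; then
    echo "nerdctl.toml: insecure_registry = true"
fi
```

The commented-out line and the =false invocation are deliberately not reported; only lines 3 and 5 of the sample script are.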
DESCRIPTION
nerdctl is a command-line interface (CLI) tool that provides a user experience highly similar to the Docker CLI, but it interacts directly with the containerd runtime. Developed as part of the containerd project itself, its primary goal is to offer a familiar and intuitive way for users to manage containers and images without relying on the traditional Docker daemon.
It supports a wide range of common container operations, including pulling and pushing images, running and stopping containers, managing volumes and networks, inspecting resources, and even orchestrating multi-container applications via nerdctl compose. nerdctl leverages containerd's robust and OCI-compliant capabilities, making it a powerful and lightweight alternative for container management, particularly in environments where direct interaction with containerd is preferred, such as Kubernetes nodes or minimalist server setups. It aims for a high degree of compatibility with Docker CLI commands, making the transition for Docker users relatively seamless while providing the architectural benefits of containerd.
CAVEATS
While nerdctl strives for high compatibility, it is not 100% feature-complete or behaviorally identical to the Docker CLI in every edge case or obscure scenario. Users might encounter minor differences, especially with advanced inspection output or highly specific networking configurations.
It functions as a client to containerd and therefore requires a running containerd daemon to operate; nerdctl itself does not replace the daemon.
Network management within nerdctl typically leverages CNI (Container Network Interface) plugins, which might require separate setup and configuration compared to Docker's native networking stack. This can be a point of difference for users accustomed to Docker's integrated network capabilities.
COMPOSE SUPPORT
nerdctl integrates a compose subcommand (e.g., nerdctl compose up, nerdctl compose down) that mirrors the functionality of docker compose. This allows users to define and run multi-container applications using standard Compose files (typically named docker-compose.yaml or compose.yaml), providing a consistent experience for application orchestration.
ROOTLESS MODE
A significant feature of nerdctl is its support for rootless mode. This enables non-root users to create, run, and manage containers without requiring elevated privileges on the host system. Running containers in rootless mode greatly enhances security by minimizing the potential impact of container escapes or vulnerabilities: a process that breaks out of the container holds only the invoking user's privileges on the host, not root's.
BUILDKIT INTEGRATION
For building container images, nerdctl build leverages BuildKit, a powerful and highly efficient toolkit for building container images from Dockerfiles. This integration provides advanced build features such as improved caching, parallel build steps, multi-stage build optimizations, and enhanced security, leading to faster and more reliable image creation.
HISTORY
nerdctl was developed by the containerd project maintainers and contributors to provide a user-friendly, Docker-compatible command-line interface directly for containerd. Its creation was motivated by the evolving container ecosystem, where containerd became the industry-standard core container runtime (even used by the Docker daemon itself).
Recognizing the need for a familiar CLI that could operate independently of the Docker daemon, nerdctl was designed to fill this gap, offering a lightweight and direct interface to containerd's capabilities. It has become particularly popular in Kubernetes environments, where containerd is often the chosen container runtime, and for users who prefer a more direct and efficient way to manage their container infrastructure.