• The nerdctl tool (a CLI for containerd that keeps docker CLI conventions)


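    Introduction

    nerdctl is a management tool for containerd that stays compatible with docker CLI habits. It is aimed mainly at users who have just moved from docker to containerd: containerd's own command-line tools, ctr and crictl, are not very pleasant to use, which is why nerdctl exists.

    One point needs stressing: nerdctl operates on containerd, not docker, so nerdctl images and docker images show different content. nerdctl only keeps the usage conventions of the docker CLI; what it actually drives is containerd.

    nerdctl is used the same way as docker and gives the same experience. Its main features are:

    ✅ Same UI/UX as docker
    ✅ Supports docker-compose (for example: nerdctl compose up)
    ✅ [Optional] Supports rootless mode without slirp overhead (bypass4netns)
    ✅ [Optional] Supports lazy pulling (Stargz, Nydus, OverlayBD)
    ✅ [Optional] Supports encrypted images (ocicrypt)
    ✅ [Optional] Supports P2P image distribution (IPFS) (*1)
    ✅ [Optional] Supports container image signing and verification (cosign)
    ✅ [Optional] Supports viewing containerd namespaces; nerdctl can manage not only Docker containers but also local Kubernetes pods directly.
    ✅ [Optional] Supports converting Docker Image Manifest images to OCI images and estargz images.

    nerdctl is a non-core sub-project of containerd; see the official site for more information.

    Installation

    nerdctl can be installed either as the Minimal package or as the Full package, which bundles some plugins. The Minimal package contains only nerdctl; the Full package contains nerdctl plus dependencies such as the CNI plugins (you can of course start from the Minimal install and add CNI and other plugins yourself).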

    • Minimal (nerdctl-1.0.0-linux-amd64.tar.gz): nerdctl only
    • Full (nerdctl-full-1.0.0-linux-amd64.tar.gz): Includes dependencies such as containerd, runc, and CNI

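    Download and install

    Official download page: https://github.com/containerd/nerdctl/releases. Under Assets, choose either the Minimal or the Full package (this example uses the Minimal install).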

    [root@test tmp]# wget https://github.com/containerd/nerdctl/releases/download/v1.0.0/nerdctl-1.0.0-linux-amd64.tar.gz
    [root@test tmp]# tar -xzvf nerdctl-*-linux-amd64.tar.gz -C /usr/local/bin/
    

    Check the version number to verify the installation

    [root@test tmp]# nerdctl --version
    nerdctl version 1.0.0
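
The download-and-extract steps above unpack a freshly downloaded archive into /usr/local/bin as root. The following added example (not from the original article or the nerdctl project) checks the archive against a checksum file and rejects unsafe member paths before extracting; the file name SHA256SUMS and the function names are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example: check a release archive before unpacking it as root.
# "SHA256SUMS" is an assumed name for the checksum file fetched with the archive.

# verify_sha256 ARCHIVE SUMS_FILE
# Returns 0 on match, 1 on digest mismatch, 2 if SUMS_FILE has no entry.
verify_sha256() {
    local name want got
    name=$(basename -- "$1")
    # Lines look like "<hex digest>  <file>" (or "<hex digest> *<file>").
    want=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)} f==n {print $1; exit}' "$2")
    [ -n "$want" ] || { echo "no entry for $name in $2" >&2; return 2; }
    got=$(sha256sum -- "$1" | awk '{print $1}')
    [ "$got" = "$want" ] || { echo "sha256 mismatch for $name" >&2; return 1; }
}

# archive_paths_safe ARCHIVE
# Fails if any member is an absolute path or contains a ".." component,
# either of which could write outside the destination directory.
archive_paths_safe() {
    local list
    list=$(tar -tzf "$1") || { echo "cannot list $1" >&2; return 1; }
    if printf '%s\n' "$list" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive has absolute or '..' member paths" >&2
        return 1
    fi
}

# install_release ARCHIVE SUMS_FILE DEST
# Extracts only after both checks pass. --no-same-owner keeps root from
# restoring whatever uid/gid the archive author recorded.
install_release() {
    verify_sha256 "$1" "$2" || return
    archive_paths_safe "$1" || return
    mkdir -p -- "$3" && tar -xzf "$1" -C "$3" --no-same-owner
}

# Example call, using the archive name from the steps above:
#   install_release nerdctl-1.0.0-linux-amd64.tar.gz SHA256SUMS /usr/local/bin
```
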
    

    Commands

    Run nerdctl -h to see the help, which lists and describes every command:

    [root@test tmp]# nerdctl -h
    nerdctl is a command line interface for containerd
    
    Config file ($NERDCTL_TOML): /etc/nerdctl/nerdctl.toml
    
    Usage: nerdctl [flags]
    
    Management commands:
      apparmor   Manage AppArmor profiles
      builder    Manage builds
      container  Manage containers
      image      Manage images
      ipfs       Distributing images on IPFS
      namespace  Manage containerd namespaces
      network    Manage networks
      system     Manage containerd
      volume     Manage volumes
    
    Commands:
      build       Build an image from a Dockerfile. Needs buildkitd to be running.
      commit      Create a new image from a container's changes
      completion  Generate the autocompletion script for the specified shell
      compose     Compose
      cp          Copy files/folders between a running container and the local filesystem.
      create      Create a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
      events      Get real time events from the server
      exec        Run a command in a running container
      help        Help about any command
      history     Show the history of an image
      images      List images
      info        Display system-wide information
      inspect     Return low-level information on objects.
      internal    DO NOT EXECUTE MANUALLY
      kill        Kill one or more running containers
      load        Load an image from a tar archive or STDIN
      login       Log in to a container registry
      logout      Log out from a container registry
      logs        Fetch the logs of a container. Currently, only containers created with `nerdctl run -d` are supported.
      pause       Pause all processes within one or more containers
      port        List port mappings or a specific mapping for the container
      ps          List containers
      pull        Pull an image from a registry. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
      push        Push an image or a repository to a registry. Optionally specify "ipfs://" or "ipns://" scheme to push image to IPFS.
      rename      rename a container
      restart     Restart one or more running containers
      rm          Remove one or more containers
      rmi         Remove one or more images
      run         Run a command in a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
      save        Save one or more images to a tar archive (streamed to STDOUT by default)
      start       Start one or more running containers
      stats       Display a live stream of container(s) resource usage statistics.
      stop        Stop one or more running containers
      tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
      top         Display the running processes of a container
      unpause     Unpause all processes within one or more containers
      update      Update one or more running containers
      version     Show the nerdctl version information
      wait        Block until one or more containers stop, then print their exit codes.
    
    Flags:
      -H, --H string                 Alias of --address (default "/run/containerd/containerd.sock")
      -a, --a string                 Alias of --address (default "/run/containerd/containerd.sock")
          --address string           containerd address, optionally with "unix://" prefix [$CONTAINERD_ADDRESS] (default "/run/containerd/containerd.sock")
          --cgroup-manager string    Cgroup manager to use ("cgroupfs"|"systemd") (default "cgroupfs")
          --cni-netconfpath string   cni config directory [$NETCONFPATH] (default "/etc/cni/net.d")
          --cni-path string          cni plugins binary directory [$CNI_PATH] (default "/opt/cni/bin")
          --data-root string         Root directory of persistent nerdctl state (managed by nerdctl, not by containerd) (default "/var/lib/nerdctl")
          --debug                    debug mode
          --debug-full               debug mode (with full output)
          --experimental             Control experimental: https://github.com/containerd/nerdctl/blob/master/docs/experimental.md [$NERDCTL_EXPERIMENTAL] (default true)
      -h, --help                     help for nerdctl
          --host string              Alias of --address (default "/run/containerd/containerd.sock")
          --hosts-dir strings        A directory that contains /hosts.toml (containerd style) or /{ca.cert, cert.pem, key.pem} (docker style) (default [/etc/containerd/certs.d,/etc/docker/certs.d])
          --insecure-registry        skips verifying HTTPS certs, and allows falling back to plain HTTP
      -n, --n string                 Alias of --namespace (default "default")
          --namespace string         containerd namespace, such as "moby" for Docker, "k8s.io" for Kubernetes [$CONTAINERD_NAMESPACE] (default "default")
          --snapshotter string       containerd snapshotter [$CONTAINERD_SNAPSHOTTER] (default "overlayfs")
          --storage-driver string    Alias of --snapshotter (default "overlayfs")
      -v, --version                  version for nerdctl
    
    Run 'nerdctl COMMAND --help' for more information on a command.
    

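    nerdctl can be configured further through the configuration file /etc/nerdctl/nerdctl.toml.

    Adding plugins manually (optional, as needed)

    Taking the CNI plugins as an example, first download the plugin archive from the official CNI plugins release page.

    The CNI plugins must be placed in a specific directory. The default is /opt/cni/bin (this default is documented next to --cni-path in the nerdctl --help output), and nerdctl looks in that directory by default.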

    [root@test tmp]# wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
    [root@test tmp]# mkdir -p /opt/cni/bin
    [root@test tmp]# tar -xzvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin
    [root@test tmp]# ll /opt/cni/bin/
    total 63728
    -rwxr-xr-x 1 root root 3780654 Mar 10  2022 bandwidth
    -rwxr-xr-x 1 root root 4221977 Mar 10  2022 bridge
    -rwxr-xr-x 1 root root 9742834 Mar 10  2022 dhcp
    -rwxr-xr-x 1 root root 4345726 Mar 10  2022 firewall
    -rwxr-xr-x 1 root root 3811793 Mar 10  2022 host-device
    -rwxr-xr-x 1 root root 3241605 Mar 10  2022 host-local
    -rwxr-xr-x 1 root root 3922560 Mar 10  2022 ipvlan
    -rwxr-xr-x 1 root root 3295519 Mar 10  2022 loopback
    -rwxr-xr-x 1 root root 3959868 Mar 10  2022 macvlan
    -rwxr-xr-x 1 root root 3679140 Mar 10  2022 portmap
    -rwxr-xr-x 1 root root 4092460 Mar 10  2022 ptp
    -rwxr-xr-x 1 root root 3484284 Mar 10  2022 sbr
    -rwxr-xr-x 1 root root 2818627 Mar 10  2022 static
    -rwxr-xr-x 1 root root 3379564 Mar 10  2022 tuning
    -rwxr-xr-x 1 root root 3920827 Mar 10  2022 vlan
    -rwxr-xr-x 1 root root 3523475 Mar 10  2022 vrf
    

    Testing it

    Start an nginx container named nginx-test, mapping host port 10800 to port 80 in the container.

    # Start the container
    [root@test tmp]# nerdctl run -d --name nginx-test -p 10800:80 nginx:1.22.1
    docker.io/library/nginx:1.22.1:                                                   resolved       |++++++++++++++++++++++++++++++++++++++| 
    index-sha256:809f0924101d9c07322d69ab0705e1a0d85b1d0f287e320ae19b0826979c56e9:    done           |++++++++++++++++++++++++++++++++++++++| 
    manifest-sha256:fa7e5dee56197a5cbb5b346b3c2c41d91ffa57eb1efcabb5ff09483c87270ccb: done           |++++++++++++++++++++++++++++++++++++++| 
    config-sha256:404359394820dad4c8f210f935939f5890a02ccf82302e1a1068bd0723149736:   done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:50b97857b95c8b58fbaa89e528105534fc73606f71e0c4866566b2d6dda2f907:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:f3c8f37c59f021e336eb6064cb5ef086a44630c8a1cd0728d9b56d584a89fbaf:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:a603fa5e3b4127f210503aaa6189abf6286ee5a73deeaab460f8f33ebc6b64e2:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:0edfe97a837abe97ce52b42da5fad5df39a3daccc47b5e4d3bc294375b481a0a:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:0bf5e07cb0afcd466f3b9f207c8cbaf77a1d483779f37d0189115282e4374dc1:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:f95a257c65b62fcb59f62f64ab3212e47226f460e9cbfa8c9187f2ab1923ca8c:    done           |++++++++++++++++++++++++++++++++++++++| 
    elapsed: 20.9s                                                                    total:  30.0 M (1.4 MiB/s)                                       
    d550e2afd0c1ac924a3047a559c38697167b6b2317a19b3336e43285c6e558dc
    
    # List running containers
    [root@test tmp]# nerdctl ps
    CONTAINER ID    IMAGE                             COMMAND                   CREATED           STATUS    PORTS                    NAMES
    d550e2afd0c1    docker.io/library/nginx:1.22.1    "/docker-entrypoint.…"    32 seconds ago    Up        0.0.0.0:10080->80/tcp    nginx-test
    
    # Remove the container by name
    [root@test tmp]# nerdctl rm -f nginx-test
    nginx-test
    

    The page can be accessed normally from a browser.


    (END)

  • Original article: https://blog.csdn.net/catoop/article/details/128033743