I want to talk nerdy to you about a tool that could make your life much easier. It's called "nerdctl" and it's a Docker-compatible CLI for containerd. With support for Compose, Rootless, eStargz, OCIcrypt, IPFS, and more, it's the perfect tool for managing your containers.
Why use nerdctl?
- Simplicity: nerdctl is a lightweight, easy-to-use CLI tool that follows the same UI/UX as Docker, which makes it simple and intuitive to use.
- Compatibility: nerdctl is fully Docker-compatible, so if you're already familiar with Docker, you'll have no trouble using nerdctl. This also means you can use it with existing Docker images and containers.
- Additional features: nerdctl comes with some additional features that aren't available in Docker, such as support for rootless mode, lazy-pulling, encrypted images, P2P image distribution, container image signing and verifying, and more.
- Security: Because nerdctl is a sub-project of containerd, it benefits from the security and stability of the containerd runtime, which has been designed with security in mind.
With the rootless mode in nerdctl, users can create and run containers without root privileges, which removes the need for the security risks associated with running containers as root. This is achieved by using new technologies like bypass4netns, which allows processes to run in namespaces without root capabilities.
Nerdctl is not a full alternative for Docker, but rather a CLI that works alongside containerd, which is the basic technology that operates Docker. In other words, containerd can be interpreted as the "heart" of the Docker containers, while nerdctl is a utility that allows you to smoothly and efficiently communicate with it. Therefore, nerdctl provides various options that accomplish tasks similar to Docker, but it is not intended to replace Docker.
As a user of Docker, I'm always looking for ways to simplify my workflow. That's why I'm excited to tell you about nerdctl. Not only does it have the same UI/UX as Docker, but it also supports Docker Compose, which is a great feature for anyone who needs to manage multiple containers.
One of the things that really stands out for me is the optional support for rootless mode. This means that I can use nerdctl without the overhead of slirp, which can be a real pain when it comes to networking. Lazy-pulling is supported too, which means I can use Stargz, Nydus, OverlayBD, and other formats without any additional hassle.
Watch a short video of nerdctl in action
Docker-compatible CLI for containerd
Slirp is a way for containers to connect to your computer's internet connection. It creates a virtual network that connects containers to the host machine. However, using Slirp can slow down the performance of containers because it adds extra work for the computer to do. In rootless mode, nerdctl uses a different way to connect containers to the host network that doesn't slow things down as much.
Here are a few examples of command lines you can use with nerdctl:
nerdctl pull: This downloads a container image from a container registry.
nerdctl run: This starts a new container and runs a command inside it.
nerdctl ps: This lists all running containers.
nerdctl stop: This stops a running container.
nerdctl compose up: This starts all the containers defined in your Docker Compose file.
Another great feature is the support for encrypted images. With ocicrypt, I can ensure that my images are secure and protected from prying eyes. And if I need to distribute my images, I can use P2P image distribution with IPFS. It's completely optional, so I don't have to worry about my host being connected to any P2P network unless I opt in to install and run the IPFS daemon.
I love that nerdctl supports container image signing and verifying with cosign. It's an added layer of security that gives me peace of mind knowing that my images are authentic.
The term "container image signing" refers to digital signature generation via a specific cryptographic key. This process ensures authenticity and prevents any unauthorized modification or tampering with the image during transit or storage. By leveraging this security approach, container deployments can be safeguarded from security breaches, unauthorized access, or file corruption. This technique is essential in ensuring the safety and reliability of container deployments particularly in production environments.
Final Notes and Thoughts
If you're looking for a tool that can simplify your container management, nerdctl is definitely worth checking out. As a user, I can attest to its ease of use and effectiveness. Give it a try and let me know what you think! If you find it useful, swing by the nerdctl Github repo and give it a star!