Hi there! I'm Maneshwar. Right now, I’m building LiveAPI, a first-of-its-kind tool that helps you automatically index API endpoints across all your repositories. LiveAPI makes it easier to discover, understand, and interact with APIs in large infrastructures.
nerdctl (“contaiNERD CTL”) is a powerful command-line interface designed to work with containerd.
It offers a Docker-like user experience with full compatibility for a wide range of workflows—Compose, rootless usage, image encryption, and more (github.com).
Why nerdctl Exists
Docker UI/UX, Containerd under the hood
Enjoy the familiar `docker build`, `run`, `compose`, `push`, and `pull` commands while interfacing directly with containerd instead of Docker Engine (github.com).
Bridges the Kubernetes world
As Kubernetes phases out Docker Engine (dockershim), nerdctl fills the gap for building and managing Docker images with containerd-based runtimes.
Experimental and modern features
It supports optional capabilities like lazy pulling (eStargz, OverlayBD), encrypted images (ocicrypt), and IPFS-based peer-to-peer distribution, all built into nerdctl (github.com, blogs.halodoc.io, earthly.dev).
Core Features
Docker-Style CLI & Compose Support
Operate with Docker-like commands, including `nerdctl compose up` for multi-container stacks (github.com).
Rootless and UserNS-Remap Modes
- Rootless mode: run containers entirely as an unprivileged user using helper scripts like `containerd-rootless-setuptool.sh` (earthly.dev).
- UserNS-Remap mode (nerdctl v2.1): containerd runs as root, but containers execute under remapped UIDs for better security without compromising performance (medium.com).
Lazy Pulling and P2P Image Distribution
- Lazy pulling: start containers faster by streaming image layers on demand via snapshotters like eStargz or Nydus (earthly.dev).
- IPFS integration: push and pull container images over IPFS for decentralized image distribution using `nerdctl push ipfs://...` (earthly.dev).
Image Encryption & Signing
Secure image layers using ocicrypt: encrypt with `nerdctl image encrypt` and run encrypted images directly. Signing via cosign is also supported (github.com).
Advanced Build Support
Builds run through BuildKit on top of containerd, and newer versions (v2.x) support flags like `--attest`, `--sbom`, and `--provenance` (newreleases.io).
Example Usage
Installing nerdctl
You can download nerdctl-full
prebuilt binaries (Linux x86_64/ARM64), which bundle CNI, BuildKit, and rootless helpers (earthly.dev).
Optionally, on macOS or Windows, install Lima or Rancher Desktop, both of which include containerd + nerdctl (earthly.dev).
Running Containers
nerdctl run -it --rm alpine
nerdctl build -t myapp .
Using Docker Compose
nerdctl compose up -d
Setting Up Rootless
containerd-rootless-setuptool.sh install
# As a regular user:
nerdctl run -p 8080:80 nginx:alpine
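Rootless containerd runs through RootlessKit, which needs the setuid helpers newuidmap/newgidmap and a large enough subordinate UID/GID range for the user in /etc/subuid and /etc/subgid. The preflight check below is an added example (not code from the post or the nerdctl project) that verifies both before you run the setup tool; the sample subuid/subgid contents are constructed.

```python
import os

# Rootless containerd runs through RootlessKit, which needs the setuid helpers
# newuidmap/newgidmap and at least 65536 subordinate UIDs and GIDs for the user.
MIN_SUBIDS = 65536
REQUIRED_HELPERS = ("newuidmap", "newgidmap")

# Constructed sample /etc/subuid and /etc/subgid contents used by the checks below.
SAMPLE_SUBUID = "# user:start:count\nalice:100000:65536\nbob:165536:1000\n"
SAMPLE_SUBGID = "alice:100000:65536\nbob:165536:65536\n"


def subid_total(content: str, user: str) -> int:
    """Sum every subordinate ID range whose first field matches `user` exactly.
    Some distributions key entries by numeric UID, so call this with str(uid) too."""
    total = 0
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0] != user:
            continue
        try:
            total += int(fields[2])
        except ValueError:
            continue  # malformed count: do not credit it
    return total

def missing_helpers(path_dirs: list) -> list:
    """Helpers that are not executable in any directory of path_dirs."""
    return [h for h in REQUIRED_HELPERS
            if not any(os.access(os.path.join(d, h), os.X_OK) for d in path_dirs)]

def rootless_preflight(user: str, subuid: str, subgid: str, path_dirs: list) -> list:
    """Collect problems as strings; an empty list means the host looks ready."""
    problems = []
    for name, content in (("/etc/subuid", subuid), ("/etc/subgid", subgid)):
        got = subid_total(content, user)
        if got < MIN_SUBIDS:
            problems.append(f"{name}: {user} has {got} IDs, need at least {MIN_SUBIDS}")
    problems += [f"{h} not found on PATH" for h in missing_helpers(path_dirs)]
    return problems

if __name__ == "__main__":
    import getpass  # check the real host: current user, real files, real PATH
    with open("/etc/subuid") as f, open("/etc/subgid") as g:
        path = os.environ.get("PATH", "").split(os.pathsep)
        for p in rootless_preflight(getpass.getuser(), f.read(), g.read(), path):
            print("WARN:", p)
```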
Lazy Pulling
nerdctl --snapshotter=stargz run --rm ghcr.io/stargz-containers/python:3.7-esgz python3 -c 'print("fast pull")'
Image Encryption
nerdctl image encrypt --recipient=jwe:pub.pem foo foo:enc
nerdctl run foo:enc
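Before pushing an image produced by `nerdctl image encrypt`, confirm that every layer was actually encrypted: a plaintext layer left in a supposedly encrypted image leaks its content. The check below is an added example (not the post's or nerdctl's code) over the OCI manifest; ocicrypt appends `+encrypted` to the layer media type and stores the wrapped layer key in `org.opencontainers.image.enc.keys.*` annotations. The sample layer descriptors are constructed and the key blobs are placeholders.

```python
import json

# ocicrypt marks an encrypted layer by appending "+encrypted" to its media type and
# stores the wrapped layer key in an org.opencontainers.image.enc.keys.* annotation
# (".jwe" for the jwe: recipient used above).
ENCRYPTED_SUFFIX = "+encrypted"
KEY_ANNOTATION_PREFIX = "org.opencontainers.image.enc.keys."

# Constructed sample layer descriptors; the JWE blob is a placeholder, not a real key wrap.
ENC_LAYER = {
    "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
    "digest": "sha256:" + "b" * 64, "size": 5678,
    "annotations": {KEY_ANNOTATION_PREFIX + "jwe": "PLACEHOLDER_JWE",
                    "org.opencontainers.image.enc.pubopts": "PLACEHOLDER_OPTS"},
}
PLAIN_LAYER = {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
               "digest": "sha256:" + "c" * 64, "size": 910}
# Encrypted media type but no wrapped key at all: nobody could decrypt this layer.
KEYLESS_LAYER = {"mediaType": "application/vnd.oci.image.layer.v1.tar+encrypted",
                 "digest": "sha256:" + "d" * 64, "size": 42}

def make_manifest(layers: list) -> str:
    """Wrap layer descriptors in a minimal OCI image manifest (JSON string)."""
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": "sha256:" + "a" * 64, "size": 1234},
        "layers": layers})

def unprotected_layers(manifest_json: str) -> list:
    """Digests of layers that are plaintext, or encrypted without any key wrap."""
    bad = []
    for layer in json.loads(manifest_json).get("layers", []):
        media = layer.get("mediaType", "")
        annotations = layer.get("annotations") or {}
        has_key = any(k.startswith(KEY_ANNOTATION_PREFIX) for k in annotations)
        if not media.endswith(ENCRYPTED_SUFFIX) or not has_key:
            bad.append(layer.get("digest", "<missing digest>"))
    return bad

def is_fully_encrypted(manifest_json: str) -> bool:
    """True only when every layer is encrypted and carries a wrapped key."""
    return not unprotected_layers(manifest_json)

if __name__ == "__main__":
    import sys  # pipe the manifest JSON in, e.g. fetched from the registry's manifest endpoint
    leaks = unprotected_layers(sys.stdin.read())
    print("all layers encrypted" if not leaks else "UNPROTECTED: " + ", ".join(leaks))
```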
What’s New: nerdctl v2.1 Highlights
Released in June 2025, nerdctl v2.1 introduces:
- Support for UserNS-Remap mode, offering a balanced trade-off between security and performance (github.com, medium.com).
- Experimental gomodjail sandboxing: restrict syscall use for certain Go modules to mitigate supply-chain threats (medium.com).
Meanwhile, containerd v2.1 adds EROFS filesystem support, mountable image volumes in Kubernetes, and writable cgroupfs without root privileges (medium.com).
Feature Comparison: Nerdctl vs Docker vs Podman
Feature | Docker Engine | nerdctl (containerd) | Podman |
---|---|---|---|
CLI experience | Docker-native | Docker-compatible (docker alias) | Docker-like, but not CRI |
Compose support | Yes | Yes (nerdctl compose) | podman-compose only |
Rootless containers | Limited support | Fully supported | Fully supported |
Lazy pulling / IPFS / encryption | Partial or missing | Yes | Mostly not supported |
Kubernetes/CRI compatibility | via dockershim (deprecated) | Native | Not CRI-compatible |
Podman is popular for daemonless rootless workflows but is not ideal in Kubernetes environments since it doesn't support CRI, while nerdctl is fully CRI-compatible, making it a better fit for containerd-based Kubernetes setups (blog.devops.dev, github.com, blogs.halodoc.io).
When Should You Use nerdctl?
- You want a Docker‑style tooling experience without Docker Engine.
- You're working in Kubernetes or K3s, where containerd is the default runtime.
- You value rootless execution, lazy pulling, image encryption, or IPFS-native distribution.
- You appreciate modern container/image management with features for supply-chain security.
Tips & Gotchas
- Ensure you install `nerdctl-full` if you rely on Compose, rootless mode, or BuildKit.
- Use `containerd-rootless-setuptool.sh` for rootless setup; it is sometimes not included in package-managed installs (like on NixOS) (blogs.halodoc.io, earthly.dev, github.com, discourse.nixos.org).
- After upgrading between major versions (e.g. from 1.x to 2.x), re-install the rootless setup (`uninstall` then `install`) and recreate the config (newreleases.io).
Conclusion
nerdctl is the go-to CLI for anyone replacing Docker with containerd: it feels familiar, supports advanced container features, and plays seamlessly with Kubernetes.
With active development and a recent v2.1 release packed with finance-grade enhancements, nerdctl is ready for modern, secure, high-performance container management.
LiveAPI helps you get all your backend APIs documented in a few minutes.
With LiveAPI, you can generate interactive API docs that allow users to search and execute endpoints directly from the browser.
If you're tired of updating Swagger manually or syncing Postman collections, give it a shot.
Top comments (1)
Love how you broke down where nerdctl shines for Kubernetes/containerd teams - lazy pulling alone is such a time saver. Did you run into any surprise hurdles migrating existing Docker Compose workflows?