Containers have transformed the way applications are developed and deployed. They provide isolation, portability, and scalability — making them the backbone of modern cloud and Kubernetes environments.
But as the container ecosystem has evolved, so has its tooling. Two names that often appear side by side today are Docker and nerdctl. Both let you run containers, pull images, and build applications, yet they differ deeply under the hood.
This article breaks down what each tool is, how they’re connected, and why nerdctl is becoming increasingly important in the Kubernetes era.
🧩 1. The Background: Why Containers Exist
Before diving into tools, it helps to understand why containers exist in the first place.
Traditional virtual machines (VMs) package everything — the OS, binaries, libraries, and application — into one heavy unit. Containers take a lighter approach. They share the host’s kernel but isolate processes and filesystems, allowing you to run multiple lightweight workloads on the same machine.
That’s where Docker entered the story. Around 2013, Docker made containers accessible to everyone with an easy CLI and image format. What used to require manual `chroot` and `cgroups` configurations could now be done with a simple:
docker run nginx
⚙️ 2. How Docker Works Behind the Scenes
Docker isn’t just a single tool — it’s a platform made up of multiple components:
Docker CLI → Docker Daemon (dockerd) → containerd → runc
- Docker CLI: The command-line interface you interact with (`docker run`, `docker ps`, etc.).
- dockerd: The Docker daemon, which handles image pulls, builds, networking, and lifecycle management.
- containerd: A lower-level runtime responsible for managing containers and images.
- runc: The OCI (Open Container Initiative) runtime that actually creates and runs the container processes.
So, even when you type `docker run`, the heavy lifting is done by containerd and runc — Docker just wraps them with a developer-friendly interface.
⚡ 3. Kubernetes Steps In
When Kubernetes was introduced, it needed a way to talk to container runtimes like Docker, CRI-O, or containerd. Initially, Kubernetes used a “bridge” called dockershim to communicate with Docker.
However, this added complexity. Kubernetes was talking to Docker → which talked to containerd → which talked to runc. Too many layers, too much overhead.
So, in 2022, Kubernetes deprecated dockershim and started using containerd directly through the Container Runtime Interface (CRI). From Kubernetes v1.24 onward, Docker is no longer the default runtime — containerd is.
🧠 4. Enter nerdctl — The Native CLI for containerd
The shift away from Docker created a practical problem:
Containerd doesn’t come with a user-friendly CLI. Its default tool, `ctr`, is low-level and difficult to use.
To fill that gap, the containerd project introduced nerdctl — a lightweight, Docker-compatible CLI that speaks directly to containerd.
Here’s the new flow:
nerdctl → containerd → runc
It does almost everything Docker can do — pull images, run containers, show logs, build images, and even run Compose files — without needing the Docker daemon.
🔍 5. Feature Comparison
Feature | Docker | nerdctl
---|---|---
Daemon | Requires dockerd service | Talks directly to containerd
Used by Kubernetes | Deprecated since v1.24 | Native default runtime
Command Compatibility | Full CLI | Nearly identical
Rootless Containers | Limited | Fully supported
Networking | Custom Docker bridge | CNI plugins (like Kubernetes)
Compose Support | Built-in | Optional (`nerdctl compose`)
Performance | Slightly slower (extra layer) | Faster (no dockerd)
Resource Footprint | Heavier | Lightweight
Integration | Best for developers | Best for clusters & DevOps
🔧 6. Real-World Examples
Using Docker:
docker pull nginx
docker run -d -p 8080:80 --name web nginx
docker ps
Using nerdctl:
sudo nerdctl pull nginx
sudo nerdctl run -d -p 8080:80 --name web nginx
sudo nerdctl ps
You’ll notice the syntax is practically identical.
The difference is who the CLI talks to — Docker CLI sends instructions to the Docker daemon, while nerdctl communicates directly with containerd’s socket (`/run/containerd/containerd.sock`).
🧩 7. Why nerdctl Matters for Kubernetes Users
If you’re managing Kubernetes clusters, nerdctl is invaluable.
It lets you:
- Inspect containerd namespaces (like `k8s.io`)
- View the exact containers Kubernetes has launched
- Debug workloads without relying on Docker
- Run rootless containers for enhanced security
For example:
sudo nerdctl --namespace k8s.io ps
This shows you the containers running under Kubernetes — something `docker ps` can’t do on a containerd-based node.
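Because the two CLIs share their subcommand syntax (the side-by-side commands in section 6), a script can be written once and pointed at whichever binary is installed; the one real difference on a containerd node is nerdctl's `--namespace` flag from the `k8s.io` example above, which docker does not have. The wrapper below is an added example, not code from the post or from the nerdctl project. It assumes nerdctl should be preferred when both are present, and, like the post's examples, it leaves adding `sudo` to you when the runtime socket is not writable by your user.

```shell
#!/bin/sh
# Added example (not from the original post or the nerdctl project): run the same
# "ps" through whichever Docker-compatible CLI is installed. Preferring nerdctl
# over docker is an assumption: on a containerd-only node it is the one that can
# see the k8s.io namespace.

# Print the first CLI found on PATH; exit status 1 if neither is installed.
pick_cli() {
    for c in nerdctl docker; do
        if command -v "$c" >/dev/null 2>&1; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# Build the "ps" command line for a given CLI. nerdctl scopes containers by
# containerd namespace, so it receives --namespace; docker has no namespaces,
# so the argument is dropped there (only "default" has a docker equivalent).
ps_cmd() {
    cli=$1
    ns=${2:-default}
    case "$cli" in
        nerdctl) printf '%s --namespace %s ps\n' "$cli" "$ns" ;;
        docker)  printf '%s ps\n' "$cli" ;;
        *)       echo "unsupported CLI: $cli" >&2; return 2 ;;
    esac
}

# List the containers Kubernetes launched (k8s.io) when nerdctl is present,
# otherwise fall back to plain "docker ps". Prefix sudo yourself if your user
# cannot open the runtime socket, as the post's examples do.
main() {
    cli=$(pick_cli) || { echo "no container CLI found on PATH" >&2; return 1; }
    cmd=$(ps_cmd "$cli" k8s.io)
    echo "+ $cmd"
    $cmd
}

# Only execute when invoked as "sh ps-wrapper.sh run"; sourcing the file just
# defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Invoke it as `sh ps-wrapper.sh run` (the file name is an assumption) to execute the built command; the functions can also be sourced into another script. The stub executables used to exercise `pick_cli` in testing are constructed, not real CLIs.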
🔐 8. Rootless Containers: The Security Edge
Rootless mode is one of nerdctl’s biggest advantages. It allows users to run containers without root privileges, improving isolation and minimizing attack surface — something Docker still struggles with in production environments.
With nerdctl:
nerdctl run --name demo --net host --privileged=false alpine echo "Hello Rootless"
The container runs fully isolated under your user account, not as root.
🚀 9. The Future of Containers
Docker isn’t going away — it remains a fantastic developer tool, especially for local environments, CI pipelines, and small-scale deployments. But for production Kubernetes clusters, containerd and nerdctl represent the modern, lightweight, standards-based future.
Most managed Kubernetes platforms (EKS, GKE, AKS, OpenShift, K3s, etc.) now use containerd underneath. So understanding nerdctl is essential for any Kubernetes administrator or DevOps engineer.
🏁 10. Final Thoughts
Docker revolutionized the container world; it made containers accessible and usable.
But as infrastructure matured, the industry moved toward more modular, open runtimes.
nerdctl is the natural next step — a bridge between developer convenience and Kubernetes-native simplicity.
In simple words:
Docker is where containers started.
nerdctl is where Kubernetes wants them to be.