Nerdctl: Docker compatible containerd command line tool

Most people know and use the Docker command-line tool when working with Docker containers. However, let’s get familiar with the de facto tool for working with containerd containers: nerdctl, a robust Docker-compatible CLI. Nerdctl works in tandem with containerd, serving as a compatible CLI for containerd and offering support for many docker CLI commands. This makes it a viable option when looking to replace Docker in many scenarios. For example, the simple docker command to list containers, docker ps, translates directly into nerdctl ps.

What is Nerdctl?

Nerdctl is a command-line interface (CLI) that is designed to be a docker compatible cli for containerd, a widely-used open-source container runtime. It serves as a bridge between users and the functionalities of containerd, providing a familiar and intuitive interface that many developers have come to know through their experience with Docker.

The name “nerdctl” is a play on words, stemming from “nerd control”. Its primary goal is to make interacting with containerd as easy and as intuitive as possible for developers, IT professionals, and hobbyists alike.

Its design centers on maintaining compatibility with Docker, so a large majority of the commands you would use in Docker can be used interchangeably in nerdctl.

Rootless containers, lazy pulling, and Docker Compose support

What sets it apart are some of its unique features, courtesy of containerd when deploying containers. This includes rootless mode, which enables containers to be run without superuser privileges, adding an extra layer of security to your container operations.

Another interesting feature is “lazy pulling,” where only the necessary parts of a container image are pulled when you’re running a container, resulting in more efficient resource use and quicker start times.

It also includes support for Docker Compose through nerdctl compose commands, which makes it easier to define and run multi-container Docker applications.

This compatibility is a significant advantage for teams transitioning from Docker, as it allows them to continue using their existing Docker Compose files without any modifications.

Moreover, it supports encrypted container images, an added security feature that ensures your images are safe during transfer and storage. It’s also compatible with various Linux distributions and supports a wide range of plug-ins, giving it versatility in different operating environments.

The bottom line is this – if you are installing containerd, this is the de facto tool you should use.

Setting Up Nerdctl

To incorporate nerdctl into your system, you need to first install nerdctl along with containerd. The installation process might vary depending on your host system, such as an Ubuntu server. It requires sudo privileges.

You can download the tool from the Github repo releases page here: Releases · containerd/nerdctl (

Download nerdctl executable from the Github repository

This will pull down the archive package. You will need to unzip the file using:

tar -xzf nerdctl-1.4.0-linux-amd64.tar.gz

After unpacking the downloaded file, you can add nerdctl to your local executable directory using:

sudo mv ./nerdctl /usr/local/bin
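
A variant of the two steps above that checks the archive against a checksum file before anything reaches /usr/local/bin. This is an added example, not from the original article or the nerdctl project; the function names are hypothetical, and it assumes a SHA256SUMS file downloaded from the same releases page as the archive.

```shell
#!/bin/sh
# Added example: verify a downloaded nerdctl archive before installing it.
# Assumption: SHA256SUMS comes from the same releases page as the archive.

# verify_archive ARCHIVE SUMS_FILE
# Returns 0 only if SUMS_FILE lists ARCHIVE and the SHA-256 digest matches.
verify_archive() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    # Expected digest: first field of the line whose second field is the file
    # name (sha256sum writes "name" in text mode and "*name" in binary mode).
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 2; }
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# install_nerdctl ARCHIVE SUMS_FILE DEST_DIR
# Verifies first, unpacks into a scratch directory (not the current one),
# then installs only the nerdctl binary with mode 0755.
install_nerdctl() {
    archive=$1; sums=$2; dest=$3
    verify_archive "$archive" "$sums" || return 1
    tmp=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    install -m 0755 "$tmp/nerdctl" "$dest/nerdctl"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Use with the file names from this article (needs sudo for /usr/local/bin):
#   install_nerdctl nerdctl-1.4.0-linux-amd64.tar.gz SHA256SUMS /usr/local/bin
```

A checksum file fetched over the same channel as the archive detects corruption and mismatched downloads; it does not by itself prove who published the release.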

You should then be able to execute nerdctl:

Nerdctl tool running in Ubuntu Server

Below is a view of running the tool in a Windows environment.

Nerdctl command line tool running in Windows

Nerdctl Vs. Docker Desktop and Rancher Desktop

Docker Desktop, Nerdctl, and Rancher Desktop are all formidable tools in the realm of container management. They all support docker compose files, thereby enabling the running of docker containers. A docker compose file can be executed using nerdctl compose up, much like you would do with Docker.

Rancher Desktop includes nerdctl to interact with containerd

Nerdctl Compose: A Docker Compose Alternative

Nerdctl compose offers the ability to deploy containers similar to docker compose. This compatibility is highlighted when you use commands like nerdctl compose up -d to start all services defined in a docker compose file in detached mode.

Working with Images and Containers

Working with container images is another aspect where nerdctl performs excellently. For example, the following nerdctl command pulls an image from a container registry:

nerdctl pull nginx

You can also use the following to run an nginx container with port forwarding. It mirrors the docker CLI command, adding to its compatibility:

nerdctl run -d -p 8080:80 nginx 
Pulling a container image and running the image with nerdctl

Exactly as you would expect with the Docker command line, you can issue the nerdctl ps command to view running containers.

Getting containers with nerdctl
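
A port published as -p 8080:80 names no host address, so it is not limited to localhost. The following added example (not from the original article; the function names are hypothetical and the sample lines are constructed) filters container listings for published ports bound to every interface. It assumes nerdctl ps accepts a Go-template --format with Names and Ports fields and prints mappings in the Docker style, such as 0.0.0.0:8080->80/tcp.

```shell
#!/bin/sh
# Added example: flag containers whose published ports listen on all interfaces.
# Input: one container per line, "NAME PORTS", where PORTS is a comma-separated
# list such as "0.0.0.0:8080->80/tcp, 127.0.0.1:5000->5000/tcp".

# list_wide_open: read listing lines on stdin, print "NAME MAPPING" for every
# mapping whose host address is a wildcard (0.0.0.0 or ::).
list_wide_open() {
    awk '{
        for (i = 2; i <= NF; i++) {
            m = $i
            sub(/,$/, "", m)                 # drop the list separator
            if (m !~ /->/) continue          # exposed only, not published
            ip = m
            sub(/->.*/, "", ip)              # keep HOSTIP:HOSTPORT
            sub(/:[0-9-]+$/, "", ip)         # strip the port (or port range)
            if (ip == "0.0.0.0" || ip == "::" || ip == "[::]")
                print $1, m
        }
    }'
}

# Constructed sample listing (not real output from any host).
sample_ps_lines() {
    printf '%s\n' \
        'web 0.0.0.0:8080->80/tcp' \
        'admin 127.0.0.1:9000->9000/tcp' \
        'db' \
        'dual 0.0.0.0:8443->443/tcp, 127.0.0.1:5000->5000/tcp'
}

# Against a live host (assumed format string, see the note above):
#   nerdctl ps --format '{{.Names}} {{.Ports}}' | list_wide_open
# To keep a service local to the host, give the mapping a host address:
#   nerdctl run -d -p 127.0.0.1:8080:80 nginx
```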

Edge Features of Nerdctl: Rootless Mode and Lazy Pulling

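Rootless mode, a feature that lets you run containers without sudo privileges, and lazy pulling, which pulls only the necessary parts of the container image when running containers, are features unique to nerdctl. Rootless mode is not selected with a command-line flag: nerdctl runs rootless when a regular user invokes it against a rootless containerd, which the containerd-rootless-setuptool.sh script shipped with nerdctl sets up. For example, as a non-root user:

containerd-rootless-setuptool.sh install
nerdctl run -d -p 8080:80 nginx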

Transitioning from Docker

Transitioning from Docker to nerdctl is facilitated by the similarity of nerdctl commands to docker cli commands. As shown above, the command nerdctl run -d -p 8080:80 nginx, used to deploy an nginx container, is quite similar to the corresponding Docker command.

It makes transitioning to the nerdctl equivalent very easy and seamless as the “muscle memory” is basically the same.

Frequently Asked Questions about Nerdctl

1. How does support for Docker Compose add value for developers?

One of the key strengths is its support for Docker Compose through nerdctl compose commands. If a developer has existing Docker Compose files from their projects, they can seamlessly transition to using it without needing to rewrite or adjust these files. This saves significant time and reduces the learning curve when adopting it as a new tool.

2. Can I use it on my existing Docker Desktop setup?

Yes, it can be used alongside Docker Desktop. However, a more direct comparison would be between nerdctl and Docker CLI, as both are command-line interfaces for container management. If you’re already using Docker Desktop, you may want to explore Rancher Desktop as well, which offers integrated support for containerd and Kubernetes.

3. What does it mean that it supports running encrypted images?

Running encrypted images is a unique security feature offered. It means that the container images are encrypted at rest and during transfer, safeguarding sensitive data. This is a great feature for environments where data privacy and security are crucial.

4. Is there a performance difference between Docker and nerdctl?

While the performance of nerdctl and Docker largely depends on the specific use case, its feature of lazy pulling can offer significant performance improvements in certain scenarios. Lazy pulling only pulls necessary parts of a container image, which can lead to faster start times and more efficient resource use.

5. Why is it said that nerdctl is in ‘rootless mode’?

Running it in rootless mode means that containers can be run without superuser or sudo privileges. This is an important security advantage as it minimizes the potential damage in case of a container breakout.

6. How does it handle port forwarding for running containers?

It handles port forwarding similarly to Docker. For instance, the command nerdctl run -d -p 8080:80 nginx runs an nginx container and maps the host’s port 8080 to the container’s port 80. This makes the container’s service accessible from the host system on port 8080.

7. Is installing nerdctl and containerd a complex process?

While there are a few more steps compared to installing Docker, the process is straightforward. You would need to install containerd, followed by nerdctl. For Linux systems, this typically involves downloading the release package from the GitHub repository using wget, unpacking the package, and installing the binary.

8. What makes nerdctl a ‘cutting edge’ tool in container management?

It brings unique features of containerd like lazy pulling, support for running encrypted images, and rootless mode to users in a familiar command-line interface. Furthermore, it offers Docker compatibility, enabling developers to leverage their existing knowledge and Docker Compose files. This balance of new features and familiarity positions it as a cutting edge tool in the realm of container management.

The Future of Container Management with Nerdctl

Nerdctl serves as a significant leap forward in container management. Balancing Docker compatibility with containerd’s innovative features, it offers a streamlined, secure, and efficient solution for managing and deploying containers.

With its support for Docker Compose files and cutting-edge features like lazy pulling, rootless mode, and running encrypted images, it stands as a powerful and future-proof tool in the realm of containerization. Whether replacing Docker or simply expanding your toolbox, embracing nerdctl opens a promising pathway towards enhanced container management.
