Nerdctl 是一个专为 containerd 环境设计的容器运行时工具,它与 Docker 语法兼容,提供了类似的命令行接口,但专注于更高效的容器管理。以下是关于 Nerdctl 的详细介绍:
nerdctl 是 containerd 的一个非核心子项目。
核心特点
- 轻量级设计:作为 containerd 的原生客户端,避免了不必要的组件层级,提升性能。
- Kubernetes 集成:无缝对接 Kubernetes 生态,支持
kubelet直接调用。 - 兼容 Docker:大部分 Docker 命令可直接替换为
nerdctl使用。 - 安全增强:默认启用 cgroups v2 和 seccomp 等安全特性。
基础命令示例
# 拉取镜像
nerdctl pull nginx:alpine
# 运行容器
nerdctl run -d -p 8080:80 --name web nginx:alpine
# 列出容器
nerdctl ps
# 构建镜像
nerdctl build -t myapp:v1 .
# 推送镜像
nerdctl push myapp:v1
与 Kubernetes 协同
Nerdctl 可直接操作 Kubernetes 节点上的容器:
# 在节点上执行命令
kubectl exec -it node-name -- bash
nerdctl ps # 查看该节点上的所有容器
安装方法
下载地址:
https://github.com/containerd/nerdctl/releases
手动安装最新版本
# 1. 下载预编译二进制文件(替换为最新版本)
VERSION=$(curl -s https://api.github.com/repos/containerd/nerdctl/releases/latest | grep 'tag_name' | cut -d'"' -f4)
ARCH=$(uname -m)
curl -LO https://github.com/containerd/nerdctl/releases/download/${VERSION}/nerdctl-${VERSION#v}-linux-${ARCH}.tar.gz
# 2. 解压并安装
sudo tar -C /usr/local/bin -xzf nerdctl-${VERSION#v}-linux-${ARCH}.tar.gz
配置示例
完整参考:
https://github.com/containerd/nerdctl/blob/main/docs/config.md
修改 /etc/nerdctl/nerdctl.toml 配置文件:
# This is an example of /etc/nerdctl/nerdctl.toml .
# Unrelated to the daemon's /etc/containerd/config.toml .
debug = false
debug_full = false
address = "unix:///run/k3s/containerd/containerd.sock"
namespace = "k8s.io"
snapshotter = "stargz"
cgroup_manager = "cgroupfs"
hosts_dir = ["/etc/containerd/certs.d", "/etc/docker/certs.d"]
experimental = true
userns_remap = ""
dns = ["8.8.8.8", "1.1.1.1"]
dns_opts = ["ndots:1", "timeout:2"]
dns_search = ["example.com", "example.org"]
Properties
| TOML property | CLI flag | Env var | Description | Availability |
|---|---|---|---|---|
debug |
--debug |
Debug mode | Since 0.16.0 | |
debug_full |
--debug-full |
Debug mode (with full output) | Since 0.16.0 | |
address |
--address,--host,-a,-H |
$CONTAINERD_ADDRESS |
containerd address | Since 0.16.0 |
namespace |
--namespace,-n |
$CONTAINERD_NAMESPACE |
containerd namespace | Since 0.16.0 |
snapshotter |
--snapshotter,--storage-driver |
$CONTAINERD_SNAPSHOTTER |
containerd snapshotter | Since 0.16.0 |
cni_path |
--cni-path |
$CNI_PATH |
CNI binary directory | Since 0.16.0 |
cni_netconfpath |
--cni-netconfpath |
$NETCONFPATH |
CNI config directory | Since 0.16.0 |
data_root |
--data-root |
Persistent state directory | Since 0.16.0 | |
cgroup_manager |
--cgroup-manager |
cgroup manager | Since 0.16.0 | |
insecure_registry |
--insecure-registry |
Allow insecure registry | Since 0.16.0 | |
hosts_dir |
--hosts-dir |
certs.d directory |
Since 0.16.0 | |
experimental |
--experimental |
NERDCTL_EXPERIMENTAL |
Enable experimental features | Since 0.22.3 |
host_gateway_ip |
--host-gateway-ip |
NERDCTL_HOST_GATEWAY_IP |
IP address that the special ‘host-gateway’ string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host | Since 1.3.0 |
bridge_ip |
--bridge-ip |
NERDCTL_BRIDGE_IP |
IP address for the default nerdctl bridge network, e.g., 10.1.100.1/24 | Since 2.0.1 |
kube_hide_dupe |
--kube-hide-dupe |
Deduplicate images for Kubernetes with namespace k8s.io, no more redundant ones are displayed | Since 2.0.3 | |
cdi_spec_dirs |
--cdi-spec-dirs |
The folders to use when searching for CDI (container-device-interface) specifications. | Since 2.1.0 | |
userns_remap |
--userns-remap |
Support idmapping of containers. This options is only supported on rootful linux. If host is passed, no idmapping is done. if a user name is passed, it does idmapping based on the uidmap and gidmap ranges specified in /etc/subuid and /etc/subgid respectively. |
Since 2.1.0 | |
dns |
Set global DNS servers for containers | Since 2.1.3 | ||
dns_opts |
Set global DNS options for containers | Since 2.1.3 | ||
dns_search |
Set global DNS search domains for containers | Since 2.1.3 |