nerdctl - 兼容 Docker 语法的 containerd 命令行界面-优快云博客

本文链接：https://blog.youkuaiyun.com/cui_win/article/details/149396966

核心特点

轻量级设计：作为 containerd 的原生客户端，避免了不必要的组件层级，提升性能。
Kubernetes 集成：无缝对接 Kubernetes 生态，支持 kubelet 直接调用。
兼容 Docker：大部分 Docker 命令可直接替换为 nerdctl 使用。
安全增强：默认启用 cgroups v2 和 seccomp 等安全特性。

基础命令示例

# 拉取镜像
nerdctl pull nginx:alpine

# 运行容器
nerdctl run -d -p 8080:80 --name web nginx:alpine

# 列出容器
nerdctl ps

# 构建镜像
nerdctl build -t myapp:v1 .

# 推送镜像
nerdctl push myapp:v1

与 Kubernetes 协同

Nerdctl 可直接操作 Kubernetes 节点上的容器：

# 在节点上执行命令
kubectl exec -it node-name -- bash
nerdctl ps  # 查看该节点上的所有容器

安装方法

下载地址：
https://github.com/containerd/nerdctl/releases

手动安装最新版本

# 1. 下载预编译二进制文件（替换为最新版本）
VERSION=$(curl -s https://api.github.com/repos/containerd/nerdctl/releases/latest | grep 'tag_name' | cut -d'"' -f4)
ARCH=$(uname -m)
curl -LO https://github.com/containerd/nerdctl/releases/download/${VERSION}/nerdctl-${VERSION#v}-linux-${ARCH}.tar.gz

# 2. 解压并安装
sudo tar -C /usr/local/bin -xzf nerdctl-${VERSION#v}-linux-${ARCH}.tar.gz

配置示例

完整参考：

https://github.com/containerd/nerdctl/blob/main/docs/config.md

修改 /etc/nerdctl/nerdctl.toml 配置文件：

# This is an example of /etc/nerdctl/nerdctl.toml .
# Unrelated to the daemon's /etc/containerd/config.toml .

debug          = false
debug_full     = false
address        = "unix:///run/k3s/containerd/containerd.sock"
namespace      = "k8s.io"
snapshotter    = "stargz"
cgroup_manager = "cgroupfs"
hosts_dir      = ["/etc/containerd/certs.d", "/etc/docker/certs.d"]
experimental   = true
userns_remap   = ""
dns            = ["8.8.8.8", "1.1.1.1"]
dns_opts       = ["ndots:1", "timeout:2"]
dns_search     = ["example.com", "example.org"]

Properties

TOML property	CLI flag	Env var	Description	Availability
`debug`	`--debug`		Debug mode	Since 0.16.0
`debug_full`	`--debug-full`		Debug mode (with full output)	Since 0.16.0
`address`	`--address`,`--host`,`-a`,`-H`	`$CONTAINERD_ADDRESS`	containerd address	Since 0.16.0
`namespace`	`--namespace`,`-n`	`$CONTAINERD_NAMESPACE`	containerd namespace	Since 0.16.0
`snapshotter`	`--snapshotter`,`--storage-driver`	`$CONTAINERD_SNAPSHOTTER`	containerd snapshotter	Since 0.16.0
`cni_path`	`--cni-path`	`$CNI_PATH`	CNI binary directory	Since 0.16.0
`cni_netconfpath`	`--cni-netconfpath`	`$NETCONFPATH`	CNI config directory	Since 0.16.0
`data_root`	`--data-root`		Persistent state directory	Since 0.16.0
`cgroup_manager`	`--cgroup-manager`		cgroup manager	Since 0.16.0
`insecure_registry`	`--insecure-registry`		Allow insecure registry	Since 0.16.0
`hosts_dir`	`--hosts-dir`		`certs.d` directory	Since 0.16.0
`experimental`	`--experimental`	`NERDCTL_EXPERIMENTAL`	Enable experimental features	Since 0.22.3
`host_gateway_ip`	`--host-gateway-ip`	`NERDCTL_HOST_GATEWAY_IP`	IP address that the special ‘host-gateway’ string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host	Since 1.3.0
`bridge_ip`	`--bridge-ip`	`NERDCTL_BRIDGE_IP`	IP address for the default nerdctl bridge network, e.g., 10.1.100.1/24	Since 2.0.1
`kube_hide_dupe`	`--kube-hide-dupe`		Deduplicate images for Kubernetes with namespace k8s.io, no more redundant ones are displayed	Since 2.0.3
`cdi_spec_dirs`	`--cdi-spec-dirs`		The folders to use when searching for CDI (container-device-interface) specifications.	Since 2.1.0
`userns_remap`	`--userns-remap`		Support idmapping of containers. This options is only supported on rootful linux. If `host` is passed, no idmapping is done. if a user name is passed, it does idmapping based on the uidmap and gidmap ranges specified in /etc/subuid and /etc/subgid respectively.	Since 2.1.0
`dns`			Set global DNS servers for containers	Since 2.1.3
`dns_opts`			Set global DNS options for containers	Since 2.1.3
`dns_search`			Set global DNS search domains for containers	Since 2.1.3