# containerd/nerdctl **Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/containerd-nerdctl).** 10,172 stars · 793 forks · Go · Apache-2.0 ## Links - GitHub: https://github.com/containerd/nerdctl - awesome-repositories: https://awesome-repositories.com/repository/containerd-nerdctl.md ## Topics `containerd` ## Description nerdctl is a command-line tool that manages containers and images using containerd as the runtime, providing a Docker-compatible interface for container lifecycle management. It supports running containers with the same command syntax and flags as Docker, including multi-container Compose workflows, and enables rootless container execution without host kernel escalation. The tool extends beyond basic container management with several advanced distribution and security capabilities. It can start containers before full image download by fetching only metadata and on-demand layers from eStargz-formatted images, and can pull and run images from content-addressed identifiers on a peer-to-peer IPFS network. For security, it encrypts and decrypts image layers using OCIcrypt specifications with configurable cryptographic keys, and signs and verifies images using cosign. nerdctl also integrates with Kubernetes for debugging and image management, allowing inspection of running containers and reading their logs by targeting the k8s.io containerd namespace, as well as loading image archives directly into a local cluster without needing a registry. Image building is handled through BuildKit delegation, supporting standard build commands and output options from a Dockerfile. ## Tags ### DevOps & Infrastructure - [Docker-Compatible CLI Tools](https://awesome-repositories.com/f/devops-infrastructure/container-image-registries/registry-discovery/containerd-runtime-discovery/docker-compatible-cli-tools.md) — A command-line tool that manages containers and images using containerd as the runtime, with Docker-compatible syntax and Compose support. - [Containerd gRPC API Bridges](https://awesome-repositories.com/f/devops-infrastructure/container-image-registries/registry-discovery/containerd-runtime-discovery/containerd-grpc-api-bridges.md) — Translates Docker CLI commands into containerd's native gRPC API calls for container lifecycle management. - [Docker Container Execution](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/container-runtimes/runtime-configuration-interfaces/docker-socket-orchestrators/docker-target-configurators/docker-container-deployments/docker-container-execution.md) — Runs and manages containers with the same command-line interface and flags as Docker, including support for Compose workflows. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) - [BuildKit Build Delegations](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/image-management-tools/container-image-caching/build-layer-caching/buildkit-build-delegations.md) — Delegates image building to BuildKit's concurrent, cache-efficient build engine through a dedicated client-server protocol. - [Compose Orchestrators](https://awesome-repositories.com/f/devops-infrastructure/compose-orchestrators.md) — Orchestrates multi-container applications defined in a docker-compose.yaml file with a single command. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) - [On-Demand Layer Loading](https://awesome-repositories.com/f/devops-infrastructure/container-image-layering/on-demand-layer-loading.md) — Pulls image layers only when a container starts, reducing initial download time and storage use. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) - [eStargz Lazy Pulling Clients](https://awesome-repositories.com/f/devops-infrastructure/container-image-management/remote-image-pulling/estargz-lazy-pulling-clients.md) — Starts containers before full image download by fetching only the metadata and on-demand layers from eStargz-formatted images. - [Image Encryption](https://awesome-repositories.com/f/devops-infrastructure/container-images/image-decryption/image-encryption.md) — Encrypts image layers during push and decrypts them on pull, protecting sensitive content at rest and in transit. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) - [Image Encryptions](https://awesome-repositories.com/f/devops-infrastructure/container-images/image-decryption/image-encryptions.md) — Encrypts and decrypts container image layers using OCIcrypt specifications with configurable cryptographic keys. - [IPFS-Based Distribution](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/image-management-tools/container-image-distribution/peer-to-peer-mirrors/ipfs-based-distribution.md) — A container image distribution tool that pulls and runs images from content-addressed identifiers on a peer-to-peer network. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) - [Local Image Loading](https://awesome-repositories.com/f/devops-infrastructure/local-image-loading.md) — Loads container image archives in Docker or OCI format directly into a local Kubernetes cluster without needing a registry. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) ### Part of an Awesome List - [BuildKit-Based Builds](https://awesome-repositories.com/f/awesome-lists/devtools/image-build-and-analysis/custom-image-builds/buildkit-based-builds.md) — Builds container images from a Dockerfile using BuildKit with standard build commands and output options. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) ### Operating Systems & Systems Programming - [Docker CLI Compatibility Layers](https://awesome-repositories.com/f/operating-systems-systems-programming/api-compatibility-layers/docker-cli-compatibility-layers.md) — Maps Docker command syntax and flags to containerd's native API calls for seamless migration. ### Security & Cryptography - [Rootless Container Runtimes](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security/container-security/rootless-container-runtimes.md) — Launches and manages containers without root privileges to reduce the attack surface of the container runtime. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) - [Container Image Signing](https://awesome-repositories.com/f/security-cryptography/code-signing/container-image-signing.md) — Signs images during push and verifies signatures on pull using cosign, ensuring image integrity and authenticity. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) - [Image Signing and Encryption](https://awesome-repositories.com/f/security-cryptography/code-signing/container-image-signing/image-signing-and-encryption.md) — Encrypts, decrypts, signs, and verifies container images to protect content at rest and in transit. - [Transport Layer Encryption](https://awesome-repositories.com/f/security-cryptography/transport-layer-encryption.md) — Encrypts and decrypts container image layers using OCIcrypt specifications with configurable keys. ### Software Engineering & Architecture - [BuildKit Client Integrations](https://awesome-repositories.com/f/software-engineering-architecture/client-server-architecture/buildkit-client-integrations.md) — Delegates image building to BuildKit's concurrent build engine through a dedicated client-server protocol. - [Rootless Container Runtimes](https://awesome-repositories.com/f/software-engineering-architecture/execution-control/namespace-isolation/user-namespace-mappings/rootless-container-runtimes.md) — Maps container processes to unprivileged user namespaces, enabling rootless container execution without host kernel escalation. ### Web Development - [Container Image Layer Loaders](https://awesome-repositories.com/f/web-development/data-fetching-caching/on-demand-loaders/container-image-layer-loaders.md) — Starts containers before full image download by fetching only metadata and on-demand layers. ### Development Tools & Productivity - [Containerd Namespace Debugging](https://awesome-repositories.com/f/development-tools-productivity/application-debugging/remote-debugging/kubernetes-pod-debugging/containerd-namespace-debugging.md) — Provides direct debugging of Kubernetes containers by targeting the containerd namespace. ([source](https://cdn.jsdelivr.net/gh/containerd/nerdctl@main/README.md)) ### Networking & Communication - [Container Image Distributions](https://awesome-repositories.com/f/networking-communication/content-addressable-transfers/container-image-distributions.md) — Pulls and runs container images from IPFS using content-addressed hashes instead of registry-based references.