containerd/nerdctl

Features

• Docker-Compatible CLI Tools - A command-line tool that manages containers and images using containerd as the runtime, with Docker-compatible syntax and Compose support.
• BuildKit-Based Builds - Builds container images from a Dockerfile using BuildKit with standard build commands and output options.
• Containerd gRPC API Bridges - Translates Docker CLI commands into containerd's native gRPC API calls for container lifecycle management.
• Docker Container Execution - Runs and manages containers with the same command-line interface and flags as Docker, including support for Compose workflows.
• BuildKit Build Delegations - Delegates image building to BuildKit's concurrent, cache-efficient build engine through a dedicated client-server protocol.
• Docker CLI Compatibility Layers - Maps Docker command syntax and flags to containerd's native API calls for seamless migration.
• Rootless Container Runtimes - Launches and manages containers without root privileges to reduce the attack surface of the container runtime.
• BuildKit Client Integrations - Delegates image building to BuildKit's concurrent build engine through a dedicated client-server protocol.
• Rootless Container Runtimes - Maps container processes to unprivileged user namespaces, enabling rootless container execution without host kernel escalation.
• Container Image Layer Loaders - Starts containers before full image download by fetching only metadata and on-demand layers.
• Containerd Namespace Debugging - Provides direct debugging of Kubernetes containers by targeting the containerd namespace.
• Compose Orchestrators - Orchestrates multi-container applications defined in a docker-compose.yaml file with a single command.
• On-Demand Layer Loading - Pulls image layers only when a container starts, reducing initial download time and storage use.
• eStargz Lazy Pulling Clients - Starts containers before full image download by fetching only the metadata and on-demand layers from eStargz-formatted images.
• Image Encryption - Encrypts image layers during push and decrypts them on pull, protecting sensitive content at rest and in transit.
• Image Encryptions - Encrypts and decrypts container image layers using OCIcrypt specifications with configurable cryptographic keys.
• IPFS-Based Distribution - A container image distribution tool that pulls and runs images from content-addressed identifiers on a peer-to-peer network.
• Local Image Loading - Loads container image archives in Docker or OCI format directly into a local Kubernetes cluster without needing a registry.
• Container Image Distributions - Pulls and runs container images from IPFS using content-addressed hashes instead of registry-based references.
• Container Image Signing - Signs images during push and verifies signatures on pull using cosign, ensuring image integrity and authenticity.
• Image Signing and Encryption - Encrypts, decrypts, signs, and verifies container images to protect content at rest and in transit.
• Transport Layer Encryption - Encrypts and decrypts container image layers using OCIcrypt specifications with configurable keys.

Star history