nerdctl - a Docker-compatible command-line interface for containerd
Contents
- Core features
- Basic command examples
- Working with Kubernetes
- Installation
- Configuration example
- Full reference
- Properties
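nerdctl is a container command-line tool designed for containerd environments. It is compatible with Docker syntax and offers a similar command-line interface, while focusing on more efficient container management. The sections below describe it in detail.
nerdctl is a non-core sub-project of containerd.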
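Core features
- Lightweight design: as a native client for containerd, it avoids unnecessary component layers, which improves performance.
- Kubernetes integration: it fits seamlessly into the Kubernetes ecosystem and supports direct invocation by kubelet.
- Docker compatibility: most Docker commands work unchanged when docker is replaced with nerdctl.
- Security hardening: security features such as cgroups v2 and seccomp are enabled by default.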
Basic command examples
# Pull an image
nerdctl pull nginx:alpine

# Run a container
nerdctl run -d -p 8080:80 --name web nginx:alpine

# List containers
nerdctl ps

# Build an image
nerdctl build -t myapp:v1 .

# Push an image
nerdctl push myapp:v1
Working with Kubernetes
nerdctl can operate directly on the containers running on a Kubernetes node:
# Run commands on the node
kubectl exec -it node-name -- bash
nerdctl ps # List all containers on that node
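Installation
Download location:
https://github.com/containerd/nerdctl/releases
Manually install the latest version
# 1. Download the prebuilt binary archive (VERSION is set to the latest release tag)
VERSION=$(curl -s https://api.github.com/repos/containerd/nerdctl/releases/latest | grep 'tag_name' | cut -d'"' -f4)
# Release file names use amd64/arm64, not the x86_64/aarch64 printed by uname -m
ARCH=$(uname -m)
case "$ARCH" in x86_64) ARCH=amd64 ;; aarch64) ARCH=arm64 ;; esac
curl -LO "https://github.com/containerd/nerdctl/releases/download/${VERSION}/nerdctl-${VERSION#v}-linux-${ARCH}.tar.gz"

# 2. Extract and install
sudo tar -C /usr/local/bin -xzf "nerdctl-${VERSION#v}-linux-${ARCH}.tar.gz"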
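
The install step above extracts a downloaded tarball into /usr/local/bin as root, so the following added example (not from the original page or the nerdctl project) checks the tarball against a sha256sum-format checksum list before extracting it. It assumes a checksum file, called SHA256SUMS here, was downloaded from the same release page; the function names verify_asset and verified_extract are hypothetical.

```shell
#!/bin/sh
# Added example (not from the nerdctl project): check a release tarball against
# a sha256sum-format checksum list before anything is extracted as root.

# verify_asset SUMS_FILE ASSET
# 0 = digest matches, 1 = mismatch, 2 = file missing, 3 = no single usable entry.
verify_asset() {
    sums_file=$1
    asset=$2
    name=$(basename "$asset")

    [ -r "$sums_file" ] || { echo "cannot read $sums_file" >&2; return 2; }
    [ -f "$asset" ] || { echo "cannot find $asset" >&2; return 2; }

    # Lines look like "<hex>  <name>" or "<hex> *<name>". Accept the entry only
    # if the file name is listed exactly once, so a duplicate line cannot win.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { digest = tolower($1); hits++ }
        END { if (hits == 1) print digest }' "$sums_file")

    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "no single SHA-256 entry for $name in $sums_file" >&2
        return 3
    fi

    actual=$(sha256sum "$asset" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $name" >&2
        return 1
    fi
}

# verified_extract SUMS_FILE ASSET DEST_DIR
# Unpacks the tarball only after the digest check has passed.
verified_extract() {
    verify_asset "$1" "$2" || return $?
    tar -C "$3" -xzf "$2"
}
```

Run it as, for example, sudo sh -c '. ./verify.sh; verified_extract SHA256SUMS nerdctl-<version>-linux-<arch>.tar.gz /usr/local/bin', where verify.sh is an assumed file name for the block above. The check is only as trustworthy as the source of the checksum file itself.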
Configuration example
Full reference:
https://github.com/containerd/nerdctl/blob/main/docs/config.md
Edit the /etc/nerdctl/nerdctl.toml configuration file:
# This is an example of /etc/nerdctl/nerdctl.toml .
# Unrelated to the daemon's /etc/containerd/config.toml .

debug = false
debug_full = false
address = "unix:///run/k3s/containerd/containerd.sock"
namespace = "k8s.io"
snapshotter = "stargz"
cgroup_manager = "cgroupfs"
hosts_dir = ["/etc/containerd/certs.d", "/etc/docker/certs.d"]
experimental = true
userns_remap = ""
dns = ["8.8.8.8", "1.1.1.1"]
dns_opts = ["ndots:1", "timeout:2"]
dns_search = ["example.com", "example.org"]
Properties
| TOML property | CLI flag | Env var | Description | Availability |
|---|---|---|---|---|
| debug | --debug | | Debug mode | Since 0.16.0 |
| debug_full | --debug-full | | Debug mode (with full output) | Since 0.16.0 |
| address | --address, --host, -a, -H | $CONTAINERD_ADDRESS | containerd address | Since 0.16.0 |
| namespace | --namespace, -n | $CONTAINERD_NAMESPACE | containerd namespace | Since 0.16.0 |
| snapshotter | --snapshotter, --storage-driver | $CONTAINERD_SNAPSHOTTER | containerd snapshotter | Since 0.16.0 |
| cni_path | --cni-path | $CNI_PATH | CNI binary directory | Since 0.16.0 |
| cni_netconfpath | --cni-netconfpath | $NETCONFPATH | CNI config directory | Since 0.16.0 |
| data_root | --data-root | | Persistent state directory | Since 0.16.0 |
| cgroup_manager | --cgroup-manager | | cgroup manager | Since 0.16.0 |
| insecure_registry | --insecure-registry | | Allow insecure registry | Since 0.16.0 |
| hosts_dir | --hosts-dir | | certs.d directory | Since 0.16.0 |
| experimental | --experimental | NERDCTL_EXPERIMENTAL | Enable experimental features | Since 0.22.3 |
| host_gateway_ip | --host-gateway-ip | NERDCTL_HOST_GATEWAY_IP | IP address that the special ‘host-gateway’ string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host | Since 1.3.0 |
| bridge_ip | --bridge-ip | NERDCTL_BRIDGE_IP | IP address for the default nerdctl bridge network, e.g., 10.1.100.1/24 | Since 2.0.1 |
| kube_hide_dupe | --kube-hide-dupe | | Deduplicate images for Kubernetes with namespace k8s.io, no more redundant ones are displayed | Since 2.0.3 |
| cdi_spec_dirs | --cdi-spec-dirs | | The folders to use when searching for CDI (container-device-interface) specifications. | Since 2.1.0 |
| userns_remap | --userns-remap | | Support idmapping of containers. This option is only supported on rootful Linux. If host is passed, no idmapping is done. If a user name is passed, it does idmapping based on the uidmap and gidmap ranges specified in /etc/subuid and /etc/subgid respectively. | Since 2.1.0 |
| dns | | | Set global DNS servers for containers | Since 2.1.3 |
| dns_opts | | | Set global DNS options for containers | Since 2.1.3 |
| dns_search | | | Set global DNS search domains for containers | Since 2.1.3 |