SlideShare a Scribd company logo
Why was nerdctl made?
https://github.com/containerd/nerdctl
Akihiro Suda, NTT
Container Plumbing Days 2023 (March 23)
2
nerdctl: contaiNERD CTL
• Docker-compatible CLI for containerd (and buildkitd)
alias docker=nerdctl
• Made for facilitating new experiments in the containerd platform
• The experimental features can be safely turned off for production
environments (export NERDCTL_EXPERIMENTAL=0)
• Useful for debugging Kubernetes nodes too
https://github.com/containerd/nerdctl
3
Demo
$ nerdctl run ...
$ nerdctl compose up ...
• Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD
• Registry-less P2P image distribution with IPFS *
• Image encryption with OCIcrypt *
• Image signing with Cosign / Notation *
• “Real” read-only mounts with mount_setattr
• Slirp-less rootless containers with bypass4netns *
• Interactive debugging of Dockerfiles, with buildg *
4
Novel features of containerd & nerdctl
* = Experimental
• Lazy-pulling: pulling image contents on demand
• No need to pull an entire image
• Several formats are being proposed
5
Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD
Format Implementation for containerd Description
eStargz github.com/containerd/stargz-snapshotter
Optimizes gzip granularity for seek()-ability;
Forward compatible with OCI v1 tar.gz
SOCI github.com/awslabs/soci-snapshotter
Captures a checkpoint of tar.gz decoder state;
Forward compatible with OCI v1 tar.gz
Nydus github.com/containerd/nydus-snapshotter
An alternate image format;
Not compatible with OCI v1 tar.gz
OverlayBD github.com/containerd/overlaybd
Block devices as container images;
Not compatible with OCI v1 tar.gz
https://github.com/containerd/nerdctl/blob/main/docs/stargz.md
6
Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD
https://github.com/containerd/stargz-snapshotter/blob/v0.14.3/docs/images/benchmarking-result-ecdb227.png
7
Registry-less P2P image distribution with IPFS
Experimental
https://medium.com/nttlabs/nerdctl-ipfs-975569520e3d
https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md
$ nerdctl pull ipfs://<CID>
• OCI Image Layers can be encrypted to protect secret files
(OCI Image Config, e.g., env vars, are not encrypted)
• Encrypted layers can be decrypted transparently
8
Image encryption with OCIcrypt
Experimental
$ nerdctl image encrypt --recipient=jwe:mypubkey.pem foo example.com/foo:encrypted
$ nerdctl push example.com/foo:encrypted
https://github.com/containerd/nerdctl/blob/main/docs/ocicrypt.md
$ nerdctl pull example.com/foo:encrypted
• Docker CLI supports DOCKER_CONTENT_TRUST (Notary v1), but it
didn’t see wide adoption
• DOCKER_CONTENT_TRUST is not implemented for nerdctl
• Instead, nerdctl supports Cosign and Notation (“Notary v2”)
9
Image signing with Cosign / Notation
Experimental
$ nerdctl pull --verify=(cosign|notation)
https://github.com/containerd/nerdctl/blob/main/docs/cosign.md
https://github.com/containerd/nerdctl/blob/main/docs/notation.md
• Surprisingly docker run -v /mnt:/mnt:ro doesn’t really make
/mnt inside the container read-only
• Submounts like /mnt/usbdisk are writable
• nerdctl supports RRO: recursively-read-only mounts
nerdctl run -v /mnt:/mnt:rro
– Implemented using MOUNT_ATTR_RDONLY (kernel >= 5.12)
10
“Real” read-only mounts with mount_setattr
• Bypass slirp4netns (usermode TCP/IP), by using SECCOMP_IOCTL_NOTIF_ADDFD
• Even faster than rootful
11
Slirp-less rootless containers with bypass4netns
Experimental
https://github.com/containerd/nerdctl/blob/main/docs/rootless.md#bypass4netns
https://speakerdeck.com/mt2naoki/ip-communications-in-rootless-containers-by-socket-switching?slide=4
$ nerdctl run --label=nerdctl/bypass4netns=1
• Breakpoints for Dockerfiles
12
Interactive debugging of Dockerfiles, with buildg
Experimental
https://github.com/containerd/nerdctl/blob/main/docs/builder-debug.md
https://github.com/ktock/buildg
$ nerdctl builder debug .
....
=> 1| FROM ubuntu AS dev
2| RUN echo hello > /hello
3| RUN echo world > /world
4|
(buildg) break 3
(buildg) continue
...
Breakpoint[0]: reached line: Dockerfile:3
(buildg) exec /bin/sh
#
• Namespacing: nerdctl --namespace=<NS> ps
• Connecting a container to multiple networks at once:
nerdctl run --net foo --net bar ...
• AppArmor for rootless containers
( Although still needs sudo nerdctl apparmor load )
• FreeBSD containers
• Windows containers
• And more...
13
Other features
• ctr: a CLI included in containerd
• ctr is often misbelieved to be the standard CLI for containerd
• But ctr is just a debugging tool written for containerd developers
• ctr lacks lots of high-level features that are present in Docker and nerdctl
• Exposing ports (nerdctl run -p <PORT>)
• Re-startable containers w/ networking (nerdctl run --restart=always)
• Support for ~/.docker/config.json , docker-credential-ecr-login, etc.
• Reading logs of background containers (nerdctl logs)
14
FAQ: Why not ctr?
• crictl is similar to ctr but uses a different API
• crictl has similar restrictions as ctr
• CRI API has very tight scope compared to the containerd native API
• Negotiation for modifying the CRI API is relatively hard
15
FAQ: Why not crictl?
containerd
CRI API Native API
kubelet crictl nerdctl ctr
• Docker doesn’t/didn’t use the containerd API for image management
• Can’t/Couldn’t be used for experimenting lazy-pulling, etc.
• Work is in progress toward Docker v24+
• Release cycle is/was slow
– Docker v19.03: Jul 2019
– Docker v20.10: Dec 2020
– Docker v23: Feb 2023
• Not trying to “defeat” Docker; Experiments in nerdctl are being ported to Docker too
16
FAQ: Why not Docker?
• Podman doesn’t work as a Kubernetes runtime
• CRI-O doesn’t support non-CRI API, and lacks Docker-like CLI
• podman ps , etc. works for CRI-O too, but still Podman != CRI-O
• Not trying to “defeat” Podman/CRI-O either;
Experiments in containerd/nerdctl are being ported to Podman/CRI-O too
– e.g., eStargz
17
FAQ: Why not Podman/CRI-O ?
• https://github.com/containerd/nerdctl/releases
• nerdctl-full-<VERSION>-linux-amd64.tar.gz contains all the
dependencies (containerd, runc, …)
18
Getting started
$ sudo systemctl enable --now containerd
$ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine
$ containerd-rootless-setuptool.sh install
$ nerdctl run -d --name nginx -p 8080:80 nginx:alpine
• macOS users should try Lima
• Lima: Linux Machine, originally designed as “nerdctl Machine”
• CNCF Sandbox Project
• Automatic port forwarding & host filesystem mounting
• nerdctl is also included in AWS Finch, Colima, Rancher Desktop, ...
19
Getting started
$ brew install lima
$ alias nerdctl=nerdctl.lima
$ nerdctl run -d --name nginx -p 80:80 nginx:alpine
Colima
• nerdctl = contaiNERD CTL
• Made for facilitating new experiments in the containerd platform
20
Wrap-up
https://github.com/containerd/nerdctl Slack: #containerd at slack.cncf.io
• Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD
• Registry-less P2P image distribution with IPFS
• Image encryption with OCIcrypt
• Image signing with Cosign / Notation
• “Real” read-only mounts with mount_setattr
• Slirp-less rootless containers with bypass4netns
• Interactive debugging of Dockerfiles, with buildg
• And more!

More Related Content

What's hot

DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
Akihiro Suda
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
CXL_説明_公開用.pdf
CXL_説明_公開用.pdfCXL_説明_公開用.pdf
CXL_説明_公開用.pdf
Yasunori Goto
 
Rootless Containers
Rootless ContainersRootless Containers
Rootless Containers
Akihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
Akihiro Suda
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動
Kohei Tokunaga
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
Akihiro Suda
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
Akihiro Suda
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能
Kohei Tokunaga
 
P2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctlP2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctl
Kohei Tokunaga
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
 [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
Akihiro Suda
 
root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす
Akihiro Suda
 
Comparing Next-Generation Container Image Building Tools
 Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools
Akihiro Suda
 
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterThe overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
Kohei Tokunaga
 
TripleOの光と闇
TripleOの光と闇TripleOの光と闇
TripleOの光と闇
Manabu Ori
 
20220427-k8s-meetup-tokyo.pdf
20220427-k8s-meetup-tokyo.pdf20220427-k8s-meetup-tokyo.pdf
20220427-k8s-meetup-tokyo.pdf
VanouIshii
 
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
NTT Communications Technology Development
 
できる!並列・並行プログラミング
できる!並列・並行プログラミングできる!並列・並行プログラミング
できる!並列・並行プログラミング
Preferred Networks
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
Akihiro Suda
 

What's hot (20)

DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
 
CXL_説明_公開用.pdf
CXL_説明_公開用.pdfCXL_説明_公開用.pdf
CXL_説明_公開用.pdf
 
Rootless Containers
Rootless ContainersRootless Containers
Rootless Containers
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能
 
P2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctlP2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctl
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
 [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
 
root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす
 
Comparing Next-Generation Container Image Building Tools
 Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools
 
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterThe overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
 
TripleOの光と闇
TripleOの光と闇TripleOの光と闇
TripleOの光と闇
 
20220427-k8s-meetup-tokyo.pdf
20220427-k8s-meetup-tokyo.pdf20220427-k8s-meetup-tokyo.pdf
20220427-k8s-meetup-tokyo.pdf
 
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
 
できる!並列・並行プログラミング
できる!並列・並行プログラミングできる!並列・並行プログラミング
できる!並列・並行プログラミング
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
 

Similar to [Container Plumbing Days 2023] Why was nerdctl made?

Pod Sandbox workflow creation from Dockershim
Pod Sandbox workflow creation from DockershimPod Sandbox workflow creation from Dockershim
Pod Sandbox workflow creation from Dockershim
Victor Morales
 
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes][HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
Wong Hoi Sing Edison
 
Docker for Deep Learning (Andrea Panizza)
Docker for Deep Learning (Andrea Panizza)Docker for Deep Learning (Andrea Panizza)
Docker for Deep Learning (Andrea Panizza)
MeetupDataScienceRoma
 
Kubernetes from the ground up
Kubernetes from the ground upKubernetes from the ground up
Kubernetes from the ground up
Sander Knape
 
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
Akihiro Suda
 
Building images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitBuilding images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKit
NTT Software Innovation Center
 
Introduction to Docker and Containers
Introduction to Docker and ContainersIntroduction to Docker and Containers
Introduction to Docker and Containers
Docker, Inc.
 
Perspectives on Docker
Perspectives on DockerPerspectives on Docker
Perspectives on Docker
RightScale
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned  Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
RightScale
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @GuidewireIntroduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
dotCloud
 
Docker for Developers
Docker for DevelopersDocker for Developers
Docker for Developers
James Turnbull
 
Running .NET on Docker
Running .NET on DockerRunning .NET on Docker
Running .NET on Docker
Ben Hall
 
Pydata 2020 containers meetup
Pydata  2020 containers meetup Pydata  2020 containers meetup
Pydata 2020 containers meetup
Walid Shaari
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
James Turnbull
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Jérôme Petazzoni
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
corehard_by
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
TheFamily
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
Jérôme Petazzoni
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
Docker, Inc.
 
Introduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkIntroduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New York
Jérôme Petazzoni
 

Similar to [Container Plumbing Days 2023] Why was nerdctl made? (20)

Pod Sandbox workflow creation from Dockershim
Pod Sandbox workflow creation from DockershimPod Sandbox workflow creation from Dockershim
Pod Sandbox workflow creation from Dockershim
 
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes][HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
 
Docker for Deep Learning (Andrea Panizza)
Docker for Deep Learning (Andrea Panizza)Docker for Deep Learning (Andrea Panizza)
Docker for Deep Learning (Andrea Panizza)
 
Kubernetes from the ground up
Kubernetes from the ground upKubernetes from the ground up
Kubernetes from the ground up
 
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
 
Building images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitBuilding images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKit
 
Introduction to Docker and Containers
Introduction to Docker and ContainersIntroduction to Docker and Containers
Introduction to Docker and Containers
 
Perspectives on Docker
Perspectives on DockerPerspectives on Docker
Perspectives on Docker
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned  Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @GuidewireIntroduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
 
Docker for Developers
Docker for DevelopersDocker for Developers
Docker for Developers
 
Running .NET on Docker
Running .NET on DockerRunning .NET on Docker
Running .NET on Docker
 
Pydata 2020 containers meetup
Pydata  2020 containers meetup Pydata  2020 containers meetup
Pydata 2020 containers meetup
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
 
Introduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkIntroduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New York
 

More from Akihiro Suda

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
Akihiro Suda
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
Akihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
Akihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
Akihiro Suda
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
Akihiro Suda
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
Akihiro Suda
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
Akihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
Akihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
Akihiro Suda
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
Akihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
Akihiro Suda
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
Akihiro Suda
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
Akihiro Suda
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
Akihiro Suda
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
Akihiro Suda
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
Akihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
Akihiro Suda
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive
Akihiro Suda
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images
Akihiro Suda
 

More from Akihiro Suda (20)

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images
 

Recently uploaded

LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
lorraineandreiamcidl
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
Deuglo Infosystem Pvt Ltd
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
SOCRadar
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
Rakesh Kumar R
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
Ayan Halder
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
Quickdice ERP
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Envertis Software Solutions
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
Remote DBA Services
 

Recently uploaded (20)

LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
 

[Container Plumbing Days 2023] Why was nerdctl made?

  • 1. Why was nerdctl made? https://github.com/containerd/nerdctl Akihiro Suda, NTT Container Plumbing Days 2023 (March 23)
  • 2. 2 nerdctl: contaiNERD CTL • Docker-compatible CLI for containerd (and buildkitd) alias docker=nerdctl • Made for facilitating new experiments in the containerd platform • The experimental features can be safely turned off for production environments (export NERDCTL_EXPERIMENTAL=0) • Useful for debugging Kubernetes nodes too https://github.com/containerd/nerdctl
  • 3. 3 Demo $ nerdctl run ... $ nerdctl compose up ...
  • 4. • Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD • Registry-less P2P image distribution with IPFS * • Image encryption with OCIcrypt * • Image signing with Cosign / Notation * • “Real” read-only mounts with mount_setattr • Slirp-less rootless containers with bypass4netns * • Interactive debugging of Dockerfiles, with buildg * 4 Novel features of containerd & nerdctl * = Experimental
  • 5. • Lazy-pulling: pulling image contents on demand • No need to pull an entire image • Several formats are being proposed 5 Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD Format Implementation for containerd Description eStargz github.com/containerd/stargz-snapshotter Optimizes gzip granularity for seek()-ability; Forward compatible with OCI v1 tar.gz SOCI github.com/awslabs/soci-snapshotter Captures a checkpoint of tar.gz decoder state; Forward compatible with OCI v1 tar.gz Nydus github.com/containerd/nydus-snapshotter An alternate image format; Not compatible with OCI v1 tar.gz OverlayBD github.com/containerd/overlaybd Block devices as container images; Not compatible with OCI v1 tar.gz https://github.com/containerd/nerdctl/blob/main/docs/stargz.md
  • 7. 7 Registry-less P2P image distribution with IPFS Experimental https://medium.com/nttlabs/nerdctl-ipfs-975569520e3d https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md $ nerdctl pull ipfs://<CID>
  • 8. • OCI Image Layers can be encrypted to protect secret files (OCI Image Config, e.g., env vars, are not encrypted) • Encrypted layers can be decrypted transparently 8 Image encryption with OCIcrypt Experimental $ nerdctl image encrypt --recipient=jwe:mypubkey.pem foo example.com/foo:encrypted $ nerdctl push example.com/foo:encrypted https://github.com/containerd/nerdctl/blob/main/docs/ocicrypt.md $ nerdctl pull example.com/foo:encrypted
  • 9. • Docker CLI supports DOCKER_CONTENT_TRUST (Notary v1), but it didn’t see wide adoption • DOCKER_CONTENT_TRUST is not implemented for nerdctl • Instead, nerdctl supports Cosign and Notation (“Notary v2”) 9 Image signing with Cosign / Notation Experimental $ nerdctl pull --verify=(cosign|notation) https://github.com/containerd/nerdctl/blob/main/docs/cosign.md https://github.com/containerd/nerdctl/blob/main/docs/notation.md
  • 10. • Surprisingly docker run -v /mnt:/mnt:ro doesn’t really make /mnt inside the container read-only • Submounts like /mnt/usbdisk are writable • nerdctl supports RRO: recursively-read-only mounts nerdctl run -v /mnt:/mnt:rro – Implemented using MOUNT_ATTR_RDONLY (kernel >= 5.12) 10 “Real” read-only mounts with mount_setattr
  • 11. • Bypass slirp4netns (usermode TCP/IP), by using SECCOMP_IOCTL_NOTIF_ADDFD • Even faster than rootful 11 Slirp-less rootless containers with bypass4netns Experimental https://github.com/containerd/nerdctl/blob/main/docs/rootless.md#bypass4netns https://speakerdeck.com/mt2naoki/ip-communications-in-rootless-containers-by-socket-switching?slide=4 $ nerdctl run --label=nerdctl/bypass4netns=1
  • 12. • Breakpoints for Dockerfiles 12 Interactive debugging of Dockerfiles, with buildg Experimental https://github.com/containerd/nerdctl/blob/main/docs/builder-debug.md https://github.com/ktock/buildg $ nerdctl builder debug . .... => 1| FROM ubuntu AS dev 2| RUN echo hello > /hello 3| RUN echo world > /world 4| (buildg) break 3 (buildg) continue ... Breakpoint[0]: reached line: Dockerfile:3 (buildg) exec /bin/sh #
  • 13. • Namespacing: nerdctl --namespace=<NS> ps • Connecting a container to multiple networks at once: nerdctl run --net foo --net bar ... • AppArmor for rootless containers ( Although still needs sudo nerdctl apparmor load ) • FreeBSD containers • Windows containers • And more... 13 Other features
  • 14. • ctr: a CLI included in containerd • ctr is often misbelieved to be the standard CLI for containerd • But ctr is just a debugging tool written for containerd developers • ctr lacks lots of high-level features that are present in Docker and nerdctl • Exposing ports (nerdctl run -p <PORT>) • Re-startable containers w/ networking (nerdctl run --restart=always) • Support for ~/.docker/config.json , docker-credential-ecr-login, etc. • Reading logs of background containers (nerdctl logs) 14 FAQ: Why not ctr?
  • 15. • crictl is similar to ctr but uses a different API • crictl has similar restrictions as ctr • CRI API has very tight scope compared to the containerd native API • Negotiation for modifying the CRI API is relatively hard 15 FAQ: Why not crictl? containerd CRI API Native API kubelet crictl nerdctl ctr
  • 16. • Docker doesn’t/didn’t use the containerd API for image management • Can’t/Couldn’t be used for experimenting lazy-pulling, etc. • Work is in progress toward Docker v24+ • Release cycle is/was slow – Docker v19.03: Jul 2019 – Docker v20.10: Dec 2020 – Docker v23: Feb 2023 • Not trying to “defeat” Docker; Experiments in nerdctl are being ported to Docker too 16 FAQ: Why not Docker?
  • 17. • Podman doesn’t work as a Kubernetes runtime • CRI-O doesn’t support non-CRI API, and lacks Docker-like CLI • podman ps , etc. works for CRI-O too, but still Podman != CRI-O • Not trying to “defeat” Podman/CRI-O either; Experiments in containerd/nerdctl are being ported to Podman/CRI-O too – e.g., eStargz 17 FAQ: Why not Podman/CRI-O ?
  • 18. • https://github.com/containerd/nerdctl/releases • nerdctl-full-<VERSION>-linux-amd64.tar.gz contains all the dependencies (containerd, runc, …) 18 Getting started $ sudo systemctl enable --now containerd $ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine $ containerd-rootless-setuptool.sh install $ nerdctl run -d --name nginx -p 8080:80 nginx:alpine
  • 19. • macOS users should try Lima • Lima: Linux Machine, originally designed as “nerdctl Machine” • CNCF Sandbox Project • Automatic port forwarding & host filesystem mounting • nerdctl is also included in AWS Finch, Colima, Rancher Desktop, ... 19 Getting started $ brew install lima $ alias nerdctl=nerdctl.lima $ nerdctl run -d --name nginx -p 80:80 nginx:alpine Colima
  • 20. • nerdctl = contaiNERD CTL • Made for facilitating new experiments in the containerd platform 20 Wrap-up https://github.com/containerd/nerdctl Slack: #containerd at slack.cncf.io • Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD • Registry-less P2P image distribution with IPFS • Image encryption with OCIcrypt • Image signing with Cosign / Notation • “Real” read-only mounts with mount_setattr • Slirp-less rootless containers with bypass4netns • Interactive debugging of Dockerfiles, with buildg • And more!