SlideShare une entreprise Scribd logo

[Container Plumbing Days 2023] Why was nerdctl made?

A
Akihiro Suda

nerdctl (contaiNERD CTL) was made to facilitate development of new technologies in the containerd platform. Such technologies include: - Lazy-pulling with Stargz/Nydus/OverlayBD - P2P image distribution with IPFS - Image encryption with OCIcrypt - Image signing with Cosign - “Real” read-only mounts with mount_setattr - Slirp-less rootless containers with bypass4netns - Interactive debugging of Dockerfiles, with buildg nerdctl is also useful for debugging Kubernetes nodes that are running containerd. Through this session, the audiences will learn these functionalities of nerdctl, relevant projects, and the roadmap for the future. https://containerplumbing.org/sessions/2023/why_was_nerdctl_

Logiciels
1  sur  20
Télécharger pour lire hors ligne
Why was nerdctl made? https://github.com/containerd/nerdctl Akihiro Suda, NTT Container Plumbing Days 2023 (March 23)
2 nerdctl: contaiNERD CTL • Docker-compatible CLI for containerd (and buildkitd) alias docker=nerdctl • Made for facilitating new experiments in the containerd platform • The experimental features can be safely turned off for production environments (export NERDCTL_EXPERIMENTAL=0) • Useful for debugging Kubernetes nodes too https://github.com/containerd/nerdctl
3 Demo $ nerdctl run ... $ nerdctl compose up ...
• Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD • Registry-less P2P image distribution with IPFS * • Image encryption with OCIcrypt * • Image signing with Cosign / Notation * • “Real” read-only mounts with mount_setattr • Slirp-less rootless containers with bypass4netns * • Interactive debugging of Dockerfiles, with buildg * 4 Novel features of containerd & nerdctl * = Experimental
• Lazy-pulling: pulling image contents on demand • No need to pull an entire image • Several formats are being proposed 5 Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD Format Implementation for containerd Description eStargz github.com/containerd/stargz-snapshotter Optimizes gzip granularity for seek()-ability; Forward compatible with OCI v1 tar.gz SOCI github.com/awslabs/soci-snapshotter Captures a checkpoint of tar.gz decoder state; Forward compatible with OCI v1 tar.gz Nydus github.com/containerd/nydus-snapshotter An alternate image format; Not compatible with OCI v1 tar.gz OverlayBD github.com/containerd/overlaybd Block devices as container images; Not compatible with OCI v1 tar.gz https://github.com/containerd/nerdctl/blob/main/docs/stargz.md
6 Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD https://github.com/containerd/stargz-snapshotter/blob/v0.14.3/docs/images/benchmarking-result-ecdb227.png
7 Registry-less P2P image distribution with IPFS Experimental https://medium.com/nttlabs/nerdctl-ipfs-975569520e3d https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md $ nerdctl pull ipfs://<CID>
• OCI Image Layers can be encrypted to protect secret files (OCI Image Config, e.g., env vars, are not encrypted) • Encrypted layers can be decrypted transparently 8 Image encryption with OCIcrypt Experimental $ nerdctl image encrypt --recipient=jwe:mypubkey.pem foo example.com/foo:encrypted $ nerdctl push example.com/foo:encrypted https://github.com/containerd/nerdctl/blob/main/docs/ocicrypt.md $ nerdctl pull example.com/foo:encrypted
• Docker CLI supports DOCKER_CONTENT_TRUST (Notary v1), but it didn’t see wide adoption • DOCKER_CONTENT_TRUST is not implemented for nerdctl • Instead, nerdctl supports Cosign and Notation (“Notary v2”) 9 Image signing with Cosign / Notation Experimental $ nerdctl pull --verify=(cosign|notation) https://github.com/containerd/nerdctl/blob/main/docs/cosign.md https://github.com/containerd/nerdctl/blob/main/docs/notation.md
• Surprisingly docker run -v /mnt:/mnt:ro doesn’t really make /mnt inside the container read-only • Submounts like /mnt/usbdisk are writable • nerdctl supports RRO: recursively-read-only mounts nerdctl run -v /mnt:/mnt:rro – Implemented using MOUNT_ATTR_RDONLY (kernel >= 5.12) 10 “Real” read-only mounts with mount_setattr
• Bypass slirp4netns (usermode TCP/IP), by using SECCOMP_IOCTL_NOTIF_ADDFD • Even faster than rootful 11 Slirp-less rootless containers with bypass4netns Experimental https://github.com/containerd/nerdctl/blob/main/docs/rootless.md#bypass4netns https://speakerdeck.com/mt2naoki/ip-communications-in-rootless-containers-by-socket-switching?slide=4 $ nerdctl run --label=nerdctl/bypass4netns=1
• Breakpoints for Dockerfiles 12 Interactive debugging of Dockerfiles, with buildg Experimental https://github.com/containerd/nerdctl/blob/main/docs/builder-debug.md https://github.com/ktock/buildg $ nerdctl builder debug . .... => 1| FROM ubuntu AS dev 2| RUN echo hello > /hello 3| RUN echo world > /world 4| (buildg) break 3 (buildg) continue ... Breakpoint[0]: reached line: Dockerfile:3 (buildg) exec /bin/sh #
• Namespacing: nerdctl --namespace=<NS> ps • Connecting a container to multiple networks at once: nerdctl run --net foo --net bar ... • AppArmor for rootless containers ( Although still needs sudo nerdctl apparmor load ) • FreeBSD containers • Windows containers • And more... 13 Other features
• ctr: a CLI included in containerd • ctr is often misbelieved to be the standard CLI for containerd • But ctr is just a debugging tool written for containerd developers • ctr lacks lots of high-level features that are present in Docker and nerdctl • Exposing ports (nerdctl run -p <PORT>) • Re-startable containers w/ networking (nerdctl run --restart=always) • Support for ~/.docker/config.json , docker-credential-ecr-login, etc. • Reading logs of background containers (nerdctl logs) 14 FAQ: Why not ctr?
• crictl is similar to ctr but uses a different API • crictl has similar restrictions as ctr • CRI API has very tight scope compared to the containerd native API • Negotiation for modifying the CRI API is relatively hard 15 FAQ: Why not crictl? containerd CRI API Native API kubelet crictl nerdctl ctr
• Docker doesn’t/didn’t use the containerd API for image management • Can’t/Couldn’t be used for experimenting lazy-pulling, etc. • Work is in progress toward Docker v24+ • Release cycle is/was slow – Docker v19.03: Jul 2019 – Docker v20.10: Dec 2020 – Docker v23: Feb 2023 • Not trying to “defeat” Docker; Experiments in nerdctl are being ported to Docker too 16 FAQ: Why not Docker?
• Podman doesn’t work as a Kubernetes runtime • CRI-O doesn’t support non-CRI API, and lacks Docker-like CLI • podman ps , etc. works for CRI-O too, but still Podman != CRI-O • Not trying to “defeat” Podman/CRI-O either; Experiments in containerd/nerdctl are being ported to Podman/CRI-O too – e.g., eStargz 17 FAQ: Why not Podman/CRI-O ?
• https://github.com/containerd/nerdctl/releases • nerdctl-full-<VERSION>-linux-amd64.tar.gz contains all the dependencies (containerd, runc, …) 18 Getting started $ sudo systemctl enable --now containerd $ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine $ containerd-rootless-setuptool.sh install $ nerdctl run -d --name nginx -p 8080:80 nginx:alpine
• macOS users should try Lima • Lima: Linux Machine, originally designed as “nerdctl Machine” • CNCF Sandbox Project • Automatic port forwarding & host filesystem mounting • nerdctl is also included in AWS Finch, Colima, Rancher Desktop, ... 19 Getting started $ brew install lima $ alias nerdctl=nerdctl.lima $ nerdctl run -d --name nginx -p 80:80 nginx:alpine Colima
• nerdctl = contaiNERD CTL • Made for facilitating new experiments in the containerd platform 20 Wrap-up https://github.com/containerd/nerdctl Slack: #containerd at slack.cncf.io • Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD • Registry-less P2P image distribution with IPFS • Image encryption with OCIcrypt • Image signing with Cosign / Notation • “Real” read-only mounts with mount_setattr • Slirp-less rootless containers with bypass4netns • Interactive debugging of Dockerfiles, with buildg • And more!

Recommandé

containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能
Kohei Tokunaga
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
Akihiro Suda
 
Ceph アーキテクチャ概説
Ceph アーキテクチャ概説Ceph アーキテクチャ概説
Ceph アーキテクチャ概説
Emma Haruka Iwao
 
P2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctlP2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctl
Kohei Tokunaga
 
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動するStargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Kohei Tokunaga
 
急速に進化を続けるCNIプラグイン Antrea
急速に進化を続けるCNIプラグイン Antrea 急速に進化を続けるCNIプラグイン Antrea
急速に進化を続けるCNIプラグイン Antrea
Motonori Shindo
 
OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27
Kentaro Ebisawa
 
最近のOpenStackを振り返ってみよう
最近のOpenStackを振り返ってみよう最近のOpenStackを振り返ってみよう
最近のOpenStackを振り返ってみよう
Takashi Kajinami
 

Recommandé

containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能
Kohei Tokunaga
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
Akihiro Suda
 
Ceph アーキテクチャ概説
Ceph アーキテクチャ概説Ceph アーキテクチャ概説
Ceph アーキテクチャ概説
Emma Haruka Iwao
 
P2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctlP2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctl
Kohei Tokunaga
 
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動するStargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Kohei Tokunaga
 
急速に進化を続けるCNIプラグイン Antrea
急速に進化を続けるCNIプラグイン Antrea 急速に進化を続けるCNIプラグイン Antrea
急速に進化を続けるCNIプラグイン Antrea
Motonori Shindo
 
OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27
Kentaro Ebisawa
 
最近のOpenStackを振り返ってみよう
最近のOpenStackを振り返ってみよう最近のOpenStackを振り返ってみよう
最近のOpenStackを振り返ってみよう
Takashi Kajinami
 
TripleOの光と闇
TripleOの光と闇TripleOの光と闇
TripleOの光と闇
Manabu Ori
 
今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた
Kohei Tokunaga
 
Kubernetes雑にまとめてみた 2020年8月版
Kubernetes雑にまとめてみた 2020年8月版Kubernetes雑にまとめてみた 2020年8月版
Kubernetes雑にまとめてみた 2020年8月版
VirtualTech Japan Inc.
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
Akihiro Suda
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動
Kohei Tokunaga
 
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Motonori Shindo
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
Motonori Shindo
 
CloudNativePGを動かしてみた! ~PostgreSQL on Kubernetes~(第34回PostgreSQLアンカンファレンス@オンライ...
CloudNativePGを動かしてみた! ~PostgreSQL on Kubernetes~(第34回PostgreSQLアンカンファレンス@オンライ...CloudNativePGを動かしてみた! ~PostgreSQL on Kubernetes~(第34回PostgreSQLアンカンファレンス@オンライ...
CloudNativePGを動かしてみた! ~PostgreSQL on Kubernetes~(第34回PostgreSQLアンカンファレンス@オンライ...
NTT DATA Technology & Innovation
 
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterThe overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
Kohei Tokunaga
 
YoctoをつかったDistroの作り方とハマり方
YoctoをつかったDistroの作り方とハマり方YoctoをつかったDistroの作り方とハマり方
YoctoをつかったDistroの作り方とハマり方
wata2ki
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能
Kohei Tokunaga
 
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
VirtualTech Japan Inc.
 
KubeEdgeを触ってみた
KubeEdgeを触ってみたKubeEdgeを触ってみた
KubeEdgeを触ってみた
Tomoyuki Tanigaki
 
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
Akihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
Akihiro Suda
 
知っているようで知らないNeutron -仮想ルータの冗長と分散- - OpenStack最新情報セミナー 2016年3月
知っているようで知らないNeutron -仮想ルータの冗長と分散- - OpenStack最新情報セミナー 2016年3月 知っているようで知らないNeutron -仮想ルータの冗長と分散- - OpenStack最新情報セミナー 2016年3月
知っているようで知らないNeutron -仮想ルータの冗長と分散- - OpenStack最新情報セミナー 2016年3月
VirtualTech Japan Inc.
 
Dockerクイックツアー
DockerクイックツアーDockerクイックツアー
Dockerクイックツアー
Etsuji Nakai
 
Linux女子部 systemd徹底入門
Linux女子部 systemd徹底入門Linux女子部 systemd徹底入門
Linux女子部 systemd徹底入門
Etsuji Nakai
 
root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす
Akihiro Suda
 
Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向
Taira Hajime
 
Pod Sandbox workflow creation from Dockershim
Pod Sandbox workflow creation from DockershimPod Sandbox workflow creation from Dockershim
Pod Sandbox workflow creation from Dockershim
Victor Morales
 
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes][HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
Wong Hoi Sing Edison
 

Contenu connexe

Tendances

今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた
Kohei Tokunaga
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
Akihiro Suda
 
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Motonori Shindo
 

Tendances (20)

TripleOの光と闇
TripleOの光と闇TripleOの光と闇
TripleOの光と闇
 
今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた
 
Kubernetes雑にまとめてみた 2020年8月版
Kubernetes雑にまとめてみた 2020年8月版Kubernetes雑にまとめてみた 2020年8月版
Kubernetes雑にまとめてみた 2020年8月版
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動
 
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
Cluster API によるKubernetes環境のライフサイクル管理とマルチクラウド環境での適用
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
 
CloudNativePGを動かしてみた! ~PostgreSQL on Kubernetes~(第34回PostgreSQLアンカンファレンス@オンライ...
CloudNativePGを動かしてみた! ~PostgreSQL on Kubernetes~(第34回PostgreSQLアンカンファレンス@オンライ...CloudNativePGを動かしてみた! ~PostgreSQL on Kubernetes~(第34回PostgreSQLアンカンファレンス@オンライ...
CloudNativePGを動かしてみた! ~PostgreSQL on Kubernetes~(第34回PostgreSQLアンカンファレンス@オンライ...
 
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterThe overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
 
YoctoをつかったDistroの作り方とハマり方
YoctoをつかったDistroの作り方とハマり方YoctoをつかったDistroの作り方とハマり方
YoctoをつかったDistroの作り方とハマり方
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能
 
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
 
KubeEdgeを触ってみた
KubeEdgeを触ってみたKubeEdgeを触ってみた
KubeEdgeを触ってみた
 
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
知っているようで知らないNeutron -仮想ルータの冗長と分散- - OpenStack最新情報セミナー 2016年3月
知っているようで知らないNeutron -仮想ルータの冗長と分散- - OpenStack最新情報セミナー 2016年3月 知っているようで知らないNeutron -仮想ルータの冗長と分散- - OpenStack最新情報セミナー 2016年3月
知っているようで知らないNeutron -仮想ルータの冗長と分散- - OpenStack最新情報セミナー 2016年3月
 
Dockerクイックツアー
DockerクイックツアーDockerクイックツアー
Dockerクイックツアー
 
Linux女子部 systemd徹底入門
Linux女子部 systemd徹底入門Linux女子部 systemd徹底入門
Linux女子部 systemd徹底入門
 
root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす
 
Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向
 

Similaire à [Container Plumbing Days 2023] Why was nerdctl made?

Introduction to Docker and Containers
Introduction to Docker and ContainersIntroduction to Docker and Containers
Introduction to Docker and Containers
Docker, Inc.
 
Docker for Developers
Docker for DevelopersDocker for Developers
Docker for Developers
James Turnbull
 
Pydata 2020 containers meetup
Pydata 2020 containers meetup Pydata 2020 containers meetup
Pydata 2020 containers meetup
Walid Shaari
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Jérôme Petazzoni
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
Docker, Inc.
 

Similaire à [Container Plumbing Days 2023] Why was nerdctl made? (20)

Pod Sandbox workflow creation from Dockershim
Pod Sandbox workflow creation from DockershimPod Sandbox workflow creation from Dockershim
Pod Sandbox workflow creation from Dockershim
 
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes][HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes]
 
Docker for Deep Learning (Andrea Panizza)
Docker for Deep Learning (Andrea Panizza)Docker for Deep Learning (Andrea Panizza)
Docker for Deep Learning (Andrea Panizza)
 
Kubernetes from the ground up
Kubernetes from the ground upKubernetes from the ground up
Kubernetes from the ground up
 
Building images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitBuilding images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKit
 
Introduction to Docker and Containers
Introduction to Docker and ContainersIntroduction to Docker and Containers
Introduction to Docker and Containers
 
Perspectives on Docker
Perspectives on DockerPerspectives on Docker
Perspectives on Docker
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @GuidewireIntroduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
 
Docker for Developers
Docker for DevelopersDocker for Developers
Docker for Developers
 
Running .NET on Docker
Running .NET on DockerRunning .NET on Docker
Running .NET on Docker
 
Pydata 2020 containers meetup
Pydata 2020 containers meetup Pydata 2020 containers meetup
Pydata 2020 containers meetup
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
 
Introduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkIntroduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New York
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and Production
 

Plus de Akihiro Suda

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
Akihiro Suda
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
Akihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
Akihiro Suda
 

Plus de Akihiro Suda (20)

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive
 

Dernier

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
ayushiqss
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 

Dernier (20)

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 

[Container Plumbing Days 2023] Why was nerdctl made?

  • 1. Why was nerdctl made? https://github.com/containerd/nerdctl Akihiro Suda, NTT Container Plumbing Days 2023 (March 23)
  • 2. 2 nerdctl: contaiNERD CTL • Docker-compatible CLI for containerd (and buildkitd) alias docker=nerdctl • Made for facilitating new experiments in the containerd platform • The experimental features can be safely turned off for production environments (export NERDCTL_EXPERIMENTAL=0) • Useful for debugging Kubernetes nodes too https://github.com/containerd/nerdctl
  • 3. 3 Demo $ nerdctl run ... $ nerdctl compose up ...
  • 4. • Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD • Registry-less P2P image distribution with IPFS * • Image encryption with OCIcrypt * • Image signing with Cosign / Notation * • “Real” read-only mounts with mount_setattr • Slirp-less rootless containers with bypass4netns * • Interactive debugging of Dockerfiles, with buildg * 4 Novel features of containerd & nerdctl * = Experimental
  • 5. • Lazy-pulling: pulling image contents on demand • No need to pull an entire image • Several formats are being proposed 5 Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD Format Implementation for containerd Description eStargz github.com/containerd/stargz-snapshotter Optimizes gzip granularity for seek()-ability; Forward compatible with OCI v1 tar.gz SOCI github.com/awslabs/soci-snapshotter Captures a checkpoint of tar.gz decoder state; Forward compatible with OCI v1 tar.gz Nydus github.com/containerd/nydus-snapshotter An alternate image format; Not compatible with OCI v1 tar.gz OverlayBD github.com/containerd/overlaybd Block devices as container images; Not compatible with OCI v1 tar.gz https://github.com/containerd/nerdctl/blob/main/docs/stargz.md
  • 7. 7 Registry-less P2P image distribution with IPFS Experimental https://medium.com/nttlabs/nerdctl-ipfs-975569520e3d https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md $ nerdctl pull ipfs://<CID>
  • 8. • OCI Image Layers can be encrypted to protect secret files (OCI Image Config, e.g., env vars, are not encrypted) • Encrypted layers can be decrypted transparently 8 Image encryption with OCIcrypt Experimental $ nerdctl image encrypt --recipient=jwe:mypubkey.pem foo example.com/foo:encrypted $ nerdctl push example.com/foo:encrypted https://github.com/containerd/nerdctl/blob/main/docs/ocicrypt.md $ nerdctl pull example.com/foo:encrypted
  • 9. • Docker CLI supports DOCKER_CONTENT_TRUST (Notary v1), but it didn’t see wide adoption • DOCKER_CONTENT_TRUST is not implemented for nerdctl • Instead, nerdctl supports Cosign and Notation (“Notary v2”) 9 Image signing with Cosign / Notation Experimental $ nerdctl pull --verify=(cosign|notation) https://github.com/containerd/nerdctl/blob/main/docs/cosign.md https://github.com/containerd/nerdctl/blob/main/docs/notation.md
  • 10. • Surprisingly docker run -v /mnt:/mnt:ro doesn’t really make /mnt inside the container read-only • Submounts like /mnt/usbdisk are writable • nerdctl supports RRO: recursively-read-only mounts nerdctl run -v /mnt:/mnt:rro – Implemented using MOUNT_ATTR_RDONLY (kernel >= 5.12) 10 “Real” read-only mounts with mount_setattr
  • 11. • Bypass slirp4netns (usermode TCP/IP), by using SECCOMP_IOCTL_NOTIF_ADDFD • Even faster than rootful 11 Slirp-less rootless containers with bypass4netns Experimental https://github.com/containerd/nerdctl/blob/main/docs/rootless.md#bypass4netns https://speakerdeck.com/mt2naoki/ip-communications-in-rootless-containers-by-socket-switching?slide=4 $ nerdctl run --label=nerdctl/bypass4netns=1
  • 12. • Breakpoints for Dockerfiles 12 Interactive debugging of Dockerfiles, with buildg Experimental https://github.com/containerd/nerdctl/blob/main/docs/builder-debug.md https://github.com/ktock/buildg $ nerdctl builder debug . .... => 1| FROM ubuntu AS dev 2| RUN echo hello > /hello 3| RUN echo world > /world 4| (buildg) break 3 (buildg) continue ... Breakpoint[0]: reached line: Dockerfile:3 (buildg) exec /bin/sh #
  • 13. • Namespacing: nerdctl --namespace=<NS> ps • Connecting a container to multiple networks at once: nerdctl run --net foo --net bar ... • AppArmor for rootless containers ( Although still needs sudo nerdctl apparmor load ) • FreeBSD containers • Windows containers • And more... 13 Other features
  • 14. • ctr: a CLI included in containerd • ctr is often misbelieved to be the standard CLI for containerd • But ctr is just a debugging tool written for containerd developers • ctr lacks lots of high-level features that are present in Docker and nerdctl • Exposing ports (nerdctl run -p <PORT>) • Re-startable containers w/ networking (nerdctl run --restart=always) • Support for ~/.docker/config.json , docker-credential-ecr-login, etc. • Reading logs of background containers (nerdctl logs) 14 FAQ: Why not ctr?
  • 15. • crictl is similar to ctr but uses a different API • crictl has similar restrictions as ctr • CRI API has very tight scope compared to the containerd native API • Negotiation for modifying the CRI API is relatively hard 15 FAQ: Why not crictl? containerd CRI API Native API kubelet crictl nerdctl ctr
  • 16. • Docker doesn’t/didn’t use the containerd API for image management • Can’t/Couldn’t be used for experimenting lazy-pulling, etc. • Work is in progress toward Docker v24+ • Release cycle is/was slow – Docker v19.03: Jul 2019 – Docker v20.10: Dec 2020 – Docker v23: Feb 2023 • Not trying to “defeat” Docker; Experiments in nerdctl are being ported to Docker too 16 FAQ: Why not Docker?
  • 17. • Podman doesn’t work as a Kubernetes runtime • CRI-O doesn’t support non-CRI API, and lacks Docker-like CLI • podman ps , etc. works for CRI-O too, but still Podman != CRI-O • Not trying to “defeat” Podman/CRI-O either; Experiments in containerd/nerdctl are being ported to Podman/CRI-O too – e.g., eStargz 17 FAQ: Why not Podman/CRI-O ?
  • 18. • https://github.com/containerd/nerdctl/releases • nerdctl-full-<VERSION>-linux-amd64.tar.gz contains all the dependencies (containerd, runc, …) 18 Getting started $ sudo systemctl enable --now containerd $ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine $ containerd-rootless-setuptool.sh install $ nerdctl run -d --name nginx -p 8080:80 nginx:alpine
  • 19. • macOS users should try Lima • Lima: Linux Machine, originally designed as “nerdctl Machine” • CNCF Sandbox Project • Automatic port forwarding & host filesystem mounting • nerdctl is also included in AWS Finch, Colima, Rancher Desktop, ... 19 Getting started $ brew install lima $ alias nerdctl=nerdctl.lima $ nerdctl run -d --name nginx -p 80:80 nginx:alpine Colima
  • 20. • nerdctl = contaiNERD CTL • Made for facilitating new experiments in the containerd platform 20 Wrap-up https://github.com/containerd/nerdctl Slack: #containerd at slack.cncf.io • Lazy-pulling with eStargz/SOCI/Nydus/OverlayBD • Registry-less P2P image distribution with IPFS • Image encryption with OCIcrypt • Image signing with Cosign / Notation • “Real” read-only mounts with mount_setattr • Slirp-less rootless containers with bypass4netns • Interactive debugging of Dockerfiles, with buildg • And more!