nerdctl v2.0 is released in unison with containerd v2.0, but it continues to work with containerd v1.6 and v1.7 too.
The release of nerdctl v2.1 is NOT planned to be synchronized with containerd v2.1.
Changes
nerdctl v2 enables "detach-netns" for Rootless mode by default (#2723).
This will bring:
- Faster and more stable
nerdctl pull
,nerdctl push
,nerdctl build
, etc - Proper support for
nerdctl pull 127.0.0.1:.../...
- Proper support for
nerdctl run --net=host
Depends on RootlessKit >= v2.0 and BuildKit >= v0.13 (included in nerdctl-full-*.tar.gz
).
Note
After upgrading nerdctl (rootless mode) from v1.x to v2.x, it is highly recommended to
re-install the systemd units and the configurations:
containerd-rootless-setuptool.sh uninstall
rm -rf ~/.config/{nerdctl,buildkit}
containerd-rootless-setuptool.sh install
CONTAINERD_NAMESPACE=default containerd-rootless-setuptool.sh install-buildkit-containerd
Other major changes:
nerdctl run
:- Added
--systemd=(true|false|always)
flag for running systemd in containers flag (#2785, thanks to @sazzy4o) - Added
--ipc=(shareable|container:<container>)
flag (#2757, thanks to @minuk-dev) - Added
--annotation
flag (#2906)- Now
nerdctl run --label
is only set as a containerd label and not propagated as an OCI annotation. A label with thenerdctl/
prefix can no longer be set manually, with an exception fornerdctl/bypass4netns
. Thenerdctl/bypass4netns
label is still allowed and is propagated to an OCI annotation, for sake of compatibility.
- Now
- Added
--sig-proxy
flag (#3043, thanks to @CodeChanning) - Propagate image labels to container labels (not to container annotations) (#3023, thanks to @yankay)
- Added
--attach
flag (#3157, thanks to @CodeChanning) - The restriction for
--name
is relaxed to support longer names (#3279, thanks to @Shubhranshu153) - Added
--security-opt systempaths=unconfined
flag (#3533, thanks to @austinvazquez) - Added
--network ns:<PATH>
flag (#3538, thanks to @dancavallaro) - Added the support for oci-layout image references (#3537, thanks to @austinvazquez)
- Added
--log-driver=none
flag (#3633, thanks to @coderbirju)
- Added
nerdctl build
:- Added
--attest
,--sbom
, and--provenance
flags (#2786, thanks to @yankay) - Added
--pull
flag (#3074, thanks to @sondavidb) - Added the support for Windows (#2587, thanks to @TBBle)
- Added the support for oci-layout build contexts (#3327, thanks to @austinvazquez)
- Added
nerdctl ps
:- JSON type of
--format=json
is changed for better Docker compatibility (#2987, #3058, thanks to @apostasie and @yankay)
- JSON type of
nerdctl inspect
:- Added
--size
flag (#3021, thanks to @apostasie)
- Added
nerdctl network
:- The networks are now aware of containerd namespaces. i.e.,
nerdctl --namespace=foo network list
no longer shows networks created withnerdctl --namespace=bar network create
(#3096, thanks to @apostasie) - Enhanced support for DHCP (#3001, thanks to @apostasie)
- The networks are now aware of containerd namespaces. i.e.,
nerdctl compose up
:- Added
--abort-on-container-exit
flag (#2873, thanks to @alegrey91)
- Added
nerdctl builder prune
:- Added
--all
flag (#3316, thanks to @austinvazquez) - Added
--force
flag (#3316, thanks to @austinvazquez)
- Added
nerdctl image prune
:- Added
--filter
flag (#3319, thanks to @austinvazquez)
- Added
nerdctl image load
:- Added
--quiet
flag (#3551, thanks to @austinvazquez)
- Added
- nerdct-full:
- Misc:
- Refactoring and stability improvements (Many PRs, thanks to @apostasie et al.)
- And more!
Full changes: https://github.com/containerd/nerdctl/milestone/37?closed=1
Thanks to @CerberusQc @CodeChanning @Iceber @Shikachuu @Shubhranshu153 @TBBle @THLIVSQAZ @TinaMor @abitrolly @alegrey91 @apostasie @austinvazquez @bobcallaway @cezar-r @chews93319 @coderbirju @curlwget @dancavallaro @djdongjin @dmcgowan @fahedouch @frits-v @fwilhe2 @haytok @jmpargana @kebe7jun @ktock @lingdie @manugupt1 @midnight-wonderer @minuk-dev @monirul @pendo324 @qianxi0410 @roman-kiselenko @sazzy4o @sondavidb @testwill @thaJeztah @xyz-li @yankay @zjumoon01 @zwpaper
Compatible containerd versions
This release of nerdctl is expected to be used with containerd v1.6, v1.7, or v2.0.
About the binaries
- Minimal (
nerdctl-2.0.0-linux-amd64.tar.gz
): nerdctl only - Full (
nerdctl-full-2.0.0-linux-amd64.tar.gz
): Includes dependencies such as containerd, runc, and CNI
Minimal
Extract the archive to a path like /usr/local/bin
or ~/bin
.
tar Cxzvvf /usr/local/bin nerdctl-2.0.0-linux-amd64.tar.gz
-rwxr-xr-x root/root 26366104 2024-11-06 00:32 nerdctl
-rwxr-xr-x root/root 22657 2024-11-06 00:32 containerd-rootless-setuptool.sh
-rwxr-xr-x root/root 8708 2024-11-06 00:32 containerd-rootless.sh
Full
Extract the archive to a path like /usr/local
or ~/.local
.
tar Cxzvvf /usr/local nerdctl-full-2.0.0-linux-amd64.tar.gz
drwxr-xr-x 0/0 0 2024-11-06 00:39 bin/
-rwxr-xr-x 0/0 29493543 2015-10-21 00:00 bin/buildctl
-rwxr-xr-x 0/0 23724032 2022-09-05 09:52 bin/buildg
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-LICENSE -> ../libexec/cni/LICENSE
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-README.md -> ../libexec/cni/README.md
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-bandwidth -> ../libexec/cni/bandwidth
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-bridge -> ../libexec/cni/bridge
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-dhcp -> ../libexec/cni/dhcp
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-dummy -> ../libexec/cni/dummy
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-firewall -> ../libexec/cni/firewall
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-host-device -> ../libexec/cni/host-device
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-host-local -> ../libexec/cni/host-local
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-ipvlan -> ../libexec/cni/ipvlan
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-loopback -> ../libexec/cni/loopback
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-macvlan -> ../libexec/cni/macvlan
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-portmap -> ../libexec/cni/portmap
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-ptp -> ../libexec/cni/ptp
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-sbr -> ../libexec/cni/sbr
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-static -> ../libexec/cni/static
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-tap -> ../libexec/cni/tap
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-tuning -> ../libexec/cni/tuning
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-vlan -> ../libexec/cni/vlan
lrwxrwxrwx 0/0 0 2024-11-06 00:38 bin/buildkit-cni-vrf -> ../libexec/cni/vrf
-rwxr-xr-x 0/0 60229721 2015-10-21 00:00 bin/buildkitd
-rwxr-xr-x 0/0 15311568 2024-11-06 00:37 bin/bypass4netns
-rwxr-xr-x 0/0 5882008 2024-11-06 00:37 bin/bypass4netnsd
-rwxr-xr-x 0/0 38868944 2024-11-06 00:38 bin/containerd
-rwxr-xr-x 0/0 10494104 2024-11-05 23:12 bin/containerd-fuse-overlayfs-grpc
-rwxr-xr-x 0/0 22657 2024-11-06 00:39 bin/containerd-rootless-setuptool.sh
-rwxr-xr-x 0/0 8708 2024-11-06 00:39 bin/containerd-rootless.sh
-rwxr-xr-x 0/0 7717016 2024-11-06 00:38 bin/containerd-shim-runc-v2
-rwxr-xr-x 0/0 45903872 2023-10-31 08:57 bin/containerd-stargz-grpc
-rwxr-xr-x 0/0 22214956 2024-11-06 00:39 bin/ctd-decoder
-rwxr-xr-x 0/0 19706008 2024-11-06 00:38 bin/ctr
-rwxr-xr-x 0/0 29814020 2024-11-06 00:39 bin/ctr-enc
-rwxr-xr-x 0/0 19931136 2023-10-31 08:58 bin/ctr-remote
-rwxr-xr-x 0/0 1789968 2024-11-06 00:39 bin/fuse-overlayfs
-rwxr-xr-x 0/0 26333336 2024-11-06 00:39 bin/nerdctl
-rwxr-xr-x 0/0 11346380 2024-08-17 19:28 bin/rootlessctl
-rwxr-xr-x 0/0 13089548 2024-08-17 19:28 bin/rootlesskit
-rwxr-xr-x 0/0 15921736 2024-11-06 00:37 bin/runc
-rwxr-xr-x 0/0 2354520 2024-11-06 00:39 bin/slirp4netns
-rwxr-xr-x 0/0 870496 2024-11-06 00:39 bin/tini
drwxr-xr-x 0/0 0 2024-11-06 00:38 lib/
drwxr-xr-x 0/0 0 2024-11-06 00:38 lib/systemd/
drwxr-xr-x 0/0 0 2024-11-06 00:38 lib/systemd/system/
-rw-r--r-- 0/0 1325 2024-11-06 00:38 lib/systemd/system/buildkit.service
-rw-r--r-- 0/0 1264 2024-11-06 00:37 lib/systemd/system/containerd.service
-rw-r--r-- 0/0 312 2024-11-06 00:38 lib/systemd/system/stargz-snapshotter.service
drwxr-xr-x 0/0 0 2024-11-06 00:38 libexec/
drwxr-xr-x 0/0 0 2024-11-06 00:38 libexec/cni/
-rw-r--r-- 0/0 11357 2024-10-15 09:37 libexec/cni/LICENSE
-rw-r--r-- 0/0 2343 2024-10-15 09:37 libexec/cni/README.md
-rwxr-xr-x 0/0 4648054 2024-10-15 09:36 libexec/cni/bandwidth
-rwxr-xr-x 0/0 5283567 2024-10-15 09:37 libexec/cni/bridge
-rwxr-xr-x 0/0 12771199 2024-10-15 09:37 libexec/cni/dhcp
-rwxr-xr-x 0/0 4843811 2024-10-15 09:37 libexec/cni/dummy
-rwxr-xr-x 0/0 5312426 2024-10-15 09:36 libexec/cni/firewall
-rwxr-xr-x 0/0 4784447 2024-10-15 09:37 libexec/cni/host-device
-rwxr-xr-x 0/0 4047543 2024-10-15 09:37 libexec/cni/host-local
-rwxr-xr-x 0/0 4860660 2024-10-15 09:37 libexec/cni/ipvlan
-rwxr-xr-x 0/0 4107060 2024-10-15 09:37 libexec/cni/loopback
-rwxr-xr-x 0/0 4896553 2024-10-15 09:37 libexec/cni/macvlan
-rwxr-xr-x 0/0 4703145 2024-10-15 09:36 libexec/cni/portmap
-rwxr-xr-x 0/0 5068216 2024-10-15 09:37 libexec/cni/ptp
-rwxr-xr-x 0/0 4330463 2024-10-15 09:36 libexec/cni/sbr
-rwxr-xr-x 0/0 3648356 2024-10-15 09:37 libexec/cni/static
-rwxr-xr-x 0/0 4920887 2024-10-15 09:37 libexec/cni/tap
-rwxr-xr-x 0/0 4195353 2024-10-15 09:36 libexec/cni/tuning
-rwxr-xr-x 0/0 4854297 2024-10-15 09:37 libexec/cni/vlan
-rwxr-xr-x 0/0 4481459 2024-10-15 09:36 libexec/cni/vrf
drwxr-xr-x 0/0 0 2024-11-06 00:36 share/
drwxr-xr-x 0/0 0 2024-11-06 00:39 share/doc/
drwxr-xr-x 0/0 0 2024-11-06 00:39 share/doc/nerdctl/
-rw-r--r-- 0/0 12101 2024-11-06 00:32 share/doc/nerdctl/README.md
drwxr-xr-x 0/0 0 2024-11-06 00:32 share/doc/nerdctl/docs/
-rw-r--r-- 0/0 3953 2024-11-06 00:32 share/doc/nerdctl/docs/build.md
-rw-r--r-- 0/0 2570 2024-11-06 00:32 share/doc/nerdctl/docs/builder-debug.md
-rw-r--r-- 0/0 4779 2024-11-06 00:32 share/doc/nerdctl/docs/cni.md
-rw-r--r-- 0/0 77544 2024-11-06 00:32 share/doc/nerdctl/docs/command-reference.md
-rw-r--r-- 0/0 1814 2024-11-06 00:32 share/doc/nerdctl/docs/compose.md
-rw-r--r-- 0/0 5329 2024-11-06 00:32 share/doc/nerdctl/docs/config.md
-rw-r--r-- 0/0 9128 2024-11-06 00:32 share/doc/nerdctl/docs/cosign.md
-rw-r--r-- 0/0 5660 2024-11-06 00:32 share/doc/nerdctl/docs/cvmfs.md
drwxr-xr-x 0/0 0 2024-11-06 00:32 share/doc/nerdctl/docs/dev/
-rw-r--r-- 0/0 8587 2024-11-06 00:32 share/doc/nerdctl/docs/dev/store.md
-rw-r--r-- 0/0 2776 2024-11-06 00:32 share/doc/nerdctl/docs/dir.md
-rw-r--r-- 0/0 906 2024-11-06 00:32 share/doc/nerdctl/docs/experimental.md
-rw-r--r-- 0/0 14217 2024-11-06 00:32 share/doc/nerdctl/docs/faq.md
-rw-r--r-- 0/0 884 2024-11-06 00:32 share/doc/nerdctl/docs/freebsd.md
-rw-r--r-- 0/0 3273 2024-11-06 00:32 share/doc/nerdctl/docs/gpu.md
drwxr-xr-x 0/0 0 2024-11-06 00:32 share/doc/nerdctl/docs/images/
-rw-r--r-- 0/0 1540 2024-11-06 00:32 share/doc/nerdctl/docs/images/nerdctl-white.svg
-rw-r--r-- 0/0 1462 2024-11-06 00:32 share/doc/nerdctl/docs/images/nerdctl.svg
-rw-r--r-- 0/0 684421 2024-11-06 00:32 share/doc/nerdctl/docs/images/rootlessKit-network-design.png
-rw-r--r-- 0/0 14462 2024-11-06 00:32 share/doc/nerdctl/docs/ipfs.md
-rw-r--r-- 0/0 1755 2024-11-06 00:32 share/doc/nerdctl/docs/multi-platform.md
-rw-r--r-- 0/0 2960 2024-11-06 00:32 share/doc/nerdctl/docs/notation.md
-rw-r--r-- 0/0 2596 2024-11-06 00:32 share/doc/nerdctl/docs/nydus.md
-rw-r--r-- 0/0 3277 2024-11-06 00:32 share/doc/nerdctl/docs/ocicrypt.md
-rw-r--r-- 0/0 1876 2024-11-06 00:32 share/doc/nerdctl/docs/overlaybd.md
-rw-r--r-- 0/0 15657 2024-11-06 00:32 share/doc/nerdctl/docs/registry.md
-rw-r--r-- 0/0 8707 2024-11-06 00:32 share/doc/nerdctl/docs/rootless.md
-rw-r--r-- 0/0 2015 2024-11-06 00:32 share/doc/nerdctl/docs/soci.md
-rw-r--r-- 0/0 10312 2024-11-06 00:32 share/doc/nerdctl/docs/stargz.md
drwxr-xr-x 0/0 0 2024-11-06 00:32 share/doc/nerdctl/docs/testing/
-rw-r--r-- 0/0 4115 2024-11-06 00:32 share/doc/nerdctl/docs/testing/README.md
-rw-r--r-- 0/0 15068 2024-11-06 00:32 share/doc/nerdctl/docs/testing/tools.md
drwxr-xr-x 0/0 0 2024-11-06 00:39 share/doc/nerdctl-full/
-rw-r--r-- 0/0 1004 2024-11-06 00:39 share/doc/nerdctl-full/README.md
-rw-r--r-- 0/0 5621 2024-11-06 00:39 share/doc/nerdctl-full/SHA256SUMS
Included components
See share/doc/nerdctl-full/README.md
:
# nerdctl (full distribution)
- nerdctl: v2.0.0
- containerd: v2.0.0
- runc: v1.2.1
- CNI plugins: v1.6.0
- BuildKit: v0.17.0
- Stargz Snapshotter: v0.15.1
- imgcrypt: v2.0.0-rc.1
- slirp4netns: v1.3.1
- bypass4netns: v0.4.1
- fuse-overlayfs: v1.14
- containerd-fuse-overlayfs: v2.0.0
- Tini: v0.19.0
- buildg: v0.4.1
- RootlessKit: v2.3.1
## License
- bin/slirp4netns: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/v1.3.1/COPYING)
- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/v1.14/COPYING)
- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)
- bin/tini: [MIT License](https://github.com/krallin/tini/blob/v0.19.0/LICENSE)
- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)
Quick start
Rootful
$ sudo systemctl enable --now containerd
$ sudo nerdctl run -d --name nginx -p 80:80 nginx:alpine
Rootless
$ containerd-rootless-setuptool.sh install
$ nerdctl run -d --name nginx -p 8080:80 nginx:alpine
Enabling cgroup v2 is highly recommended for rootless mode, see https://rootlesscontaine.rs/getting-started/common/cgroup2/ .
The binaries were built automatically on GitHub Actions.
The build log is available for 90 days: https://github.com/containerd/nerdctl/actions/runs/11694883870
The sha256sum of the SHA256SUMS file itself is 304a5a826358d302ed3c290146b8c67215da3906b559f801b88a148a5033a3be
.
Release manager: @AkihiroSuda