nerdctl

Go ★ 10k updated 2d ago

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...

A command-line container tool that works exactly like Docker's CLI but runs on the containerd runtime, adding features like faster image startup, rootless containers, and encrypted images that Docker does not yet offer.

Go | containerd | Linux | Docker Compose | setup: moderate | complexity: 3/5

nerdctl is a command-line tool for running containers on Linux that is intentionally designed to work the same way as the Docker CLI. If you already know Docker commands, you can use nerdctl with the same flags and syntax. It supports Docker Compose files (nerdctl compose up), image builds, and most other day-to-day Docker workflows.

Under the hood, nerdctl uses containerd as its container runtime rather than the Docker daemon. Containerd is the same runtime that Kubernetes uses internally, so nerdctl is sometimes useful for inspecting or debugging containers running in a Kubernetes cluster by connecting to the k8s.io containerd namespace directly.

The project exists primarily to expose features in containerd that Docker does not yet support. The most notable is lazy-pulling, also called on-demand image pulling: a container can start running before its full image has finished downloading, which reduces startup time for large images. Other optional features include encrypted images, peer-to-peer image distribution using IPFS, and container image signing and verification via cosign. These are all opt-in and do not affect standard usage.

nerdctl also supports running containers in rootless mode, meaning without root privileges on the host system. A performance optimization called bypass4netns reduces the networking overhead that rootless containers normally carry.

On Linux, nerdctl can be installed from release binaries on the GitHub releases page or via Homebrew. On macOS, it runs inside a Linux virtual machine managed by Lima, which handles the integration. Windows is supported on WSL2. A full release archive includes all required dependencies; a minimal archive includes only the nerdctl binary itself.

Where it fits