containerd
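containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows and manages the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage, network attachments and so on. It was originally developed by Docker and donated to the CNCF (Cloud Native Computing Foundation), and is now an independent open-source project.
- Core features:
  - Image management (pull, push, storage).
  - Container execution (containers are run through low-level tools such as runc).
  - Storage and network management (extended through plugins).
  - Supports the OCI (Open Container Initiative) standards and is compatible with the Docker image format.
- Positioning:
  - Focuses on the low-level container runtime and does not provide higher-level features (such as image builds or CLI tooling).
  - Usually called by higher-level platforms (such as Kubernetes and Docker) as their underlying engine.
- Use cases:
  - The default container runtime for Kubernetes (since version 1.24), called through the CRI interface.
  - Scenarios that need lightweight, low-overhead container management.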
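Containerd compared with Docker
Feature | Containerd | Docker |
---|---|---|
Positioning | Lightweight container runtime | Complete container platform |
Scope | Basic lifecycle management | Full feature set: image builds, CLI, orchestration, networking, etc. |
Performance overhead | Lower (no extra components) | Higher (includes several background processes) |
Dependencies | Can run standalone | Depends on Containerd (modern versions) or the legacy engine |
CLI tools | No native CLI (use ctr or nerdctl) | Provides the friendly docker CLI |
Image build | Not supported | Supported (docker build) |
Default orchestration | None | Docker Swarm |
Kubernetes integration | Supported directly (through CRI) | Supported indirectly through Docker Engine |
Use cases | Production environments, Kubernetes | Development and test environments |
Docker suits developers better, offering a complete toolchain and ease of use. Containerd suits production environments (such as Kubernetes) better, where the goals are a small footprint and standardization.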
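Installing Containerd
Environment: an Ubuntu 24.04 virtual machine running under VMware
Installing from binaries
Official binary releases of containerd are available for the amd64 (also known as x86_64) and arm64 (also known as aarch64) architectures. runc and the CNI plugins must also be installed from their official sites.
- If the download command is slow, download the file in a browser and upload it to the host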
wget https://github.com/containerd/containerd/releases/download/v2.0.4/containerd-2.0.4-linux-amd64.tar.gz
- Extract the binary package
tar -xf containerd-2.0.4-linux-amd64.tar.gz -C /usr/local/
- Configure systemd to start containerd
Example unit file from the official site
cat > /etc/systemd/system/containerd.service <<eof
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target dbus.service
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
eof
- Start the service and enable it at boot
systemctl daemon-reload
systemctl enable --now containerd
- Check the version and generate the configuration file
root@huhy:~# ctr -v
ctr github.com/containerd/containerd/v2 v2.0.4
root@huhy:~# mkdir /etc/containerd
root@huhy:~# containerd config default > /etc/containerd/config.toml
root@huhy:~# systemctl restart containerd
root@huhy:~# systemctl status containerd
● containerd.service - containerd container runtime
Loaded: loaded (/etc/systemd/system/containerd.service; enabled; preset: enabled)
Active: active (running) since Wed 2025-04-09 01:35:35 UTC; 4s ago
Docs: https://containerd.io
Process: 2558 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
Main PID: 2561 (containerd)
Tasks: 9
Memory: 13.2M (peak: 14.7M)
CPU: 66ms
CGroup: /system.slice/containerd.service
└─2561 /usr/local/bin/containerd
Apr 09 01:35:35 huhy containerd[2561]: time="2025-04-09T01:35:35.466699880Z" level=info msg="Start event monitor"
Apr 09 01:35:35 huhy containerd[2561]: time="2025-04-09T01:35:35.466712294Z" level=info msg="Start cni network conf syn>
Apr 09 01:35:35 huhy containerd[2561]: time="2025-04-09T01:35:35.466719037Z" level=info msg="Start streaming server"
Apr 09 01:35:35 huhy containerd[2561]: time="2025-04-09T01:35:35.466725800Z" level=info msg="Registered namespace \"k8s>
Apr 09 01:35:35 huhy containerd[2561]: time="2025-04-09T01:35:35.466731700Z" level=info msg="runtime interface starting>
Apr 09 01:35:35 huhy containerd[2561]: time="2025-04-09T01:35:35.466735767Z" level=info msg="starting plugins..."
Apr 09 01:35:35 huhy containerd[2561]: time="2025-04-09T01:35:35.466742165Z" level=info msg="Synchronizing NRI (plugin)>
Apr 09 01:35:35 huhy containerd[2561]: time="2025-04-09T01:35:35.466655151Z" level=info msg=serving... address=/run/con>
Apr 09 01:35:35 huhy containerd[2561]: time="2025-04-09T01:35:35.466844934Z" level=info msg="containerd successfully bo>
Apr 09 01:35:35 huhy systemd[1]: Started containerd.service - containerd container runtime.
root@huhy:~#
Install runc: runc is a CLI tool that spawns and runs containers on Linux according to the OCI specification
wget https://github.com/opencontainers/runc/releases/download/v1.2.6/runc.amd64
install -m 755 runc.amd64 /usr/local/sbin/runc
- Check the version
root@huhy:~# runc -v
runc version 1.2.6
commit: v1.2.6-0-ge89a2992
spec: 1.2.0
go: go1.23.7
libseccomp: 2.5.5
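Install the CNI plugins: the Container Network Interface provides network resources; through the CNI interface, Kubernetes can support different network environments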
wget https://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-amd64-v1.6.2.tgz
- Extract
mkdir -p /opt/cni/bin
tar -xf cni-plugins-linux-amd64-v1.6.2.tgz -C /opt/cni/bin/
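The download steps above unpack and install binaries into root-owned paths without checking them, while the containerd getting-started guide asks for each download's sha256sum to be verified first. An added example of that check (not part of the original page; the function names `verify_sha256` and `install_verified` and the demo file names are assumptions of this example):

```bash
#!/usr/bin/env bash
# Added example (not from the original page): check a downloaded release
# artifact against its published SHA-256 checksum file before installing it.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | awk '{ print $1 }'
    else
        shasum -a 256 -- "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 ARTIFACT SUMFILE
# SUMFILE is in sha256sum(1) format, one "<hex digest>  <file name>" per line,
# and may list several artifacts (for example one line per architecture).
# Returns 0 on match, 1 on mismatch, 2 if a file or a usable entry is missing.
verify_sha256() {
    local artifact sumfile name expected actual
    artifact=$1
    sumfile=$2
    [ -f "$artifact" ] || return 2
    [ -f "$sumfile" ] || return 2
    name=$(basename -- "$artifact")
    # Select the entry whose file name matches exactly; a leading "*" (binary
    # mode marker) or a directory prefix in the entry is ignored.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); sub(/^.*\//, "", f) }
        f == n { print tolower($1); exit }' "$sumfile")
    # A usable entry is exactly 64 hex characters.
    [ "${#expected}" -eq 64 ] || return 2
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    actual=$(sha256_of "$artifact")
    [ "$actual" = "$expected" ]
}

# install_verified ARTIFACT SUMFILE DEST
# Installs ARTIFACT as DEST with mode 755 only when the checksum matches.
install_verified() {
    if ! verify_sha256 "$1" "$2"; then
        echo "refusing to install $1: checksum verification failed" >&2
        return 1
    fi
    install -m 755 -- "$1" "$3"
}

# Demo on constructed files (no network access): a stand-in "runc.amd64" and a
# two-entry checksum file, then the same artifact after it has been modified.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a release binary\n' > "$demo_dir/runc.amd64"
{
    printf '%064d  runc.arm64\n' 0
    printf '%s  runc.amd64\n' "$(sha256_of "$demo_dir/runc.amd64")"
} > "$demo_dir/demo.sha256sum"
verify_sha256 "$demo_dir/runc.amd64" "$demo_dir/demo.sha256sum" && echo "original: checksum OK"
printf 'modified\n' >> "$demo_dir/runc.amd64"
install_verified "$demo_dir/runc.amd64" "$demo_dir/demo.sha256sum" "$demo_dir/runc" \
    || echo "modified: not installed"
rm -rf "$demo_dir"
```

Take the checksum file from the same release page as the artifact and run the check before `tar -xf ... -C /usr/local/` or `install -m 755`, since both write into paths that root later executes from.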
Installing from DEB and RPM packages
- Using Ubuntu 24.04 as the example
root@huhy:~# apt list | grep containerd
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
containerd/noble-updates,noble-security 1.7.24-0ubuntu1~24.04.2 amd64
golang-github-containerd-btrfs-dev/noble 1.0.0-1 all
golang-github-containerd-cgroups-dev/noble 1.0.4-1 all
golang-github-containerd-console-dev/noble 1.0.3-1 all
golang-github-containerd-containerd-dev/noble-updates,noble-security 1.6.24~ds1-1ubuntu1.2 all
golang-github-containerd-continuity-dev/noble 0.3.0-1 all
golang-github-containerd-fifo-dev/noble 1.1.0-1 all
golang-github-containerd-go-cni-dev/noble 1.1.7-2 all
golang-github-containerd-go-runc-dev/noble 1.0.0-1 all
golang-github-containerd-stargz-snapshotter-dev/noble-updates,noble-security 0.12.0-2ubuntu0.24.04.2 all
golang-github-containerd-ttrpc-dev/noble-updates,noble-security 1.1.2-1ubuntu0.2 all
golang-github-containerd-typeurl-dev/noble 1.0.2-1 all
apt install -y containerd
- Configure an environment-variable drop-in file for the systemd service
mkdir -p /etc/systemd/system/containerd.service.d
cat > /etc/systemd/system/containerd.service.d/http-proxy.conf <<EOF
[Service]
Environment="HTTP_PROXY=IP"
Environment="HTTPS_PROXY=IP"
Environment="NO_PROXY=localhost,127.0.0.1,::1"
EOF
systemctl daemon-reload
systemctl restart containerd
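Interacting through command-line interfaces
There are several command-line interface (CLI) projects for interacting with containerd. ctr, crictl and nerdctl are three commonly used tools, each designed for different container runtimes and scenarios.
- Core comparison of the three
Feature | ctr | crictl | nerdctl |
---|---|---|---|
Target users | Containerd developers | Kubernetes operators | Developers and general users |
Command compatibility | Its own syntax | CRI-specific syntax | Docker-compatible syntax |
Image build | ❌ Not supported | ❌ Not supported | ✅ Supported (requires BuildKit) |
Container networking | ❌ Must be configured manually | ⚠️ Depends on the CRI implementation | ✅ Integrated CNI |
Rootless | Supported | ❌ Not supported | ⚠️ Partially supported |
Kubernetes integration | ❌ Not directly related | ✅ Native support | ⚠️ Needs extra configuration |
Use cases | Low-level debugging | Cluster node operations | Day-to-day development / production |
How to choose?
- Low-level Containerd operations: use ctr (when the other tools cannot do the job).
- Kubernetes debugging: prefer crictl (for example to view Pod logs).
- Managing containers in development or production: use nerdctl (the experience is close to Docker).
ctr (Containerd's native CLI)
- Positioning:
  - The low-level debugging tool shipped with Containerd; it talks directly to the Containerd daemon.
  - It was designed for developers debugging Containerd itself, not for everyday use.
- Features:
  - Basic operations: manage images (ctr images), containers (ctr containers) and tasks (ctr tasks).
  - Not user-friendly: the command forms are obscure (for example ctr images pull rather than docker pull).
  - No container network management (CNI must be configured manually).
  - No user-namespace isolation.
  - No image build.
- Use cases:
  - Debugging that needs direct access to Containerd internals.
  - Container management in minimal environments (such as embedded systems).
Command usage: the help text is shown below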
root@huhy:~# ctr --help
NAME:
ctr -
__
_____/ /______
/ ___/ __/ ___/
/ /__/ /_/ /
\___/\__/_/
containerd CLI
USAGE:
ctr [global options] command [command options]
VERSION:
v2.0.4
DESCRIPTION:
ctr is an unsupported debug and administrative client for interacting
with the containerd daemon. Because it is unsupported, the commands,
options, and operations are not guaranteed to be backward compatible or
stable from release to release of the containerd project.
COMMANDS:
plugins, plugin Provides information about containerd plugins
version Print the client and server versions
containers, c, container Manage containers
content Manage content
events, event Display containerd events
images, image, i Manage images
leases Manage leases
namespaces, namespace, ns Manage namespaces
pprof Provide golang pprof outputs for containerd
run Run a container
snapshots, snapshot Manage snapshots
tasks, t, task Manage tasks
install Install a new package
oci OCI tools
sandboxes, sandbox, sb, s Manage sandboxes
info Print the server info
deprecations
shim Interact with a shim directly
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--debug Enable debug output in logs (default: false)
--address value, -a value Address for containerd's GRPC server (default: "/run/containerd/containerd.sock") [$CONTAINERD_ADDRESS]
--timeout value Total timeout for ctr commands (default: 0s)
--connect-timeout value Timeout for connecting to containerd (default: 0s)
--namespace value, -n value Namespace to use with commands (default: "default") [$CONTAINERD_NAMESPACE]
--help, -h Show help (default: false)
--version, -v Print the version (default: false)
Global options
Option | Description | Example |
---|---|---|
--address, -a | Address of Containerd's GRPC server (default: /run/containerd/containerd.sock) | ctr -a /custom/sock.sock images list |
--namespace, -n | Namespace to use (default: default) | ctr -n k8s.io containers list |
--timeout | Command timeout (default: 0s, no timeout) | ctr --timeout 30s tasks list |
--debug | Enable debug logging | ctr --debug images pull nginx |
- Image management (images)
Command | Purpose | Example |
---|---|---|
ctr images pull | Pull an image | ctr i pull docker.io/library/redis:alpine |
ctr images list (ls) | List images | ctr i ls --digests (show digests) |
ctr images remove (rm) | Delete an image | ctr i rm docker.io/library/nginx:latest |
ctr images export | Export an image to a tar archive | ctr i export nginx.tar nginx:latest |
ctr images import | Import an image from a tar archive | ctr i import nginx.tar |
- Key options:
  - --platform: select a platform (for example linux/amd64)
  - --all-platforms: pull the image for all platforms
- Configure registry mirrors: see the official tutorial
# Configure the containerd certificate (registry hosts) path.
# The pattern is anchored to the start of the key so that only config_path itself
# is rewritten, not other keys whose names end in config_path.
sed -i -E 's#^([[:space:]]*)config_path = .*#\1config_path = "/etc/containerd/certs.d"#' /etc/containerd/config.toml
mkdir -p /etc/containerd/certs.d/docker.io
# Configure the registry mirror and the image sources
cat > /etc/containerd/certs.d/docker.io/hosts.toml << EOF
server = "https://docker.io"
# Aliyun registry mirror (pull only)
[host."https://s34fhadh.mirror.aliyuncs.com"]
capabilities = ["pull", "resolve"]
# Official Docker Hub (pull + push)
[host."https://registry-1.docker.io"]
capabilities = ["pull", "push", "resolve"]
# Image registry (pull + push)
[host."https://registry-mirrors.yunyuan.co"]
capabilities = ["pull", "push", "resolve"]
skip_verify = true # for a self-signed certificate, certificate verification can be skipped
EOF
systemctl restart containerd
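The hosts.toml above sets `skip_verify = true` for one host, which makes containerd accept any certificate that host presents. An added audit example (not part of the original page; the function names `audit_hosts_toml` and `make_sample_tree` and the `*.example.internal` host names are assumptions of this example) that lists such entries and plaintext `http://` endpoints under a certs.d tree:

```bash
#!/usr/bin/env bash
# Added example (not from the original page): flag registry host entries under
# a certs.d tree that disable TLS verification or use plaintext HTTP.

# audit_hosts_toml CERTS_DIR
# Prints "file|host|finding" for each weak setting and returns 1 if any exist.
# Line-based matching, not a full TOML parser: it expects one key per line.
audit_hosts_toml() {
    local findings
    findings=$(find "$1" -type f -name hosts.toml -exec awk '
        FNR == 1 { host = "(server)" }          # keys before any [host] table
        {
            line = $0
            sub(/^#.*$/, "", line)              # whole-line comment
            sub(/[ \t]+#.*$/, "", line)         # indented or trailing comment
        }
        line ~ /^[ \t]*\[host\./ {              # [host."https://..."] table
            rest = line
            sub(/^[ \t]*\[host\./, "", rest)
            quote = substr(rest, 1, 1)
            rest = substr(rest, 2)
            q = index(rest, quote)
            if (substr(rest, q + 1, 1) != "]") next   # sub-table, same host
            host = substr(rest, 1, q - 1)
            if (host ~ /^http:\/\//) print FILENAME "|" host "|plaintext-http"
            next
        }
        line ~ /^[ \t]*server[ \t]*=[ \t]*.http:\/\// {
            print FILENAME "|(server)|plaintext-http"
        }
        line ~ /^[ \t]*skip_verify[ \t]*=[ \t]*true[ \t]*$/ {
            print FILENAME "|" host "|skip_verify"
        }
    ' {} +)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree; the host names are placeholders, not real registries.
make_sample_tree() {
    mkdir -p "$1/docker.io" "$1/registry.example.internal"
    cat > "$1/docker.io/hosts.toml" <<'EOF'
server = "https://docker.io"
[host."https://mirror.example.internal"]
  capabilities = ["pull", "resolve"]
  skip_verify = true   # weak: any certificate is accepted for this mirror
[host."https://registry-1.docker.io"]
  capabilities = ["pull", "push", "resolve"]
[host."https://registry.example.internal"]
  capabilities = ["pull", "resolve"]
  ca = "/etc/containerd/certs.d/docker.io/registry-ca.crt"   # pinned CA instead
EOF
    cat > "$1/registry.example.internal/hosts.toml" <<'EOF'
server = "http://registry.example.internal:5000"
EOF
}

sample=$(mktemp -d)
make_sample_tree "$sample"
audit_hosts_toml "$sample" || echo "weak registry settings found"
rm -rf "$sample"
```

For a registry with a self-signed certificate, the `ca` key in hosts.toml pins that certificate authority for the one host and keeps verification on.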
- Pull an image: pulling with ctr needs an extra flag that points at the hosts directory: --hosts-dir=/etc/containerd/certs.d
root@huhy:~# ctr image pull --hosts-dir=/etc/containerd/certs.d docker.io/library/nginx:latest
docker.io/library/nginx:latest fetching image content
docker.io/library/nginx:latest fetching image content
docker.io/library/nginx:latest fetching image content
-----------------------------
│ └──config (89c0f2004335) complete |++++++++++++++++++++++++++++++++++++++|
└──manifest (a1e6f44bc7da) complete |++++++++++++++++++++++++++++++++++++++|
└──config (f4708ae70e22) complete |++++++++++++++++++++++++++++++++++++++|
application/vnd.oci.image.index.v1+json sha256:09369da6b10306312cd908661320086bf87fbae1b6b0c49a1f50ba531fef2eab
Completed pull from OCI Registry (docker.io/library/nginx:latest) elapsed: 248.7s total: 42.0 M (173.0 KiB/s)
root@huhy:~#
- List images
root@huhy:~# ctr i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/nginx:latest application/vnd.oci.image.index.v1+json sha256:09369da6b10306312cd908661320086bf87fbae1b6b0c49a1f50ba531fef2eab 68.9 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x -
root@huhy:~# ctr images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/nginx:latest application/vnd.oci.image.index.v1+json sha256:09369da6b10306312cd908661320086bf87fbae1b6b0c49a1f50ba531fef2eab 68.9 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x -
- Delete an image
root@huhy:~# ctr images rm docker.io/library/nginx:latest
docker.io/library/nginx:latest
root@huhy:~# ctr images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
root@huhy:~#
- Export and import an image
root@huhy:~# ctr i export nginx.tar docker.io/library/nginx:latest
root@huhy:~# ls
cni-plugins-linux-amd64-v1.6.2.tgz containerd-2.0.4-linux-amd64.tar.gz nginx.tar runc.amd64
root@huhy:~# ctr i import nginx.tar
docker.io/library/nginx:latest saved
application/vnd.oci.image.index.v1+json sha256:09369da6b10306312cd908661320086bf87fbae1b6b0c49a1f50ba531fef2eab
Importing elapsed: 1.0 s total: 0.0 B (0.0 B/s)
root@huhy:~#
- Container management (containers)
Command | Purpose | Example |
---|---|---|
ctr containers create | Create a container (without running it) | ctr c create docker.io/library/nginx:latest my-nginx |
ctr containers list (ls) | List all containers | ctr c ls -q (show IDs only) |
ctr containers delete (rm) | Delete a container | ctr c rm my-nginx |
- Create a container
root@huhy:~# ctr c create docker.io/library/nginx:latest my-nginx
root@huhy:~# ctr c ls
CONTAINER IMAGE RUNTIME
my-nginx docker.io/library/nginx:latest io.containerd.runc.v2
root@huhy:~#
- Task management (tasks)
Command | Purpose | Example |
---|---|---|
ctr tasks start | Start a container task | ctr t start -d my-nginx (run in the background) |
ctr tasks exec | Enter a running container | ctr t exec --exec-id 1 -t my-nginx sh |
ctr tasks list (ls) | List tasks | ctr t ls |
ctr tasks kill | Terminate a task | ctr t kill my-nginx SIGTERM |
ctr tasks pause/resume | Pause/resume a task | ctr t pause my-nginx |
- Start a container
root@huhy:~# ctr c ls
CONTAINER IMAGE RUNTIME
my-nginx docker.io/library/nginx:latest io.containerd.runc.v2
root@huhy:~# ctr t start -d my-nginx
root@huhy:~# ctr tasks list
TASK PID STATUS
my-nginx 45806 RUNNING
root@huhy:~#
- Snapshot management (snapshots)
Command | Purpose | Example |
---|---|---|
ctr snapshots list | List snapshots | ctr snapshots ls |
ctr snapshots remove (rm) | Delete a snapshot | ctr snapshots rm my-snapshot |
- List snapshots
root@huhy:~# ctr snapshots ls
KEY PARENT KIND
my-nginx sha256:12dc0894b9d83988c128df9d1eda0d43198450dfbb600d3f48951a60dc83ba22 Active
sha256:12dc0894b9d83988c128df9d1eda0d43198450dfbb600d3f48951a60dc83ba22 sha256:cf328fc766bc5a8b4c62d4d1a66a5fd64a012bb9c4edf00733760b50245dcc25 Committed
sha256:252d6f0879cc76efb21ff5ee44a264862e6d5190693d80dcc218847e0ab1deea sha256:ea680fbff095473bb8a6c867938d6d851e11ef0c177fce983ccc83440172bd72 Committed
sha256:2cabaf44a04cb066a69df1ac5fad6d7bb983767f19579e2fcc1c38ee76deaecc sha256:dfb7b04fe3c8a2b11f1e627e3a98987fae238799f35531a03194daf1a555e618 Committed
sha256:482a624ec9ee06ddd66621ef94544670936e5047ce55742aedc630b8f2508e45 sha256:2cabaf44a04cb066a69df1ac5fad6d7bb983767f19579e2fcc1c38ee76deaecc Committed
sha256:cf328fc766bc5a8b4c62d4d1a66a5fd64a012bb9c4edf00733760b50245dcc25 sha256:482a624ec9ee06ddd66621ef94544670936e5047ce55742aedc630b8f2508e45 Committed
sha256:dfb7b04fe3c8a2b11f1e627e3a98987fae238799f35531a03194daf1a555e618 sha256:252d6f0879cc76efb21ff5ee44a264862e6d5190693d80dcc218847e0ab1deea Committed
sha256:ea680fbff095473bb8a6c867938d6d851e11ef0c177fce983ccc83440172bd72 Committed
root@huhy:~#
- Namespace management (namespaces); Kubernetes uses the k8s.io namespace by default
Command | Purpose | Example |
---|---|---|
ctr namespaces list (ls) | List namespaces | ctr ns ls |
ctr namespaces create | Create a namespace | ctr ns create my-ns |
ctr namespaces delete (rm) | Delete a namespace | ctr ns rm my-ns |
- List namespaces
root@huhy:~# ctr ns ls
NAME LABELS
default
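- Other useful commands
Command | Purpose | Example |
---|---|---|
ctr version | Show the client and server versions | ctr version |
ctr run | Run a container quickly (create + start) | ctr run -d docker.io/library/nginx:latest nginx |
ctr events | Watch Containerd events | ctr events |
ctr info | Show server information | ctr info |
- Show version information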
root@huhy:~# ctr version
Client:
Version: v2.0.4
Revision: 1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
Go version: go1.23.7
Server:
Version: v2.0.4
Revision: 1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
UUID: 31bd6f01-0be6-485a-ac68-aee368b6a41d
root@huhy:~# ctr info
{
"server": {
"uuid": "31bd6f01-0be6-485a-ac68-aee368b6a41d",
"pid": 45592,
"pidns": 4026531836
}
}
root@huhy:~#
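crictl (Kubernetes CRI tool)
- Positioning:
  - Designed for debugging Kubernetes nodes; follows the CRI (Container Runtime Interface) standard.
  - Compatible with every CRI runtime (Containerd, CRI-O).
- Features:
  - View Pod and container state directly (crictl pods).
  - Supports CRI resource statistics (such as crictl stats).
- Limitations:
  - Does not provide full container lifecycle management (for example, no replacement command for exec).
  - Image builds and network management depend on external tools.
- Use cases:
  - Operating and troubleshooting Kubernetes cluster nodes.
  - Situations where the state of the CRI runtime has to be inspected.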
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.32.0/crictl-v1.32.0-linux-amd64.tar.gz
- Extract
tar -xf crictl-v1.32.0-linux-amd64.tar.gz -C /usr/local/bin/
- Configuration file
cat > /etc/crictl.yaml <<EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 2
debug: true
pull-image-on-create: false
EOF
systemctl daemon-reload;systemctl restart containerd
root@huhy:~# crictl -v
crictl version v1.32.0
Command usage
Show the help text
root@huhy:~# crictl --help
NAME:
crictl - client for CRI
USAGE:
crictl [global options] command [command options]
VERSION:
v1.32.0
COMMANDS:
attach Attach to a running container
checkpoint Checkpoint one or more running containers
completion Output shell completion code
config Get, set and list crictl configuration options
create Create a new container
events, event Stream the events of containers
exec Run a command in a running container
imagefsinfo Return image filesystem info
images, image, img List images
info Display information of the container runtime
inspect Display the status of one or more containers
inspecti Return the status of one or more images
inspectp Display the status of one or more pods
logs Fetch the logs of a container
metricsp List pod metrics. Metrics are unstructured key/value pairs gathered by CRI meant to replace cAdvisor's /metrics/cadvisor endpoint.
pods List pods
port-forward Forward local port to a pod
ps List containers
pull Pull an image from a registry
rm Remove one or more containers
rmi Remove one or more images
rmp Remove one or more pods
run Run a new container inside a sandbox
runp Run a new pod
runtime-config Retrieve the container runtime configuration
start Start one or more created containers
stats List container(s) resource usage statistics
statsp List pod statistics. Stats represent a structured API that will fulfill the Kubelet's /stats/summary endpoint.
stop Stop one or more running containers
stopp Stop one or more running pods
update Update one or more running containers
update-runtime-config Update the runtime configuration
version Display runtime version information
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--config value, -c value Location of the client config file. If not specified and the default does not exist, the program's directory is searched as well (default: "/etc/crictl.yaml") [$CRI_CONFIG_FILE]
--debug, -D Enable debug mode (default: false)
--enable-tracing Enable OpenTelemetry tracing. (default: false)
--image-endpoint value, -i value Endpoint of CRI image manager service (default: uses 'runtime-endpoint' setting) [$IMAGE_SERVICE_ENDPOINT]
--profile-cpu value Write a pprof CPU profile to the provided path.
--profile-mem value Write a pprof memory profile to the provided path.
--runtime-endpoint value, -r value Endpoint of CRI container runtime service (default: uses in order the first successful one of [unix:///run/containerd/containerd.sock unix:///run/crio/crio.sock unix:///var/run/cri-dockerd.sock]). Default is now deprecated and the endpoint should be set instead. [$CONTAINER_RUNTIME_ENDPOINT]
--timeout value, -t value Timeout of connecting to the server in seconds (e.g. 2s, 20s.). 0 or less is set to default (default: 2s)
--tracing-endpoint value Address to which the gRPC tracing collector will send spans to. (default: "127.0.0.1:4317")
--tracing-sampling-rate-per-million value Number of samples to collect per million OpenTelemetry spans. Set to 1000000 or -1 to always sample. (default: -1)
--help, -h show help
--version, -v print the version
- Global options
Option | Purpose | Example |
---|---|---|
--runtime-endpoint, -r | CRI runtime socket (default: unix:///run/containerd/containerd.sock) | crictl -r unix:///var/run/crio/crio.sock ps |
--image-endpoint, -i | Image service endpoint (defaults to the runtime-endpoint) | crictl -i unix:///var/run/crio/crio.sock images |
--timeout, -t | Command timeout (default: 10s) | crictl -t 30s ps |
--debug, -D | Enable debug logging | crictl -D ps |
--help, -h | Show help | crictl -h |
- Container management
Command | Purpose | Example |
---|---|---|
crictl ps | List containers | crictl ps -a (show all containers) |
crictl inspect | Show container details | crictl inspect abc123 |
crictl start | Start a container | crictl start abc123 |
crictl stop | Stop a container | crictl stop abc123 10 (10-second timeout) |
crictl rm | Delete a container | crictl rm abc123 |
crictl exec -it <command> | Enter a container | crictl exec -it abc123 sh |
crictl logs | Show container logs | crictl logs --tail=100 abc123 |
- List containers
root@huhy:~# crictl ps
DEBU[0000] Get runtime connection
DEBU[0000] Using runtime connection timeout: 2s
DEBU[0000] Get image connection
DEBU[0000] ListContainerResponse: []
CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID POD NAMESPACE
root@huhy:~# crictl ps -a
DEBU[0000] Get runtime connection
DEBU[0000] Using runtime connection timeout: 2s
DEBU[0000] Get image connection
DEBU[0000] ListContainerResponse: []
CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID POD NAMESPACE
root@huhy:~#
- Pod management
Command | Purpose | Example |
---|---|---|
crictl pods | List Pods | crictl pods -q (show IDs only) |
crictl inspectp | Show Pod details | crictl inspectp pod123 |
crictl runp <config file> | Start a Pod | crictl runp pod-config.json |
crictl stopp | Stop a Pod | crictl stopp pod123 |
crictl rmp | Delete a Pod | crictl rmp pod123 |
- Image management
Command | Purpose | Example |
---|---|---|
crictl images | List images | crictl images --digests |
crictl pull <image> | Pull an image | crictl pull nginx:latest |
crictl rmi | Delete an image | crictl rmi sha256:abc123 |
- List and pull images
root@huhy:~# crictl images
DEBU[0000] Get image connection
DEBU[0000] ListImagesRequest: &ListImagesRequest{
Filter:&ImageFilter{
Image:&ImageSpec{
Image:,Annotations:map[string]string{
},UserSpecifiedImage:,RuntimeHandler:,},},}
DEBU[0000] ListImagesResponse: &ListImagesResponse{
Images:[]*Image{
},}
IMAGE TAG IMAGE ID SIZE
root@huhy:~# crictl pull nginx:latest
DEBU[0000] Get image connection
DEBU[0000] PullImageRequest: &PullImageRequest{
Image:&ImageSpec{
Image:nginx:latest,Annotations:map[string]string{
},UserSpecifiedImage:,RuntimeHandler:,},Auth:nil,SandboxConfig:nil,}
DEBU[0024] PullImageResponse: &PullImageResponse{
ImageRef:sha256:4cad75abc83d5ca6ee22053d85850676eaef657ee9d723d7bef61179e1e1e485,}
Image is up to date for sha256:4cad75abc83d5ca6ee22053d85850676eaef657ee9d723d7bef61179e1e1e485
root@huhy:~# crictl images
DEBU[0000] Get image connection
DEBU[0000] ListImagesRequest: &ListImagesRequest{
Filter:&ImageFilter{
Image:&ImageSpec{
Image:,Annotations:map[string]string{
},UserSpecifiedImage:,RuntimeHandler:,},},}
DEBU[0000] ListImagesResponse: &ListImagesResponse{
Images:[]*Image{
&Image{
Id:sha256:4cad75abc83d5ca6ee22053d85850676eaef657ee9d723d7bef61179e1e1e485,RepoTags:[docker.io/library/nginx:latest],RepoDigests:[docker.io/library/nginx@sha256:09369da6b10306312cd908661320086bf87fbae1b6b0c49a1f50ba531fef2eab],Size_:72207578,Uid:nil,Username:,Spec:nil,Pinned:false,},},}
IMAGE TAG IMAGE ID SIZE
docker.io/library/nginx latest 4cad75abc83d5 72.2MB
root@huhy:~#
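- Debugging and monitoring
Command | Purpose | Example |
---|---|---|
crictl info | Show runtime information | crictl info |
crictl stats | Show container resource statistics | crictl stats |
crictl events | Watch events in real time | crictl events --since=1h |
crictl version | Show the version | crictl version |
- Resource cleanup
Command | Purpose | Example |
---|---|---|
crictl rm $(crictl ps -aq) | Delete all stopped containers | crictl rm $(crictl ps -aq) |
crictl rmi $(crictl images -q) | Delete all unused images | crictl rmi $(crictl images -q) |
nerdctl (the friendly CLI for Containerd)
- Positioning:
  - A replacement for the Docker CLI that gives Containerd a complete, user-friendly interface.
  - Developed by the Containerd community to make up for ctr's lack of usability.
- Features:
  - Docker-compatible commands
  - Supports nerdctl run and nerdctl build (requires BuildKit).
  - Docker-like syntax (such as nerdctl ps -a).
- Extended features:
  - Supports rootless containers (run by an unprivileged user).
  - Integrates CNI networking and advanced storage options.
  - Supports namespace isolation (no interference with Kubernetes).
- Use cases:
  - Using Containerd directly in development or production environments.
  - Wanting a Docker-like experience without depending on the Docker daemon.
- Download the binary package and extract it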
wget https://github.com/containerd/nerdctl/releases/download/v2.0.4/nerdctl-2.0.4-linux-amd64.tar.gz
tar -xf nerdctl-2.0.4-linux-amd64.tar.gz -C /usr/local/bin/
- Check the version
root@huhy:~# nerdctl -v
nerdctl version 2.0.4
Command usage
Show the help text
root@huhy:~# nerdctl --help
nerdctl is a command line interface for containerd
Config file ($NERDCTL_TOML): /etc/nerdctl/nerdctl.toml
Usage: nerdctl [flags]
helpers.Management commands:
apparmor Manage AppArmor profiles
builder Manage builds
container Manage containers
image Manage images
ipfs Distributing images on IPFS
namespace Manage containerd namespaces
network Manage networks
system Manage containerd
volume Manage volumes
Commands:
attach Attach stdin, stdout, and stderr to a running container.
build Build an image from a Dockerfile. Needs buildkitd to be running.
commit Create a new image from a container's changes
completion Generate the autocompletion script for the specified shell
compose Compose
cp Copy files/folders between a running container and the local filesystem.
create Create a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
diff Inspect changes to files or directories on a container's filesystem
events Get real time events from the server
exec Run a command in a running container
help Help about any command
history Show the history of an image
images List images
info Display system-wide information
inspect Return low-level information on objects.
kill Kill one or more running containers
load Load an image from a tar archive or STDIN
login Log in to a container registry
logout Log out from a container registry
logs Fetch the logs of a container. Expected to be used with 'nerdctl run -d'.
pause Pause all processes within one or more containers
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image from a registry. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
push Push an image or a repository to a registry. Optionally specify "ipfs://" or "ipns://" scheme to push image to IPFS.
rename rename a container
restart Restart one or more running containers
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container. Optionally specify "ipfs://" or "ipns://" scheme to pull image from IPFS.
save Save one or more images to a tar archive (streamed to STDOUT by default)
start Start one or more running containers
stats Display a live stream of container(s) resource usage statistics.
stop Stop one or more running containers
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
top Display the running processes of a container
unpause Unpause all processes within one or more containers
update Update one or more running containers
version Show the nerdctl version information
wait Block until one or more containers stop, then print their exit codes.
Flags:
-H, --H string Alias of --address (default "/run/containerd/containerd.sock")
-a, --a string Alias of --address (default "/run/containerd/containerd.sock")
--address string containerd address, optionally with "unix://" prefix [$CONTAINERD_ADDRESS] (default "/run/containerd/containerd.sock")
--bridge-ip string IP address for the default nerdctl bridge network [$NERDCTL_BRIDGE_IP]
--cgroup-manager string Cgroup manager to use ("cgroupfs"|"systemd") (default "systemd")
--cni-netconfpath string cni config directory [$NETCONFPATH] (default "/etc/cni/net.d")
--cni-path string cni plugins binary directory [$CNI_PATH] (default "/opt/cni/bin")
--data-root string Root directory of persistent nerdctl state (managed by nerdctl, not by containerd) (default "/var/lib/nerdctl")
--debug debug mode
--debug-full debug mode (with full output)
--experimental Control experimental: https://github.com/containerd/nerdctl/blob/main/docs/experimental.md [$NERDCTL_EXPERIMENTAL] (default true)
-h, --help help for nerdctl
--host string Alias of --address (default "/run/containerd/containerd.sock")
--host-gateway-ip string IP address that the special 'host-gateway' string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host [$NERDCTL_HOST_GATEWAY_IP] (default "192.168.200.160")
--hosts-dir strings A directory that contains <HOST:PORT>/hosts.toml (containerd style) or <HOST:PORT>/{
ca.cert, cert.pem, key.pem} (docker style) (default [/etc/containerd/certs.d,/etc/docker/certs.d])
--insecure-registry skips verifying HTTPS certs, and allows falling back to plain HTTP
--kube-hide-dupe Deduplicate images for Kubernetes with namespace k8s.io
-n, --n string Alias of --namespace (default "default")
--namespace string containerd namespace, such as "moby" for Docker, "k8s.io" for Kubernetes [$CONTAINERD_NAMESPACE] (default "default")
--snapshotter string containerd snapshotter [$CONTAINERD_SNAPSHOTTER] (default "overlayfs")
--storage-driver string Alias of --snapshotter (default "overlayfs")
-v, --version version for nerdctl
Run 'nerdctl COMMAND --help' for more information on a command.
- Image management
Command | Purpose | Example |
---|---|---|
nerdctl pull | Pull an image | nerdctl pull nginx:latest |
nerdctl images | List images | nerdctl images -q (show IDs only) |
nerdctl rmi | Delete an image | nerdctl rmi nginx:latest |
nerdctl build | Build an image (requires BuildKit) | nerdctl build -t myapp . |
nerdctl push | Push an image to a registry | nerdctl push myapp:latest |
nerdctl tag | Tag an image | nerdctl tag nginx:latest myrepo/nginx:v1 |
nerdctl save | Export an image to a tar archive | nerdctl save -o nginx.tar nginx:latest |
nerdctl load | Import an image from a tar archive | nerdctl load -i nginx.tar |
- Pull an image and list images
root@huhy:~# nerdctl pull tomcat
docker.io/library/tomcat:latest: resolving |--------------------------------------|
docker.io/library/tomcat:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:1374a565d5122fdb42807f3a5f2d4fcc245a5e15420ff5bb5123afedc8ef769d: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:ec01946b5efacf78477bdcfbd535c085881d83e873ae884c0cd44ea1e948d49d: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:88b0f1cee84c76bb84a450edacdc37fb3ee00a8706be9298dfe8ec69e5040cdb: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:8dbbbc6af9dc7b3eec20b35797f66551a17f035a85f020fc99a0457dd268aae8: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:a10b6847b9f1913a9d34980e0354787e49b068cdbdd78c70bab054c6cfbd1660: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:5a7813e071bfadf18aaa6ca8318be4824a9b6297b3240f2cc84c1db6f4113040: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:dcc1c5ea3c7d921e35f64dce04af1c8a2cd97954281eb6af66f6067f6c2c319b: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:91e6cc55403ad09f9aeca15ab95bf547ad0b78be2b665c486beef7161150987d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:e231914ca483a93d4915d672a47db6c2022215b7ce5de04ed3bb7214e89c814f: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:5d4660d0a9e9f9a03ab7c4a134c5a0c8d39f649970092b17ebe6a619a9b838f5: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 48.4s total: 231.0 (4.8 MiB/s)
root@huhy:~# nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
tomcat latest 1374a565d512 44 seconds ago linux/amd64 541.3MB 242.2MB
nginx latest 09369da6b103 4 hours ago linux/arm/v5 0B 62.48MB
nginx latest 09369da6b103 4 hours ago linux/386 0B 70.56MB
nginx latest 09369da6b103 4 hours ago linux/ppc64le 0B 76.9MB
nginx latest 09369da6b103 4 hours ago linux/amd64 206.5MB 72.2MB
nginx latest 09369da6b103 4 hours ago unknown/unknown 0B 3.005MB
nginx latest 09369da6b103 4 hours ago linux/arm/v7 0B 60.76MB
nginx latest 09369da6b103 4 hours ago linux/arm64 0B 68.65MB
nginx latest 09369da6b103 4 hours ago linux/mips64le 0B 68.29MB
nginx latest 09369da6b103 4 hours ago linux/s390x 0B 66.9MB
- Delete an image
root@huhy:~# nerdctl rmi tomcat
Untagged: docker.io/library/tomcat:latest@sha256:1374a565d5122fdb42807f3a5f2d4fcc245a5e15420ff5bb5123afedc8ef769d
Deleted: sha256:4b7c01ed0534d4f9be9cf97d068da1598c6c20b26cb6134fad066defdb6d541d
Deleted: sha256:3359bc3d7a6a1f94c063d743f3ebd025e299dfbbbb1d48afe18a90e4d5e1f36f
Deleted: sha256:f844dcf94898d99c5a27de863a79e15d5353a6802f1804d01475be0e7b23221f
Deleted: sha256:39cf0ac89a5a18bb69e6cc51b9f37eb9025b0bc85a7433d2ef85256810804361
Deleted: sha256:4e5b554b734518d308942fd75da104b3dc27a25676fa51ce8d36a40e4a5f2491
Deleted: sha256:49cb1bc2daeb9c8543094a01a8a7e261040e7a3cbbc9e58ffae279dde71ac65b
Deleted: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
Deleted: sha256:6fbdf02a6a33fb7e6564c9d0d4f879d3845c91f60805babfe73104e1e0969def
Deleted: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
- Container management
Command | Purpose | Example |
---|---|---|
nerdctl run | Create and run a container | nerdctl run -d --name web nginx:latest |
nerdctl ps | List containers | nerdctl ps -a (show all containers) |
nerdctl start | Start a container | nerdctl start web |
nerdctl stop | Stop a container | nerdctl stop web |
nerdctl rm | Delete a container | nerdctl rm -f web (force delete) |
nerdctl exec | Enter a container | nerdctl exec -it web sh |
nerdctl logs | Show logs | nerdctl logs -f web (follow logs) |
nerdctl inspect | Show container details | nerdctl inspect web |
nerdctl commit | Create an image from a container | nerdctl commit web my-snapshot:v1 |
nerdctl cp | Copy files | nerdctl cp web:/etc/nginx/nginx.conf ./ |
- List containers
root@huhy:~# nerdctl ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
my-nginx docker.io/library/nginx:latest "/docker-entrypoint.…" 4 hours ago Up
- Stop a container
root@huhy:~# nerdctl stop my-nginx
INFO[0000] unable to retrieve networking information for that container container=my-nginx error="unexpected end of JSON input"
my-nginx
root@huhy:~# nerdctl ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
- Network management
Command | Purpose | Example |
---|---|---|
nerdctl network ls | List networks | nerdctl network ls |
nerdctl network create | Create a network | nerdctl network create mynet |
nerdctl network rm | Delete a network | nerdctl network rm mynet |
nerdctl network inspect | Show network details | nerdctl network inspect bridge |
- Create a network
root@huhy:~# nerdctl network ls
NETWORK ID NAME FILE
host
none
root@huhy:~# nerdctl network create mynet
11c844f95e2862126712e209cd3acbc68c137931c639633da9dfc17b3a464bde
root@huhy:~# nerdctl network ls
NETWORK ID NAME FILE
11c844f95e28 mynet /etc/cni/net.d/default/nerdctl-mynet.conflist
host
none
root@huhy:~#
- Volume management
Command | Purpose | Example |
---|---|---|
nerdctl volume ls | List volumes | nerdctl volume ls |
nerdctl volume create | Create a volume | nerdctl volume create myvol |
nerdctl volume rm | Delete a volume | nerdctl volume rm myvol |
nerdctl volume inspect | Show volume details | nerdctl volume inspect myvol |
- Create a volume
root@huhy:~# nerdctl volume ls
VOLUME NAME DIRECTORY
root@huhy:~# nerdctl volume create myvol
myvol
root@huhy:~# nerdctl volume ls
VOLUME NAME DIRECTORY
myvol /var/lib/nerdctl/1935db59/volumes/default/myvol/_data
root@huhy:~#
- Rootless mode only
Command | Purpose | Example |
---|---|---|
nerdctl --rootless | Run as a non-root user | nerdctl --rootless run -d alpine |
nerdctl --namespace | Specify the user namespace | nerdctl --namespace=user1 ps |
- System management
Command | Purpose | Example |
---|---|---|
nerdctl info | Show system information | nerdctl info |
nerdctl version | Show the version | nerdctl version |
nerdctl system prune | Clean up unused resources | nerdctl system prune -a (clean up everything) |
- Show system information
root@huhy:~# nerdctl info
Client:
Namespace: default
Debug Mode: false
Server:
Server Version: v2.0.4
Storage Driver: overlayfs
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Log: fluentd journald json-file none syslog
Storage: native overlayfs
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.8.0-31-generic
Operating System: Ubuntu 24.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.778GiB
Name: huhy
ID: 31bd6f01-0be6-485a-ac68-aee368b6a41d
- Advanced features
Command | Purpose | Example |
---|---|---|
nerdctl compose up | Start a Compose project | nerdctl compose -f docker-compose.yml up |
nerdctl build --buildkit | Build with BuildKit | nerdctl build --buildkit -t myapp . |
nerdctl image convert | Convert the image format | nerdctl image convert --format=estargz nginx:latest |