Installing nerdctl on Linux

This article describes how to install nerdctl on Linux. The demo environment is Fedora Cloud 43. Every component (iptables excepted) is installed from GitHub Releases without a package manager, so the procedure applies to any glibc-based Linux distribution.

The download URLs below already go through an accelerated mirror and use SDLP to resolve the latest version. That mirror (api.xrgzs.top / gh.xrgzs.top) is a third party sitting between you and GitHub, and every archive below is extracted as root into /usr/local, so check each download against the checksum file the upstream project attaches to its release (SHA256SUMS, or a per-asset .sha256sum) before extracting it; the commented-out wget lines show the direct, version-pinned upstream URLs.

Installing nerdctl-full

Use the full package that the nerdctl project provides. It bundles all the components covered further down (containerd, runc, the CNI plugins, BuildKit, RootlessKit and slirp4netns), so none of them need to be installed by hand.

Download the latest version from GitHub Releases:

# wget https://github.com/containerd/nerdctl/releases/download/v2.2.0/nerdctl-full-2.2.0-linux-amd64.tar.gz -O nerdctl-full-linux-amd64.tar.gz

curl -SL "https://api.xrgzs.top/ghrelease/?repo=containerd/nerdctl&search=nerdctl-full-&filter=linux-amd64.tar.gz&mirror=auto" -o nerdctl-full-linux-amd64.tar.gz

Extract and install (the archive carries bin/, lib/systemd/system/ and libexec/cni/, so /usr/local is the right prefix):

sudo tar Cxzvf /usr/local nerdctl-full-linux-amd64.tar.gz

Install iptables (the CNI plugins need the command):

# sudo apt install iptables
sudo dnf install iptables

Enable the containerd systemd service:

sudo systemctl daemon-reload
sudo systemctl enable --now containerd

Run a container:

sudo nerdctl pull nginx:latest
sudo nerdctl run -p 80:80 nginx:latest

The CLI works like Docker's; only a few features, such as Swarm, are unsupported.

If you want rootless containers, jump to the [Configuring Rootless](#configuring-rootless) section.
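The verification step that every download above (and the per-component downloads below) should get before `sudo tar Cxzvf /usr/local` runs on it, as an added example that is not part of the original post or of nerdctl itself. It assumes the checksum file was fetched directly from the upstream GitHub release (not through the mirror), so the digest list and the archive arrive by different paths; the tarball and SHA256SUMS it builds are constructed stand-ins so the script runs offline. Besides the digest, it also refuses archives whose member names would escape the target directory, since the extraction runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): verify a GitHub release
# archive against the upstream SHA256SUMS before extracting it as root.
# Assumption: SHA256SUMS was fetched directly from github.com, not via the
# mirror, so the digest list and the archive come from different paths.
set -eu

# verify_release ARCHIVE SUMSFILE
# Succeeds only if ARCHIVE's SHA-256 matches the SUMSFILE entry for its
# basename and ARCHIVE contains no absolute or parent-traversal paths.
verify_release() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    dir=$(dirname "$archive")

    # 1. Pick this asset's line ("<hex>  name" or "<hex> *name"); refuse if absent.
    line=$(awk -v n="$name" '$2 == n || $2 == "*" n' "$sums")
    if [ -z "$line" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    # 2. Let sha256sum compare the digest; --status keeps it silent.
    if ! printf '%s\n' "$line" | (cd "$dir" && sha256sum -c --status); then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    # 3. A member named "/etc/..." or "../bin/x" would escape the target
    #    directory during "tar -C /usr/local -xzf"; refuse such archives.
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $name" >&2
        return 1
    fi
    return 0
}

# make_sample_release DIR: constructed stand-in for a real release (a tiny
# tarball holding bin/nerdctl plus a matching SHA256SUMS) so this runs offline.
make_sample_release() {
    mkdir -p "$1/stage/bin"
    printf '#!/bin/sh\necho fake nerdctl\n' > "$1/stage/bin/nerdctl"
    tar -C "$1/stage" -czf "$1/nerdctl-full-linux-amd64.tar.gz" bin
    (cd "$1" && sha256sum nerdctl-full-linux-amd64.tar.gz > SHA256SUMS)
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample_release "$work"

if verify_release "$work/nerdctl-full-linux-amd64.tar.gz" "$work/SHA256SUMS"; then
    echo "verified: safe to run tar Cxzvf /usr/local on it"
fi
# Append one byte to the archive: the digest no longer matches.
printf 'x' >> "$work/nerdctl-full-linux-amd64.tar.gz"
if verify_release "$work/nerdctl-full-linux-amd64.tar.gz" "$work/SHA256SUMS"; then
    echo "BUG: tampered archive accepted"
    exit 1
fi
echo "tampered archive rejected"
```

For a real release, point `verify_release` at the downloaded tarball and at the SHA256SUMS (or per-asset .sha256sum) file fetched from the github.com release page; only run the `sudo tar` step when it returns 0.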

Installing containerd

containerd is a container runtime that originated at Docker and implements the CRI specification. nerdctl needs containerd to run containers.

Download the latest version from GitHub Releases:

# wget https://github.com/containerd/containerd/releases/download/v2.2.0/containerd-2.2.0-linux-amd64.tar.gz -O containerd-linux-amd64.tar.gz

curl -SL "https://api.xrgzs.top/ghrelease/?repo=containerd/containerd&search=containerd-2&filter=linux-amd64.tar.gz&mirror=auto" -o containerd-linux-amd64.tar.gz

Extract and install:

sudo tar Cxzvf /usr/local containerd-linux-amd64.tar.gz

Create the systemd unit (this fetches it through the gh.xrgzs.top proxy; read the file before installing it as root, since systemd will run whatever it contains):

sudo curl -SL https://gh.xrgzs.top/https://raw.githubusercontent.com/containerd/containerd/main/containerd.service -o /usr/lib/systemd/system/containerd.service

Enable the systemd service:

sudo systemctl daemon-reload
sudo systemctl enable --now containerd

Installing runc

containerd launches containers with runc.

Download the latest version from GitHub Releases:

# sudo wget https://github.com/opencontainers/runc/releases/download/v1.3.3/runc.amd64 -O /usr/local/sbin/runc

sudo curl -SL "https://gh.xrgzs.top/https://github.com/opencontainers/runc/releases/latest/download/runc.amd64" -o /usr/local/sbin/runc
sudo chmod 755 /usr/local/sbin/runc

Installing the CNI plugins

containerd manages container networking through CNI (Container Network Interface) plugins such as bridge and macvlan.

Download the latest version from GitHub Releases:

# wget https://github.com/containernetworking/plugins/releases/download/v1.8.0/cni-plugins-linux-amd64-v1.8.0.tgz -O cni-plugins-linux-amd64.tgz

curl -SL "https://api.xrgzs.top/ghrelease/?repo=containernetworking/plugins&search=cni-plugins-linux-amd64&filter=tgz&mirror=auto" -o cni-plugins-linux-amd64.tgz

Extract and install:

sudo mkdir -p /opt/cni/bin
sudo tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64.tgz

Note that the CNI plugins shell out to the iptables command, so iptables must be installed as well:

# sudo apt install iptables
sudo dnf install iptables

Installing nerdctl

Download the latest version from GitHub Releases:

# wget https://github.com/containerd/nerdctl/releases/download/v2.2.0/nerdctl-2.2.0-linux-amd64.tar.gz -O nerdctl-linux-amd64.tar.gz

curl -SL "https://api.xrgzs.top/ghrelease/?repo=containerd/nerdctl&search=nerdctl-&filter=linux-amd64.tar.gz&mirror=auto" -o nerdctl-linux-amd64.tar.gz

Extract and install (this archive has the binaries and the containerd-rootless*.sh helpers at its top level, hence /usr/local/bin rather than /usr/local):

sudo tar Cxzvf /usr/local/bin nerdctl-linux-amd64.tar.gz

(Optional) Installing BuildKit

If you need to build images, install BuildKit.

Download the latest version from GitHub Releases:

# wget https://github.com/moby/buildkit/releases/download/v0.26.2/buildkit-v0.26.2.linux-amd64.tar.gz -O buildkit-linux-amd64.tar.gz

curl -SL "https://api.xrgzs.top/ghrelease/?repo=moby/buildkit&search=buildkit-&filter=linux-amd64.tar.gz&mirror=auto" -o buildkit-linux-amd64.tar.gz

Extract and install:

sudo tar Cxzvf /usr/local buildkit-linux-amd64.tar.gz

(Optional) Installing RootlessKit + slirp4netns

To use nerdctl's rootless containers, install these two components:

  1. RootlessKit is a Linux-native "fake root" implementation built on user namespaces.
  2. slirp4netns provides user-mode networking (slirp) for unprivileged network namespaces.

Download the latest version from GitHub Releases:

# wget https://github.com/rootless-containers/rootlesskit/releases/download/v2.3.5/rootlesskit-x86_64.tar.gz -O rootlesskit-x86_64.tar.gz

curl -SL "https://gh.xrgzs.top/https://github.com/rootless-containers/rootlesskit/releases/latest/download/rootlesskit-x86_64.tar.gz" -o rootlesskit-x86_64.tar.gz

Extract and install:

sudo tar Cxzvf /usr/local/bin rootlesskit-x86_64.tar.gz

Download and install slirp4netns:

# sudo wget https://github.com/rootless-containers/slirp4netns/releases/download/v1.3.3/slirp4netns-x86_64 -O /usr/local/bin/slirp4netns

sudo curl -SL "https://github.com/rootless-containers/slirp4netns/releases/latest/download/slirp4netns-x86_64" -o /usr/local/bin/slirp4netns
sudo chmod 755 /usr/local/bin/slirp4netns

Configuring Rootless

Run the containerd-rootless-setuptool.sh check script shipped with nerdctl to confirm that the dependencies are set up correctly:

[fedora@fedora ~]$ containerd-rootless-setuptool.sh check
[INFO] Checking RootlessKit functionality
[INFO] Checking cgroup v2
[INFO] Checking overlayfs
[INFO] Requirements are satisfied

If all checks pass, run containerd-rootless-setuptool.sh install to set up the rootless daemon:

[fedora@fedora ~]$ containerd-rootless-setuptool.sh install
[INFO] Checking RootlessKit functionality
[INFO] Checking cgroup v2
[INFO] Checking overlayfs
[INFO] Requirements are satisfied
[INFO] Creating "/home/fedora/.config/systemd/user/containerd.service"
[INFO] Starting systemd unit "containerd.service"
+ systemctl --user start containerd.service
+ sleep 3
+ systemctl --user --no-pager --full status containerd.service
 containerd.service - containerd (Rootless)
     Loaded: loaded (/home/fedora/.config/systemd/user/containerd.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Fri 2025-11-21 02:47:37 UTC; 3s ago
 Invocation: 560889ac8bec4de48bcb83b292092485
   Main PID: 3871 (rootlesskit)
      Tasks: 31
     Memory: 20.2M (peak: 20.2M)
        CPU: 168ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/containerd.service
             ├─3871 rootlesskit --state-dir=/run/user/1000/containerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --copy-up=/var/lib --propagation=rslave --detach-netns /usr/local/bin/containerd-rootless.sh
             ├─3890 /proc/self/exe --state-dir=/run/user/1000/containerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --copy-up=/var/lib --propagation=rslave --detach-netns /usr/local/bin/containerd-rootless.sh
             ├─3918 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-seccomp --userns-path=/proc/3890/ns/user --netns-type=path /proc/3890/root/run/user/1000/containerd-rootless/netns tap0
             └─3926 containerd

Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.434258032Z" level=info msg="loading plugin" id=io.containerd.ttrpc.v1.otelttrpc type=io.containerd.ttrpc.v1
Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.434266430Z" level=info msg="loading plugin" id=io.containerd.grpc.v1.healthcheck type=io.containerd.grpc.v1
Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.434275558Z" level=info msg="loading plugin" id=io.containerd.grpc.v1.cri type=io.containerd.grpc.v1
Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.434283355Z" level=info msg="Connect containerd service"
Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.434346716Z" level=info msg="using experimental NRI integration - disable nri plugin to prevent this"
Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.434404243Z" level=warning msg="Running CRI plugin in a user namespace typically requires disable_apparmor and restrict_oom_score_adj to be true"
Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.434880822Z" level=warning msg="failed to load plugin" error="failed to create CRI service: failed to create cni conf monitor for default: failed to watch cni conf dir /etc/cni/net.d: permission denied" id=io.containerd.grpc.v1.cri type=io.containerd.grpc.v1
Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.435180666Z" level=info msg=serving... address=/run/containerd/containerd.sock.ttrpc
Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.435245256Z" level=info msg=serving... address=/run/containerd/containerd.sock
Nov 21 02:47:37 fedora containerd-rootless.sh[3926]: time="2025-11-21T02:47:37.435264820Z" level=info msg="containerd successfully booted in 0.093982s"
+ systemctl --user enable containerd.service
Created symlink '/home/fedora/.config/systemd/user/default.target.wants/containerd.service' '/home/fedora/.config/systemd/user/containerd.service'.
[INFO] Installed "containerd.service" successfully.
[INFO] To control "containerd.service", run: `systemctl --user (start|stop|restart) containerd.service`
[INFO] To run "containerd.service" on system startup automatically, run: `sudo loginctl enable-linger fedora`
[INFO] ------------------------------------------------------------------------------------------
[INFO] Use `nerdctl` to connect to the rootless containerd.
[INFO] You do NOT need to specify $CONTAINERD_ADDRESS explicitly.

As the output says, manage the daemon with systemctl --user (start|stop|restart) containerd.service; to have the user-level containerd (and the containers it restarts) come up at boot without a login session, run sudo loginctl enable-linger $USER. Two lines in the log above are worth understanding rather than worrying about: the CRI plugin fails to load because the unprivileged daemon cannot watch /etc/cni/net.d, and nerdctl does not use CRI (only kubelet does), so nothing is lost; and rootlesskit is started with --disable-host-loopback, so containers cannot reach services bound to the host's 127.0.0.1, which is the intended isolation for a rootless setup.

Configuring registry mirrors

nerdctl pulls images through containerd's registry host configuration, so the mirror is set up on the containerd side:

Because mirrors come and go, see this article for the current configuration:

https://www.xrgzs.top/posts/docker-cmd#containerd

Then restart containerd:

sudo systemctl restart containerd

Verify the configuration:

sudo nerdctl pull nginx

If you pull from other registries (such as gcr.io or quay.io), create the matching directory and hosts.toml under /etc/containerd/certs.d/ in the same way.
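What such a hosts.toml looks like, generated by a small script, as an added example that is not part of the original post or of containerd's own tooling. The mirror URL mirror.example.com is a placeholder, not a real mirror; nerdctl reads the resulting file from /etc/containerd/certs.d/<registry>/hosts.toml (in rootless mode, from ~/.config/containerd/certs.d instead). The script keeps the upstream registry as the authoritative server, grants the mirror only pull and resolve (never push), and refuses a plaintext HTTP mirror so that image content and auth tokens are never fetched over HTTP.

```shell
#!/bin/sh
# Added example (not from the original post): write a hosts.toml that
# routes pulls for one registry through a mirror while keeping upstream as
# the authoritative server. Assumption: mirror.example.com is a placeholder
# for whatever mirror you actually use; it must be reachable over HTTPS.
set -eu

# write_hosts_toml CERTS_DIR REGISTRY MIRROR_URL
# Writes CERTS_DIR/REGISTRY/hosts.toml. Fails on non-HTTPS mirrors.
write_hosts_toml() {
    certs_dir=$1
    registry=$2
    mirror=$3
    case $mirror in
        https://*) ;;
        *) echo "refusing non-HTTPS mirror: $mirror" >&2; return 1 ;;
    esac
    # Docker Hub's API host differs from the host used in image references.
    if [ "$registry" = docker.io ]; then
        upstream=https://registry-1.docker.io
    else
        upstream=https://$registry
    fi
    mkdir -p "$certs_dir/$registry"
    # "server" handles anything the hosts below cannot; the mirror gets
    # only pull/resolve so a compromised mirror can never accept pushes.
    cat > "$certs_dir/$registry/hosts.toml" <<EOF
server = "$upstream"

[host."$mirror"]
  capabilities = ["pull", "resolve"]
EOF
}

# Demo against a temporary directory; for real use pass /etc/containerd/certs.d
# (run as root) and then restart containerd as shown above.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_hosts_toml "$tmp" docker.io https://mirror.example.com
write_hosts_toml "$tmp" quay.io https://mirror.example.com
cat "$tmp/docker.io/hosts.toml"
```

The weak variant people reach for when a mirror misbehaves is `skip_verify = true` together with an `http://` host; that turns every pull into a man-in-the-middle opportunity on the path to the mirror, which is why the script refuses it outright instead of offering a flag.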