Containers: runtimes, tools, etc.
This article collects some reminders about certain container technologies and techniques. It is not an introduction to containers/Docker.
Installation and setup for containerd/nerdctl/rootlesskit
[NOTE: As of February 2026, nerdctl and rootlesskit are both available in Homebrew on Linux for both amd64 and aarch64.]
containerd is an industry-standard container runtime with an emphasis on simplicity, robustness, and portability.
nerdctl is a Docker-compatible CLI for containerd [with some additional features].
- I want to use CNI plugins to provide networking options: bridge, portmap, firewall, tuning.
- I want to be able to run non-privileged containers via rootless mode.
- Therefore, I use the 'nerdctl-full' package from the containerd/nerdctl releases.
Installation
On Armbian (based on Debian Trixie):
robin@localhost:~$ sudo apt install -y uidmap
robin@localhost:~$ NERDCTL_VERSION=$(curl -s https://api.github.com/repos/containerd/nerdctl/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//')
robin@localhost:~$ wget https://github.com/containerd/nerdctl/releases/download/v${NERDCTL_VERSION}/nerdctl-full-${NERDCTL_VERSION}-linux-arm64.tar.gz
robin@localhost:~$ sudo tar -xzvf nerdctl-full-${NERDCTL_VERSION}-linux-arm64.tar.gz -C /usr/local/
robin@localhost:~$ containerd-rootless-setuptool.sh install
<snip>
robin@localhost:~$ systemctl --user start containerd.service
robin@localhost:~$ sudo loginctl enable-linger $(whoami)
robin@localhost:~$ nerdctl version
Client:
 Version: v2.2.1
 OS/Arch: linux/arm64
 Git commit: 0d1089396f017bb872ad40606b0d31ebdeaa828a
 buildctl:
  Version: v0.26.3
  GitCommit: c70e8e666f8f6ee3c0d83b20c338be5aedeaa97a
Server:
 containerd:
  Version: v2.2.1
  GitCommit: dea7da592f5d1d2b7755e3a161be07f43fad8f75
 runc:
  Version: 1.4.0
  GitCommit: v1.4.0-0-g8bd78a9
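The installation above extracts a downloaded tarball into /usr/local as root without checking it first. As an added example (not part of the original article or the nerdctl project), these shell functions verify a tarball against a SHA256SUMS file and reject archives with absolute or `..` member paths before extraction. It assumes the release publishes a `SHA256SUMS` asset next to the tarball, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a release tarball before extracting it as root.
# Assumption: a SHA256SUMS file ("<hex>  <filename>" per line) was downloaded
# from the same release as the tarball. Function names are hypothetical.

# verify_release TARBALL SUMS_FILE
# Succeeds only if SUMS_FILE lists TARBALL's basename and the hashes match.
# A missing entry counts as a failure, never as a pass.
verify_release() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$2")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch: $name" >&2; return 1; }
}

# has_unsafe_member: reads member names on stdin, succeeds if any name is
# absolute or contains a ".." path component.
has_unsafe_member() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# check_members TARBALL
# Fails if the archive cannot be listed or a member would land outside the
# directory given to "tar -C".
check_members() {
    list=$(tar -tzf "$1" 2>/dev/null) || { echo "cannot list $1" >&2; return 1; }
    if printf '%s\n' "$list" | has_unsafe_member; then
        echo "unsafe member path in $1" >&2; return 1
    fi
}

# Usage with the variables from the session above:
#   t=nerdctl-full-${NERDCTL_VERSION}-linux-arm64.tar.gz
#   verify_release "$t" SHA256SUMS && check_members "$t" &&
#       sudo tar -xzf "$t" -C /usr/local/
```

A checksum fetched from the same location as the tarball detects corruption or a swapped asset, not a compromised release; a signature on the checksum file, where the project provides one, covers that case.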
bypass4netns
Use bypass4netns for much faster networking[1].
robin@localhost:~$ containerd-rootless-setuptool.sh install-bypass4netnsd
robin@localhost:~$ systemctl --user start bypass4netnsd.service
Then I can add annotations to my containerized services, such as in the compose.yaml:
services:
  foo:
    image: <some_image>
    annotations:
      # annotation key nerdctl reads to enable bypass4netns for this container
      nerdctl/bypass4netns: "true"
    ...
    ports:
      - "8080:80"
    ...
See Also
[1] Something like 8x compared to slirp4netns! See https://github.com/rootless-containers/bypass4netns/tree/0f2633f8c8022d39caacd94372855df401411ae2