3 Container Commands That Rule Them All (ctr, nerdctl & crictl)
As container technologies like Docker, containerd, CRI-O and others have matured, there has been an explosion of command line interface (CLI) tools for interacting with container images, containers, pods and more. Deciding which CLI tool to use can be confusing given all the options. In this article, we will compare three of the most popular open source CLIs - ctr, nerdctl and crictl.
ctr is a CLI designed specifically for managing containerd, a popular low-level container runtime that underpins many container systems. With ctr, you get direct access to containerd features like image pulling, container debugging and log streaming. It uses very container-centric terminology which makes sense if you work closely with containerd, but could be unfamiliar otherwise.
nerdctl takes a different approach - it aims to provide a user-friendly, Docker-compatible CLI that runs in userspace without needing elevated privileges to function. For those looking for a docker-like experience without running the Docker daemon, nerdctl is a lightweight alternative using containerd in the backend. It supports common docker commands for images, containers, networking and volumes making it familiar for those starting out with containers.
Finally, crictl focuses squarely on working with any container runtime that implements the CRI compatibility standard. As such, crictl is tailored for tasks like debugging Kubernetes cluster issues by letting you directly inspect the containers and pods on the nodes. The concepts map closely to Kubernetes objects, so it helps to have an understanding of pods, containers and Kubernetes architecture to use crictl effectively.
As we can see, while all three CLIs can manage containers at the lowest levels, their audiences and use cases differ. So consider what runtime you are using, as well as your level of experience when deciding between tools. With container usage growing exponentially, all three CLIs are robust options that will continue evolving and improving.
ctr vs nerdctl vs crictl: Choosing a CLI for Containers
When working with container technologies like Docker, Podman, containerd or CRI-O, having a good command line interface (CLI) tool is essential. There are now several robust tools that allow you to manage container images, containers, pods and more. But which one should you use? Let's compare 3 popular options:
ctr
ctr is designed specifically as a debugging and management CLI for containerd, a popular low-level container runtime. Some key features:
ctr is included by default with containerd installs. It's mainly geared towards developers and administrators needing low-level access to containerd.
nerdctl
nerdctl aims to provide an easy-to-use Docker-compatible CLI that runs entirely in userspace:
For those looking for a docker-like experience without needing Docker installed, nerdctl is a great choice.
crictl
crictl is designed specifically for CRI-compatible container runtimes:
If you operate Kubernetes clusters on top of a CRI runtime, then crictl should be your CLI tool of choice.
All 3 tools serve slightly different audiences:
nerdctl: General purpose, docker-like CLI that can act as lightweight alternative to docker
ctr: Low-level debugging and access to containerd
crictl: Interact with any CRI runtime, good for Kubernetes users
Consider what runtime you are using, your level of expertise, and what kinds of tasks you need to accomplish to determine which CLI will serve you best.
ctr
ctr is a simple command line interface for interacting with container runtimes that implement the container runtime interface (CRI). It allows you to manage container images, inspect containers, manage Pod sandboxes, and more. Some key things you can do with ctr:
ctr is particularly useful for debugging containers and Pods managed by higher level container orchestrators like Kubernetes. It gives you direct access to the containers for troubleshooting issues.?
Installing ctr
ctr is a standalone command line tool that is distributed alongside container runtime implementations like containerd and CRI-O.
To install on a system running containerd:
apt install containerd.io
For CRI-O:
apt install cri-o-tools
Pulling Container Images
To pull a container image use the ctr image pull command:
ctr image pull docker.io/library/nginx:latest
This will pull the latest nginx image from Docker Hub.
Listing Containers
To list running containers use ctr container list:
ctr container list
This will print out a table with container IDs, names, POD IDs, images, runtime status and more.
Starting a Container
Use ctr container run to directly run a new container:
ctr container run --rm docker.io/library/nginx:latest nginx
This runs nginx in the foreground. The --rm flag deletes the container on exit.
Inspecting Containers
To get low-level details about a container, use ctr container info:
ctr container info <container-id>?
This will print details like environment variables, mounts, port mappings, and more.
Attaching to Container Streams
To attach or stream container output use ctr container attach:
ctr container attach <container-id>
You can exit the stream but keep it running with Ctrl+P Ctrl+Q.
That covers some of the basics with ctr.
领英推荐
nerdctl
nerdctl is an open source CLI for containers and images that aims to be compatible with the Docker CLI while running entirely in userspace (no daemon required). It supports common Docker operations like:
It serves as a user-friendly CLI for container runtimes like containerd or CRI-O.
Installing nerdctl
On Linux, install the latest release via curl:
curl -fsSL https://github.com/containerd/nerdctl/releases/download/v0.18.0/nerdctl-0.18.0-linux-amd64.tar.gz \
| sudo tar xpzf - -C /usr/local/bin
Or use a package manager like Homebrew on macOS:
brew install nerdctl
Pulling and Running Images
To pull an image:
nerdctl pull nginx
Then run a container:
nerdctl run -p 80:80 --rm nginx
?The -p publishes port 80, while --rm deletes the container on exit.
Listing Containers
View running containers:
nerdctl ps
?And images:
nerdctl images
Stopping and Removing
Stop and remove a container:
nerdctl stop mycontainer
nerdctl rm mycontainer
More details
Check out the official nerdctl tutorials for steps on image building, networking, volumes, registries, and more:
?This covers the basics on using nerdctl as an alternative to the Docker CLI.
crictl
crictl is a command-line interface for CRI-compatible container runtimes like containerd, CRI-O and Docker. It allows you to manage containers, images, pods, and more.? crictl is particularly useful for debugging Kubernetes clusters, as it gives you direct access to the underlying containers instead of going through the Kubernetes API.
Installing crictl
crictl is included in the cri-tools package for common container runtimes:?
# Containerd
apt install containerd.io
# CRI-O
apt install cri-o-tools
Listing Containers
To list running pods/containers:
crictl pods
This will list all Kubernetes pods, their IP address, status and container IDs.
You can also list all containers, including non-Kubernetes ones:
crictl ps -a
Inspecting Containers
Inspect low-level container details with:
?crictl inspect <container-id>
This will show config, env variables, mounts, etc.
Pull Container Images
Pull an image from a registry:
crictl pull docker.io/library/alpine:latest
Starting Containers
Run a new container from an image:
crictl run docker.io/library/alpine cat /etc/os-release
This will start the alpine container, execute the cat command, then exit.
Cleanup Containers?
To remove a container when it exits, add --rm:
crictl rm <container-id>
That covers some basics of managing containers with crictl.
Final Thoughts
?With the rapid adoption of container technologies in recent years, the ecosystem of container tools has grown immensely. As we have seen in examining three popular command line interfaces - ctr, nerdctl and crictl - each takes a slightly different approach to container management.
ctr operates as a low-level debugger and control interface directly with the containerd runtime. For those working closely with containerd, ctr delivers the precise access and terminology needed. nerdctl instead looks to replicate the familiar docker CLI experience but entirely in userspace. Its goal is to provide an easy jump-on point for those moving to containers. And crictl speaks the language of Kubernetes and CRI-compatible runtimes. Making it ideal for those operating Kubernetes on top of containerd or CRI-O.
There is no one single CLI that suits every user and use case. As their communities grow, ctr, nerdctl and crictl all work to improve interoperability with each other and adjacent technologies in the container ecosystem. Running containers is now accessible even for novice users thanks to these user-friendly tools that avoid heavyweight daemons. At the same time, they enable advanced debugging for developers and administrators. The modular architecture of modern container engines means you can mix and match the CLI that works best for your needs today. And be confident they will continue progressing and innovating for tomorrow as the landscape evolves.
?