nerdctl is an open source command line tool for containerd that is revolutionizing the developer space thanks to features like rootless mode, container image lazy pulling, image encryption and signing, IPFS-based P2P image distribution, and Docker Compose compatibility.
BuildKit is a modern, open source toolkit for building container images efficiently and securely. It’s an integral part of Docker and is designed to provide a robust backend for all types of container image builds. As you’ll see shortly, nerdctl supports two BuildKit backends: containerd worker and OCI worker.
BuildKit’s key features include concurrent, cache-efficient, and Dockerfile-agnostic builds. It also supports advanced features like exporting build results and importing build caches from remote locations.
BuildKit is important because it can handle various building needs and tasks, making container image creation faster and more secure. This, in turn, improves the overall efficiency of developing containerized applications.
As mentioned, you can use two backends for BuildKit. In the documentation, you can find detailed instructions on how to set up each of them. Keep in mind that if you choose OCI worker, you won’t be able to access images managed by containerd; instead, you’d have to choose containerd worker.
In this section, we will install Containerd, a container runtime, using the APT Docker repository on an Ubuntu system.
First, install the required dependencies for adding a new repository:
sudo apt install \
ca-certificates \
curl \
gnupg \
lsb-release
Create a directory to store the Docker GPG key:
sudo mkdir -p /etc/apt/keyrings
Download and add the GPG key for the Docker repository:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
Add the Docker repository to your system:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Update the APT package index:
sudo apt update
Install the containerd.io package:
sudo apt install containerd.io
After the installation is complete, start and enable the containerd service:
sudo systemctl start containerd
sudo systemctl enable containerd
Verify Containerd Service Status:
Check that the containerd service is running by using:
sudo systemctl status containerd
Backup the default config.toml file provided by the Docker repository:
sudo mv /etc/containerd/config.toml /etc/containerd/config.toml.orig
Generate a new configuration file:
containerd config default | sudo tee /etc/containerd/config.toml
Enable SystemdCgroup:
Edit the config.toml file to enable SystemdCgroup:
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml
In this section, we will use nerdctl as the CLI for containerd to build container images and push them to GHCR. We will also set up buildkitd to run in the background to enable efficient image building.
nerdctl is a CLI tool for managing containerd containers. To install it, follow these steps:
Download the nerdctl CLI:
Go to the official nerdctl releases page and download the latest tar.gz file.
Extract and Install:
Extract the downloaded file and move the nerdctl binary to /usr/local/bin:
tar -xvzf nerdctl-<version>.tar.gz
sudo mv nerdctl /usr/local/bin/
Verify Installation:
To check if the installation is successful, run:
nerdctl --version
buildkitd is needed to build container images efficiently. Follow these steps to install and configure it:
Download buildkitd:
Go to the official BuildKit releases page and download the latest release.
buildkitd binary to the /usr/local/binInstead of running buildkitd manually in the background, we can set it up as a systemd service for automatic startup and management. Follow these steps:
Create the buildkitd systemd Service File:
Use the following buildkitd.service systemd file to configure buildkitd to run as a service:
[Unit]
Description=BuildKit Daemon
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/buildkitd --config /opt/buildkitd/buildkitd.toml
Environment="PATH=/root/.nvm/versions/node/v18.20.4/bin:/usr/local/go/bin:/opt/maven/bin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/snap/bin:/opt/jdk11/bin:/data/flutter/bin:/data/android_sdk/cmdline-toollatest/bin:/data/k8s:/usr/local/go/bin"
Restart=always
User=root
[Install]
WantedBy=multi-user.target
The file contents of the /opt/buildkitd/buildkitd.toml
root = "/data/buildkit"
Place the Service File:
Save the above content in a file called buildkitd.service and place it in /etc/systemd/system/:
sudo nano /etc/systemd/system/buildkitd.service
Reload systemd and Start the Service:
After creating the service file, run the following commands to reload the systemd configuration and start buildkitd:
sudo systemctl daemon-reload
sudo systemctl start buildkitd
Enable buildkitd to Start on Boot:
To ensure that buildkitd starts automatically when the system boots, use:
sudo systemctl enable buildkitd
Verify that buildkitd is Running:
To check if the buildkitd service is running correctly, use:
sudo systemctl status buildkitd
Build and Push Images:
Once nerdctl and buildkitd are set up, you can start building container images using nerdctl and push them to GHCR (GitHub Container Registry).
To push and pull container images to and from the GitHub Container Registry, you need to log in using nerdctl. Follow the steps below:
Login to GHCR:
Run the following command to authenticate with GHCR using your GitHub username and personal access token (PAT) as the password:
nerdctl login ghcr.io -u <your-github-username> --password="<your-ghp-key>"
Replace <your-github-username> with your actual GitHub username and <your-ghp-key> with your GitHub Personal Access Token (PAT).
Note: If you are unsure about your personal access token, you can create it from your GitHub account under Settings > Developer settings > Personal access tokens.
Push and Pull Images:
Once logged in, you can push and pull images to and from GitHub Container Registry. For example:
To push an image:
nerdctl push ghcr.io/<your-github-username>/<image-name>:<tag>
To pull an image:
nerdctl pull ghcr.io/<your-github-username>/<image-name>:<tag>