Containerd Rootless Setup: Docker Alternative for Linux

Containerd is a lightweight, high-performance container runtime that serves as an excellent alternative to Docker. This guide covers setting up containerd in rootless mode with nerdctl, providing a Docker-compatible command-line interface without requiring root privileges.

What is Containerd?

Containerd is an industry-standard container runtime that emphasizes simplicity, robustness, and portability. Originally developed by Docker and donated to the Cloud Native Computing Foundation (CNCF), it powers many container platforms including Kubernetes. When combined with nerdctl (containerd CLI), it provides a Docker-compatible experience with enhanced security through rootless operation.

Why Choose Containerd Over Docker?

  • Rootless Operation: Enhanced security by running containers without root privileges
  • Lower Resource Usage: Minimal overhead compared to Docker’s daemon architecture
  • Kubernetes Native: Direct compatibility with Kubernetes container runtime interface
  • Simplified Architecture: Fewer moving parts and dependencies
  • Industry Standard: Widely adopted by cloud providers and orchestration platforms

Prerequisites

Before installing containerd, ensure you have:

  • Arch Linux system with sudo privileges
  • Basic understanding of container concepts
  • Familiarity with command-line operations
  • Network connectivity for package installation

For package management on Arch Linux, refer to our pacman cheatsheet, which covers essential commands for installation, removal, updates, and troubleshooting.

Installation

Step 1: Install Required Packages

Install containerd and all necessary components for rootless operation:

sudo pacman -Sy --noconfirm containerd nerdctl slirp4netns rootlesskit cni-plugins buildkit

Package Breakdown:

  • containerd: Core container runtime
  • nerdctl: Docker-compatible CLI for containerd
  • slirp4netns: User-mode networking for rootless containers
  • rootlesskit: Provides rootless container capabilities
  • cni-plugins: Container Network Interface plugins
  • buildkit: Advanced build toolkit for container images

For detailed pacman usage including installation options, dependency management, and troubleshooting, see our comprehensive pacman guide.

Step 2: Configure Rootless Environment

Set up the rootless containerd environment:

# Install rootless containerd setup
containerd-rootless-setuptool.sh install
 
# Install buildkit for image building
containerd-rootless-setuptool.sh install-buildkit

Step 3: Enable and Start Services

Enable the user-level services:

# Enable and start containerd and buildkit for the current user
systemctl --user enable --now containerd buildkit

Step 4: Verify Installation

Check that services are running correctly:

# Check service status
systemctl --user status containerd buildkit
 
# Test nerdctl functionality
nerdctl version
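The following is an added verification script, not part of the original guide. It goes one step beyond `systemctl --user status`: it parses the `nerdctl info` output and checks that "rootless" appears under "Security Options:", which is how you confirm the CLI is really talking to the rootless daemon rather than a root-owned one. The sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added verification helper for Step 4 (example code, not part of the original
# guide). Besides checking that the user services are active, it confirms that
# nerdctl is talking to a rootless daemon: `nerdctl info` lists "rootless" under
# "Security Options:" only in rootless mode, so a missing entry means containers
# would be started through a root-owned daemon instead.

# Return 0 if the `nerdctl info` text on stdin lists "rootless" under
# "Security Options:". The section ends at the next line indented no deeper
# than the header, so nested keys such as "Profile: default" stay inside it.
info_is_rootless() {
  awk '
    { match($0, /^[ \t]*/); ind = RLENGTH }
    /^[ \t]*Security Options:/ { in_sec = 1; sec_ind = ind; next }
    in_sec && ind <= sec_ind { in_sec = 0 }
    in_sec && ($1 == "rootless" || $1 == "name=rootless") { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Return 0 if every listed user unit is active (wraps systemctl --user).
services_active() {
  for unit in "$@"; do
    systemctl --user is-active --quiet "$unit" || return 1
  done
}

# Constructed sample of rootless `nerdctl info` output, so the parser can be
# self-tested on a machine without containerd installed.
SAMPLE_INFO='Server:
 Server Version: v1.7.0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
  rootless
 Kernel Version: 6.6.0'

live_check() {
  services_active containerd buildkit || { echo "containerd/buildkit user services are not active"; return 1; }
  nerdctl info | info_is_rootless || { echo "nerdctl is NOT using a rootless daemon"; return 1; }
  echo "rootless containerd verified"
}

printf '%s\n' "$SAMPLE_INFO" | info_is_rootless || { echo "parser self-test failed"; exit 1; }
# Run the live check only where the tooling is installed.
if command -v nerdctl >/dev/null 2>&1; then live_check; fi
```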

Basic Usage

Container Operations

Use nerdctl with the same syntax as Docker commands:

# Pull an image
nerdctl pull alpine:latest
 
# Run a container
nerdctl run -it alpine:latest /bin/sh
 
# List running containers
nerdctl ps
 
# List all containers
nerdctl ps -a
 
# Stop a container
nerdctl stop <container_id>
 
# Remove a container
nerdctl rm <container_id>

Image Management

# List images
nerdctl images
 
# Build an image from Dockerfile
nerdctl build -t myapp:latest .
 
# Remove an image
nerdctl rmi <image_id>
 
# Search for images
nerdctl search nginx

Network Operations

# List networks
nerdctl network ls
 
# Create a network
nerdctl network create mynetwork
 
# Run container on specific network
nerdctl run --network mynetwork alpine:latest

Volume Management

# Create a volume
nerdctl volume create myvolume
 
# List volumes
nerdctl volume ls
 
# Mount volume to container
nerdctl run -v myvolume:/data alpine:latest

Advanced Configuration

Custom Network Configuration

For advanced networking setups, configure CNI plugins:

# Default CNI configuration location
~/.config/cni/net.d/

Resource Limits

Set resource constraints for containers:

# Limit memory and CPU
nerdctl run --memory=512m --cpus=0.5 alpine:latest

Registry Configuration

Configure custom container registries:

# Edit containerd configuration
$HOME/.config/containerd/config.toml
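As an added example (not from the original guide), the script below generates a per-registry `hosts.toml` in containerd's `certs.d` layout, which nerdctl reads from `~/.config/containerd/certs.d` in rootless mode; that location, the registry names and the CA path are assumptions. The point is to configure a private registry and a mirror without ever reaching for `skip_verify` or a plaintext `http://` endpoint.

```shell
#!/bin/sh
# Added example (not part of the original guide): generate a per-registry
# hosts.toml in containerd's certs.d layout, which nerdctl reads from
# ~/.config/containerd/certs.d in rootless mode (assumed default location;
# nerdctl --hosts-dir overrides it). Registry names and the CA path are
# placeholders. Keeping TLS verification on and limiting the mirror to
# pull/resolve means a compromised or spoofed mirror cannot accept pushes,
# and image content can still only come from a host whose certificate chains
# to the pinned CA.
set -eu

# write_hosts_toml DIR REGISTRY MIRROR CA_FILE
# Writes DIR/REGISTRY/hosts.toml and prints its path.
write_hosts_toml() {
  dir=$1; registry=$2; mirror=$3; ca_file=$4
  mkdir -p "$dir/$registry"
  cat > "$dir/$registry/hosts.toml" <<EOF
# Upstream registry; used when the mirror cannot resolve a reference.
server = "https://$registry"

# Mirror is trusted for reads only.
[host."https://$mirror"]
  capabilities = ["pull", "resolve"]

# Upstream verified against our private CA rather than with skip_verify.
[host."https://$registry"]
  capabilities = ["pull", "resolve", "push"]
  ca = "$ca_file"
EOF
  printf '%s\n' "$dir/$registry/hosts.toml"
}

# Return 0 if a hosts.toml neither points at a plaintext http:// endpoint nor
# disables certificate checks, the two settings that would let an on-path
# attacker substitute image content.
hosts_toml_is_safe() {
  ! grep -Eq 'http://|skip_verify[[:space:]]*=[[:space:]]*true' "$1"
}

# Usage (writes into the assumed rootless default directory):
if [ "${1:-}" = "--install" ]; then
  f=$(write_hosts_toml "$HOME/.config/containerd/certs.d" registry.example.com \
        mirror.example.com "$HOME/.config/containerd/certs.d/registry.example.com/ca.crt")
  hosts_toml_is_safe "$f" && echo "wrote $f"
fi
```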

Troubleshooting

Common Issues

Service fails to start:

# Check service logs
journalctl --user -u containerd
journalctl --user -u buildkit

Network connectivity issues:

# Verify slirp4netns is working
nerdctl run --rm busybox ping -c 1 google.com

Permission errors:

# Ensure proper user setup
containerd-rootless-setuptool.sh check

Image pull failures:

# Test registry connectivity
nerdctl info

Performance Optimization

For better performance:

# Enable experimental features
export CONTAINERD_EXPERIMENTAL=1
 
# Use specific snapshotter
nerdctl run --snapshotter=native alpine:latest

Security Considerations

Rootless Benefits

  • Reduced Attack Surface: No root daemon running
  • User Namespace Isolation: Enhanced container isolation
  • Minimal Privileges: Containers run with user-level permissions

Best Practices

  1. Regular Updates: Keep containerd and components updated
  2. Image Scanning: Scan images for vulnerabilities
  3. Network Segmentation: Use custom networks for isolation
  4. Resource Limits: Always set appropriate resource constraints
  5. Non-Root Images: Use images with non-root users when possible
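As an added example (not from the original guide), the wrapper below turns the Resource Limits, Network Segmentation and Non-Root Images practices into a fixed set of `nerdctl run` flags, plus a check that a given flag set has not quietly undone them. The network name, the limits and the 65532 uid are placeholders to adjust per workload.

```shell
#!/bin/sh
# Added example (not part of the original guide): a wrapper that applies the
# best practices above to every container launch. The flags are standard
# Docker-compatible nerdctl options; the network name, limits and the 65532
# uid are placeholders to adjust per workload.

# hardened_flags NETWORK -> prints the flag set on one line.
#   --cap-drop ALL                    start from zero capabilities; add back only what is needed
#   --security-opt no-new-privileges  setuid/file-capability binaries cannot raise privileges
#   --read-only --tmpfs /tmp          immutable root filesystem, writable scratch space only
#   --memory/--cpus/--pids-limit      bounded resources (a fork bomb is a DoS too)
#   --user 65532:65532                unprivileged uid even if the image forgot USER
#   --network NETWORK                 custom network instead of the shared default bridge
hardened_flags() {
  printf '%s' "--rm --cap-drop ALL --security-opt no-new-privileges --read-only --tmpfs /tmp --memory=512m --cpus=0.5 --pids-limit 256 --user 65532:65532 --network $1"
}

# hardened_run NETWORK IMAGE [COMMAND...]
hardened_run() {
  network=$1; shift
  # Flags contain no whitespace, so unquoted expansion splits them safely.
  # shellcheck disable=SC2046
  nerdctl run $(hardened_flags "$network") "$@"
}

# flags_are_hardened "FLAGS" -> 0 if the set keeps the baseline, 1 otherwise.
# Catches the common ways a launch quietly undoes it: --privileged, giving
# back every capability, host networking, or dropping the two key flags.
flags_are_hardened() {
  set -- " $1 "
  case "$1" in
    *" --privileged "*|*" --cap-add ALL "*|*" --cap-add=ALL "*|*" --network host "*|*" --net host "*|*" --network=host "*)
      return 1 ;;
  esac
  case "$1" in *" --cap-drop ALL "*|*" --cap-drop=ALL "*) ;; *) return 1 ;; esac
  case "$1" in *" --security-opt no-new-privileges "*) return 0 ;; *) return 1 ;; esac
}

# Example launch (placeholder image and network); shows the effective uid and
# the empty capability sets inside the container:
#   hardened_run mynetwork alpine:latest sh -c 'id; grep Cap /proc/self/status'
```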

Migration from Docker

Command Mapping

Common Docker commands and their nerdctl equivalents:

# Docker → nerdctl
docker run    → nerdctl run
docker build  → nerdctl build
docker pull   → nerdctl pull
docker push   → nerdctl push
docker images → nerdctl images
docker ps     → nerdctl ps
docker exec   → nerdctl exec
docker logs   → nerdctl logs

Docker Compose Alternative

Use nerdctl with compose files:

# Bring up the services defined in a compose file (nerdctl has compose built in;
# -f is a flag of the compose subcommand, so it goes before "up")
nerdctl compose -f docker-compose.yml up

Integration with Development Workflow

Automated Setup

For automated environment setup, consider using our desktop setup utility, which installs and configures a complete Hyprland desktop environment with over 50 packages, including containerization tools and development workflows.

CI/CD Integration

Containerd works well with continuous integration:

# In CI scripts
# Tag the build with the full registry path so the same reference can be pushed
nerdctl build -t registry.example.com/app:$CI_COMMIT_SHA .
nerdctl push registry.example.com/app:$CI_COMMIT_SHA

Questions Answered in This Document

Q: What is containerd and how does it differ from Docker?
A: Containerd is a lightweight, industry-standard container runtime that emphasizes simplicity and performance. Unlike Docker’s daemon-based architecture, containerd provides a more minimal approach with direct Kubernetes compatibility and enhanced security through rootless operation.

Q: Can I use containerd without root privileges?
A: Yes, containerd supports rootless mode through rootlesskit, allowing you to run containers without requiring root access. This significantly improves security by reducing the attack surface and providing better isolation.

Q: Is nerdctl compatible with Docker commands?
A: Yes, nerdctl provides a Docker-compatible command-line interface. Most Docker commands work with nerdctl using the same syntax, making it easy to migrate existing workflows.

Q: How do I migrate from Docker to containerd?
A: Migration involves replacing Docker commands with nerdctl equivalents (docker run → nerdctl run), updating any scripts, and optionally using nerdctl’s compose functionality for multi-container applications.

Q: What packages are required for containerd on Arch Linux?
A: The essential packages are containerd, nerdctl, slirp4netns, rootlesskit, cni-plugins, and buildkit. These provide the runtime, CLI, networking, rootless capabilities, and build functionality.

Q: Can I build container images with containerd?
A: Yes, containerd supports image building through buildkit integration. Use the nerdctl build command just like docker build to create container images from Dockerfiles.

Q: How do I troubleshoot containerd networking issues?
A: Check service logs with journalctl --user -u containerd, verify slirp4netns functionality with connectivity tests, and ensure CNI plugins are properly configured in the user’s configuration directory.

Q: Is containerd suitable for production use?
A: Yes, containerd is widely used in production environments and is the default runtime for many Kubernetes distributions. Its minimal design, industry standardization, and active maintenance make it production-ready.

Q: How do I configure custom container registries with containerd?
A: Edit the containerd configuration file at $HOME/.config/containerd/config.toml to add registry authentication and mirror configurations for custom or private registries.

Q: What are the performance benefits of using containerd over Docker?
A: Containerd offers lower resource overhead, faster startup times, and reduced memory usage due to its minimal architecture. It eliminates the Docker daemon layer, providing more direct container management.