Podman vs Nerdctl

The Docker CLI has some competition in the form of podman and nerdctl. Recent changes in the Docker ecosystem have caused some folks to start looking at what the other options are. Since these are two of the most capable Docker CLI alternatives, it’s worth looking at them.

Who Owns The Code

Since the recent uptick in conversations on this topic is driven by changes to Docker, you might be wondering: who owns the code? While both are open source projects, there are some differences here.

Podman is developed by the containers organization on GitHub. Who is behind this organization? If you look at the people who are publicly listed on the org you’ll notice that a vast majority of them work for Red Hat. The same thing happens if you look at the approvers for podman itself. 11 of the 13 approvers work for Red Hat. Podman is basically run by Red Hat.

Nerdctl is “a non-core sub-project of containerd”. containerd is a CNCF graduated project. Two of the criteria for graduation are project governance and maintainers from various organizations. containerd is foundation owned (the CNCF is a sub-foundation of the Linux Foundation).

Note, the organization behind the project doesn’t speak to the quality of the solution or the code behind it.

License and DCO

Both projects are Apache 2 licensed and require signing a Developer Certificate of Origin (DCO) to contribute.

The Engine Powering the Tools

One of the differences is in the engine powering building and running containers.

Nerdctl is a CLI for containerd. Using nerdctl to build images will invoke buildkit (which needs to be available). containerd and buildkit are also used by Moby/dockerd. A variety of Kubernetes distros also use containerd.

Podman is part of a different family of tools. If you look at the containers GitHub org you’ll see buildah, cri-o, and other tools.

This left me wondering, should we use the same engine in development as we do in production? Does it matter if they are all working against specs?

Feature Comparison To Docker CLI

The Docker CLI has become the gold standard. So, how do these two projects compare to the Docker CLI for compatibility?

Podman has pretty good coverage of the CLI feature set. Many of the commands you’ll use in the Docker CLI are available in podman. Some things are missing but the common feature set used most of the time is present. The CLI compatibility is fairly impressive.

Nerdctl, which is 3 years younger, has compatibility for the major features but does not have as complete coverage of Docker CLI commands and flags as podman. In my everyday commands (e.g., build, run, push, and pull) I didn’t notice anything major missing. When I had to deal with some uncommon tasks (e.g., take an image then modify it into a new image before exporting as a tarball) I ran into some shortcomings.

Nerdctl also showcases one of containerd’s features - namespaces. Just like Kubernetes can have namespaces, so can containerd. The command nerdctl namespace ls can show you a list of namespaces. Using the --namespace flag on commands causes them to happen in a specific namespace.

Which Is Better

This really depends on your needs and the ecosystem you’re part of. I would suggest looking at each and seeing which one best meets your needs.

Disclaimer: I work on Rancher Desktop, a desktop app for Mac and Windows that provides container management and Kubernetes. We currently use containerd and nerdctl as part of our platform.