img / nerdctl
Definition
img and nerdctl are container management tools that provide alternatives to Docker, focusing on compatibility with the Open Container Initiative (OCI) standards. img is designed to build OCI and Docker container images without requiring root privileges, which reduces the attack surface because a compromised build step does not run as root on the host. nerdctl is a Docker-compatible CLI for containerd, enabling users to manage containers and images with a familiar interface while leveraging containerd's lightweight and efficient runtime.
Secure Settings Example
# Example of running a container with nerdctl using user namespace remapping for enhanced security
nerdctl run --rm --userns=keep-id --name secure-container alpine:latest
# Example of building an image with img using a non-root user
img build --user $(id -u):$(id -g) -t my-secure-image .
Insecure Settings Example
# Running a container with nerdctl without user namespace remapping, exposing the host to potential risks
nerdctl run --rm --name insecure-container alpine:latest
# Building an image with img as the root user, increasing the risk of privilege escalation
img build -t my-insecure-image .
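To confirm that the secure example above actually produced a user-namespace-remapped container and that the insecure one did not, a defender can inspect the container process's /proc/<pid>/uid_map. The following POSIX shell check is an added example, not part of the original page or of either project; it runs against constructed uid_map samples, and pointing it at a real /proc/<pid>/uid_map (the pid is an assumption you supply) is the intended use.

```shell
#!/bin/sh
# Added example: decide whether a process's uid_map remaps root.
# Each uid_map line reads: <ns_start_uid> <host_start_uid> <count>
# "0 100000 65536"      -> container uid 0 is host uid 100000 (remapped)
# "0 0 4294967295"      -> identity map, container root is host root

# uid_map_remapped FILE: exit 0 only if ns uid 0 maps to a non-zero host uid
uid_map_remapped() {
    awk '
        $1 == 0 { found = 1; if ($2 != 0) remapped = 1 }
        END { if (found && remapped) exit 0; exit 1 }
    ' "$1"
}

# host_uid_for_root FILE: print the host uid that container uid 0 lands on
host_uid_for_root() {
    awk '$1 == 0 { print $2; exit }' "$1"
}

# Constructed sample maps (not captured from a real system)
REMAPPED_MAP=$(mktemp)
IDENTITY_MAP=$(mktemp)
trap 'rm -f "$REMAPPED_MAP" "$IDENTITY_MAP"' EXIT
printf '         0     100000      65536\n' > "$REMAPPED_MAP"
printf '         0          0 4294967295\n' > "$IDENTITY_MAP"

# Usage with a real container: uid_map_remapped /proc/<pid>/uid_map
if uid_map_remapped "$REMAPPED_MAP"; then
    echo "remapped: container root -> host uid $(host_uid_for_root "$REMAPPED_MAP")"
fi
if ! uid_map_remapped "$IDENTITY_MAP"; then
    echo "identity map: container root is host root, review this container"
fi
```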