## containerd (Default)

Lima comes with built-in integration for containerd and nerdctl (contaiNERD CTL):

```bash
lima nerdctl run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
```

or

```bash
nerdctl.lima run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
```

- If you have installed Lima by `make install`, the `nerdctl.lima` command is also available as `nerdctl`.
- If you have installed Lima by `brew install lima`, you may make an alias (or a symlink) by yourself: `alias nerdctl=nerdctl.lima`

To use rootful containerd instead, start the instance with `--containerd=system` and run `nerdctl` via `sudo`:

```bash
limactl start --containerd=system
lima sudo nerdctl run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
```

The usage of the `nerdctl` command is similar to the `docker` command. See the Command Reference.
## Disabling containerd

To disable containerd, start an instance with `--containerd=none`:

```bash
limactl start --containerd=none
```
## 1.1 - Enhanced supply chain security with gomodjail

gomodjail is an experimental library sandbox for Go modules.
gomodjail imposes syscall restrictions on a specific set of Go modules, so as to mitigate their potential vulnerabilities and supply chain attack vectors.
A restricted module is prevented from accessing files and executing commands.

gomodjail can be enabled for nerdctl by using the `nerdctl.gomodjail` binary:

```bash
lima nerdctl.gomodjail ...
```

For the gomodjail policy applied to `nerdctl.gomodjail`, see https://github.com/containerd/nerdctl/blob/main/go.mod.
## 1.2 - Accelerating rootless networking with bypass4netns

bypass4netns is an experimental accelerator for rootless networking.

On macOS hosts, it is highly recommended to use the vzNAT networking in conjunction, to reduce the overhead of Lima's user-mode networking:

```bash
limactl start --network vzNAT
```

To enable bypass4netns, the daemon process (`bypass4netnsd`) has to be installed in the VM as follows:

```bash
lima containerd-rootless-setuptool.sh install-bypass4netnsd
```

Then run a container with the annotation `nerdctl/bypass4netns=true`:

```bash
# 192.168.64.1 is the IP address of the "bridge100" interface on the macOS host
lima nerdctl run --annotation nerdctl/bypass4netns=true alpine \
  sh -euc 'apk add iperf3 && iperf3 -c 192.168.64.1'
```

Benchmark result:

| Mode | Throughput |
|---|---|
| Rootless without bypass4netns | 2.30 Gbits/sec |
| Rootless with bypass4netns | 86.0 Gbits/sec |
| Rootful | 90.3 Gbits/sec |

Benchmarking environment:

- Lima version: 2.0.0-alpha.2
- nerdctl 2.1.6
- containerd 2.1.4
- bypass4netns 0.4.2
- Container: Alpine Linux 3.22.2
- Guest: Ubuntu 25.04
- Host: macOS 26.0.1
- Hardware: MacBook Pro 2024 (M4 Max, 128 GiB)
## 1.3 - Accelerating start-up time with eStargz

eStargz is an OCI-compatible container image format that reduces start-up latency using a lazy-pulling technique.

Support for eStargz is available by default for `ubuntu-24.04` instances:

```bash
limactl start --name=default template://ubuntu-24.04
```

The latest Ubuntu will be supported too in a future release.

> **Hint**
> ARM Mac users need to run `limactl start` with `--rosetta` to allow running AMD64 binaries.
> This is not an architectural limitation of eStargz; Rosetta is needed because the example Python image below is currently only available for AMD64.

Without eStargz:

```console
$ time lima nerdctl run --platform=amd64 ghcr.io/stargz-containers/python:3.13-org python3 -c 'print("hi")'
[...]
hi
real 0m23.767s
user 0m0.025s
sys 0m0.020s
```

With eStargz:

```console
$ time lima nerdctl --snapshotter=stargz run --platform=amd64 ghcr.io/stargz-containers/python:3.13-esgz python3 -c 'print("hi")'
[...]
hi
real 0m13.365s
user 0m0.026s
sys 0m0.021s
```

Examples of eStargz images can be found at https://github.com/containerd/stargz-snapshotter/blob/main/docs/pre-converted-images.md.
See also: