website: enhance container examples

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Author: AkihiroSuda

website/content/en/docs/_index.md

@@ -11,7 +11,7 @@ Lima launches Linux virtual machines with automatic file sharing and port forwar
 
 ✅ Automatic port forwarding
 
-✅ Built-in support for [containerd](https://containerd.io) ([Other container engines can be used too](./templates))
+✅ Built-in support for [containerd](https://containerd.io) ([Other container engines can be used too]({{< ref "/docs/examples/containers" >}}))
 
 ✅ Intel on Intel
 

website/content/en/docs/examples/_index.md

@@ -54,20 +54,16 @@ docker run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
 ```bash
 limactl start template://k8s
 export KUBECONFIG=$(limactl list k8s --format 'unix://{{.Dir}}/copied-from-guest/kubeconfig.yaml')
-kubectl apply -f ...
+kubectl create deployment nginx --image nginx:alpine
+kubectl create service nodeport nginx --node-port=31080 --tcp=80:80
 ```
 {{% /tab %}}
 
 {{< /tabpane >}}
 
 - <http://127.0.0.1:8080> is accessible from the host, as well as from the VM.
 
-- For the usage of containerd and nerdctl (contaiNERD ctl), visit <https://github.com/containerd/containerd>
-and <https://github.com/containerd/nerdctl>.
-
-- If you have installed Lima by `make install`, the `nerdctl.lima` command is also available as `nerdctl`.
-  If you have installed Lima by `brew install lima`, you may make an alias (or a symlink) by yourself:
-  `alias nerdctl=nerdctl.lima`
+- See more [examples](./containers/).
 
 ## Advanced configuration
 

website/content/en/docs/examples/containers/_index.md

@@ -0,0 +1,10 @@
+---
+title: Containers
+weight: 3
+---
+
+Lima was designed to facilitate running containers inside a virtual machine, with automatic
+[filesystem sharing](../../config/mount.md) and  [port forwarding](../../config/port.md).
+
+The original motivation of Lima was to promote [containerd](./containerd) for macOS users, however,
+the current version of Lima supports other container engines too, and does not depend on macOS hosts.

website/content/en/docs/examples/containers/apptainer.md

@@ -0,0 +1,21 @@
+---
+title: Apptainer
+weight: 90
+---
+
+{{< tabpane text=true >}}
+{{% tab header="Rootless" %}}
+```bash
+limactl start template://apptainer
+limactl shell apptainer apptainer run -u -B $HOME:$HOME docker://alpine
+```
+{{% /tab %}}
+{{% tab header="Rootful" %}}
+```bash
+limactl start template://apptainer-rootful
+limactl shell apptainer-rootful apptainer run -u -B $HOME:$HOME docker://alpine
+```
+{{% /tab %}}
+{{< /tabpane >}}
+
+See also <https://apptainer.org/docs/user/latest/>.

website/content/en/docs/examples/containers/containerd.md

@@ -0,0 +1,159 @@
+---
+title: containerd (Default)
+weight: 1
+---
+
+Lima comes with the built-in integration for [containerd](https://containerd.io) and
+[nerdctl](https://github.com/containerd/nerdctl) (contaiNERD CTL):
+
+{{< tabpane text=true >}}
+{{% tab header="Rootless" %}}
+```bash
+lima nerdctl run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
+```
+
+or
+
+```bash
+nerdctl.lima run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
+```
+
+
+- If you have installed Lima by [`make install`](../../installation/source.md), the `nerdctl.lima` command is also available as `nerdctl`.
+- If you have installed Lima by [`brew install lima`](../../installation/_index.md), you may make an alias (or a symlink) by yourself:
+  `alias nerdctl=nerdctl.lima`
+{{% /tab %}}
+{{% tab header="Rootful" %}}
+```bash
+limactl start --containerd=system
+lima sudo nerdctl run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
+```
+{{% /tab %}}
+{{< /tabpane >}}
+
+The usage of the `nerdctl` command is similar to the `docker` command. See the [Command Reference](https://github.com/containerd/nerdctl/blob/main/docs/command-reference.md).
+
+## Advanced features
+### Enhanced supply chain security with gomodjail
+
+[gomodjail](https://github.com/AkihiroSuda/gomodjail) is an experimental library sandbox for Go modules.
+
+gomodjail imposes syscall restrictions on a specific set of Go modules, so as to mitigate their potential vulnerabilities and supply chain attack vectors.
+A restricted module is hindered to access files and execute commands.
+
+gomodjail can be enabled for nerdctl by using the `nerdctl.gomodjail` binary.
+
+```bash
+lima nerdctl.gomodjail ...
+```
+
+For the gomodjail policy applied to `nerdctl.gomodjail`, see <https://github.com/containerd/nerdctl/blob/main/go.mod>.
+
+### Accelerating rootless networking with bypass4netns
+
+[bypass4netns](https://github.com/rootless-containers/bypass4netns) is an experimental accelerator for rootless networking.
+
+On macOS hosts, it is highly recommended to use the [vzNAT](../../config/network/vmnet.md#vznat) networking in conjunction
+to reduce the overhead of Lima's user-mode networking:
+
+```bash
+limactl start --network vzNAT
+```
+
+To enable bypass4netns, the daemon process (`bypass4netnsd`) has to be installed in the VM as follows:
+<!-- TODO: install by default -->
+```bash
+lima containerd-rootless-setuptool.sh install-bypass4netnsd
+```
+
+Then run a container with an annotation `nerdctl/bypass4netns=true`:
+
+```bash
+# 192.168.64.1 is the IP address of the "bridge100" interface on the macOS host
+lima nerdctl run --annotation nerdctl/bypass4netns=true alpine \
+  sh -euc 'apk add iperf3 && iperf3 -c 192.168.64.1'
+```
+
+Benchmark result:
+
+| Mode                          | Throughput     |
+|-------------------------------|----------------|
+| Rootless without bypass4netns | 2.30 Gbits/sec |
+| Rootless with bypass4netns    | 86.0 Gbits/sec |
+| Rootful                       | 90.3 Gbits/sec |
+
+<details>
+<summary>Benchmarking environment</summary>
+<p>
+
+- Lima version: 2.0.0-alpha.2
+  - nerdctl 2.1.6
+  - containerd 2.1.4
+  - bypass4netns 0.4.2
+- Container: Alpine Linux 3.22.2
+  - iperf 3.19.1-r0 (apk)
+- Guest: Ubuntu 25.04
+- Host: macOS 26.0.1
+  - iperf 3.19.1 (Homebrew)
+- Hardware: MacBook Pro 2024 (M4 Max, 128 GiB)
+
+</p>
+</details>
+
+### Accelerating start-up time with eStargz
+
+[eStargz](https://github.com/containerd/stargz-snapshotter) is an OCI-compatible container image format
+that reduces start-up latency using lazy-pulling technique.
+
+The support for eStargz is available by default for `ubuntu-24.04` instances:
+
+```bash
+limactl start --name=default template://ubuntu-24.04
+```
+
+The latest Ubuntu will be supported too in [a future release](https://github.com/containerd/stargz-snapshotter/issues/2144).
+
+{{% alert title="Hint" color=success %}}
+ARM Mac users need to run `limactl start` with `--rosetta` to allow [running AMD64 binaries](../../config/multi-arch.md).
+This is not an architectural limitation of eStargz, however, Rosetta is needed because the example Python image below
+is currently [only available for AMD64](https://github.com/containerd/stargz-snapshotter/issues/2143).
+{{% /alert %}}
+
+Without eStargz:
+
+```console
+$ time lima nerdctl run --platform=amd64 ghcr.io/stargz-containers/python:3.13-org python3 -c 'print("hi")'
+[...]
+hi
+
+real	0m23.767s
+user	0m0.025s
+sys	0m0.020s
+```
+
+With eStargz:
+
+```console
+$ time lima nerdctl --snapshotter=stargz run --platform=amd64 ghcr.io/stargz-containers/python:3.13-esgz python3 -c 'print("hi")'
+[...]
+hi
+
+real	0m13.365s
+user	0m0.026s
+sys	0m0.021s
+```
+
+Examples of eStargz images can be found at
+<https://github.com/containerd/stargz-snapshotter/blob/main/docs/pre-converted-images.md>.
+
+See also:
+- https://github.com/containerd/stargz-snapshotter
+- https://github.com/containerd/nerdctl/blob/main/docs/stargz.md
+
+## Disabling containerd
+
+To disable containerd, start an instance with `--containerd=none`:
+
+```bash
+limactl start --containerd=none
+```

website/content/en/docs/examples/containers/docker.md

@@ -0,0 +1,21 @@
+---
+title: Docker
+weight: 2
+---
+
+{{< tabpane text=true >}}
+{{% tab header="Rootless" %}}
+```bash
+limactl start template://docker
+export DOCKER_HOST=$(limactl list docker --format 'unix://{{.Dir}}/sock/docker.sock')
+docker run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
+```
+{{% /tab %}}
+{{% tab header="Rootful" %}}
+```bash
+limactl start template://docker-rootful
+export DOCKER_HOST=$(limactl list docker-rootful --format 'unix://{{.Dir}}/sock/docker.sock')
+docker run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
+```
+{{% /tab %}}
+{{< /tabpane >}}

website/content/en/docs/examples/containers/kubernetes.md

@@ -0,0 +1,65 @@
+---
+title: Kubernetes
+weight: 4
+---
+
+## Single-node
+
+{{< tabpane text=true >}}
+{{% tab header="kubeadm" %}}
+```bash
+limactl start template://k8s
+export KUBECONFIG=$(limactl list k8s --format 'unix://{{.Dir}}/copied-from-guest/kubeconfig.yaml')
+kubectl create deployment nginx --image nginx:alpine
+kubectl create service nodeport nginx --node-port=31080 --tcp=80:80
+```
+
+Modify [`templates/k8s.yaml`](https://github.com/lima-vm/lima/blob/master/templates/k8s.yaml) to change
+the kubeadm configuration.
+
+See also <https://kubernetes.io/docs/reference/setup-tools/kubeadm/>.
+{{% /tab %}}
+{{% tab header="k3s" %}}
+```bash
+limactl start template://k3s
+export KUBECONFIG=$(limactl list k3s --format 'unix://{{.Dir}}/copied-from-guest/kubeconfig.yaml')
+kubectl create deployment nginx --image nginx:alpine
+kubectl create service nodeport nginx --node-port=31080 --tcp=80:80
+```
+
+See also <https://docs.k3s.io>.
+{{% /tab %}}
+{{% tab header="k0s" %}}
+```bash
+limactl start template://k0s
+export KUBECONFIG=$(limactl list k0s --format 'unix://{{.Dir}}/copied-from-guest/kubeconfig.yaml')
+kubectl create deployment nginx --image nginx:alpine
+kubectl create service nodeport nginx --node-port=31080 --tcp=80:80
+```
+
+See also <https://docs.k0sproject.io/>.
+{{% /tab %}}
+{{% tab header="Usernetes" %}}
+```bash
+limactl start template://experimental/u7s
+export KUBECONFIG=$(limactl list u7s --format 'unix://{{.Dir}}/copied-from-guest/kubeconfig.yaml')
+kubectl create deployment nginx --image nginx:alpine
+# NodePorts are not available by default in the case of Usernetes
+kubectl port-forward deployments/nginx 8080:80
+```
+
+See also <https://github.com/rootless-containers/usernetes>.
+{{% /tab %}}
+{{< /tabpane >}}
+
+## Multi-node
+
+A multi-node cluster can be created by creating multiple VMs connected via the ([`lima:user-v2`](../../config/network/user-v2.md) network.
+
+```bash
+limactl create --name k8s-0 --network lima:user-v2
+limactl create --name k8s-1 --network lima:user-v2
+```
+
+The cluster has to be set up manually, as the built-in templates do not support multi-node mode yet.
+Support for multi-node template is tracked in <https://github.com/lima-vm/lima/issues/4100>.

website/content/en/docs/examples/containers/podman.md

@@ -0,0 +1,45 @@
+---
+title: Podman
+weight: 3
+---
+
+{{< tabpane text=true >}}
+{{% tab header="Rootless" %}}
+To use `podman` command in the VM:
+```bash
+limactl start template://podman
+limactl shell podman podman run -d --name nginx -p 127.0.0.1:8080:80 docker.io/library/nginx:alpine
+```
+
+To use `podman` command on the host:
+```bash
+export CONTAINER_HOST=$(limactl list podman --format 'unix://{{.Dir}}/sock/podman.sock')
+podman --remote run -d --name nginx -p 127.0.0.1:8080:80 docker.io/library/nginx:alpine
+```
+
+To use `docker` command on the host:
+```bash
+export DOCKER_HOST=$(limactl list podman --format 'unix://{{.Dir}}/sock/podman.sock')
+docker run -d --name nginx -p 127.0.0.1:8080:80 docker.io/library/nginx:alpine
+```
+{{% /tab %}}
+{{% tab header="Rootful" %}}
+To use `podman` command in the VM:
+```bash
+limactl start template://podman-rootful
+limactl shell podman-rootful sudo podman run -d --name nginx -p 127.0.0.1:8080:80 docker.io/library/nginx:alpine
+```
+
+To use `podman` command on the host:
+```bash
+export CONTAINER_HOST=$(limactl list podman-rootful --format 'unix://{{.Dir}}/sock/podman.sock')
+podman --remote run -d --name nginx -p 127.0.0.1:8080:80 docker.io/library/nginx:alpine
+```
+
+To use `docker` command on the host:
+```bash
+export DOCKER_HOST=$(limactl list podman-rootful --format 'unix://{{.Dir}}/sock/podman.sock')
+docker run -d --name nginx -p 127.0.0.1:8080:80 docker.io/library/nginx:alpine
+```
+{{% /tab %}}
+{{< /tabpane >}}