Production-ready container runtime stack for developers: containerd, runc, BuildKit, and nerdctl packaged for Debian/Ubuntu.
This toolkit provides a complete container runtime environment for application developers, packaged as proper Debian packages with systemd integration, security scanning, and GPG-signed APT repository hosting.
- containerd (v1.7.22) - Industry-standard container runtime with ctr CLI
- runc (v1.1.14) - OCI container runtime (static build with seccomp/AppArmor)
- BuildKit (v0.13.1) - Next-generation container build system
- nerdctl (v1.7.7) - Docker-compatible CLI for containerd
- Developer-focused: Build and run OCI containers without Kubernetes overhead
- Production-ready: Systemd units, proper dependencies, security scanning
- k0s-compatible: Safely coexists with k0s-managed containerd
- Zero-cost hosting: APT repository via GitHub Pages
- Secure by default: GPG-signed packages, static binaries, Trivy scanning
```bash
# Add GPG key
wget -O- https://sansnom-co.github.io/cloudnative-appdev-toolkit/public_key.asc | \
  sudo gpg --dearmor -o /usr/share/keyrings/cn-appdev-toolkit.gpg

# Add repository
echo "deb [signed-by=/usr/share/keyrings/cn-appdev-toolkit.gpg] \
https://sansnom-co.github.io/cloudnative-appdev-toolkit stable main" | \
  sudo tee /etc/apt/sources.list.d/cn-appdev-toolkit.list

# Install toolkit
sudo apt update
sudo apt install cn-appdev-toolkit
```

```bash
# Check services
sudo systemctl status containerd
sudo systemctl status buildkit

# Test container runtime
sudo nerdctl run --rm alpine:3.20 echo "Hello from containerd!"

# Test build system
sudo buildctl debug workers
```

```bash
# Pull and run containers
sudo nerdctl pull nginx:alpine
sudo nerdctl run -d --name web -p 8080:80 nginx:alpine

# Build containers
cat > Dockerfile <<EOF
FROM alpine:3.20
RUN apk add --no-cache curl
CMD ["curl", "--version"]
EOF
sudo nerdctl build -t myapp:latest .
sudo nerdctl run --rm myapp:latest
```

- `containerd-standalone` - Container runtime daemon (dynamically linked for LSM support)
- `runc-static` - OCI runtime (statically linked)
- `buildkit-static` - Build daemon and CLI (statically linked)
- `nerdctl-static` - Docker-compatible CLI (statically linked)
- `cn-appdev-toolkit` - Meta package installing all components

- Debian 12+ or Ubuntu 22.04+
- Linux kernel 5.4+ (cgroup v2 recommended)
- systemd-based init system
- amd64 or arm64 architecture
Edit `/etc/buildkit/buildkitd.toml`:

```toml
[worker.containerd]
enabled = true
namespace = "buildkit"
gc = true

[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
```

Default config at `/etc/containerd/config.toml`. To regenerate:

```bash
sudo containerd config default | sudo tee /etc/containerd/config.toml
sudo systemctl restart containerd
```

This toolkit automatically detects k0s installations and avoids conflicts:

- If k0s is present, `containerd.service` won't be enabled
- BuildKit will use the k0s-managed containerd
- All CLI tools remain available

```bash
sudo journalctl -u containerd -f
sudo journalctl -u buildkit -f
```

```bash
ldd /usr/bin/nerdctl   # Should show "not a dynamic executable"
ldd /usr/bin/buildctl  # Should show "not a dynamic executable"
ldd /usr/bin/runc      # Should show "not a dynamic executable"
```

- Permission denied: Add your user to the `docker` group or use `sudo`
- cgroup v2 issues: Ensure kernel has cgroup v2 enabled
- Network issues: Check iptables/nftables configuration

```bash
git clone https://github.com/sansnom-co/cloudnative-appdev-toolkit
cd cloudnative-appdev-toolkit
./build_static_tools.sh
```

- Fork the repository
- Create your feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request

- All packages are GPG-signed (Key ID: B24A23CCB7E16E36)
- Binaries scanned with Trivy before release
- Static linking reduces attack surface
- Regular security updates via APT
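
Before the key is written to `/usr/share/keyrings`, the downloaded file can be checked against the Key ID stated above. This is an added example, not part of the project's scripts: the function names are hypothetical and the sample `gpg` colon output is constructed.

```shell
#!/bin/sh
EXPECTED_KEYID="B24A23CCB7E16E36"   # Key ID as published in this README
KEY_URL="https://sansnom-co.github.io/cloudnative-appdev-toolkit/public_key.asc"

# Read `gpg --with-colons` output on stdin and print the 64-bit key ID of
# every primary key (record type "pub", field 5), one per line, upper-cased.
primary_keyids() {
    awk -F: '$1 == "pub" { print toupper($5) }'
}

# Succeed only if stdin describes exactly one primary key and its ID
# equals $1. A file carrying extra keys is rejected, because signed-by=
# trusts every key stored in the keyring file it points to.
keyid_matches() {
    ids=$(primary_keyids)
    [ -n "$ids" ] || return 1
    [ "$(printf '%s\n' "$ids" | wc -l)" -eq 1 ] || return 1
    [ "$ids" = "$(printf '%s' "$1" | tr 'a-f' 'A-F')" ]
}

# Download, verify, then install the key. Nothing is written to
# /usr/share/keyrings unless the check passes.
install_repo_key() {
    tmp=$(mktemp) || return 1
    wget -qO "$tmp" "$KEY_URL" || { rm -f "$tmp"; return 1; }
    if gpg --show-keys --with-colons "$tmp" | keyid_matches "$EXPECTED_KEYID"; then
        sudo gpg --dearmor -o /usr/share/keyrings/cn-appdev-toolkit.gpg < "$tmp"
        rc=$?
    else
        echo "key ID mismatch: refusing to install $KEY_URL" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample of gpg's colon output, for checking the parser offline.
SAMPLE_OK='pub:-:4096:1:B24A23CCB7E16E36:1700000000:::-:::scESC::::::23::0:
uid:-::::1700000000::::Constructed Sample <sample@example.invalid>:'
```

Call `install_repo_key` in place of the `wget | gpg --dearmor` step. The README publishes only the 64-bit key ID, so that is what is compared; a full fingerprint, if the maintainer publishes one, is the stronger check.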
Report security issues to: mes@sansnom.co.uk
Apache License 2.0 - See LICENSE for details.
Individual components maintain their original licenses:
- containerd: Apache 2.0
- runc: Apache 2.0
- BuildKit: Apache 2.0
- nerdctl: Apache 2.0
Made with ❤️ and ☕ in London