1 - Enhanced supply chain security with gomodjail

gomodjail is an experimental library sandbox for Go modules.

gomodjail imposes syscall restrictions on a specific set of Go modules, so as to mitigate their potential vulnerabilities and supply chain attack vectors. A restricted module is prevented from accessing files and executing commands.

gomodjail can be enabled for nerdctl by using the nerdctl.gomodjail binary.

lima nerdctl.gomodjail ...

For the gomodjail policy applied to nerdctl.gomodjail, see https://github.com/containerd/nerdctl/blob/main/go.mod.

2 - Accelerating rootless networking with bypass4netns

bypass4netns is an experimental accelerator for rootless networking.

On macOS hosts, it is highly recommended to use the vzNAT networking in conjunction to reduce the overhead of Lima’s user-mode networking:

limactl start --network vzNAT

To enable bypass4netns, the daemon process (bypass4netnsd) has to be installed in the VM as follows:

lima containerd-rootless-setuptool.sh install-bypass4netnsd

Then run a container with an annotation nerdctl/bypass4netns=true:

# 192.168.64.1 is the IP address of the "bridge100" interface on the macOS host
lima nerdctl run --annotation nerdctl/bypass4netns=true alpine \
  sh -euc 'apk add iperf3 && iperf3 -c 192.168.64.1'

Benchmark result:

Mode                            Throughput
Rootless without bypass4netns   2.30 Gbits/sec
Rootless with bypass4netns      86.0 Gbits/sec
Rootful                         90.3 Gbits/sec

Benchmarking environment:

  • Lima version: 2.0.0-alpha.2
    • nerdctl 2.1.6
    • containerd 2.1.4
    • bypass4netns 0.4.2
  • Container: Alpine Linux 3.22.2
    • iperf 3.19.1-r0 (apk)
  • Guest: Ubuntu 25.04
  • Host: macOS 26.0.1
    • iperf 3.19.1 (Homebrew)
  • Hardware: MacBook Pro 2024 (M4 Max, 128 GiB)

3 - Accelerating start-up time with eStargz

eStargz is an OCI-compatible container image format that reduces start-up latency using a lazy-pulling technique.

The support for eStargz is available by default in Lima.

The timings below were measured on an Apple M5 Max (macOS, VZ-backend Lima, default template) pulling the native arm64 images. Numbers are a median of three cold runs (image removed with nerdctl rmi between each run).

Without eStargz:

$ time lima nerdctl run ghcr.io/stargz-containers/python:3.13-org python3 -c 'print("hi")'
hi

real	0m14.031s
user	0m0.017s
sys	0m0.018s

With eStargz:

$ time lima nerdctl --snapshotter=stargz run ghcr.io/stargz-containers/python:3.13-esgz python3 -c 'print("hi")'
hi

real	0m3.275s
user	0m0.017s
sys	0m0.016s
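The measurement method described above (three cold runs per image, image removed with nerdctl rmi between runs, median reported) can be scripted so the comparison is repeatable on other hardware. The following shell harness is an added example written for this page, not code from Lima or nerdctl. It assumes lima is on PATH and uses the two image names listed above; the RUN_BENCH guard is a convention of this script only, and the now() helper falls back to whole seconds where perl is not installed.

```shell
#!/bin/sh
# Added example, not part of Lima/nerdctl: cold-start benchmark harness implementing
# "median of three cold runs, image removed with nerdctl rmi between each run".

# now: wall-clock time in seconds with millisecond precision (perl Time::HiRes),
# falling back to whole seconds where perl is missing.
now() {
    if command -v perl >/dev/null 2>&1; then
        perl -MTime::HiRes=time -e 'printf "%.3f\n", time'
    else
        date +%s
    fi
}

# elapsed CMD...: run CMD (output discarded) and print its wall-clock duration in seconds.
elapsed() {
    _start=$(now)
    "$@" >/dev/null 2>&1
    _end=$(now)
    awk -v s="$_start" -v e="$_end" 'BEGIN { printf "%.3f\n", e - s }'
}

# median3 A B C: median of three decimal numbers.
median3() {
    printf '%s\n%s\n%s\n' "$1" "$2" "$3" | sort -n | sed -n '2p'
}

# speedup BASELINE NEW: how many times faster NEW is than BASELINE, two decimals.
speedup() {
    awk -v b="$1" -v n="$2" 'BEGIN { printf "%.2f\n", b / n }'
}

# cold_run IMAGE [SNAPSHOTTER]: remove IMAGE from the VM, then time a single run of it.
# A non-empty SNAPSHOTTER is passed as the global --snapshotter flag, as in the docs above.
cold_run() {
    _image=$1
    set -- lima nerdctl ${2:+--snapshotter="$2"}
    "$@" rmi -f "$_image" >/dev/null 2>&1 || true
    elapsed "$@" run --rm "$_image" python3 -c 'print("hi")'
}

# bench IMAGE [SNAPSHOTTER]: median of three cold runs, in seconds.
bench() {
    median3 "$(cold_run "$@")" "$(cold_run "$@")" "$(cold_run "$@")"
}

# Only drive lima when explicitly asked, so the helpers above can be sourced and
# checked offline (RUN_BENCH is a convention of this script, not a Lima setting).
if [ "${RUN_BENCH:-0}" = 1 ]; then
    plain=$(bench ghcr.io/stargz-containers/python:3.13-org)
    esgz=$(bench ghcr.io/stargz-containers/python:3.13-esgz stargz)
    printf 'without eStargz: %ss\nwith eStargz:    %ss\nspeedup:         %sx\n' \
        "$plain" "$esgz" "$(speedup "$plain" "$esgz")"
fi
```

Run it with `RUN_BENCH=1 sh bench-estargz.sh` inside a shell where `lima` works. Removing the image before every run matters: a second run of the same image hits the local content store and would measure container start-up, not pull latency, which is exactly what lazy pulling is meant to shorten.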

Examples of eStargz images can be found at https://github.com/containerd/stargz-snapshotter/blob/main/docs/pre-converted-images.md.

See also: