
Add --preserve-fds N to nerdctl run #3534

@MayCXC

Description


What is the problem you're trying to solve

Container runtimes support passing additional file descriptors from the parent process into containers, which has at least two nice use cases:

  • using a socket manager to bind sockets that do network I/O on host interfaces, and then listening on them in a container that uses --net=none. Effectively, this allows the container to do host network I/O without exposing the host network to the container.
  • using a socket manager to stop one such container, create a new one, and start it again, while its clients see a stalled response instead of an ECONNREFUSED

which enhances security and allows for seamless upgrades.

Describe the solution you'd like

nerdctl run takes a --preserve-fds N argument, which specifies how many "extra" fds to pass to containers after stdin/stdout/stderr. podman also supports systemd's socket activation $LISTEN_FDS environment variable, which I do not recommend adding separate support for in nerdctl. A simple shell script can read these variables and supply the appropriate --preserve-fds argument to nerdctl if desired.

Additional context

Support is already in runc, and podman run has this argument: containers/podman#6625

I am happy to contribute this feature if there is interest :)
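The two use cases from the description, as an added Python example that is not part of nerdctl, podman or this issue: a socket manager process binds the listening socket and hands it to a worker by file descriptor (the mechanism --preserve-fds exposes to a container, which would see it at fd 3; here the fd number is passed on argv so the example does not depend on fd layout), and a client that connects while no worker is running is queued in the listen backlog instead of getting ECONNREFUSED. It assumes loopback networking and a working `python` interpreter for the child.

```python
import socket
import subprocess
import sys

# Stand-in for the container process: it binds nothing itself and only serves
# the listening socket it inherited from the socket manager (constructed for
# this example; a real container would be started with --preserve-fds 1 and
# find the socket at fd 3).
CHILD = r"""
import os, socket, sys
srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM, fileno=int(sys.argv[1]))
conn, _ = srv.accept()                      # adopt the inherited socket
conn.sendall(b"served by pid %d" % os.getpid())
conn.close()
"""

def start_worker(srv):
    """Spawn one worker that handles a single connection on srv, then exits."""
    fd = srv.fileno()
    # pass_fds keeps fd open across exec, just as --preserve-fds would in runc
    return subprocess.Popen([sys.executable, "-c", CHILD, str(fd)], pass_fds=(fd,))

def read_reply(conn):
    """Read the whole reply; blocks until some worker accepts and answers."""
    return b"".join(iter(lambda: conn.recv(4096), b""))

def demo():
    # The socket manager owns the bound socket.  Its listen backlog is what
    # keeps client connections queued while no worker is running.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    w1 = start_worker(srv)
    with socket.create_connection(("127.0.0.1", port), timeout=20) as c1:
        before = read_reply(c1)
    w1.wait()                  # old worker is gone: this is the upgrade gap

    # Connecting during the gap succeeds (the connection sits in the backlog)
    # rather than failing with ECONNREFUSED; it is answered once w2 starts.
    c2 = socket.create_connection(("127.0.0.1", port), timeout=20)
    w2 = start_worker(srv)
    after = read_reply(c2)
    c2.close()
    w2.wait()
    srv.close()
    return {"before": before, "after": after, "pid1": w1.pid, "pid2": w2.pid}

if __name__ == "__main__":
    print(demo())
```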
