Containerd

Containerd is a high-performance container runtime that manages the entire container lifecycle: pulling images, running containers, handling storage, networking, and supervising processes. Originally part of Docker, it is now a CNCF project widely used in cloud-native environments.

Architecture

Application
Kubernetes / Docker CLI
containerd
runc (OCI runtime)
Linux Kernel

Containerd sits in the middle, managing containers while delegating execution to runc.

  • High-level tools: Docker, Podman
  • Mid-level runtime: containerd
  • Low-level runtime: runc

containerd vs Docker

Feature          Docker                              containerd
CLI              yes                                 no (use ctr or nerdctl)
Image building   yes                                 no (needs BuildKit)
Runtime          yes (uses containerd internally)    yes
Full platform    yes                                 no (runtime-only)

Docker is a complete platform; containerd is a lightweight runtime engine.

Why Containerd?

  1. Separation of Concerns – Simplifies architecture, modular design.
  2. Lightweight & Efficient – Lower resource use, faster container operations.
  3. Kubernetes-native – Implements CRI directly, eliminating the Docker shim (dockershim):

     kubelet → dockershim → Docker → containerd → runc

     # Kubernetes 1.24 and later (dockershim removed)
     kubelet → containerd → runc

Installation

# Add Docker's official GPG key:
sudo apt update
sudo apt install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
sudo tee /etc/apt/sources.list.d/docker.sources <<EOF
Types: deb
URIs: https://download.docker.com/linux/debian
Suites: $(. /etc/os-release && echo "$VERSION_CODENAME")
Components: stable
Architectures: $(dpkg --print-architecture)
Signed-By: /etc/apt/keyrings/docker.asc
EOF

sudo apt update

sudo apt install containerd.io

Using Containerd Directly

ctr – low-level debugging

ctr images pull docker.io/library/nginx:latest

ctr images list

ctr run --rm -t docker.io/library/nginx:latest nginx

ctr containers list

ctr tasks list

ctr namespaces list

nerdctl – Docker Compose compatible

nerdctl is compatible with Compose files, but expect some limitations. In this respect it is worse than podman compose, but it is really lightweight.

nerdctl run -d --name nginx -p 80:80 nginx

nerdctl ps -a

nerdctl logs nginx

nerdctl exec -it nginx sh

nerdctl compose up -d

nerdctl compose pull

Namespaces

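Containerd uses namespaces to keep each client's resources (images, containers, tasks) separate. Namespaces are an administrative construct rather than a security boundary: any client that can reach the containerd socket can select any namespace.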

sudo ctr namespaces list

# Kubernetes (CRI) namespace
sudo ctr -n k8s.io containers list

# Docker (moby) namespace
sudo ctr -n moby containers list

# default namespace
sudo ctr -n default images list
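
Each ctr command above looks at one namespace only, so a node inventory has to walk all of them. The shell function below is an added example, not part of the original page; the function name containerd_inventory and the CTR override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumption: CTR can be overridden, e.g. CTR="sudo ctr".
CTR="${CTR:-ctr}"

# Print one tab-separated line per container in every namespace:
#   <namespace> <container-id> <task status, or "no-task">
containerd_inventory() {
    $CTR namespaces list -q </dev/null | while IFS= read -r ns; do
        [ -n "$ns" ] || continue
        # "tasks list" prints a header row, then: TASK PID STATUS
        tasks=$($CTR -n "$ns" tasks list </dev/null |
                awk 'NR > 1 { print $1 "\t" $3 }')
        $CTR -n "$ns" containers list -q </dev/null |
        while IFS= read -r id; do
            [ -n "$id" ] || continue
            # Look up this container's task status, if it has a task.
            state=$(printf '%s\n' "$tasks" |
                    awk -F '\t' -v id="$id" '$1 == id { print $2 }')
            [ -n "$state" ] || state=no-task
            printf '%s\t%s\t%s\n' "$ns" "$id" "$state"
        done
    done
}

# Run the inventory only when invoked as: sh inventory.sh run
if [ "${1:-}" = "run" ]; then
    containerd_inventory
fi
```

A container reported as no-task has metadata but no process. Containers in k8s.io or moby do not show up in a plain ctr containers list, which reads the default namespace unless -n is given.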

containerd vs CRI-O

Both are CRI-compliant runtimes for Kubernetes.

Feature        containerd         CRI-O
Scope          General-purpose    Kubernetes-only
Flexibility    High               Minimal
Use case       Docker + K8s       K8s only