Scripts · Apr 13, 2026 · 3 min read

containerd — The Industry-Standard Container Runtime

containerd is the core container runtime that powers Docker and Kubernetes. It manages the complete container lifecycle — image transfer, storage, execution, and supervision — providing a stable, reliable foundation for container platforms.

Script Depot · Community
Quick Use

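# Install containerd
# Linux (Ubuntu/Debian)
# containerd.io is the package name in Docker's apt repository;
# the distribution's own archive ships the package as "containerd"
sudo apt install containerd.io

# Or from GitHub releases
# The release tarball contains only the binaries; the systemd unit,
# runc and CNI plugins are installed separately
curl -fLO https://github.com/containerd/containerd/releases/download/v1.7.0/containerd-1.7.0-linux-amd64.tar.gz
sudo tar -C /usr/local -xzf containerd-1.7.0-linux-amd64.tar.gz

# Start containerd (requires the containerd.service unit to be installed)
sudo systemctl enable --now containerd

# Use with ctr (low-level CLI)
sudo ctr images pull docker.io/library/nginx:latest
sudo ctr run --rm docker.io/library/nginx:latest my-nginx

# Or use nerdctl (Docker-compatible CLI, installed separately)
nerdctl run -d -p 80:80 nginx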
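
The tarball route above extracts a downloaded archive into /usr/local as root without checking it. As an added example (not from the original page or the containerd project), this shell function extracts only when the archive matches the SHA-256 checksum file that containerd publishes next to each release archive; the function name verify_and_extract and its argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify a downloaded release archive before extracting it.
# verify_and_extract ARCHIVE SUMFILE DESTDIR
#   SUMFILE is the "<archive>.sha256sum" file downloaded from the same release
#   (format written by sha256sum: "<hex digest>  <file name>").
# Returns 0 on success, 1 on checksum mismatch, 2 on bad input.
verify_and_extract() {
    archive=$1 sumfile=$2 dest=$3
    [ -f "$archive" ] && [ -f "$sumfile" ] || { echo "missing input file" >&2; return 2; }

    # Use only the digest field, so a renamed or relocated archive is still
    # compared against the published hash.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    case $expected in
        *[!0-9a-f]*|'') echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }

    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive; not extracting" >&2
        return 1
    fi

    # Extraction happens only after the digest matched.
    mkdir -p "$dest" && tar -C "$dest" -xzf "$archive"
}
```

The checksum file comes from the same release page as the archive, so this catches corruption and substitution on a mirror or in transit, not a compromised release.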

Introduction

containerd is the container runtime that runs beneath Docker and Kubernetes. While Docker provides the user-friendly CLI and Docker Compose, containerd handles the actual work of pulling images, managing storage, creating containers via runc, and supervising running containers.

With over 21,000 GitHub stars and graduated CNCF project status, containerd is the most widely deployed container runtime in the world. It runs inside Docker, is the default runtime for Kubernetes (replacing dockershim), and powers cloud services at AWS (EKS, Fargate), Google (GKE), Microsoft (AKS), and more.

What containerd Does

containerd manages the complete container lifecycle at a lower level than Docker. It handles image pull and push, image storage (snapshots), container creation (via OCI runtimes like runc), container execution and monitoring, networking setup, and content distribution. It provides a stable gRPC API for higher-level tools.

Architecture Overview

             [Higher-Level Tools]
      Docker | nerdctl | Kubernetes (CRI)
                      |
                 [containerd]
                   gRPC API
                      |
       +--------------+--------------+
       |              |              |
   [Images]     [Containers]     [Content]
   Pull/Push    Create/Start     Blob
   Unpack       Exec/Kill        storage
   Snapshots    Logs/Events      Distribution
                      |
            [OCI Runtime (runc)]
            Actually creates Linux
            containers with namespaces,
            cgroups, seccomp
                      |
               [Linux Kernel]
               Namespaces, cgroups,
               overlay FS, seccomp

Self-Hosting & Configuration

# /etc/containerd/config.toml
version = 2

[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.k8s.io/pause:3.9"

  [plugins."io.containerd.grpc.v1.cri".containerd]
    default_runtime_name = "runc"

    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
      runtime_type = "io.containerd.runc.v2"

      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
        SystemdCgroup = true

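  # registry.mirrors is the older CRI registry syntax, deprecated in favor of
  # config_path pointing at a directory of hosts.toml files
  [plugins."io.containerd.grpc.v1.cri".registry]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
        endpoint = ["https://registry-1.docker.io"]

# Generate default config
# (overwrites an existing /etc/containerd/config.toml, so run this before editing)
containerd config default | sudo tee /etc/containerd/config.toml

# Kubernetes uses containerd via CRI
# kubelet --container-runtime-endpoint=unix:///run/containerd/containerd.sock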
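
A review check for the configuration above, as an added example that is not part of the original page or of containerd itself: it flags registry mirrors reached over plain HTTP, a pause image named by mutable tag rather than digest, and disabled TLS verification. The function names, the finding labels and the mirror host in the sample are constructed for this example; insecure_skip_verify is a containerd registry TLS option that the page's config does not use.

```shell
#!/bin/sh
# Added example: flag risky settings in a containerd config.toml.
# Prints one "<check>: <detail>" line per finding; returns 1 if anything was flagged.
audit_containerd_config() {
    awk '
        /^[ \t]*#/ { next }                          # ignore comment lines
        /^[ \t]*\[/ {                                # remember the current TOML table
            section = $0; gsub(/^[ \t]+|[ \t]+$/, "", section); next
        }
        # Registry mirror reached over plain HTTP: image pulls lose TLS protection.
        section ~ /registry\.mirrors/ && /^[ \t]*endpoint[ \t]*=/ && /"http:\/\// {
            print "plaintext-mirror: " section; bad = 1
        }
        # TLS certificate verification switched off for a registry host.
        /^[ \t]*insecure_skip_verify[ \t]*=[ \t]*true/ {
            print "tls-verify-disabled: " section; bad = 1
        }
        # Pause image named by mutable tag instead of an immutable digest.
        /^[ \t]*sandbox_image[ \t]*=/ && !/@sha256:[0-9a-f]+"/ {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            print "sandbox-image-unpinned: " line; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input: the config from this page with the mirror switched to HTTP.
sample_weak_config() {
    cat <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.k8s.io/pause:3.9"
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["http://mirror.example.internal:5000"]
EOF
}
```

Run against the config exactly as shown on this page, the check reports only the unpinned sandbox_image, since the docker.io mirror there already uses https.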

Key Features

  • OCI Compliant — implements OCI runtime and image specifications
  • CRI Plugin — native Kubernetes Container Runtime Interface support
  • Image Management — pull, push, and manage OCI and Docker images
  • Snapshotter — pluggable storage backends (overlayfs, btrfs, ZFS)
  • Namespaces — multi-tenant isolation within a single containerd instance
  • Content Store — content-addressable storage for image layers
  • Streaming — container log and exec streaming
  • Plugins — extensible architecture with runtime, snapshotter, and differ plugins

Comparison with Similar Tools

Feature        | containerd            | Docker Engine  | CRI-O               | Podman
---------------+-----------------------+----------------+---------------------+--------------------
Level          | Low-level runtime     | Full platform  | K8s-focused runtime | Daemonless engine
CLI            | ctr / nerdctl         | docker         | crictl              | podman
Kubernetes     | CRI native            | Via containerd | CRI native          | Via CRI-O
Docker Compose | Via nerdctl           | Native         | No                  | podman-compose
Daemon         | Yes                   | Yes (dockerd)  | Yes                 | No (daemonless)
CNCF Status    | Graduated             | N/A            | Incubating          | N/A
Used By        | Docker, K8s, AWS, GCP | End users, CI  | OpenShift           | Rootless containers

FAQ

Q: containerd vs Docker — what is the relationship?
A: Docker uses containerd internally. When you run "docker run", Docker calls containerd, which calls runc. containerd is the runtime engine; Docker is the user-facing platform built on top of it.

Q: Why did Kubernetes switch from Docker to containerd?
A: Kubernetes only needed the container runtime, not Docker build, Docker CLI, or Docker Compose. Using containerd directly removes unnecessary layers and reduces resource overhead.

Q: What is nerdctl?
A: nerdctl is a Docker-compatible CLI for containerd. It provides the familiar "docker run" experience directly on containerd without Docker Engine — useful for Kubernetes nodes and lightweight setups.

Q: Do I need containerd if I use Docker?
A: containerd is already included in Docker — you do not install it separately. You only install containerd standalone for Kubernetes nodes or when you want a lighter container runtime without the full Docker platform.
