What is containerd?

containerd is the industry-standard container runtime that powers Docker and Kubernetes. This guide explains what containerd is, its architecture, why it matters, and how it fits into the cloud-native ecosystem.

What is containerd?

containerd is a high-level container runtime that manages the complete container lifecycle on a single host. It handles image distribution, storage, container execution, and network management. Originally built by Docker and later donated to the Cloud Native Computing Foundation (CNCF), containerd is the most widely adopted container runtime in the industry.

Unlike Docker (which is a complete platform), containerd focuses solely on being a reliable, efficient runtime. It's designed to be embedded in larger systems, making it the perfect choice for Kubernetes and other orchestration platforms. containerd is OCI-compliant, meaning it can run any OCI-compatible container image.

containerd is used by Docker, Kubernetes, AWS EKS, Google GKE, Azure AKS, and thousands of other platforms. It's the most widely deployed container runtime in the world.
containerd Architecture Overview

containerd has a modular architecture designed for flexibility and extensibility. It consists of several core components that communicate via gRPC:

containerd Daemon
  • gRPC API - Programmatic interface
  • Metrics Server - Prometheus endpoint
  • CRI Plugin - Kubernetes integration
  • Content Store - Image content storage

Core Components
  • Runtime (runc) - Container execution
  • Image Distribution - Pull / push images
  • Snapshotter - overlayfs / native

The modular design allows containerd to be extended with additional runtimes (Kata, gVisor) and snapshot drivers.
CNCF Graduated Project

containerd became a CNCF (Cloud Native Computing Foundation) project in March 2017 and achieved graduation status in February 2019. CNCF graduation is a significant milestone that indicates maturity, stability, and widespread adoption.

To graduate, a project must demonstrate: widespread production use, a healthy number of maintainers from multiple organizations, clear governance, and adherence to the CNCF code of conduct. containerd met all these criteria and joined the ranks of Kubernetes, Prometheus, and Envoy as a graduated CNCF project.

CNCF graduation means containerd is enterprise-ready, well-maintained, and has a strong community behind it. It's trusted by the world's largest organizations.
OCI Compliance: The Open Container Initiative

containerd is fully compliant with the Open Container Initiative (OCI) standards. OCI defines two specifications:

  • OCI Image Specification - Defines the format of container images
  • OCI Runtime Specification - Defines how to run a container

This compliance ensures that any OCI-compliant image can run on containerd, and containerd can use any OCI-compliant runtime (like runc, Kata Containers, or gVisor).

```
# OCI Runtime flow
Container image (OCI format)
        ↓
containerd (image distribution, storage)
        ↓
runc (OCI runtime - creates and runs container)
        ↓
Linux Kernel (namespaces, cgroups)
```

Key Features of containerd
  • OCI Image Support - Pull, push, and manage OCI images from any registry.
  • Container Lifecycle Management - Create, start, stop, pause, and delete containers.
  • Snapshot Management - Multiple snapshot drivers (overlayfs, devicemapper, zfs, btrfs).
  • Content Distribution - Efficient image pulling with content-addressable storage.
  • CRI Plugin - Seamless integration with Kubernetes.
  • Metrics and Monitoring - Prometheus metrics endpoint for observability.
  • gRPC API - Programmatic access to all containerd functions.
  • Namespace Isolation - Multi-tenancy support with namespaces.
  • Rootless Mode - Run containers without root privileges.
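
Content-addressable storage means every blob in the content store is named after the SHA-256 digest of its bytes, so the store can be integrity-checked by re-hashing it. The script below is an added example, not code from the original page or from the containerd project; it assumes the default content store layout (`blobs/sha256/<digest>` under `/var/lib/containerd/io.containerd.content.v1.content`), and the demo store it builds is constructed test data.

```bash
#!/usr/bin/env bash
# Added example: re-hash every blob in a containerd content store and compare
# the result with the digest encoded in the blob's file name.
# Usage: verify_content_store /var/lib/containerd/io.containerd.content.v1.content
verify_content_store() {
  store=$1; bad=0; total=0
  for blob in "$store"/blobs/sha256/*; do
    [ -f "$blob" ] || continue                 # empty store or non-regular entry
    total=$((total + 1))
    expected=$(basename "$blob")               # file name is the hex digest
    actual=$(sha256sum "$blob" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH sha256:$expected (file hashes to sha256:$actual)"
      bad=$((bad + 1))
    fi
  done
  echo "checked=$total mismatched=$bad"
  [ "$bad" -eq 0 ]                             # non-zero exit if any blob differs
}

# Builds a throwaway store with one intact and one altered blob (constructed data).
make_demo_store() {
  dir=$(mktemp -d)
  mkdir -p "$dir/blobs/sha256"
  for data in layer-a layer-b; do
    name=$(printf '%s' "$data" | sha256sum | cut -d' ' -f1)
    printf '%s' "$data" > "$dir/blobs/sha256/$name"
  done
  printf 'X' >> "$dir/blobs/sha256/$name"      # alter the second blob after storing it
  echo "$dir"
}

demo=$(make_demo_store)
verify_content_store "$demo" || true
rm -rf "$demo"
```

On a real host the store is owned by root, so the function has to run with sufficient privileges to read the blobs.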
Getting Started with containerd
```bash
# Install containerd on Ubuntu/Debian
sudo apt-get update
sudo apt-get install -y containerd

# Install containerd on CentOS/RHEL
sudo yum install -y containerd

# Start the containerd service
sudo systemctl enable containerd
sudo systemctl start containerd

# Verify installation
sudo systemctl status containerd
containerd --version

# Generate default configuration
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml

# Restart after configuration changes
sudo systemctl restart containerd
```

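
The gRPC API and the Prometheus metrics endpoint described in the architecture section are both configured in `config.toml`, so the file is worth auditing after any change. The script below is an added example, not part of the original page or containerd's own tooling: it reads the `[grpc]` and `[metrics]` tables and flags settings that widen access to the daemon. The sample config and the severity labels are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag containerd config.toml settings that widen access to the daemon.
# Usage: audit_containerd_config /etc/containerd/config.toml   (or pipe a config on stdin)
audit_containerd_config() {
  awk -v q="'" '
    function val(line,   v) {                # value part of "key = value", unquoted
      v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+#.*$/, "", v)
      sub(/[ \t]+$/, "", v); gsub("^[\"" q "]|[\"" q "]$", "", v); return v
    }
    function loopback(a) { return a ~ /^(127\.|localhost:|\[::1\]:)/ }
    function report(sev, msg) { print sev ": " msg; n++ }
    /^[ \t]*#/  { next }
    /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }  # [grpc] -> grpc
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
      cfg[sec "." key] = val($0)
    }
    END {
      tcp = cfg["grpc.tcp_address"]
      if (tcp != "" && (cfg["grpc.tcp_tls_cert"] == "" || cfg["grpc.tcp_tls_key"] == ""))
        report("HIGH", "gRPC API on TCP " tcp " without TLS")
      else if (tcp != "" && cfg["grpc.tcp_tls_ca"] == "")
        report("MEDIUM", "gRPC API on TCP " tcp " with TLS but no client CA")
      if (cfg["grpc.gid"] != "" && cfg["grpc.gid"] != "0")
        report("MEDIUM", "socket group gid=" cfg["grpc.gid"] " has root-equivalent control")
      m = cfg["metrics.address"]
      if (m != "" && !loopback(m))
        report("LOW", "metrics endpoint " m " is not bound to loopback")
      exit (n > 0)                           # non-zero exit when anything was reported
    }' "$@"
}

# Constructed sample (not from a real host): the three findings are deliberate.
sample_config() {
  cat <<'EOF'
version = 2
[grpc]
  address = "/run/containerd/containerd.sock"
  tcp_address = "0.0.0.0:10010"
  tcp_tls_cert = ""
  tcp_tls_key = ""
  gid = 998
[metrics]
  address = '0.0.0.0:1338'
EOF
}

sample_config | audit_containerd_config || true
```
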
containerd CLI Tools: ctr and nerdctl

containerd comes with two main CLI tools:

  • ctr - The native containerd CLI for debugging and low-level operations.
  • nerdctl - A Docker-compatible CLI that makes containerd feel like Docker.

```bash
# Using ctr (minimal - for debugging)
ctr image pull docker.io/library/nginx:alpine
ctr container create docker.io/library/nginx:alpine nginx
ctr task start nginx

# Using nerdctl (Docker-like - recommended)
nerdctl pull nginx:alpine
nerdctl run -d -p 80:80 --name web nginx:alpine
nerdctl ps
nerdctl logs web
nerdctl exec -it web sh
nerdctl stop web
nerdctl rm web
```

For users familiar with Docker, nerdctl provides a smooth transition to containerd. Most Docker commands work unchanged.
containerd in the Cloud Native Landscape

containerd is a critical component of the cloud native ecosystem. It sits at the core of the container stack:

Cloud Native Stack
  • Kubernetes - Orchestration Layer
  • containerd - High-level Container Runtime
  • runc - Low-level OCI Runtime
  • Linux Kernel - Namespaces, cgroups, seccomp

containerd is one of the most widely deployed pieces of software in the world, running on millions of servers across every major cloud provider.
Frequently Asked Questions
Is containerd a replacement for Docker?
Not exactly. containerd is a runtime component that Docker uses. Docker includes containerd plus additional features like CLI, build capabilities, and Docker Compose. containerd alone is a more focused runtime.
Why did Kubernetes move from Docker to containerd?
Kubernetes removed Docker support in v1.24 because Docker uses containerd underneath. The extra Docker shim layer added unnecessary complexity. containerd provides the same functionality with better performance and a smaller footprint.
Can I run containerd without Kubernetes?
Absolutely! containerd is a standalone runtime. You can use it with nerdctl (Docker-like CLI) for local container management, or embed it in your own applications via its gRPC API.
Does containerd support Windows containers?
Yes, containerd supports Windows containers on Windows Server 2019 and later. Windows containers require a Windows host with Hyper-V isolation or process isolation.
Is containerd faster than Docker?
containerd is generally faster and more lightweight because it has fewer features. It focuses solely on runtime operations, while Docker includes additional tooling. For container startup and operation, containerd is slightly faster.
Can I build images with containerd?
containerd doesn't include a built-in image builder. However, you can use tools like buildkit, img, or kaniko that are compatible with containerd. nerdctl also supports building images using buildkit.
How do I see running containers in containerd?
Use `ctr container ls` or `nerdctl ps`. For Kubernetes containers, use `crictl ps` (CRI-compatible) or `ctr -n k8s.io container ls`.

containerd is the foundation of modern container infrastructure. Understanding it is essential for any cloud-native engineer.