Containerd vs Docker: Deep Dive into Kubernetes Runtime Differences
An in‑depth comparison of Docker and containerd explains their architectural roles in Kubernetes, covering lifecycle management, logging, configuration, stream services, CNI networking, command equivalents, and how tools like crictl and ctr replace Docker CLI functions.
Overview
Docker uses Linux kernel features such as cgroups and namespaces to isolate processes, enabling independent execution of multiple applications while maintaining security.
To avoid vendor lock‑in, Docker’s implementation was split into standardized modules that can be replaced by other implementations.
Docker consists of docker‑client, dockerd, containerd, docker‑shim, and runc; containerd is a core component that actually manages containers.
What is containerd?
Containerd is an industrial‑grade, standard container runtime (CRI) that emphasizes simplicity, robustness, and portability. It manages the full container lifecycle, image transfer and storage, execution, networking, and more.
Key responsibilities
Manage container lifecycle (create to destroy)
Pull/push container images
Storage management for images and container data
Invoke runC to run containers
Manage container network interfaces
From a Kubernetes perspective, you can choose containerd or Docker as the runtime; containerd has a shorter call chain, fewer components, higher stability, and lower resource consumption.
Docker vs containerd: Configuration differences
Log storage path: Docker stores logs under /var/lib/docker/containers/... and creates symlinks via kubelet; containerd lets kubelet write logs to /var/log/pods/$CONTAINER_NAME and creates symlinks.
Log driver configuration: Docker uses {"log-driver":"json-file","log-opts":{"max-size":"100m","max-file":"5"}}; containerd configures via kubelet flags or KubeletConfiguration (e.g., --container-log-max-size="100Mi").
Persisting logs on a data disk: Docker mounts a data disk to data-root (default /var/lib/docker); containerd creates a symlink from /var/log/pods to a directory on the data disk.
Stream server
Docker API provides a stream service used by the docker‑shim; containerd requires a separate stream server configuration:
[plugins.cri]
stream_server_address = "127.0.0.1"
stream_server_port = "0"
enable_tls_streaming = false
Before Kubernetes 1.11, kubelet only redirected the stream; after 1.11, kubelet introduced a stream proxy, allowing containerd’s stream server to listen only on localhost.
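A configuration check for the stream server settings above, as an added example that is not part of the original article or of containerd: it parses a containerd TOML config and reports when the stream server is not bound to loopback. The sample configs, the port 10010 and the function names are constructed for illustration; the second table name is the one used by version 2 config files.

```python
import ipaddress
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters need the tomli package
    import tomli as tomllib

# Constructed sample configs (not taken from a real node).
LOCAL_ONLY = '''
[plugins.cri]
stream_server_address = "127.0.0.1"
stream_server_port = "0"
enable_tls_streaming = false
'''
EXPOSED = '''
[plugins.cri]
stream_server_address = "0.0.0.0"
stream_server_port = "10010"
enable_tls_streaming = false
'''

def cri_section(cfg):
    """Return the CRI plugin table: the name used on this page, or the v2 name."""
    plugins = cfg.get("plugins", {})
    return plugins.get("cri") or plugins.get("io.containerd.grpc.v1.cri") or {}

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # empty string or hostname: cannot prove it is local-only

def audit_stream_server(toml_text):
    """Return a list of findings for the CRI stream server settings."""
    cri = cri_section(tomllib.loads(toml_text))
    if "stream_server_address" not in cri:
        return ["stream_server_address not set explicitly; check the running default"]
    addr = cri["stream_server_address"]
    findings = []
    if not is_loopback(addr):
        findings.append(f"stream server listens on {addr!r}, not loopback")
        if not cri.get("enable_tls_streaming", False):
            findings.append("enable_tls_streaming is false on a non-loopback listener")
    return findings

if __name__ == "__main__":
    for name, text in (("local-only", LOCAL_ONLY), ("exposed", EXPOSED)):
        print(name, audit_stream_server(text) or "ok")
```

To audit a node, pass the contents of its containerd config file to audit_stream_server instead of the constructed samples.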
CNI networking
Docker: kubelet’s docker‑shim invokes CNI using --cni-bin-dir and --cni-conf-dir flags.
Containerd: built‑in cri‑plugin (since v1.1) uses a TOML config, e.g., plugins.cri.cni.bin_dir = "/opt/cni/bin" and conf_dir = "/etc/cni/net.d".
Command comparison
Containerd does not support Docker CLI or API, but similar functionality is available via crictl and ctr tools.
Image commands:
List images: docker images vs crictl images
Pull image: docker pull vs crictl pull
Push image: docker push (not supported by containerd)
Remove image: docker rmi vs crictl rmi
Inspect image: docker inspect vs crictl inspecti
Container commands:
List containers: docker ps vs crictl ps
Create: docker create vs crictl create
Start: docker start vs crictl start
Stop: docker stop vs crictl stop
Remove: docker rm vs crictl rm
Inspect: docker inspect vs crictl inspect
Attach, exec, logs, stats: analogous crictl commands.
Pod commands (containerd only): crictl pods, crictl inspectp, crictl runp, crictl stopp.
Extended reading
Common crictl commands can replace many Docker commands; for image management beyond crictl, the ctr tool is used, e.g.:
ctr -n k8s.io images list
Containerd supports multiple namespaces (k8s.io, moby, default); operations shown above use the k8s.io namespace, requiring the -n flag.
MaGe Linux Operations
