
Master Production-Ready Containerd Installation & Configuration

This guide walks you through preparing your Linux server, downloading and installing Containerd with its dependencies, configuring system settings, setting up systemd services, verifying the installation, pulling images, and applying security and performance best practices for production environments.

Linux Ops Smart Journey

Introduction

Containerd is a highly modular container runtime designed for performance and simplicity, widely used in modern cloud‑native architectures. It is typically paired with Kubernetes in production, while Docker remains the preferred choice for single‑node container workloads.

Prerequisites

Operating System: stable Linux distribution (Ubuntu, CentOS, RHEL, etc.)

Hardware: at least 4 GB RAM and sufficient disk space

Network: internet access to download Containerd components

Install Containerd

Download the cri‑containerd package (which includes containerd, runc, and CNI plugins) and the runc binary:

<code># cri-containerd
curl -SLO https://github.com/containerd/containerd/releases/download/v1.6.34/cri-containerd-1.6.34-linux-amd64.tar.gz
# runc binary
curl -SLO https://github.com/opencontainers/runc/releases/download/v1.1.13/runc.amd64</code>
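Before extracting anything, the two downloads can be checked against the SHA-256 lists published with each release, since the next step copies their contents into /usr/bin as root. The script below is an added example, not part of the original guide; the function names, the verify.sh file name and the checksum file names in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check downloaded release files against SHA-256 lists
# before anything is copied into /usr/bin as root.

# expected_sha256 <checksum-file> <name>: print the digest recorded for
# exactly <name>. Works on single-entry and multi-entry lists and strips the
# "*" binary-mode marker and any directory prefix. Fails unless one entry matches.
expected_sha256() {
    awk -v want="$2" '
        { name = $2; sub(/^\*/, "", name); sub(/^.*\//, "", name) }
        name == want && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ {
            print tolower($1); found++
        }
        END { exit (found == 1 ? 0 : 1) }
    ' "$1"
}

# verify_artifact <file> <checksum-file>
# Returns 0 on match, 1 on digest mismatch, 2 if the file or its entry is missing.
verify_artifact() {
    local file="$1" sums="$2" name want got
    name=$(basename "$file")
    [ -f "$file" ] && [ -f "$sums" ] || { echo "missing $file or $sums" >&2; return 2; }
    want=$(expected_sha256 "$sums" "$name") || {
        echo "no unique entry for $name in $sums" >&2; return 2; }
    got=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "FAIL $file: expected $want, got $got" >&2; return 1; }
    echo "OK   $file"
}

# verify_all <file>=<checksum-file> ...: fail closed unless every pair verifies.
verify_all() {
    local pair rc=0
    for pair in "$@"; do
        verify_artifact "${pair%%=*}" "${pair#*=}" || rc=1
    done
    return "$rc"
}

# Checksum file names below are assumptions; use the lists published with
# the releases you downloaded:
#   bash verify.sh \
#     cri-containerd-1.6.34-linux-amd64.tar.gz=cri-containerd-1.6.34-linux-amd64.tar.gz.sha256sum \
#     runc.amd64=runc.sha256sum && echo "verified, continue with extraction"
if [ "$#" -gt 0 ]; then
    verify_all "$@"
fi
```

A checksum list fetched from the same release page catches corrupted or substituted downloads; it is not a substitute for a signature check where the project publishes one.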

Extract and copy the binaries:

<code># Extract cri-containerd
mkdir /tmp/cri-containerd
tar xf cri-containerd-1.6.34-linux-amd64.tar.gz -C /tmp/cri-containerd
sudo cp /tmp/cri-containerd/usr/local/bin/* /usr/bin
# Install runc
sudo cp runc.amd64 /usr/bin/runc
sudo chmod +x /usr/bin/runc</code>

Load Kernel Modules

<code># Temporary (-a loads every listed module; without it, br_netfilter is passed to overlay as a parameter)
sudo modprobe -a overlay br_netfilter
# Permanent
cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF</code>

Configure sysctl Parameters

<code>cat <<EOF | sudo tee /etc/sysctl.d/containerd.conf > /dev/null
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
sudo sysctl -p /etc/sysctl.d/containerd.conf</code>

Containerd Configuration

<code># Generate default config
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
# Change data directory
sudo sed -ri 's@^(root).*@\1 = "/data/containerd"@g' /etc/containerd/config.toml
# Set sandbox image
sudo sed -ri 's@(sandbox_image).*@\1 = "registry.aliyuncs.com/google_containers/pause:3.9"@g' /etc/containerd/config.toml
# Enable systemd cgroup
sudo sed -ri 's@(SystemdCgroup).*@\1 = true@g' /etc/containerd/config.toml
# Set registry config path
sudo sed -ri 's@(config_path).*@\1 = "/etc/containerd/certs.d"@g' /etc/containerd/config.toml</code>

Systemd Service

<code>sudo cp /tmp/cri-containerd/etc/systemd/system/containerd.service /usr/lib/systemd/system
sudo sed -ri 's@(ExecStart)=.*@\1=/usr/bin/containerd --config /etc/containerd/config.toml@g' /usr/lib/systemd/system/containerd.service</code>

Start and Verify

<code>sudo systemctl daemon-reload
sudo systemctl enable containerd.service --now
sudo ctr version</code>

Pull an Image

<code>sudo ctr -n k8s.io image pull registry.aliyuncs.com/google_containers/pause:3.9
sudo ctr -n k8s.io image ls
sudo crictl -r unix:///run/containerd/containerd.sock images</code>

Tips

ctr operates in the default namespace, while crictl defaults to k8s.io.

crictl requires the -r flag to specify the containerd socket; you can place this configuration in /etc/crictl.yaml for convenience:

<code>cat <<-EOF | sudo tee /etc/crictl.yaml > /dev/null
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF</code>

Security & Optimization

Run Containerd with the principle of least privilege.

Enable logging and real‑time monitoring to quickly detect anomalies.

Manage resources wisely—allocate CPU and memory to avoid contention and performance bottlenecks.

Conclusion

By following these steps you now have a production‑ready Containerd installation and configuration. Containerd serves as a crucial bridge between containers and the cloud‑native ecosystem, empowering you to build reliable, scalable workloads.
