
Master Production-Ready Containerd Installation & Configuration

This guide walks you through preparing your Linux server, downloading and installing Containerd with its dependencies, configuring system settings, setting up systemd services, verifying the installation, pulling images, and applying security and performance best practices for production environments.

Linux Ops Smart Journey

Introduction

Containerd is a highly modular container runtime designed for performance and simplicity, widely used in modern cloud‑native architectures. It is typically paired with Kubernetes in production, while Docker remains the preferred choice for single‑node container workloads.

Prerequisites

Operating System: stable Linux distribution (Ubuntu, CentOS, RHEL, etc.)

Hardware: at least 4 GB RAM and sufficient disk space

Network: internet access to download Containerd components

Install Containerd

Download the cri‑containerd package (which includes containerd, runc, and CNI plugins) and the runc binary:

# cri-containerd
curl -SLO https://github.com/containerd/containerd/releases/download/v1.6.34/cri-containerd-1.6.34-linux-amd64.tar.gz
# runc binary
curl -SLO https://github.com/opencontainers/runc/releases/download/v1.1.13/runc.amd64

Extract and copy the binaries:

# Extract cri-containerd
mkdir /tmp/cri-containerd
tar xf cri-containerd-1.6.34-linux-amd64.tar.gz -C /tmp/cri-containerd
sudo cp /tmp/cri-containerd/usr/local/bin/* /usr/bin
# Install runc
sudo cp runc.amd64 /usr/bin/runc
sudo chmod +x /usr/bin/runc

Load Kernel Modules

# Temporary (-a loads every listed module; without it, br_netfilter is read as a parameter of overlay)
sudo modprobe -a overlay br_netfilter
# Permanent
cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF

Configure sysctl Parameters

cat <<EOF | sudo tee /etc/sysctl.d/containerd.conf > /dev/null
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
sudo sysctl -p /etc/sysctl.d/containerd.conf

Containerd Configuration

# Generate default config
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
# Change data directory
sudo sed -ri 's@^(root).*@\1 = "/data/containerd"@g' /etc/containerd/config.toml
# Set sandbox image
sudo sed -ri 's@(sandbox_image).*@\1 = "registry.aliyuncs.com/google_containers/pause:3.9"@g' /etc/containerd/config.toml
# Enable systemd cgroup
sudo sed -ri 's@(SystemdCgroup).*@\1 = true@g' /etc/containerd/config.toml
# Set registry config path
sudo sed -ri 's@(config_path).*@\1 = "/etc/containerd/certs.d"@g' /etc/containerd/config.toml
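
sed exits 0 even when a pattern matches nothing, so a key that is absent or spelled differently in the generated file keeps its default without any error. The check below is an added example, not part of the original guide or the containerd project: it reads the four keys back and flags a config file that non-root users can write. The function names and the sample config are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): read back the keys the sed edits should have set.

# toml_values FILE KEY: print every value assigned to KEY, surrounding quotes stripped.
toml_values() {
  sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\"]*)\"?[[:space:]]*\$/\1/p" "$1"
}

# audit_containerd_config FILE: one finding per line; returns 0 only when clean.
audit_containerd_config() {
  local cfg="$1" rc=0 key want got
  while IFS='|' read -r key want; do
    # A key can occur more than once (several runtimes); every occurrence must match.
    got=$(toml_values "$cfg" "$key" | sort -u | tr '\n' ' ' | sed 's/ *$//')
    if [ -z "$got" ]; then
      echo "UNSET $key (expected $want)"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key = $got (expected $want)"; rc=1
    fi
  done <<'EOF'
root|/data/containerd
sandbox_image|registry.aliyuncs.com/google_containers/pause:3.9
SystemdCgroup|true
config_path|/etc/containerd/certs.d
EOF
  # Least privilege: only root should be able to rewrite the runtime config.
  if [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
    echo "WRITABLE $cfg (group- or world-writable)"; rc=1
  fi
  return "$rc"
}

# Constructed sample config: the root and SystemdCgroup edits did not apply.
sample_config() {
  cat <<'EOF'
root = "/var/lib/containerd"
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    SystemdCgroup = false
  [plugins."io.containerd.grpc.v1.cri".registry]
    config_path = "/etc/containerd/certs.d"
EOF
}

# Usage: audit.sh /etc/containerd/config.toml   (no argument: audit the sample)
cfg=${1:-$(mktemp)}
[ "$#" -gt 0 ] || sample_config > "$cfg"
audit_containerd_config "$cfg" || echo "config.toml needs attention"
[ "$#" -gt 0 ] || rm -f "$cfg"
```

Run it before starting the service; an empty result means all four values are in place and the file is writable by its owner only.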

Systemd Service

sudo cp /tmp/cri-containerd/etc/systemd/system/containerd.service /usr/lib/systemd/system
sudo sed -ri 's@(ExecStart)=.*@\1=/usr/bin/containerd --config /etc/containerd/config.toml@g' /usr/lib/systemd/system/containerd.service

Start and Verify

sudo systemctl daemon-reload
sudo systemctl enable containerd.service --now
sudo ctr version

Pull an Image

sudo ctr -n k8s.io image pull registry.aliyuncs.com/google_containers/pause:3.9
sudo ctr -n k8s.io image ls
sudo crictl -r unix:///run/containerd/containerd.sock images

Tips

ctr operates in the default namespace, while crictl defaults to k8s.io.

crictl requires the -r flag to specify the containerd socket; you can place this configuration in /etc/crictl.yaml for convenience:

cat <<-EOF | sudo tee /etc/crictl.yaml > /dev/null
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF

Security & Optimization

Run Containerd with the principle of least privilege.

Enable logging and real‑time monitoring to quickly detect anomalies.

Manage resources wisely—allocate CPU and memory to avoid contention and performance bottlenecks.

Conclusion

By following these steps you now have a production‑ready Containerd installation and configuration. Containerd serves as a crucial bridge between containers and the cloud‑native ecosystem, empowering you to build reliable, scalable workloads.
