Mastering containerd: Using ctr, nerdctl, and crictl for Container Management

This guide explains what containerd is, how to manage images and containers with its command‑line clients ctr, nerdctl, and crictl, and provides practical examples of pulling, running, inspecting, and cleaning up containers in a Linux environment.

Efficient Ops

containerd is a high-level container runtime, also known as a container manager. It runs as a daemon on a host and manages the full container lifecycle: creating, starting, and stopping containers, pulling and storing images, configuring mounts, networking, and more.

containerd is designed to be easily embedded into larger systems. Docker uses containerd under the hood, and Kubernetes can use it via the CRI to manage containers on a node. Smaller projects, such as faasd, can also benefit from integrating it.

Beyond programmatic use, containerd can be operated from the command line using available clients, offering a useful UX for debugging or learning.

How to use ctr with containerd

ctr is the command‑line client that ships with the containerd project. It is not Docker‑compatible, but it provides a close view of the containerd API, making it valuable for testing and learning.

Using ctr to handle container images

Pull images (you must specify the registry and tag):

<code>$ ctr images pull docker.io/library/nginx:1.21
$ ctr images pull docker.io/kennethreitz/httpbin:latest
$ ctr images pull quay.io/quay/redis:latest</code>
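
Because ctr requires the registry and tag to be spelled out, the following added example (not part of the original article) shows a shell helper that expands a Docker-style short name into the fully qualified reference ctr expects. The function name qualify_ref is hypothetical, and the rules are a simplified version of Docker's short-name convention (docker.io, library/, :latest).

```shell
#!/bin/sh
# Added example: expand a Docker-style short image name into the fully
# qualified reference that ctr needs. qualify_ref is a hypothetical helper.

qualify_ref() (
    ref=$1
    # Split off the first path component to decide whether it is a registry host.
    case $ref in
        */*) first=${ref%%/*}; rest=${ref#*/} ;;
        *)   first=; rest=$ref ;;
    esac
    # A registry host contains a dot or a port, or is literally "localhost".
    # Anything else is a Docker Hub namespace, so the whole name is the path.
    case $first in
        *.*|*:*|localhost) domain=$first ;;
        *) domain=docker.io; rest=$ref ;;
    esac
    # Official Docker Hub images live under the library/ namespace.
    if [ "$domain" = docker.io ]; then
        case $rest in
            */*) ;;
            *) rest=library/$rest ;;
        esac
    fi
    # Add the default tag unless a tag or digest is already present.
    last=${rest##*/}
    case $last in
        *@*|*:*) ;;
        *) rest=$rest:latest ;;
    esac
    printf '%s/%s\n' "$domain" "$rest"
)

# The three images pulled above, written as short names (constructed input).
# Only prints the commands; nothing is pulled.
for name in nginx:1.21 kennethreitz/httpbin quay.io/quay/redis; do
    echo "ctr images pull $(qualify_ref "$name")"
done
```

A reference that already carries a digest (name@sha256:...) is left without a tag, so a pinned image stays pinned.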

List local images:

<code>$ ctr images ls</code>

containerd does not provide built‑in image build support, but you can import images built with Docker or other OCI‑compatible tools:

<code>$ docker build -t my-app .
$ docker save -o my-app.tar my-app
$ ctr images import my-app.tar</code>

Mount an image to explore its filesystem:

<code>$ mkdir /tmp/httpbin
$ ctr images mount docker.io/kennethreitz/httpbin:latest /tmp/httpbin
$ ls -l /tmp/httpbin/
$ ctr images unmount /tmp/httpbin</code>

Remove an image:

<code>$ ctr images remove docker.io/library/nginx:1.21</code>

Using ctr to handle containers

Run a container:

<code>$ ctr run --rm -t docker.io/library/debian:latest cont1</code>

Note that you must provide a unique container ID yourself; ctr does not generate one automatically. Supported flags include --env, -t/--tty, -d/--detach, and --rm, but there is no port-mapping or automatic restart flag.

List existing containers:

<code>$ ctr containers ls</code>

The ctr run command is essentially a shortcut for ctr container create followed by ctr task start:

<code>$ ctr container create -t docker.io/library/nginx:latest nginx_1
$ ctr container ls
$ ctr task ls
$ ctr task start -d nginx_1
$ ctr task list</code>

Attach to a running task’s stdio:

<code>$ ctr task attach nginx_1</code>

Execute a command inside a container:

<code>$ ctr task exec -t --exec-id bash_1 nginx_1 bash</code>

Before removing a container, stop all its tasks:

<code>$ ctr task kill -s SIGKILL nginx_1</code>

Or force‑remove a running task:

<code>$ ctr task rm -f nginx_1</code>

Finally, remove the container:

<code>$ ctr container rm nginx_1</code>

How to use nerdctl with containerd

nerdctl is a newer, Docker-compatible CLI for containerd. It aims to provide a user-friendly experience while exposing containerd's advanced features such as lazy pulling (stargz) and image encryption (ocicrypt). Its features include image management (nerdctl build), container network management, and Docker-compatible compose up.

If you are familiar with the Docker or Podman CLI, you will feel at home with nerdctl.

How to use crictl with containerd

crictl is the command-line client for Kubernetes CRI-compatible container runtimes. Since containerd includes a built-in CRI plugin (from version 1.1), it works seamlessly with crictl.

crictl supports operations such as attach, create, exec, version, images, inspect, logs, port‑forward, ps, pull, run, runp, rm, rmi, pods, start, stop, update, config, and stats.

The crictl + containerd bundle can be used to explore how pods are implemented.