Mastering containerd: Using ctr, nerdctl, and crictl for Container Management

containerd is a high‑level container runtime, also known as a container manager. It runs as a daemon on a host and manages the full container lifecycle: creating, starting, stopping containers, pulling and storing images, configuring mounts, networking, and more.

containerd is designed to be easily embedded into larger systems. Docker uses containerd under the hood, and Kubernetes can use it via the CRI to manage containers on a node. Smaller projects can also benefit from its integration, such as faasd.

Beyond programmatic use, containerd can be operated from the command line using available clients, offering a useful UX for debugging or learning.

How to use ctr with containerd

ctr is the command‑line client that ships with the containerd project. It is not Docker‑compatible, but it provides a close view of the containerd API, making it valuable for testing and learning.

Using ctr to handle container images

Pull images (you must specify the registry and tag):

$ ctr images pull docker.io/library/nginx:1.21
$ ctr images pull docker.io/kennethreitz/httpbin:latest
$ ctr images pull quay.io/quay/redis:latest

List local images: $ ctr images ls containerd does not provide built‑in image build support, but you can import images built with Docker or other OCI‑compatible tools:

$ docker build -t my-app .
$ docker save -o my-app.tar my-app
$ ctr images import my-app.tar

Mount an image to explore its filesystem:

$ mkdir /tmp/httpbin
$ ctr images mount docker.io/kennethreitz/httpbin:latest /tmp/httpbin
$ ls -l /tmp/httpbin/
$ ctr images unmount /tmp/httpbin

Remove an image:

$ ctr images remove docker.io/library/nginx:1.21

Using ctr to handle containers

Run a container:

$ ctr run --rm -t docker.io/library/debian:latest cont1

Note that you must provide a unique container ID yourself; ctr does not generate one automatically. Supported flags include --env, -t / --tty, -d / --detach, --rm, but there is no port‑mapping or automatic restart flag.

List existing containers: $ ctr containers ls The ctr run command is essentially a shortcut for ctr container create followed by ctr task start:

$ ctr container create -t docker.io/library/nginx:latest nginx_1
$ ctr container ls
$ ctr task ls
$ ctr task start -d nginx_1
$ ctr task list

Attach to a running task’s stdio: $ ctr task attach nginx_1 Execute a command inside a container:

$ ctr task exec -t --exec-id bash_1 nginx_1 bash

Before removing a container, stop all its tasks: $ ctr task kill -9 nginx_1 Or force‑remove a running task: $ ctr task rm -f nginx_1 Finally, remove the container:

$ ctr container rm nginx_1

How to use nerdctl with containerd

nerdctl is a newer, Docker‑compatible CLI for containerd. It aims to provide a user‑friendly experience while exposing containerd’s advanced features such as delayed pulls (stargz) and image encryption (ocicrypt).

Image management (nerdctl build)

Container network management

Docker‑compatible compose up

If you are familiar with Docker or Podman CLI, you will feel at home with nerdctl.

How to use crictl with containerd

crictl is the command‑line client for the Kubernetes CRI‑compatible container runtime. Since containerd includes a built‑in CRI plugin (from version 1.1), it works seamlessly with crictl.

crictl supports operations such as attach, create, exec, version, images, inspect, logs, port‑forward, ps, pull, run, runp, rm, rmi, pods, start, stop, update, config, and stats.

crictl + containerd bundle can be used to explore how pods are implemented.