Unveiling Containerd: From Docker’s Shadow to a Robust Cloud‑Native Runtime

1. History of Containerd

Docker rose to prominence by popularizing images, which pressured other container technologies. Google, unwilling to be left behind, collaborated with Docker to open‑source a neutral container runtime, leading to the donation of libcontainer as runc to the OCI community.

To further diminish Docker’s dominance, the CNCF (Cloud Native Computing Foundation) was created, shifting focus to large‑scale orchestration. Docker responded with Swarm and Kubernetes, but Swarm lost. Docker then contributed its core dependency containerd to CNCF, positioning itself as a PaaS platform.

Containerd has since become an industrial‑grade container runtime, emphasizing simplicity, robustness, and portability.

2. Containerd Architecture

Containerd follows a client‑server model. The daemon provides a stable gRPC API, and clients interact via this API. Functionality is split into subsystems (bundles and runtimes) and plugins that implement each subsystem.

Bundle : Represents a container’s filesystem, configuration, and metadata. The Bundle subsystem extracts and packages bundles from images.

Runtime : Executes bundles, e.g., creates containers.

Plugins are loaded as modules, such as Service Plugin, Metadata Plugin, GC Plugin, and Runtime Plugin. Each plugin may depend on others, forming a flexible, extensible system.

The top‑level components are Storage, Metadata, and Runtime. The following diagram illustrates the architecture:

Key plugins include:

Content Plugin : Provides access to immutable content stored in the image.

Snapshot Plugin : Manages filesystem snapshots for each image layer, similar to Docker’s graphdriver.

Metrics : Exposes monitoring metrics for components.

3. Installing Containerd

Below are the steps to install Containerd on Ubuntu 18.04.

Install dependencies

🐳  → sudo apt-get update
🐳  → sudo apt-get install libseccomp2

Download and extract

Containerd provides two tarballs: containerd-${VERSION}.${OS}-${ARCH}.tar.gz (basic) and cri-containerd-${VERSION}.${OS}-${ARCH}.tar.gz (includes all binaries required by Kubernetes). For Kubernetes use the cri-containerd package.

🐳  → wget https://github.com/containerd/containerd/releases/download/v1.4.3/cri-containerd-cni-1.4.3-linux-amd64.tar.gz
🐳  → wget https://download.fastgit.org/containerd/containerd/releases/download/v1.4.3/cri-containerd-cni-1.4.3-linux-amd64.tar.gz

Inspect the archive contents:

🐳  → tar -tf cri-containerd-cni-1.4.3-linux-amd64.tar.gz

Extract to the system directories:

🐳  → sudo tar -C / -xzf cri-containerd-cni-1.4.3-linux-amd64.tar.gz

Add the binaries to PATH:

export PATH=$PATH:/usr/local/bin:/usr/local/sbin

Generate the default configuration file:

🐳  → mkdir /etc/containerd
🐳  → containerd config default > /etc/containerd/config.toml

Configure image mirrors

Because pulling images from public registries can be slow in China, configure mirrors in the registry.mirrors section of /etc/containerd/config.toml:

[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://dockerhub.mirrors.nwafu.edu.cn"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
    endpoint = ["https://registry.aliyuncs.com/k8sxio"]

Storage paths

Containerd uses two directories: /var/lib/containerd for persistent data (snapshots, content, metadata) and /run/containerd for runtime state.

Systemd service

Create or edit /etc/systemd/system/containerd.service (the file is provided in the archive). Important options include:

Delegate : Allows Containerd to manage its own cgroups.

KillMode=process : Ensures only the Containerd process is killed during restart, preserving containers.

OOMScoreAdjust=-999 : Reduces the chance of Containerd being OOM‑killed.

Enable and start the service:

🐳  → systemctl enable containerd --now

4. Quick Installation with Sealos

Sealos provides a one‑command, offline installation of a high‑availability Kubernetes cluster that bundles the latest Containerd (including arm64 support).

🐳  → wget -c https://sealyun.oss-cn-beijing.aliyuncs.com/latest/sealos
🐳  → chmod +x sealos && mv sealos /usr/bin
🐳  → wget -c https://sealyun.oss-cn-beijing.aliyuncs.com/7b6af025d4884fdd5cd51a674994359c-1.18.0/kube1.18.0.tar.gz
🐳  → sealos init --passwd 123456 \
    --master 192.168.0.2 --master 192.168.0.3 --master 192.168.0.4 \
    --node 192.168.0.5 \
    --pkg-url /root/kube1.18.0.tar.gz \
    --version v1.18.0

5. Using the ctr CLI

Image management

Pull an image:

🐳  → ctr i pull docker.io/library/nginx:alpine

List local images: 🐳 → ctr i ls Mount an image to a host directory:

🐳  → ctr i mount docker.io/library/nginx:alpine /mnt

Export and import images as tarballs:

🐳  → ctr i export nginx.tar.gz docker.io/library/nginx:alpine
🐳  → ctr i import nginx.tar.gz

Container lifecycle

Create a container (static state):

🐳  → ctr c create docker.io/library/nginx:alpine nginx

Start the container as a task: 🐳 → ctr task start -d nginx List running tasks: 🐳 → ctr task ls Execute a command inside the container (requires an exec‑id): 🐳 → ctr task exec --exec-id 0 -t nginx sh Pause, resume, and kill a container:

🐳  → ctr task pause nginx
🐳  → ctr task resume nginx
🐳  → ctr task kill nginx

Namespaces

Containerd supports namespaces. Docker uses the moby namespace, while Kubernetes uses k8s.io. List namespaces: 🐳 → ctr ns ls Show containers in a specific namespace:

🐳  → ctr -n moby c ls

Containerd + Docker

Docker can be run with an external Containerd socket:

dockerd --containerd /run/containerd/containerd.sock --cri-containerd

After starting a Docker container, it appears under the moby namespace in Containerd:

🐳  → ctr ns ls
default
moby
🐳  → ctr -n moby c ls

Kubernetes creates containers in the k8s.io namespace, which can be inspected with:

🐳  → ctr -n k8s.io c ls

References

bucketbench – https://github.com/estesp/bucketbench

Containerd releases – https://github.com/containerd/containerd/releases

Sealos – https://github.com/fanux/sealos