Why Containerd Beats Docker: Understanding Container Runtimes in Kubernetes
Container runtimes are essential for managing containers in Kubernetes, and this article explains their core functions, compares Docker and containerd, details the CRI interface, explores supported backends, and provides practical command references to help you choose the optimal runtime for cloud‑native deployments.
Container Runtime
A container runtime is a software component that creates and manages containers at the operating‑system level, providing isolation, resource management, and security. In Kubernetes, the container runtime is responsible for running containers, and while Docker was historically dominant, containerd has become a popular alternative.
Note: Starting with Kubernetes 1.24, Dockershim has been removed from the project.
The main tasks of a container runtime include:
Creating and starting containers based on image, command, and environment specifications.
Managing the container file system and mounting images.
Enforcing resource limits for CPU, memory, and storage.
Configuring container networking for communication with other containers and external networks.
Implementing security mechanisms to ensure isolation between containers and the host.
In the cloud‑native era, containerization is the primary method for deploying modern applications. Kubernetes (K8s) is a widely used orchestration system, and the choice of container runtime significantly impacts performance, reliability, and security. This article compares two common K8s runtimes: containerd and Docker.
Docker: The Early Leader
Docker revolutionized application packaging and delivery with lightweight containers, offering user‑friendly CLI tools and graphical interfaces. However, as Kubernetes grew, Docker’s all‑in‑one platform introduced unnecessary components and resource overhead. Docker was split into modular parts:
docker-client
dockerd
containerd
docker-shim
runc
Since containerd is a core component of Docker, Docker’s container management ultimately relies on containerd.
Containerd: The Cloud‑Native Standard
Containerd, open‑sourced by the Docker team, is a lightweight, high‑performance runtime designed to align with Kubernetes architecture. It offers a smaller resource footprint, faster startup, and better performance. Containerd manages the full container lifecycle, including image transfer and storage, execution, networking, and storage management. Its responsibilities include:
Managing the container lifecycle (creation to destruction).
Pulling and pushing container images.
Handling storage for images and container data.
Invoking runC to run containers.
Managing container network interfaces and networking.
Container Runtime Interface (CRI)
The Container Runtime Interface (CRI) is a plugin interface that allows the kubelet to use various container runtimes without recompiling cluster components. Each node must have a functional runtime so the kubelet can start Pods and their containers.
Kubernetes and Dockershim
The Kubernetes architecture shows that the kubelet interacts with a container runtime layer, which handles the full container lifecycle and image pulling.
Supported CRI Backends
Beyond Docker, Kubernetes supports several CRI‑compatible backends:
cri‑o: Implements the CRI standard and serves as an intermediate layer for OCI‑compatible runtimes.
cri‑containerd: CRI implementation based on containerd.
rkt: CoreOS‑backed runtime positioned as an alternative to Docker.
frakti: Hypervisor‑based CRI implementation.
docker: The original runtime still supported, though its shim has been deprecated.
Dockershim
When CRI was introduced, Docker did not yet support it, so a compatibility layer called Dockershim was added to bridge kubelet and Docker. The container launch flow with Docker involved:
Dockershim was maintained by the Kubernetes project, requiring updates for each new Docker release. Starting with Kubernetes 1.24, Dockershim was removed, and containerd is used directly via CRI, simplifying the call chain.
Call Chain Comparison
When using Docker, the call chain is: kubelet → dockershim (in kubelet) → dockerd → containerd. When using containerd, the chain is: kubelet → cri‑plugin (in containerd) → containerd. From a Kubernetes perspective, containerd offers a shorter, more stable call chain with fewer components and lower node resource consumption.
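To find which nodes still sit on the longer Docker call chain, the following added example (not part of the original article) classifies nodes by the kubeletVersion and containerRuntimeVersion fields that `kubectl get nodes -o json` reports under status.nodeInfo. The sample node list is constructed, and the finding labels are names chosen for this example.

```python
import json
import re

# Constructed sample shaped like `kubectl get nodes -o json` (trimmed to the fields used).
SAMPLE_NODES = json.loads("""
{"items": [
  {"metadata": {"name": "node-a"},
   "status": {"nodeInfo": {"kubeletVersion": "v1.23.17",
                           "containerRuntimeVersion": "docker://20.10.21"}}},
  {"metadata": {"name": "node-b"},
   "status": {"nodeInfo": {"kubeletVersion": "v1.24.9",
                           "containerRuntimeVersion": "containerd://1.6.15"}}},
  {"metadata": {"name": "node-c"},
   "status": {"nodeInfo": {"kubeletVersion": "v1.26.1+k3s1",
                           "containerRuntimeVersion": "docker://23.0.1"}}},
  {"metadata": {"name": "node-d"}, "status": {"nodeInfo": {}}}
]}
""")

DOCKERSHIM_REMOVED_MINOR = 24  # Dockershim was removed starting with Kubernetes 1.24


def classify(node):
    """Return (name, runtime, finding) for one node object."""
    name = node.get("metadata", {}).get("name", "<unnamed>")
    info = node.get("status", {}).get("nodeInfo", {})
    # containerRuntimeVersion has the form "<runtime>://<version>"
    runtime, sep, _version = info.get("containerRuntimeVersion", "").partition("://")
    m = re.match(r"v?(\d+)\.(\d+)", info.get("kubeletVersion", ""))
    if not sep or not m:
        return name, "unknown", "missing-node-info"
    major, minor = int(m.group(1)), int(m.group(2))
    if runtime != "docker":
        return name, runtime, "cri-native"
    if (major, minor) < (1, DOCKERSHIM_REMOVED_MINOR):
        # kubelet -> dockershim -> dockerd -> containerd: breaks on upgrade to 1.24
        return name, runtime, "dockershim-migrate-before-1.24"
    # Docker reported by a kubelet that has no Dockershim: an external CRI adapter is in the path.
    return name, runtime, "docker-via-external-adapter"


def audit(node_list):
    """Classify every node in a NodeList-shaped dict."""
    return [classify(n) for n in node_list.get("items", [])]


if __name__ == "__main__":
    for name, runtime, finding in audit(SAMPLE_NODES):
        print(f"{name:8} {runtime:11} {finding}")
```

Against a live cluster, pass the parsed output of `kubectl get nodes -o json` to `audit()` in place of the sample.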
Common Commands
Typical command‑line tools include ctr for containerd and crictl for CRI‑compatible operations. Below are some frequently used commands:
Operation: docker / ctr (containerd) / crictl (CRI)
List running containers: docker ps / ctr task ls / crictl ps
List images: docker images / ctr image ls / crictl images
View container logs: docker logs / (none for containerd) / crictl logs
Inspect container details: docker inspect / ctr container info / crictl inspect
Show container resource usage: docker stats / (none for containerd) / crictl stats
Start/stop containers: docker start/stop / ctr task start/kill / crictl start/stop
Run a new container: docker run / ctr run / (not applicable; pod is the smallest unit for CRI)
Tag an image: docker tag / ctr image tag
Create a container: docker create / ctr container create / crictl create
Import/export images: docker load/save / ctr image import/export
Remove containers/images: docker rm/rmi / ctr container rm / crictl rm
Pull/push images: docker pull/push / ctr image pull/push
Execute commands inside a container: docker exec / (none for containerd) / crictl exec
Ops Development Stories
Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
