What is containerd
containerd is a high-level container runtime that manages the full container lifecycle. It pulls images from registries, unpacks layers, creates OCI bundles, invokes the low-level runtime (runc), and manages running container state.
How it works
containerd runs as a daemon and exposes a gRPC API. It handles: image management (pull, push, tag, delete), snapshot management (filesystem layers via overlayfs), container creation (passing OCI bundles to runc), and task management (start, stop, pause, resume).
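Because one gRPC API controls images, snapshots, containers and tasks, how that API is exposed decides who can drive the runtime. The Python script below is an added example, not containerd's own code and not part of the original page. It audits the `[grpc]` table of a containerd `config.toml` and the mode of the API socket. Assumptions: the key names and default paths are containerd's usual ones and are not stated on this page, the sample config is constructed, and the small line parser handles only flat `key = value` entries.

```python
import os
import stat

# Constructed sample: key names are containerd's, values are made up.
SAMPLE_CONFIG = '''
version = 2
[grpc]
  address = "/run/containerd/containerd.sock"
  tcp_address = "0.0.0.0:10010"
  uid = 0
  gid = 1001
'''

def grpc_settings(config_text):
    """Return the flat key/value pairs of the [grpc] table as strings."""
    settings, section = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.startswith("["):
            section = line.strip("[]").strip()
        elif section == "grpc" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.strip('"')
    return settings

def audit_grpc(settings, socket_mode=None):
    """List the ways the API is reachable by anyone other than root."""
    findings = []
    tcp = settings.get("tcp_address", "")
    if tcp:
        tls = settings.get("tcp_tls_cert") and settings.get("tcp_tls_key")
        findings.append(f"API listens on TCP {tcp} " + ("with TLS" if tls else "without TLS"))
    if settings.get("uid", "0") != "0":
        findings.append(f"socket owner is non-root uid {settings['uid']}")
    if settings.get("gid", "0") != "0":
        findings.append(f"socket group is non-root gid {settings['gid']}")
    # Connecting to a Unix socket needs write permission on it.
    if socket_mode is not None and socket_mode & stat.S_IWOTH:
        findings.append(f"socket mode {stat.S_IMODE(socket_mode):o} lets any local user connect")
    return findings

def audit_host(config_path="/etc/containerd/config.toml"):
    """Audit a live host; both default paths are assumptions, not from the page."""
    with open(config_path) as fh:
        settings = grpc_settings(fh.read())
    sock = settings.get("address", "/run/containerd/containerd.sock")
    mode = os.stat(sock).st_mode if os.path.exists(sock) else None
    return audit_grpc(settings, mode)
```

`audit_grpc(grpc_settings(SAMPLE_CONFIG), socket_mode=0o140666)` reports three findings for the constructed config; a root-owned socket with mode 660 and no TCP listener reports none.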
containerd implements the Kubernetes Container Runtime Interface (CRI), which is how the kubelet communicates with the container runtime. Since Kubernetes 1.24, containerd is the default runtime — Docker (dockershim) was removed.
Docker uses containerd internally: docker run calls the Docker daemon, which calls containerd, which calls runc. Podman and nerdctl can also use containerd as their runtime backend.
CRI-O is an alternative high-level runtime purpose-built for Kubernetes. It implements CRI but has a smaller scope than containerd — no general-purpose container management, just what Kubernetes needs.
Why it matters
containerd is the runtime that Kubernetes, Docker, and most cloud platforms depend on. Understanding containerd explains why Kubernetes removed Docker (containerd was already doing the real work) and how the container runtime stack is layered: the CLI (docker/nerdctl) calls containerd, which calls runc.
See How Containers Work for the full runtime stack.