Containerd in simple terms is a container runtime that is, Containerd is a software responsible for running and managing containers on a host system. It is a resource manager which manages the container processes, image, snapshots, container metadata and its dependencies. Going further, Containerd is a daemon for Linux and Windows, that manages the complete container life cycle of its host system from image transfer and storage to container execution and supervision and beyond. So basically Containerd is a complete package for the container lifecycle.

Containerd is a CNCF (Cloud Native Community Foundation) graduated project. It was the fifth project to graduate from CNCF on 2019. In this article we will learn about Containerd and why it is consider the secret hero of the cloud native world.

What is Containerd?

With the increasing adoption of Kubernetes, Docker was moving with its own set of features and enhancements more oriented towards Docker Swarm so it became difficult for the Kubernetes community to adopt everything and also they started working on then CRI (Container Runtime Initiative) to plug other container runtimes with Kubernetes because it makes sense to have our own CRI that we can plug with the Kubernetes architecture rather than Docker because Docker has more number of features that probably we won’t need with respect to Kubernetes. This was when Containerd started to become more mature as a project and became fully contained which means it can perform tasks like the image pull, image push, task management etc.

How Containerd Works?

So basically when a request is sent to Docker, it passes the request to Containerd, which then passes the request to run c. Run c is actually running the containers by having the all the name spaces and other things that interact with the operating system. Therefore we usually say that Containerd sits between Docker and runc.

Docker API

• CLI Client uses the Docker API

Docker(d)

• Docker(d) focuses on Development Experience
• Handles higher-level tasks (example: login/build/inspect/attach/etc.)
• Has orchestration support (aka Swarm)

Containerd

• Focuses on being a “higher-level runtime”
• Starts container runtimes (including OCI)
• Manages networks (example bridge, namespaces)
• Cannot build images, but is used for building!

Container-runtime-Shim

• The container-runtime-Shims help to abstract low-level runtimes
• Shim lives as long as a container process
• Shim intercepts container’s stdin, stdout, and stderr streams and redirects them to logs
• Shim helps with ‘docker attach functionality

Runc (OCI runtime)

• runc is a command-line tool for spawning and running containers according to OCI runtime specification
• It prepares runtime for container, including namespace creation
• starts (fork/exec) container process and then exits

Containers

• Container are regular Linux processes
• They can outlive dockerd daemon (see live-restore)
• They see a virtualized OS around them (fs, network, PID, UID, etc. namespaces, veth and bridge network devices, etc.)

How Containerd was built?

Containerd was originally build alongside Docker, surprisingly, it wasn’t forked or inherited from the docker codebase but was created as a new project around the same time when OCI (Open Container Initiative) was formed and run c was created. it started with as specific branch where docker pulled its containary piece out and put it as a separate kind of project where more people could collaborate. Then it gradually grew in scope from a container supervisor to full runtime. it was initially a process supervisor that sat between the full Docker runtime and run c. Over the years it has grown in scope from a process supervisor to a full runtime.

The CRI (Container Runtime Interface) was originally out of the process and that was the last piece that came into Containerd. That’s how Containerd had its growth over the years from the supervisor to a full runtime and then adding in the CRI (Container Runtime Interface), Containerd became a runtime for Kubernetes. In between all this, it was donated to CNCF (Cloud Native Community Foundation). Now it is a CNCF (Cloud Native Community Foundation) graduated project.

How to use and Troubleshoot Containerd?

Containerd comes with a command line tool called ctr and this tool is solely made for debugging Containerd and is not very user friendly as it only supports a limited set of features. While the ctr tool is bundled together with containerd, the ctr tool is solely made for debugging containerd. The nerdcti tool provides stable and human-friendly user experience. We don’t have to necessarily code on Containerd. In fact, We can simply use Kubernetes and Kubernetes will under the hood use Containerd and take that heavy lifting for us.

Follow along with the turotial to learn how to use Containerd’s command line tool ctr:

Steps To Install Containerd

Step 1. Installing Containerd

In order to install Containerd’s latest release v1.76 (as of october 2023) enter the following command in your WSL (Window Subsystem for Linux) terminal or simply Linux terminal:

wget https://github.com/containerd/containerd/releases/download/v1.7.6/containerd-1.7.6-linux-amd64.tar.gz
tar xvf containerd-1.7.6-linux-amd64.tar.gz

The process will take some time to install.

Following packages will be installed:

1. bin/
2. bin/containerd-shim-runc-v1
3. bin/containerd-stress
4. bin/containerd-shim-runc-v2
5. bin/containerd
6. bin/containerd-shim
7. bin/ctr

CTR: As per the official documentation in the Containerd CLI, ctr is an unsupported debug and administrative client for interacting with the containerd daemon. Because it is unsupported, the commands, options, and operations are not guaranteed to be backward compatible or stable from release to release of the containerd project.

Step 2 : Installing runc

runc is a standardized runtime for spawning and running containers on Linux according to the OCI specification. Enter the following command to download runc, make sure to change the version to the latest version of runc.

wget https://github.com/opencontainers/runc/releases/download/v1.1.3/runc.amd64

Enter the following command to install it.

sudo install -m 755 runc.amd64 /usr/local/sbin/runc

Step 3: Download and install CNI plugins.

Enter the following set of commands in your terminal to download all the CNI plugins:

wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz

sudo mkdir -p /opt/cni/bin

sudo tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz

Step 4: Configure containerd.

Enter the following set of commands create a containerd directory for the configuration file config.toml which is the default configuration file for containerd. Then Enable systemd group . and then use sed command to change the parameter in config.toml or you can use an editor. At last to convert containerd into a service.

sudo mkdir /etc/containerd

containerd config default | sudo tee /etc/containerd/config.toml

sudo sed -i 's/SystemdCgroup \= false/SystemdCgroup \= true/g' /etc/containerd/config.toml

sudo curl -L https://raw.githubusercontent.com/containerd/containerd/main/containerd.service -o /etc/systemd/system/containerd.service

Step 5: Start Containerd service.

Enter the following set of command to start Containerd as a service

sudo systemctl daemon-reload

sudo systemctl enable --now containerd

sudo systemctl status containerd

Note: You might face issues in step 5 if you haven’t started your Ubuntu (or other Systemd) distribution.

Once the installation is completed, you can enter the

ctr

command to see if the installation was successful or not. You will get a similar output if the installation is done successfully:

But it’s not complete yet, enter the following command to check if the ctr runs properly or not

ctr version

You should get a similar output if the installation is compete:

Note that I have Client as well as Server options. if you only have Client option. The installation is incomplete, you will have not downloaded the prerequisites before Containerd. Check official docs for solving the issue.

Step 6: Pulling images.

ctr command can be used to perform basic container related activities such as pull Docker images. In order to pull an image you can run the

ctr images pull 

command followed by the address of the image and to run a container we use the

ctr run 

command and specify the image address. but as we mentioned this tool is solely made for debugging Containerd and is not very user friendly and not to be used for running or managing containers on on a production environment so a better alternative recommended is the “nerd control tool” or nerdctl tool. The node control tool is a command line tool that’s very similar to Docker, it supports almost all of the options that Docker supports.

To pull an image enter the following command to pull an redis image:

ctr images pull docker.io/library/redis:alpine

you will get a similar output after this:

Step 7: running the container

ctr run docker.io/library/redis:alpine redis

You will see that the container is running and the server has been initiallized. You might get a bit different output but you will get the server initialized command:

And this is how to can pull container images and run those containers in ctr. Note that ctr is not the ideal CLI to perform these tasks, it was build to troubleshoot Containerd. You can try out other features in ctr by checking out the Containerd documentation.

Features of Containerd

1. OCI Image Spec support

OCI stands for Open Container Initiative. OCI image spec basically is a standardized format for creating container images that is accepted by all container runtimes, it makes it easier to create, share, and run containers across different container runtimes. Containerd being among leader in container runtimes, supports OCI Image Spec which ensures compatibility with industry standards and simplifies creating, sharing and running of containers.

2. Image push and pull request

Being a container runtime, Containerd obviously supports pushing, pulling of images, running of those container images etc. We already discussed in the how to use Containerd tutorial part.

3. OCI runtime spec support (runc)

Containerd provides the OCI (Open Container Initiative) runtime spec support. And with the help of Shim we can even implement other low level container runtimes.

4. Container runtime and lifecycle support

We already talked about Containerd being a container runtime but Containerd also manages the complete lifecycle of containers, including creation, execution, pausing, resuming, and stopping containers as we discussed earlier. Containerd manages container logs and attach to running containers for debugging purposes as well.

5. Management of network namespaces, containers to join existing namespaces

Containerd provides both isolation as well as flexibility in managing network namespaces, it offers enhanced security and networking capabilities for containers.

6. Build by the Community and open-sourced

Containerd is an open-source project which is independent of Docker. Tt has an active community of contributors and users. So you can ask your doubts about Containerd there as well as start contributing to the codebase.

7. Features offered by nerdctl

1. nerdctl provides a Docker-like CLI for containerD
2. nerdctl supports docker compose
3. nerdctl supports features in like following:

• Encrypted container images
• Lazy Pulling
• P2P image distribution
• Image signing and verifying
• Namespaces in Kubernetes

Conclusion

In this article we discussed Containerd in a quite detailed way, Containerd is a daemon for Linux and Windows, that manages the complete container life cycle of its host system from image transfer and storage to container execution and supervision and beyond. We started with a quick intro to Containerd. Then we discussed how Conatinerd was build, how it was kept independent to Docker, how it was given to CNCF (Cloud Native Community Foundation) and how to graguated from CNCF. We then discussed how Containerd actually works. What happens is Docker API gets the request and it passes the request to Containerd, which then passes the request to run c. After that we discussed how to use ctr which is the command line interface for Containerd. At the end we discussed some important features of Containerd.

We hope that through this article, you got to learn a lot about Containerd, how it was build, how it works and how to use it. Hopefully this article improved your knowledge regarding Containerd and container runtimes in general. Here are some frequently asked questions regarding Containerd.

FAQs On Containerd

1. What is Containerd used for?

Containerd is used for running and managing containers on a host system.

2. What operating systems is Containerd available for?

Containerd is available as a daemon for Linux and Windows.

3. Is containerd free to use?

Containerd comes with both free and well as paid features. For beginner you can consider it free.

4. What is OCI?

OCI Stands for Open Container Initiative. The OCI Image Spec is a standardized format for container images. Similarly we have OCI runtime spec that is a standardized format for container runtimes.