Do I need to know about containerd?

Probably not. If you're using Kubernetes, you're already using containerd whether you know it or not. If you're doing local development with Docker, just keep using Docker. containerd is infrastructure that works best when you ignore it.

Kubernetes deprecated Docker - am I fucked?

No, you're fine. The "Docker deprecation" was mostly marketing panic. Your Docker images still work, your k8s deployments still work. Kubernetes just uses containerd directly now instead of going through Docker's daemon. Your containers don't care.

Should I switch from Docker to containerd for development?

Unless you're allergic to Docker's licensing fees or really want rootless containers, just stick with Docker. containerd with [nerdctl](https://github.com/containerd/nerdctl) gives you Docker-like commands, but some Docker Compose features don't work right and the ecosystem assumes Docker exists.

Is containerd actually free or is there a catch?

It's [Apache 2.0 licensed](https://github.com/containerd/containerd/blob/main/LICENSE) and totally free. No subscriptions, no per-container fees, no licensing bullshit. The CNCF owns it so it won't suddenly become commercial like Docker Desktop did.

How do I install this thing without breaking my system?

On Ubuntu: Add Docker's repo first, then `apt install containerd.io`. Don't use the distro package - it's ancient.On CentOS/RHEL: Also use Docker's repo. The base repo version is broken.On Windows: Good luck. It works for Windows containers but WSL2 support is flaky. Check [containerd.io/downloads](https://containerd.io/downloads/) for the full installation hell.

What version should I actually use?

Stick with containerd 1.7.x for production - it's the LTS version until March 2026. containerd 2.x is newer but less battle-tested. Don't use whatever ancient version your distro ships by default.

Can containerd build Docker images?

Nope. You need [BuildKit](https://github.com/moby/buildkit), [buildah](https://buildah.io/), or [kaniko](https://github.com/GoogleContainerTools/kaniko). This is annoying if you're used to `docker build` just working. BuildKit integration exists but it's more complicated than Docker's setup.

Why is the ctr command so terrible?

Because it's designed for debugging, not human use. Everything needs a namespace: `ctr -n k8s.io containers list` to see k8s containers. Use [nerdctl](https://github.com/containerd/nerdctl) instead - it has sane commands like `nerdctl ps`.

My containers are stuck in "Creating" - what's wrong?

Usually cgroup configuration. Add `SystemdCgroup = true` to your `/etc/containerd/config.toml` if you're using systemd (which you probably are). Run `systemctl restart containerd` after changing the config.

How do I see what's actually running?

`ctr -n k8s.io containers list` for k8s containers, `ctr -n default containers list` for everything else. Or install nerdctl and use `nerdctl ps` like a civilized human being.

Where are the logs when things break?

`journalctl -u containerd` shows containerd service logs. Enable debug logging if you hate your disk space: `containerd --log-level debug`. Container logs depend on what's calling containerd (usually k8s handles this).

Is rootless containerd worth the pain?

Only if you're security-paranoid or can't run as root. The setup involves [rootlesskit](https://rootlesscontaine.rs/), multiple config files, and hoping your kernel supports user namespaces. Most people just run as root and deal with the security implications.

Currently viewing the AI version

Switch to human version

containerd: AI-Optimized Technical Reference

Executive Summary

containerd is a container runtime that Kubernetes uses instead of Docker. It's 20-30% faster with lower memory usage (~40MB vs 200MB+) but lacks image building capabilities and has a hostile CLI interface.

Critical Configuration Requirements

Installation Failure Modes

Ubuntu: apt install containerd installs broken ancient version
- Solution: Add Docker's repo first, install containerd.io
CentOS/RHEL: Base repo package often broken
- Solution: Use Docker's repo or build from source
Windows: WSL2 integration is unreliable

Configuration Breaking Points

Config location: /etc/containerd/config.toml
Version migration: 1.x to 2.x breaks config format
Critical setting: SystemdCgroup = true (required for k8s with systemd)
- Failure consequence: Pods randomly fail to start
Registry config: Now in /etc/containerd/certs.d/, not main config

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = true

Operational Intelligence

Performance Characteristics

Container startup: 20-30% faster than Docker
Memory footprint: ~40MB (containerd) vs 200MB+ (Docker)
Significance: Matters at scale (thousands of containers), negligible for development

Version Strategy

Production: containerd 1.7.x (LTS until March 2026)
Avoid: Distribution packages (ancient/broken)
Current: 2.1.4 as of August 2025 (breaking changes from 1.x)

Runtime Comparison Matrix

Runtime	Memory	Build Images	Rootless	k8s Default	Best Use Case
containerd	~40MB	No (needs BuildKit)	Complex setup	Yes	Production k8s
Docker	200MB+	Yes (built-in)	Half-broken	Deprecated	Development
Podman	~60MB	Yes (buildah)	Designed for it	Needs CRI setup	Rootless environments
CRI-O	~50MB	No	Works	OpenShift default	k8s purist

Critical Failure Scenarios

Common Breaking Points

"failed to start container"
- Root cause: cgroup misconfiguration
- Diagnostic: Check SystemdCgroup setting
- Alternative error: "failed to create shim task"
Image pulls hang
- Root cause: Registry configuration issues
- Diagnostic: Check /etc/containerd/certs.d/
- Symptoms: "connection timeout" or "x509" errors in journalctl -u containerd
Containers won't stop
- Root cause: Stuck shim processes
- Diagnostic: ps aux | grep containerd-shim
- Nuclear option: kill -9 containerd process
Permission denied
- Root cause: SELinux/AppArmor blocking
- Diagnostic: ausearch -m avc for SELinux violations
- Test: setenforce 0 temporarily

CLI Interface Reality

Native tool: ctr (user-hostile, requires namespaces for everything)
Better alternative: nerdctl (Docker-like commands)
Namespace gotcha: k8s uses k8s.io, default is default

# ctr (painful)
ctr -n k8s.io containers list

# nerdctl (sane)
nerdctl ps

Resource Requirements

Expertise Investment

Minimal: If using managed k8s (EKS/GKE/AKS) - runs transparently
Moderate: For direct installation/configuration
High: For rootless setup, custom runtimes (gVisor/Kata)

Time Investment

Installation: 30 minutes (if using correct repos)
Basic config: 1-2 hours
Rootless setup: 4-8 hours (multiple config files, kernel requirements)
Troubleshooting: Significantly longer than Docker (fewer Stack Overflow answers)

Decision Criteria

Use containerd When:

Running production Kubernetes (already using it)
Need rootless containers (better than Docker)
Want faster container startup at scale
Avoiding Docker licensing fees

Stick with Docker When:

Local development (better tooling ecosystem)
Need integrated image building
Want mature troubleshooting resources
Using Docker Compose extensively

Avoid containerd When:

Need GUI management tools
Require Windows container support
Team lacks container runtime expertise

Monitoring and Debugging

Metrics

Endpoint: /metrics (Prometheus format)
Quality: Low-level metrics like containerd_container_blkio_io_serviced_recursive_total
Requirement: Need cAdvisor or node-exporter for useful container metrics

Logging

Location: journald (journalctl -u containerd)
Debug mode: Fills disk rapidly
Container logs: Handled by calling system (usually k8s)

Support Channels

GitHub Issues: Primary troubleshooting resource
Official Slack: Real-time community support
Stack Overflow: Limited containerd content compared to Docker

Security Considerations

Rootless Implementation

Setup complexity: High (rootlesskit, multiple configs, kernel requirements)
Adoption: Most run as root despite security implications
Prerequisites: User namespace kernel support, specific file permissions

Production Security

Default: Runs as root
Hardening: User namespaces, SELinux/AppArmor policies
Supply chain: Notary v2 integration available for image signing

Integration Ecosystem

Image Building

containerd: No native building
Solutions: BuildKit, buildah, kaniko
Complexity: More setup than Docker's integrated approach

Orchestration

Kubernetes: Native integration (default runtime)
Docker Compose: Limited nerdctl support, some features missing
Single containers: Use nerdctl for Docker-like experience

Registry Integration

Configuration: /etc/containerd/certs.d/ directory structure
Authentication: hosts.toml format
Private registries: Requires explicit configuration (not auto-discovered)

Migration Considerations

From Docker

Images: Compatible (same OCI format)
Compose files: Limited compatibility via nerdctl
Build processes: Need separate BuildKit setup
Monitoring: Different metrics format

Kubernetes Migration

Timeline: Most managed services already migrated
Impact: Transparent to applications
Troubleshooting: Different error messages, fewer familiar debugging tools

Breaking Changes and Gotchas

Version 2.x Changes

Config format: TOML structure changed
API endpoints: Some breaking changes
Migration: Test thoroughly, regenerate config with containerd config default

Production Deployment Warnings

Don't: Use distribution packages
Don't: Upgrade major versions without testing config
Don't: Assume Docker Compose full compatibility
Do: Monitor GitHub releases for security updates
Do: Test rootless setup extensively before production use

Useful Links for Further Investigation

Essential containerd Resources

Link	Description
containerd.io	The authoritative source for containerd documentation, featuring getting started guides, architecture overviews, and best practices for production deployments.
GitHub Repository	Active development repository containing source code, issue tracking, and comprehensive technical documentation including API references and contributor guidelines.
Releases and Downloads	Official distribution point for containerd binaries across platforms, including Linux, Windows, and source code packages with GPG signatures.
containerd Slack	Join the official Slack workspace for real-time community support, development discussions, and announcements from maintainers.
Getting Started Guide	Step-by-step walkthrough for installing containerd, basic configuration, and running your first containers across different operating systems.
Configuration Reference	Comprehensive reference for containerd.toml configuration options, including CRI plugin settings, runtime selection, and security configurations.
Container Registry Configuration	Detailed guide for configuring registry authentication, mirrors, and private registry access using the hosts.toml configuration system.
Kubernetes CRI Documentation	Kubernetes documentation covering containerd installation, configuration, and troubleshooting for production cluster deployments.
AWS EKS containerd Guide	Amazon's comprehensive guide for migrating EKS clusters to containerd, including version compatibility and configuration considerations.
nerdctl	Community-driven command-line tool providing familiar Docker-style commands for containerd operations, perfect for development workflows.
ctr CLI Documentation	Reference guide for the native containerd CLI tool, useful for debugging, container inspection, and low-level runtime operations.
BuildKit	Next-generation image builder that integrates with containerd for efficient, secure, and parallel image construction workflows.
Prometheus Metrics Guide	Technical documentation for containerd's Prometheus metrics endpoint, including available metrics and monitoring best practices.
containerd Issues on GitHub	Active issue tracker and troubleshooting resource where users report problems, share solutions, and get help from maintainers and community.
Rootless Containers Guide	Community resource for implementing rootless container deployments with containerd, improving security posture and reducing privilege escalation risks.
Notary v2 Integration	Documentation for implementing container image signing and verification workflows using Notary v2 with containerd for supply chain security.
CNCF Security Audit	Independent security audits and assessments of containerd, providing transparency about security practices and vulnerability management.
CNCF Webinars	Cloud Native Computing Foundation webinar series featuring containerd presentations, use cases, and technical deep-dives from industry experts.
Container Runtime Comparison	Kubernetes documentation comparing containerd with other container runtimes, helping understand ecosystem positioning and selection criteria.

containerd: AI-Optimized Technical Reference

Executive Summary

Critical Configuration Requirements

Installation Failure Modes

Configuration Breaking Points

Operational Intelligence

Performance Characteristics

Version Strategy

Runtime Comparison Matrix

Critical Failure Scenarios

Common Breaking Points

CLI Interface Reality

Resource Requirements

Expertise Investment

Time Investment

Decision Criteria

Use containerd When:

Stick with Docker When:

Avoid containerd When:

Monitoring and Debugging

Metrics

Logging

Support Channels

Security Considerations

Rootless Implementation

Production Security

Integration Ecosystem

Image Building

Orchestration

Registry Integration

Migration Considerations

From Docker

Kubernetes Migration

Breaking Changes and Gotchas

Version 2.x Changes

Production Deployment Warnings

Useful Links for Further Investigation

Essential containerd Resources

Related Tools & Recommendations

Making Pulumi, Kubernetes, Helm, and GitOps Actually Work Together

CrashLoopBackOff Exit Code 1: When Your App Works Locally But Kubernetes Hates It

Temporal + Kubernetes + Redis: The Only Microservices Stack That Doesn't Hate You

Amazon EKS - Managed Kubernetes That Actually Works

Sketch - Fast Mac Design Tool That Your Windows Teammates Will Hate

Parallels Desktop 26: Actually Supports New macOS Day One

Rancher Desktop - Docker Desktop's Free Replacement That Actually Works

I Ditched Docker Desktop for Rancher Desktop - Here's What Actually Happened

Rancher - Manage Multiple Kubernetes Clusters Without Losing Your Sanity

Podman - The Container Tool That Doesn't Need Root

Podman Desktop - Free Docker Desktop Alternative

Docker, Podman & Kubernetes Enterprise Pricing - What These Platforms Actually Cost (Hint: Your CFO Will Hate You)

jQuery - The Library That Won't Die

US Pulls Plug on Samsung and SK Hynix China Operations

Fix Helm When It Inevitably Breaks - Debug Guide

Helm - Because Managing 47 YAML Files Will Drive You Insane

Playwright - Fast and Reliable End-to-End Testing

Docker Desktop Alternatives That Don't Suck

Docker Swarm - Container Orchestration That Actually Works

Docker Security Scanner Performance Optimization - Stop Waiting Forever