containerd is a container runtime that manages the lifecycle of a container hosted on either a physical machine or a virtual machine, i.e. it manages the process of creating, starting, stopping, and destroying containers. containerd is available as a daemon, meaning it is a computer program that runs as a background process rather than under the direct control of an interactive user. It is available for both Linux and Windows. It also manages everything from image transfer and storage to container execution and supervision, low-level storage, network attachments and beyond.
When you are building a large platform or distributed system you want an abstraction layer between your management code and the syscalls and duct tape of features needed to run a container. That is where containerd lives. It provides a client layer of types that platforms can build on top of without ever having to drop down to the kernel level.
As a container runtime, containerd can:
- Limit the total memory and CPU shares allocated to containers with cgroups.
- Isolate the processes within a container, blocking it from seeing any host process.
- Extract the container image into an isolated part of the host file system and present it to the container as its root, so the container sees those files as its own entire file system. This ensures the container cannot access any other container's files or the host's files. containerd can also attach selected parts of the host file system into the container when required.
- Create a UID namespace where UID 0 (root) within the container maps to a different, unprivileged UID on the host system. This ensures that, should the container's root process manage to reach the host system, it is blocked from running as root on the host.
- Set up the environment variables within the container. Some variables may come from the container image as default, while containerd can assign others during the container execution.
- Add or remove Linux capabilities when starting a container.
- Allow you to create your own network namespace and provide it to containerd to attach it to a container when it starts.
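The controls listed above are expressed in the OCI runtime spec (the config.json that containerd hands to an OCI runtime such as runc). The following is an added example, not code from the containerd project: it builds such a spec in Python with a cgroup memory limit and CPU shares, PID/mount/IPC/UTS/user namespaces, a UID mapping that keeps container root off host root, a reduced capability set, explicit environment variables and an optional pre-created network namespace, and then audits any spec for the weak settings a reviewer would look for. The host UID base of 100000, the capability lists, the namespace path and the sample values are all constructed assumptions for the example; the field names are the standard OCI runtime spec ones.

```python
import json

# Capabilities that give a process enough power to tamper with or escape the host.
# This selection is the example's own, not a list from containerd.
HIGH_RISK_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
                  "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH"}

# A small default set; constructed for the example, not a containerd default.
DEFAULT_CAPS = ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SETUID", "CAP_SETGID"]


def build_spec(args, env, memory_limit_bytes, cpu_shares, caps=DEFAULT_CAPS,
               netns_path=None, host_uid_base=100000):
    """Return an OCI runtime spec (dict) using the controls the text describes."""
    # Fresh namespaces for everything except the network namespace, which is
    # reused from netns_path when the caller created one in advance.
    namespaces = [{"type": t} for t in ("pid", "mount", "ipc", "uts", "user")]
    namespaces.append({"type": "network", "path": netns_path} if netns_path
                      else {"type": "network"})
    caps = list(caps)
    return {
        "ociVersion": "1.0.2",
        "process": {
            # uid 0 inside the container; the user namespace maps it elsewhere on the host
            "user": {"uid": 0, "gid": 0},
            "args": list(args),
            "env": list(env),  # explicit environment, e.g. "PATH=/usr/bin:/bin"
            "cwd": "/",
            "noNewPrivileges": True,  # setuid binaries cannot regain dropped privileges
            "capabilities": {"bounding": caps, "effective": caps,
                             "permitted": caps, "inheritable": []},
        },
        "root": {"path": "rootfs", "readonly": True},
        "linux": {
            "namespaces": namespaces,
            # container uid/gid 0..65535 -> host host_uid_base..host_uid_base+65535
            "uidMappings": [{"containerID": 0, "hostID": host_uid_base, "size": 65536}],
            "gidMappings": [{"containerID": 0, "hostID": host_uid_base, "size": 65536}],
            "resources": {"memory": {"limit": memory_limit_bytes},
                          "cpu": {"shares": cpu_shares}},
        },
    }


def audit_spec(spec):
    """Return a list of findings for a spec; an empty list means every check passed."""
    findings = []
    linux = spec.get("linux", {})
    proc = spec.get("process", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}

    for required in ("pid", "mount"):
        if required not in ns_types:
            findings.append(f"missing {required} namespace: container shares host {required} view")

    if "user" not in ns_types:
        findings.append("no user namespace: container uid 0 is host uid 0")
    else:
        mappings = linux.get("uidMappings", [])
        if not mappings:
            findings.append("user namespace declared but no uidMappings")
        for m in mappings:
            if m.get("containerID") == 0 and m.get("hostID") == 0:
                findings.append("uidMappings map container root (uid 0) to host root")

    if linux.get("resources", {}).get("memory", {}).get("limit") is None:
        findings.append("no memory limit: container can exhaust host memory")

    bad = set(proc.get("capabilities", {}).get("bounding", [])) & HIGH_RISK_CAPS
    if bad:
        findings.append(f"high-risk capabilities granted: {sorted(bad)}")

    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges not set")
    return findings


if __name__ == "__main__":
    spec = build_spec(["/bin/sh"], ["PATH=/usr/bin:/bin"], 256 * 1024 * 1024, 512,
                      netns_path="/var/run/netns/web")  # constructed path
    print(json.dumps(spec, indent=2))
    print("findings:", audit_spec(spec))
```

The audit function is the useful half for a defender: run it over the specs a platform generates (or over a running container's config.json) to catch a missing memory limit, a UID mapping that lands container root on host root, or CAP_SYS_ADMIN slipping into the bounding set before the container starts.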
containerd was created by Docker and donated to the Cloud Native Computing Foundation (CNCF) so that the container community would have a common basis for creating new container solutions. containerd also supports the standards of the Open Container Initiative, an open governance organization focused on container best practices.
containerd vs Docker:
Docker provides a broad set of technologies used to run and manage containers. One of those technologies is Docker Engine, a full-featured container runtime with advanced developer tools.
containerd is also a container runtime, based on Docker technology. You can use containerd on its own, as a bare-bones container runtime solution. Additionally, newer versions of Docker Engine use containerd behind the scenes.