Week 9 - `containerd` Architecture¶

9.1 Conceptual Core¶

containerd is a container daemon that manages: image pull/push, content storage, layered snapshotters, runtime invocation (via OCI-spec runtimes like runc/crun), task/process management.
It is not a monolithic daemon. Plugins (snapshotter, runtime, content store) are pluggable. containerd is what dockerd actually calls underneath; it is also the default runtime daemon in Kubernetes since 1.24.

Architecture (read containerd/containerd/docs/architecture.md):
Content store-content-addressed blob storage.
Image store-refs and image metadata.
Snapshotters-overlayfs, btrfs, zfs, stargz, devmapper. Pluggable.
Runtime plugin-invokes OCI runtimes via the shim model (one shim process per container, decouples container lifecycle from daemon restart).
Tasks API-manage processes inside containers.
Events API-pub/sub for lifecycle events.
The ctr CLI is a debugging tool, not a user-facing CLI. For users: nerdctl (Docker-compatible), crictl (CRI-level), or higher-level (Kubernetes, Buildah).
The shim (containerd-shim-runc-v2) keeps the container alive across containerd daemon restarts. Each container has its own shim.

Install containerd and nerdctl. Configure /etc/containerd/config.toml.
Pull, run, exec, kill containers entirely via nerdctl. Confirm dockerd is not running.
Enable the stargz-snapshotter. Pull a large image with eStargz layers. Measure first-run startup time vs cold pull.
Use ctr to inspect tasks, snapshots, and content blobs at the daemon level.

Configure containerd to use a custom seccomp profile and AppArmor (or SELinux) profile by default. Update config.toml's [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] section.

Wire containerd metrics to Prometheus (metrics.address in config). Plot container start latency, image pull bytes, snapshotter ops/sec.