
Technology Guide

containerd

License: Apache-2.0



containerd is the daemon that actually runs containers on most Kubernetes nodes today. It pulls OCI images, unpacks them into snapshots, sets up mounts and namespaces, hands execution off to an OCI runtime like runc, and supervises the resulting processes. Originally extracted from Docker in 2017 and donated to the CNCF, it became a graduated project in 2019 and is now the default runtime in GKE, EKS, AKS, and almost every managed Kubernetes distribution since Kubernetes deprecated the dockershim in 1.24.

Architecturally, containerd is a gRPC daemon exposing services for images, containers, snapshots, tasks, events, and content. The cri plugin implements the Kubernetes Container Runtime Interface, so the kubelet talks directly to containerd without an intermediate Docker shim. Images are stored content-addressed in the content store, then materialized into snapshots by pluggable snapshotters: overlayfs by default, with stargz, native, btrfs, zfs, and devmapper available for lazy pulls or different storage backends. Containers are launched via a per-container containerd-shim-runc-v2 process that calls runc and keeps the container alive if containerd itself restarts.
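
Because the content store is content-addressed, each blob's file name is the SHA-256 digest of its bytes, which gives a simple on-node integrity check. The Go program below is an added example, not containerd's own code: it assumes the default Linux content store path and the `blobs/sha256/<hex>` layout, and `VerifyBlobs` is a hypothetical helper name.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// VerifyBlobs re-hashes every regular file in <root>/blobs/sha256 and returns
// the names of blobs whose content no longer matches the digest in their name.
func VerifyBlobs(root string) ([]string, error) {
	dir := filepath.Join(root, "blobs", "sha256")
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, e := range entries {
		if !e.Type().IsRegular() {
			continue // skip directories, symlinks and other non-blob entries
		}
		f, err := os.Open(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		h := sha256.New()
		_, err = io.Copy(h, f) // stream: layer blobs can be large
		f.Close()
		if err != nil {
			return nil, err
		}
		if hex.EncodeToString(h.Sum(nil)) != e.Name() {
			bad = append(bad, e.Name())
		}
	}
	return bad, nil
}

func main() {
	// Assumed default content store path; pass a different root as argv[1].
	root := "/var/lib/containerd/io.containerd.content.v1.content"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	bad, err := VerifyBlobs(root)
	fmt.Println("mismatched blobs:", bad, "error:", err)
}
```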

You rarely interact with containerd directly — the typical entry points are crictl (CRI-level debugging), ctr (low-level built-in CLI), or nerdctl (a Docker-compatible CLI with BuildKit, Compose, and rootless support). Alongside CRI-O, it is one of the two mainstream CRI runtimes; Docker Engine itself embeds containerd underneath.

CNCF Project

Cloud Native Computing Foundation

Accepted: 2017-03-29
Incubating: 2017-03-29
Graduated: 2019-02-28
