🐳 Docker Advanced

What is containerd and how does it relate to Docker?

Why Interviewers Ask This

This is a differentiating question used for senior and lead roles. Interviewers want to see if you can explain not just what happens, but why — and what the trade-offs are in different approaches.

Answer

containerd is an industry-standard, high-level container runtime that manages the complete lifecycle of containers: image pull, storage, execution, and networking. It was originally part of Docker and was donated to the CNCF in 2017.

Docker's architecture is a chain of layers: the Docker CLI → Docker daemon (dockerd) → containerd → runc (the OCI runtime that actually creates the container using Linux namespaces/cgroups).

Kubernetes deprecated Docker as its container runtime in 1.20 and removed it in 1.24, switching to using containerd (or CRI-O) directly via the CRI (Container Runtime Interface). This doesn't mean Docker images don't run in Kubernetes — they do, because Docker images follow the OCI image spec, which containerd reads.

The low-level runtimes containerd can call:

- runc is the OCI (Open Container Initiative) reference implementation that containerd calls to create and run containers using kernel features.
- crun is a newer, faster alternative to runc written in C.
- gVisor (runsc): Google's container runtime that provides a user-space kernel for stronger isolation (sandboxing each container with a dedicated kernel). Used in GKE Sandbox.
- Kata Containers: runs each container in a lightweight VM for VM-level isolation with container startup speed.

Understanding this stack helps when debugging low-level container issues or configuring container runtimes in Kubernetes.
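As an added example (not part of the original answer), here is what "configuring container runtimes in Kubernetes" looks like in practice: a Kubernetes RuntimeClass that maps to a gVisor (runsc) handler registered in containerd's CRI plugin, and a Pod that opts into it. The containerd stanza is shown as a comment because it lives in containerd's own config.toml, not in the manifest. The node label `sandbox=gvisor`, the RuntimeClass name `gvisor`, the pod name and the image reference are assumptions chosen for the example; the handler name `runsc` and runtime type `io.containerd.runsc.v1` are the names gVisor's containerd shim uses.

```yaml
# --- containerd side (assumed to be in /etc/containerd/config.toml, not part of this manifest) ---
# Registers a second low-level runtime next to the default runc. containerd
# looks up the CRI "runtime handler" name (runsc) and launches the matching shim.
#
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
#     runtime_type = "io.containerd.runsc.v1"
#
# Kata Containers follows the same pattern with a handler such as "kata" and
# runtime_type = "io.containerd.kata.v2".
#
# --- Kubernetes side ---
# RuntimeClass is the cluster-level name that pods reference; "handler" must
# match the runtime name configured in containerd on the node.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor            # assumed name; referenced by pods below
handler: runsc            # must equal the containerd runtimes.<name> key
scheduling:
  nodeSelector:
    sandbox: gvisor       # assumed node label: only schedule where runsc is installed
---
# A pod that opts into the sandboxed runtime. Everything else about the pod
# (image pull, cgroups, networking via CNI) still goes through containerd;
# only the process isolation layer changes from runc to gVisor's user-space kernel.
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed-app     # assumed name
spec:
  runtimeClassName: gvisor
  containers:
  - name: app
    image: registry.example.invalid/app:1.0   # placeholder image reference
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
```

A quick way to confirm the mapping took effect is to check that the pod schedules onto a node carrying the label and that `kubectl get runtimeclass` lists `gvisor` with handler `runsc`; if the handler name in the RuntimeClass and the containerd config disagree, the kubelet rejects the pod at sandbox creation rather than silently falling back to runc, which is the behaviour you want from an isolation boundary.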

Pro Tip

This topic has Docker-specific nuances that differ from general programming. Highlighting those nuances in your answer shows expertise rather than generic knowledge.