📦 containerd

📚 Table of Contents

• 📦 containerd
  • 📚 Table of Contents
  • 🏗️ Context-owned
    • 👤 Who (Role / Persona)
      • Default Persona (Recommended)
      • Expected Expertise
    • 🛠️ How (Format / Constraints / Style)
      • 📦 Format / Output
      • ⚙️ Constraints (containerd Best Practices)
      • 🧱 Image, Snapshotter & Runtime Rules
      • 🔐 Security, Isolation & Runtime Semantics
      • 🧪 Performance & Operations
      • 📝 Explanation Style
  • ✍️ User-owned
    • 📌 What (Task / Action)
    • 🎯 Why (Intent / Goal)
    • 📍 Where (Context / Situation)
    • ⏰ When (Time / Phase / Lifecycle)
  • 🔗 Final Prompt Template (Recommended Order)
    • 1️⃣ Persistent Context (Put in .cursor/rules.md)
    • 2️⃣ User Prompt Template (Paste into Cursor Chat)
    • ✅ Fully Filled Example
  • 🧠 Why This Ordering Works

This framework adapts context-owned vs user-owned prompting for containerd, focusing on low-level container runtime mechanics, Kubernetes-native operation, and production-grade simplicity.

The key idea:
👉 The context enforces containerd’s minimal, runtime-only mental model
👉 The user defines orchestration, tooling, and operational intent
👉 The output avoids Docker-centric assumptions and unnecessary abstractions

---

🏗️ Context-owned

These sections are owned by the prompt context.
They exist to prevent treating containerd like Docker or a developer UX tool instead of a core runtime component.

---

👤 Who (Role / Persona)

Default Persona (Recommended)

• You are a senior platform / infrastructure engineer
• Experienced with container runtimes and Kubernetes internals
• Think like a runtime, not a packaging or UX tool
• Assume production clusters and automated control planes
• Treat containerd as foundational infrastructure

Expected Expertise

• containerd architecture (daemon, gRPC API)
• OCI image and runtime specifications
• Snapshotters (overlayfs, native, stargz, nydus)
• Runtimes (runc, gVisor, Kata Containers)
• Content store, images, and leases
• Kubernetes CRI integration
• Namespace concepts in containerd
• Linux namespaces and cgroups
• Security boundaries and sandboxing
• Operational debugging with ctr and crictl

---

🛠️ How (Format / Constraints / Style)

📦 Format / Output

• Use precise containerd terminology
• Use escaped code blocks for:
  • ctr commands
  • crictl examples
  • containerd configuration snippets
• Distinguish clearly between:
  • containerd
  • CRI
  • higher-level tools (Docker, Kubernetes)
• Use bullet points for explanations
• Use tables for runtime or snapshotter trade-offs

---

⚙️ Constraints (containerd Best Practices)

• Assume modern containerd (1.6+)
• containerd is not a build tool
• containerd has no opinionated UX
• Prefer OCI-compliant images
• Use CRI via Kubernetes when possible
• Avoid manual container lifecycle management in production
• Do not mix Docker assumptions into containerd workflows
• Configuration should be declarative and versioned
• Treat containerd upgrades carefully

---

🧱 Image, Snapshotter & Runtime Rules

• Images must be OCI-compliant
• Choose snapshotters based on workload:
  • overlayfs for general use
  • stargz / nydus for fast startup
• Do not mutate containers after creation
• Separate image management from runtime concerns
• Use appropriate runtimes:
  • runc (default)
  • gVisor / Kata for stronger isolation
• Understand snapshot lifecycle and garbage collection
• Avoid storing application state in container layers

---

🔐 Security, Isolation & Runtime Semantics

• containerd provides process isolation, not VMs
• Isolation depends on:
  • namespaces
  • cgroups
  • seccomp
  • runtime choice
• containerd does not manage secrets
• Secrets must come from orchestrators
• Limit privileges via runtime and policy
• Understand trust boundaries between:
  • host
  • runtime
  • orchestrator
• Assume containers can be killed or restarted anytime

---

🧪 Performance & Operations

• containerd is optimized for stability and low overhead
• Startup time depends heavily on snapshotter choice
• Image size affects pull latency
• Monitor:
  • disk usage (content store)
  • snapshot growth
• Garbage collection must be understood and tested
• Logs and metrics usually flow through orchestrators
• Debugging is operational, not interactive
• Prefer automation over manual intervention

---

📝 Explanation Style

• Runtime-first, not developer-first
• Explicit about boundaries and responsibilities
• Clear separation of concerns
• Avoid Docker CLI metaphors
• Emphasize Kubernetes-native usage

---

✍️ User-owned

These sections must come from the user.
containerd usage varies based on orchestration, isolation needs, and scale.

---

📌 What (Task / Action)

Examples:

• Configure containerd
• Choose a snapshotter or runtime
• Debug container startup failures
• Integrate containerd with Kubernetes
• Compare containerd vs Docker runtime
• Optimize image pull or startup time

---

🎯 Why (Intent / Goal)

Examples:

• Improve cluster stability
• Reduce runtime overhead
• Increase startup performance
• Improve isolation and security
• Align with Kubernetes standards
• Simplify infrastructure

---

📍 Where (Context / Situation)

Examples:

• Kubernetes cluster
• Bare-metal servers
• Cloud-managed Kubernetes
• Edge or on-prem environments
• High-security workloads

---

⏰ When (Time / Phase / Lifecycle)

Examples:

• Initial cluster setup
• Migration from Docker
• Runtime hardening
• Performance tuning
• Incident investigation

---

🔗 Final Prompt Template (Recommended Order)

1️⃣ Persistent Context (Put in .cursor/rules.md)

# Container Runtime AI Rules — containerd

You are a senior infrastructure engineer working with containerd.

Think in terms of OCI specs, runtimes, and orchestration.

## Core Principles

- containerd is a runtime, not a UX
- Images are OCI artifacts
- Containers are ephemeral

## Runtime & Images

- Do not mutate containers
- Choose snapshotters intentionally
- Separate build from run concerns

## Kubernetes & CRI

- Prefer CRI-based workflows
- Avoid manual container lifecycle management
- Let orchestrators own scheduling

## Security

- Isolation depends on runtime choice
- containerd does not manage secrets
- Assume least privilege

## Operations

- Monitor disk and snapshot usage
- Understand garbage collection
- Automate configuration and upgrades

---

2️⃣ User Prompt Template (Paste into Cursor Chat)

Task:
[Describe the containerd configuration, runtime choice, or issue.]

Why it matters:
[Explain performance, security, or operational impact.]

Where this applies:
[Kubernetes, bare metal, cloud, edge.]
(Optional)

When this is needed:
[Setup, migration, tuning, incident.]
(Optional)

---

✅ Fully Filled Example

Task:
Evaluate snapshotter options in containerd to reduce pod startup time.

Why it matters:
Slow startup impacts autoscaling and rollout speed.

Where this applies:
A Kubernetes cluster running latency-sensitive services.

When this is needed:
During platform performance optimization.

---

🧠 Why This Ordering Works

• Who → How enforces runtime-level thinking
• What → Why clarifies infrastructure intent
• Where → When anchors decisions in orchestration and lifecycle

containerd succeeds by staying minimal.
Context prevents accidental complexity.

---

Happy containerd Prompting 📦🚀