lando · AaronFeledy · Mar 13, 2026 · Mar 13, 2026 · Mar 13, 2026 · Mar 13, 2026
diff --git a/.github/workflows/pr-containerd-tests.yml b/.github/workflows/pr-containerd-tests.yml
@@ -0,0 +1,62 @@
+name: Containerd Engine Tests
+
+on:
+  pull_request:
+
+jobs:
+  leia-tests:
+    runs-on: ${{ matrix.os }}
+    env:
+      TERM: xterm
+    strategy:
+      fail-fast: false
+      matrix:
+        leia-test:
+          - containerd
+        node-version:
+          - "20"
+        os:
+          - ubuntu-24.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install node ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          registry-url: https://registry.npmjs.org
+          cache: npm
+      - name: Bundle Deps
+        uses: lando/prepare-release-action@v3
+        with:
+          lando-plugin: true
+          version: dev
+          sync: false
+      - name: Install pkg dependencies
+        run: npm clean-install --prefer-offline --frozen-lockfile --production
+      - name: Package into node binary
+        uses: lando/pkg-action@v6
+        id: pkg-action
+        with:
+          entrypoint: bin/lando
+          filename: lando
+          node-version: ${{ matrix.node-version }}
+          options: --options dns-result-order=ipv4first
+          upload: false
+          pkg: "@yao-pkg/pkg@5.16.1"
+      - name: Install full deps
+        run: npm clean-install --prefer-offline --frozen-lockfile
+      - name: Setup lando ${{ steps.pkg-action.outputs.file }}
+        uses: lando/setup-lando@v3
+        with:
+          auto-setup: false
+          lando-version: ${{ steps.pkg-action.outputs.file }}
+          telemetry: false
+      - name: Run Leia Tests
+        uses: lando/run-leia-action@v2
+        with:
+          leia-test: "./examples/${{ matrix.leia-test }}/README.md"
+          cleanup-header: "Destroy tests"
+          shell: bash
+          stdin: true
diff --git a/.github/workflows/pr-core-tests.yml b/.github/workflows/pr-core-tests.yml
@@ -5,6 +5,7 @@ on:
 
 jobs:
   leia-tests:
+    name: ${{ matrix.leia-test }} (${{ matrix.engine }})
     runs-on: ${{ matrix.os }}
     env:
       TERM: xterm
@@ -62,6 +63,8 @@ jobs:
           - update
           - version
           - yaml
+        engine:
+          - docker
         node-version:
           - "20"
         os:
@@ -106,13 +109,14 @@ jobs:
           pkg: "@yao-pkg/pkg@5.16.1"
       - name: Install full deps
         run: npm clean-install --prefer-offline --frozen-lockfile
-      - name: Setup lando ${{ steps.pkg-action.outputs.file }}
+      - name: Setup lando ${{ steps.pkg-action.outputs.file }} (${{ matrix.engine }})
         uses: lando/setup-lando@v3
         with:
           lando-version: ${{ steps.pkg-action.outputs.file }}
           telemetry: false
           config: |
             setup.skipCommonPlugins=true
+            engine=${{ matrix.engine }}
       - name: Run Leia Tests
         uses: lando/run-leia-action@v2
         env:

diff --git a/BRIEF.md b/BRIEF.md
diff --git a/app.js b/app.js
@@ -210,6 +210,9 @@ module.exports = async (app, lando) => {
   // Check for docker compat warnings and surface them nicely as well
   app.events.on('post-start', async () => await require('./hooks/app-check-docker-compat')(app, lando));
 
+  // Check for containerd compat warnings and surface them nicely as well
+  app.events.on('post-start', async () => await require('./hooks/app-check-containerd-compat')(app, lando));
+
   // throw service not start errors
   app.events.on('post-start', 1, async () => await require('./hooks/app-check-v4-service-running')(app, lando));
 

diff --git a/builders/_proxy.js b/builders/_proxy.js
@@ -6,7 +6,7 @@ const _ = require('lodash');
 /*
  * Helper to get core proxy service
  */
-const getProxy = ({proxyCommand, proxyPassThru, proxyDomain, userConfRoot, version = 'unknown'} = {}) => {
+const getProxy = ({proxyCommand, proxyPassThru, proxyDomain, userConfRoot, dockerSocket, version = 'unknown'} = {}) => {
   return {
     services: {
       proxy: {
@@ -21,7 +21,7 @@ const getProxy = ({proxyCommand, proxyPassThru, proxyDomain, userConfRoot, versi
         },
         networks: ['edge'],
         volumes: [
-          '/var/run/docker.sock:/var/run/docker.sock',
+          `${dockerSocket || '/var/run/docker.sock'}:/var/run/docker.sock`,
           `${userConfRoot}/scripts/proxy-certs.sh:/scripts/100-proxy-certs`,
           'proxy_config:/proxy_config',
         ],

diff --git a/builders/lando-v4.js b/builders/lando-v4.js
@@ -434,12 +434,16 @@ module.exports = {
       }, config.labels);
 
       // add it all 2getha
+      const networks = lando.engine?.engineBackend === 'containerd'
+        ? {}
+        : {[this.network]: {aliases: this.hostnames}};
+
       this.addLandoServiceData({
         environment,
         extra_hosts: ['host.lando.internal:host-gateway'],
         labels,
         logging: {driver: 'json-file', options: {'max-file': '3', 'max-size': '10m'}},
-        networks: {[this.network]: {aliases: this.hostnames}},
+        networks,
         user: this.user.name,
         volumes: this.volumes,
       });

diff --git a/components/docker-engine.js b/components/docker-engine.js
@@ -3,6 +3,7 @@
 
 const fs = require('fs-extra');
 const path = require('path');
+
 const merge = require('lodash/merge');
 const slugify = require('slugify');
 
@@ -35,7 +36,21 @@ class DockerEngine extends Dockerode {
     orchestrator = DockerEngine.orchestrator,
   } = {}) {
     super(config);
-    this.builder = builder;
+    const userConfRoot = config.userConfRoot || path.join(require('os').homedir(), '.lando');
+    const systemBinDir = config.containerdSystemBinDir || '/usr/local/lib/lando/bin';
+
+    this.containerdMode = config.containerdMode === true
+      || config.engine === 'containerd'
+      || process.env.LANDO_ENGINE === 'containerd';
+    this.containerdNamespace = config.containerdNamespace || 'default';
+    this.containerdSocket = config.containerdSocket || '/run/lando/containerd.sock';
+    this.buildkitHost = config.buildkitHost || 'unix:///run/lando/buildkitd.sock';
+    this.buildctl = config.buildctlBin
+      || (fs.existsSync(path.join(userConfRoot, 'bin', 'buildctl')) ? path.join(userConfRoot, 'bin', 'buildctl') : path.join(systemBinDir, 'buildctl'));
+    this.nerdctlConfig = config.nerdctlConfig || path.join(userConfRoot, 'config', 'nerdctl.toml');
+    this.authConfig = config.authConfig || {env: {}};
+    this.builder = this.containerdMode ? path.join(userConfRoot, 'bin', 'nerdctl') : builder;
+    if (this.containerdMode) this.modem.socketPath = config.socketPath || '/run/lando/finch.sock';
     this.debug = debug;
     this.orchestrator = orchestrator;
   }
@@ -56,6 +71,10 @@ class DockerEngine extends Dockerode {
       id = tag,
       sources = [],
     } = {}) {
+    if (this.containerdMode) {
+      return this.buildx(dockerfile, {attach, buildArgs, context, id, sources, tag});
+    }
+
     // handles the promisification of the merged return
     const awaitHandler = async () => {
       return new Promise((resolve, reject) => {
@@ -244,21 +263,27 @@ class DockerEngine extends Dockerode {
     fs.copySync(dockerfile, path.join(context, 'Dockerfile'));
     dockerfile = path.join(context, 'Dockerfile');
 
-    // build initial buildx command
-    const args = {
-      command: this.builder,
-      args: [
-        'buildx',
-        'build',
-        `--file=${dockerfile}`,
-        '--progress=plain',
-        `--tag=${tag}`,
-        context,
-      ],
-    };
+    const outputPath = this.containerdMode ? path.join(context, 'image.tar') : null;
+
+    // build initial build command
+    const args = this.containerdMode
+      ? this._getContainerdBuildctlCommand({buildArgs, context, dockerfile, outputPath, tag})
+      : {
+        command: this.builder,
+        args: [
+          'buildx',
+          'build',
+          `--file=${dockerfile}`,
+          '--progress=plain',
+          `--tag=${tag}`,
+          context,
+        ],
+      };
 
     // add any needed build args into the command
-    for (const [key, value] of Object.entries(buildArgs)) args.args.push(`--build-arg=${key}=${value}`);
+    if (!this.containerdMode) {
+      for (const [key, value] of Object.entries(buildArgs)) args.args.push(`--build-arg=${key}=${value}`);
+    }
 
     // if we have sshKeys then lets pass those in
     if (sshKeys.length > 0) {
@@ -274,15 +299,16 @@ class DockerEngine extends Dockerode {
 
     // if we have an sshAuth socket then add that as well
     if (sshSocket && fs.existsSync(sshSocket)) {
-      args.args.push(`--ssh=agent=${sshSocket}`);
+      args.args.push(`--ssh=${this.containerdMode ? 'default' : 'agent'}=${sshSocket}`);
       debug('passing in ssh agent socket %o', sshSocket);
     }
 
     // get builder
     // @TODO: consider other opts? https://docs.docker.com/reference/cli/docker/buildx/build/ args?
     // secrets?
     // gha cache-from/to?
-    const buildxer = require('../utils/run-command')(args.command, args.args, {debug});
+    const env = {...process.env, ...(this.authConfig.env || {})};
+    const buildxer = require('../utils/run-command')(args.command, args.args, {debug, env});
 
     // augment buildxer with more events so it has the same interface as build
     buildxer.stdout.on('data', data => {
@@ -297,25 +323,88 @@ class DockerEngine extends Dockerode {
       for (const line of data.toString().trim().split('\n')) debug(line);
       stderr += data;
     });
-    buildxer.on('close', code => {
+    buildxer.on('close', async code => {
       // if code is non-zero and we arent ignoring then reject here
       if (code !== 0 && !ignoreReturnCode) {
         buildxer.emit('error', require('../utils/get-buildx-error')({code, stdout, stderr}));
       // otherwise return done
       } else {
+        try {
+          if (this.containerdMode && outputPath) {
+            const loadOutput = await this._loadContainerdImage(outputPath, tag, debug);
+            stdout += loadOutput;
+          }
+        } catch (error) {
+          buildxer.emit('error', error);
+          return;
+        } finally {
+          if (outputPath && fs.existsSync(outputPath)) fs.removeSync(outputPath);
+        }
+
         buildxer.emit('done', {code, stdout, stderr});
         buildxer.emit('finished', {code, stdout, stderr});
         buildxer.emit('success', {code, stdout, stderr});
       }
     });
 
     // debug
-    debug('buildxing image %o from %o with build-args', tag, context, buildArgs);
+    debug('%s image %o from %o with build-args %o', this.containerdMode ? 'building with buildctl' : 'buildxing', tag, context, buildArgs);
 
     // return merger
     return mergePromise(buildxer, awaitHandler);
   }
 
+  _getContainerdBuildctlCommand({buildArgs = {}, context, dockerfile, outputPath, tag}) {
+    const filename = path.basename(dockerfile);
+    const args = [
+      '--addr', this.buildkitHost,
+      'build',
+      '--frontend', 'dockerfile.v0',
+      '--local', `context=${context}`,
+      '--local', `dockerfile=${path.dirname(dockerfile)}`,
+      '--opt', `filename=${filename}`,
+      '--opt', `platform=${process.arch === 'arm64' ? 'linux/arm64' : 'linux/amd64'}`,
+      '--output', `type=docker,name=${tag},dest=${outputPath}`,
+      '--progress=plain',
+    ];
+
+    for (const [key, value] of Object.entries(buildArgs)) args.push('--opt', `build-arg:${key}=${value}`);
+
+    return {
+      command: this.buildctl,
+      args,
+    };
+  }
+
+  async _loadContainerdImage(imageTarball, tag, debug = this.debug) {
+    // Load via finch-daemon's Docker-compatible API (Dockerode).
+    // finch-daemon proxies to containerd, so this loads into both.
+    return this._loadContainerdImageIntoFinch(imageTarball, tag, debug);
+  }
+
+  async _loadContainerdImageIntoFinch(imageTarball, tag, debug = this.debug) {
+    return new Promise((resolve, reject) => {
+      const stream = fs.createReadStream(imageTarball);
+
+      this.loadImage(stream, (error, responseStream) => {
+        if (error) return reject(error);
+        if (!responseStream) return resolve('');
+
+        this.modem.followProgress(responseStream, (followError, output = []) => {
+          if (followError) return reject(followError);
+
+          const messages = output
+            .map(event => event.stream || event.status || '')
+            .filter(Boolean);
+
+          for (const message of messages) debug(message.trim());
+          debug('loaded image %o into finch-daemon from %o', tag, imageTarball);
+          resolve(messages.join(''));
+        });
+      });
+    });
+  }
+
   /*
    * A helper method that automatically will build the image needed for the run command
    * NOTE: this is only available as async/await so you cannot return directly and access events