diff --git a/.oebuild/features/containerd.yaml b/.oebuild/features/containerd.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6f8bd306d55bc3d52beb1af87422ff8265e6da68
--- /dev/null
+++ b/.oebuild/features/containerd.yaml
@@ -0,0 +1,9 @@
+type: feature
+
+support: qemu-aarch64|phytiumpi
+
+layers:
+- yocto-meta-virtualization
+
+local_conf: |
+  DISTRO_FEATURES:append = " virtualization containerd "
diff --git a/.oebuild/features/xen.yaml b/.oebuild/features/xen.yaml
index 3a795dc7997f8d1b065d49ea2355174d83b52529..8c6cbbad3404263b5bdf48a5600af91b64cb0c8b 100644
--- a/.oebuild/features/xen.yaml
+++ b/.oebuild/features/xen.yaml
@@ -1,6 +1,6 @@
 type: feature
 
-support: qemu-aarch64|raspberrypi4-64|kp920
+support: qemu-aarch64|raspberrypi4-64|kp920|phytiumpi
 
 local_conf: |
   DISTRO_FEATURES:append = " xen"
diff --git a/.oebuild/manifest.yaml b/.oebuild/manifest.yaml
index 984c9d0ce0356b57fde53743e045914377a8ef06..0d3ef0b50626075bfc9ba2eec65e890916d82b68 100644
--- a/.oebuild/manifest.yaml
+++ b/.oebuild/manifest.yaml
@@ -1947,6 +1947,9 @@ manifest_list:
   yocto-meta-ros:
     remote_url: https://gitee.com/openeuler/yocto-meta-ros.git
     version: 7c7a4e6bb6ffdd06b19b2f5f81843506d57895f0
+  yocto-meta-virtualization:
+    remote_url: https://gitee.com/openeuler/yocto-meta-virtualization.git
+    version: dev_kirkstone
   yocto-opkg-utils:
     remote_url: https://gitee.com/src-openeuler/yocto-opkg-utils.git
     version: 1d04472046d0225e013dd7e18c62dddf82025969
diff --git a/meta-openeuler/conf/machine/include/kernel-modules-conf/common.inc b/meta-openeuler/conf/machine/include/kernel-modules-conf/common.inc
index f6dc5bc212fd658ce5b3b4dcf8a44e0a1f68243a..e25feeb29510dfb88ffb95293c549aa3d5e05910 100644
--- a/meta-openeuler/conf/machine/include/kernel-modules-conf/common.inc
+++ b/meta-openeuler/conf/machine/include/kernel-modules-conf/common.inc
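Review bot: The new yocto-meta-virtualization entry in manifest.yaml sets `version: dev_kirkstone`, a branch name, while the neighbouring entries (yocto-meta-ros, yocto-opkg-utils) pin full commit hashes. A branch moves, so the layer content that lands in a build is whatever the remote holds at fetch time: builds are not reproducible, and any push to that branch changes what gets compiled without a corresponding change in this repository. Pin a commit like the other entries, `version: <commit-sha of dev_kirkstone at integration time>`, and bump it deliberately when the layer is updated.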
@@ -1,5 +1,5 @@
 INSTALLMODULES = " \
-${@bb.utils.contains('DISTRO_FEATURES', 'isulad', 'kernel-module-overlay', '', d)} \
+${@bb.utils.contains_any('DISTRO_FEATURES', 'isulad containerd', 'kernel-module-overlay', '', d)} \
 kernel-module-8021q \
 kernel-module-ext2 \
 kernel-module-inet-diag \
@@ -8,7 +8,7 @@ kernel-module-ip6-udp-tunnel \
 kernel-module-ipip \
 kernel-module-ipt-reject \
 kernel-module-ipv6 \
-kernel-module-nf-defrag-ipv6 \
+${@bb.utils.contains_any('DISTRO_FEATURES', 'k3s containerd', '', 'kernel-module-nf-defrag-ipv6',d)} \
 kernel-module-nf-nat \
 kernel-module-nf-reject-ipv4 \
 kernel-module-nf-reject-ipv6 \
diff --git a/meta-openeuler/recipes-containers/containerd/containerd-opencontainers_%.bbappend b/meta-openeuler/recipes-containers/containerd/containerd-opencontainers_%.bbappend
new file mode 100644
index 0000000000000000000000000000000000000000..d6573bcb909323c6de61cbbd58e8e79db68f1ee2
--- /dev/null
+++ b/meta-openeuler/recipes-containers/containerd/containerd-opencontainers_%.bbappend
@@ -0,0 +1,11 @@
+HOMEPAGE = "https://github.com/containerd/containerd"
+SRCREV = "2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41"
+CONTAINERD_VERSION = "v1.7.19"
+CVE_VERSION = "1.7.19"
+PV = "${CONTAINERD_VERSION}+git"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+SRC_URI:remove = "git://github.com/containerd/containerd;branch=release/1.6;protocol=https;destsuffix=git/src/github.com/containerd/containerd"
+SRC_URI:append = "git://github.com/containerd/containerd;branch=release/1.7;protocol=https;destsuffix=git/src/github.com/containerd/containerd \
+"
+#EXTRA_OEMAKE:append:pn-containerd-opencontainers = " GO111MODULE=on GO_BUILD_FLAGS+=-mod=vendor"
diff --git a/meta-openeuler/recipes-core/images/openeuler-image.bb b/meta-openeuler/recipes-core/images/openeuler-image.bb
index 71efbbd63cd1dbd895fbbea222cdf66b051055dc..9a5f69b3aacc7155254755e690a75cad872e4855 100644
--- a/meta-openeuler/recipes-core/images/openeuler-image.bb
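Review bot: The `contains_any` on the nf-defrag-ipv6 line of the second common.inc hunk is inverted relative to every other entry in this list: the `kernel-module-nf-defrag-ipv6` package is dropped from INSTALLMODULES when `k3s` or `containerd` is enabled and kept otherwise, with no comment saying why. Presumably the module ends up built into the kernel under those features so no such package exists, but the containerd.cfg added in this same commit sets `CONFIG_NF_DEFRAG_IPV6=m`, which contradicts that guess, so the reason needs to be written down. A one-line comment above it such as `# no separate nf_defrag_ipv6 module package is produced when the k3s/containerd kernel fragments apply -- TODO confirm` would spare the next reader the same investigation.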
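Review bot: `SRC_URI:remove` only drops an entry that matches the quoted token exactly, so this bbappend silently depends on the base containerd-opencontainers recipe in yocto-meta-virtualization carrying precisely `git://github.com/containerd/containerd;branch=release/1.6;protocol=https;destsuffix=git/src/github.com/containerd/containerd`; if the base string differs (another branch, option order, or a later upstream bump) nothing is removed and two git entries share one destsuffix. A comment recording what this was written against, e.g. `# matches SRC_URI of containerd-opencontainers_git.bb in yocto-meta-virtualization at the manifest's dev_kirkstone revision; re-check on layer bump`, would make that breakage easy to diagnose. The commented-out `EXTRA_OEMAKE` line at the end should be dropped rather than carried as dead configuration. Pinning `SRCREV` to a full hash and setting `CVE_VERSION` to match is the right shape; it keeps the fetched source and the CVE checks tied to the same 1.7.19 release.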
+++ b/meta-openeuler/recipes-core/images/openeuler-image.bb
@@ -31,6 +31,7 @@ ${@bb.utils.contains("DISTRO_FEATURES", "preempt-rt", "packagegroup-preempt-rt",
 ${@bb.utils.contains("DISTRO_FEATURES", "dsoftbus", "packagegroup-dsoftbus", "", d)} \
 ${@bb.utils.contains("DISTRO_FEATURES", "benchmarks", "packagegroup-openeuler-benchmarks", "", d)} \
 ${@bb.utils.contains("DISTRO_FEATURES", "oebridge", "packagegroup-oebridge", "", d)} \
+${@bb.utils.contains("DISTRO_FEATURES", "containerd", "packagegroup-basic-containerd", "", d)} \
 "
 
 # You can add extra user here, suck like:
diff --git a/meta-openeuler/recipes-core/packagegroups/packagegroup-basic-containerd.bb b/meta-openeuler/recipes-core/packagegroups/packagegroup-basic-containerd.bb
new file mode 100644
index 0000000000000000000000000000000000000000..40a30e16f098b796fce820d9afa9eb989b8356ab
--- /dev/null
+++ b/meta-openeuler/recipes-core/packagegroups/packagegroup-basic-containerd.bb
@@ -0,0 +1,22 @@
+DESCRIPTION = "package group for simple custom container tools including nerdctl, containerd, and dependencies."
+SUMMARY = "custom lightweight containerd-based toolkits"
+inherit packagegroup features_check
+
+REQUIRED_DISTRO_FEATURES += "systemd"
+# it is not recommended to package this simple lightweight containerd packagegroup together with isulad
+CONFLICT_DISTRO_FEATURES = "isulad"
+PACKAGES = " \
+    ${PN} \
+"
+
+# TODO: version migration for containerd (to >1.7.1)
+# TODO: cni compatibility
+RDEPENDS:${PN} = " \
+    virtual-containerd \
+    virtual-runc \
+    oci-systemd-hook \
+    oci-runtime-tools \
+    oci-image-tools \
+    nerdctl \
+    bridge-utils \
+    "
diff --git a/meta-openeuler/recipes-kernel/linux/files/meta-data/features/basic-containerd/containerd.cfg b/meta-openeuler/recipes-kernel/linux/files/meta-data/features/basic-containerd/containerd.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..5b53a73ddd8c51410148afff239300de988ae4ce
--- /dev/null
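Review bot: The `# TODO: version migration for containerd (to >1.7.1)` comment in packagegroup-basic-containerd.bb is already stale in this commit, since the bbappend in the same change pins containerd to v1.7.19; either drop it or narrow it to the remaining work, e.g. `# TODO: cni compatibility (containerd pinned to v1.7.19 in containerd-opencontainers_%.bbappend)`. The comment above `CONFLICT_DISTRO_FEATURES = "isulad"` says "not recommended", but features_check makes it a hard condition: the recipe is skipped when isulad is also in DISTRO_FEATURES, and because openeuler-image.bb pulls this packagegroup in whenever containerd is set, the image build then fails on the missing provider. Say so in the comment so the behaviour is not a surprise: `# features_check skips this recipe when isulad is also enabled; the image then fails to build, which is intended -- do not ship both runtimes`.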
+++ b/meta-openeuler/recipes-kernel/linux/files/meta-data/features/basic-containerd/containerd.cfg 
@@ -0,0 +1,151 @@
+#
+# containerd toolkits runtime kconfigs appending
+#
+# This configuration is for basic containerd functionality.
+# It includes necessary kernel options and some common optional features.
+# For more advanced features, you may need to enable more kernel options.
+#
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+
+#
+# Generally Necessary for containerd
+#
+CONFIG_NAMESPACES=y
+CONFIG_NET_NS=y
+CONFIG_PID_NS=y
+CONFIG_IPC_NS=y
+CONFIG_UTS_NS=y
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_CPUSETS=y
+CONFIG_MEMCG=y
+CONFIG_KEYS=y
+CONFIG_VETH=y
+CONFIG_BRIDGE=m
+CONFIG_BRIDGE_NETFILTER=y
+CONFIG_IP_NF_FILTER=m
+CONFIG_IP_NF_MANGLE=m
+CONFIG_IP_NF_TARGET_MASQUERADE=m
+CONFIG_IP6_NF_FILTER=m
+CONFIG_IP6_NF_MANGLE=m
+CONFIG_IP6_NF_TARGET_MASQUERADE=m
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
+CONFIG_NETFILTER_XT_MATCH_IPVS=m
+CONFIG_NETFILTER_XT_MARK=m
+CONFIG_IP_NF_RAW=m
+CONFIG_IP_NF_NAT=m
+CONFIG_NF_NAT=m
+CONFIG_IP6_NF_RAW=m
+CONFIG_IP6_NF_NAT=m
+CONFIG_POSIX_MQUEUE=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_CGROUP_BPF=y
+
+#
+# Optional Features
+#
+
+# cgroup pids controller
+CONFIG_CGROUP_PIDS=y
+# cgroup hugetlb controller
+CONFIG_CGROUP_HUGETLB=y
+# cgroup perf event controller
+CONFIG_CGROUP_PERF=y
+# cgroup net_cls subsystem. Classify network packets with a classid.
+CONFIG_NET_CLS_CGROUP=m
+# cgroup net_prio subsystem. Set the priority of network traffic.
+CONFIG_CGROUP_NET_PRIO=y
+# CPU bandwidth control for CFS task groups
+CONFIG_CFS_BANDWIDTH=y
+# Block device throttling
+CONFIG_BLK_DEV_THROTTLING=y
+CONFIG_BLK_CGROUP=y
+
+# User namespace
+CONFIG_USER_NS=y
+# Seccomp filter
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+
+# Redirecting packets and streams
+CONFIG_IP_NF_TARGET_REDIRECT=m
+# SCTP protocol support
+CONFIG_IP_SCTP=m
+# IP Virtual Server support
+CONFIG_IP_VS=m
+CONFIG_IP_VS_NFCT=y
+CONFIG_IP_VS_PROTO_TCP=y
+CONFIG_IP_VS_PROTO_UDP=y
+CONFIG_IP_VS_RR=m
+
+# Security modules
+# SELinux support
+CONFIG_SECURITY_SELINUX=y
+# AppArmor security module
+CONFIG_SECURITY_APPARMOR=y
+
+# Netfilter Tables support
+# This is a new packet filtering framework that is intended to replace iptables.
+CONFIG_NF_TABLES=m
+CONFIG_NFT_CT=m
+CONFIG_NFT_FIB_IPV4=m
+CONFIG_NFT_FIB_IPV6=m
+CONFIG_NFT_FIB=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_NAT=m
+
+# Filesystem extended attributes and ACLs for ext3/ext4
+CONFIG_EXT3_FS_XATTR=y
+CONFIG_EXT3_FS_POSIX_ACL=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+
+#
+# Network Drivers
+#
+
+# For "overlay" network
+CONFIG_VXLAN=m
+CONFIG_BRIDGE_VLAN_FILTERING=y
+
+# For "ipvlan" network
+CONFIG_IPVLAN=m
+
+# For "macvlan" network
+CONFIG_MACVLAN=y
+CONFIG_DUMMY=m
+
+# Optional (for encrypted networks)
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_GCM=m
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_GHASH=m
+CONFIG_XFRM=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_ALGO=y
+CONFIG_INET_ESP=m
+CONFIG_NETFILTER_XT_MATCH_BPF=m
+
+# For ftp,tftp client in container
+CONFIG_NF_NAT_FTP=m
+CONFIG_NF_CONNTRACK_FTP=m
+CONFIG_NF_NAT_TFTP=m
+CONFIG_NF_CONNTRACK_TFTP=m
+CONFIG_NF_DEFRAG_IPV6=m
+
+#
+# Storage Drivers
+#
+
+# For "overlay" storage driver
+CONFIG_OVERLAY_FS=m
+
+# For "btrfs" storage driver
+CONFIG_BTRFS_FS=m
+CONFIG_BTRFS_FS_POSIX_ACL=y
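Review bot: `CONFIG_BRIDGE_NETFILTER=y` in the "Generally Necessary" section cannot take effect as written, because it depends on `CONFIG_BRIDGE`, which this fragment sets to `m`; Kconfig will downgrade it to `m` and the kernel-yocto config audit will report the mismatch, so set both to `y` or both to `m`. In the "Security modules" section both `CONFIG_SECURITY_SELINUX=y` and `CONFIG_SECURITY_APPARMOR=y` are enabled but nothing sets `CONFIG_LSM`, so which major LSM is actually active is inherited from the base config or the `lsm=` boot parameter; a comment such as `# both LSMs are compiled in; the active one is selected by CONFIG_LSM in the base config -- confirm` would make the intended enforcement explicit. `CONFIG_USER_NS=y` is needed for rootless/unprivileged container setups but also exposes a large amount of kernel attack surface to unprivileged processes, so that trade-off deserves a line next to it rather than being enabled silently under "Optional Features". The `CONFIG_EXT3_FS_*` symbols no longer exist in kernels from 4.3 onward (ext3 is served by the ext4 driver), so if the openEuler kernel is newer than that they are dead entries that only produce audit warnings.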
diff --git a/meta-openeuler/recipes-kernel/linux/files/meta-data/features/basic-containerd/containerd.scc b/meta-openeuler/recipes-kernel/linux/files/meta-data/features/basic-containerd/containerd.scc
new file mode 100644
index 0000000000000000000000000000000000000000..002aa3aaeffe3ccfdb3703db891004f36fac10e6
--- /dev/null
+++ b/meta-openeuler/recipes-kernel/linux/files/meta-data/features/basic-containerd/containerd.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable containerd toolkit runtime related configs"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware containerd.cfg
diff --git a/meta-openeuler/recipes-kernel/linux/linux-openeuler.inc b/meta-openeuler/recipes-kernel/linux/linux-openeuler.inc
index d77f1305320b987174112c17a745b1134d26b35b..2e0e7979eea8e5143cc3c88de3fe222606e70028 100644
--- a/meta-openeuler/recipes-kernel/linux/linux-openeuler.inc
+++ b/meta-openeuler/recipes-kernel/linux/linux-openeuler.inc
@@ -126,6 +126,10 @@ KERNEL_FEATURES:append = "${@bb.utils.contains('DISTRO_FEATURES', 'xen', ' featu
 # zvm kernel support
 KERNEL_FEATURES:append = "${@bb.utils.contains('MCS_FEATURES', 'zvm', ' features/zvm/zvm.scc', '', d)}"
 
+# containerd kernel support
+KERNEL_FEATURES:append = "${@bb.utils.contains('DISTRO_FEATURES', 'containerd', ' features/basic-containerd/containerd.scc', '', d)}"
+
+# kubeedge kernel support
 KERNEL_FEATURES:append = " \
 ${@bb.utils.contains('DISTRO_FEATURES', 'kubeedge', 'features/kubeedge/kubeedge.scc', '', d)} \
 "
@@ -200,7 +204,47 @@ pkg_postinst_${KERNEL_PACKAGE_NAME}-base () {
 }
 
 
-# qemu is 1st class BSP in openeuler, so add qemu specific kernel customeriazation here
+# qemu is the first class BSP in openeuler, so add qemu specific kernel customeriazation here
 # for other BSP, plese do it in its own layer and use dynamic layer mechanism under bsp/met-openeuler-bsp, for example, see
 # raspberrypi bsp
 SRC_URI:append:qemu-aarch64= "${@bb.utils.contains('DISTRO_FEATURES', 'oe-xfce', 'file://config/cfg-fragments/qemu-aarch64-xfce.cfg', '', d)}"
+
+do_container_configs[doc] = "Checks the kernel configs required by container, parses the output, and issues warnings/notes for missing configs."
+do_container_configs() {
+    wget -P ${WORKDIR} https://github.com/moby/moby/raw/master/contrib/check-config.sh || true
+    if [ -f ${WORKDIR}/check-config.sh ]; then
+        sed -i 's,zcat "$2" | grep "$1", cat "$2" | grep "$1",g' ${WORKDIR}/check-config.sh
+        chmod +x ${WORKDIR}/check-config.sh
+        kconfigfile="${B}/.config"
+        section=""
+        NO_COLOR=1 script_output=$(${WORKDIR}/check-config.sh ${kconfigfile} 2>&1 || true)
+        echo "${script_output}" | while IFS= read -r line; do
+            if echo "$line" | grep -q "Generally Necessary:"; then
+                section="necessary"
+                continue
+            fi
+            if echo "$line" | grep -q "Optional Features:"; then
+                section="optional"
+                continue
+            fi
+
+            if echo "$line" | grep -q "missing" && echo "$line" | grep -q "CONFIG_"; then
+                local trimed=$(echo "$line" | sed -E 's/.*(CONFIG_[A-Z0-9_]+):\s*([a-z]+).*/\1 is \2/')
+                if [ "$section" = "necessary" ]; then
+                    bbwarn "necessary ability for container: $trimed"
+                elif [ "$section" = "optional" ]; then
+                    bbwarn "optional ability for container: $trimed"
+                else
+                    bbwarn "ability for container: $line"
+                fi
+            fi
+        done
+    else
+        bbwarn "Could not download moby check-config.sh, skipping kernel config check."
+    fi
+}
+
+python () {
+    if bb.utils.contains_any('DISTRO_FEATURES', 'containerd k3s', True, False, d):
+        bb.build.addtask('container_configs', 'do_compile', 'do_configure',d)
+}
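Review bot: `do_container_configs` fetches `check-config.sh` from the moby `master` branch with wget at build time and then executes it, with no pinned revision and no checksum: whatever that branch holds at the moment of the build runs with the build user's privileges, the download bypasses BitBake's fetcher (network is expected only in do_fetch, so this also breaks `BB_NO_NETWORK` and offline builds), and `|| true` plus the `else` branch reduce all of that to a warning. Vendor the script into the layer instead: add `SRC_URI += "file://check-config.sh"` alongside the recipe's existing SRC_URI lines (recipes-kernel/linux/files/ already exists for the cfg fragments), delete the `wget` line, and apply the `zcat`-to-`cat` edit once to the vendored copy so the `sed -i` goes away too; the script then arrives in ${WORKDIR} as part of the task signature and cannot change underneath a release build. If it must stay remote, pin a commit in the URL and verify a sha256 of the download before the `chmod +x`. Separately, `wget -P` will not overwrite an existing `check-config.sh` on a re-run (it writes `check-config.sh.1`), so the `-f` test keeps using the stale copy. The rewritten context line still carries the typo `customeriazation`, and `plese` sits on the line below it.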