```bash
# See all overlay mounts on the system
findmnt -t overlay
cat /proc/mounts | grep overlay | grep <container-id>
```
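As an added example (not from the original page), the functions below parse the overlay entries those commands list and extract a container's writable layer (`upperdir`) and read-only image layers (`lowerdir`). The mount lines, container IDs and snapshot numbers are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts content (IDs and snapshot numbers are made up).
SNAP=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots
TASK=/run/containerd/io.containerd.runtime.v2.task/k8s.io
SAMPLE_MOUNTS="overlay $TASK/aaa111/rootfs overlay rw,relatime,lowerdir=$SNAP/41/fs:$SNAP/40/fs,upperdir=$SNAP/42/fs,workdir=$SNAP/42/work 0 0
proc /proc proc rw,nosuid 0 0
overlay $TASK/bbb222/rootfs overlay rw,relatime,lowerdir=$SNAP/40/fs,upperdir=$SNAP/57/fs,workdir=$SNAP/57/work 0 0"

# overlay_opt KEY CONTAINER_ID (hypothetical helper): reads mounts text on stdin
# and prints one overlay option (lowerdir, upperdir or workdir) for the overlay
# mount whose mount point contains /CONTAINER_ID/.
overlay_opt() {
    awk -v key="$1" -v id="$2" '
        $3 == "overlay" && index($2, "/" id "/") {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (index(opts[i], key "=") == 1) {
                    print substr(opts[i], length(key) + 2)
                    exit
                }
        }'
}

# lower_layers CONTAINER_ID: the read-only image layers, one per line,
# top-most layer first (overlayfs lists lowerdir entries in that order).
lower_layers() {
    overlay_opt lowerdir "$1" | tr ':' '\n'
}

# On a real node, feed /proc/mounts instead of the sample:
#   overlay_opt upperdir <container-id> < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | overlay_opt upperdir aaa111
printf '%s\n' "$SAMPLE_MOUNTS" | lower_layers aaa111
```

The `upperdir` path is where files written inside the container land on the host, which makes it the directory to examine or preserve when investigating changes a container made.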
In the modern world of cloud-native computing, containers are ephemeral, but data is eternal. The bridge between a container's short lifespan and persistent storage is the Container Runtime Interface (CRI). For DevOps engineers, SREs, and system administrators, understanding the "CRI file system tools link" (the relationship between the CRI specification and the underlying filesystem management utilities) is not just a technical curiosity; it is a necessity for debugging, security, and performance tuning.
```bash
# Find the top 10 largest container rootfs directories
du -sh /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/*/fs | sort -h | tail -n 10
```

If a node crashes, the underlying filesystem containing the CRI directories may become corrupted. You cannot run fsck on a mounted device. The link here is to unmount the CRI storage partition (often /var/lib/containerd) first:
Without crictl, finding the relationship between a Kubernetes pod and its physical layer on disk is nearly impossible. The most powerful link between the host and the container's view of the world is nsenter. Once you have the PID from crictl, you can enter the container's mount namespace:
```
lrwxrwxrwx 1 root root ... rootfs -> /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/42/fs
```

You can follow this link to directly inspect the writable layer of a running container without needing crictl.

3.2 Image Layer Linking

CRI runtimes use content-addressable storage (CAS). The tool ls -l in /var/lib/containerd/io.containerd.content.v1.content/blobs/ reveals symlinks from digest hashes to actual blob files. Tools like containerd-fuse-overlayfs use these links to compose merge directories.

Part 4: Advanced Filesystem Toolchains

4.1 OverlayFS Tools – mount, umount, findmnt

OverlayFS is the default driver for all major CRI runtimes. Key commands to trace the "CRI link":
```bash
# List all containers and their mount points
crictl ps -a
crictl inspect <container-id> | jq '.info.runtimeSpec.mounts'

# Get the PID of a container – essential for nsenter into its filesystem
crictl inspect <container-id> | jq '.info.pid'
```
```bash
ls -la /var/run/containerd/io.containerd.runtime.v2.task/k8s.io/
```

You will see directories named by container ID. Each contains a symbolic link rootfs pointing to the actual lower directories of the overlay filesystem. For example: