System Tools Install: Cri File
```bash
# Download nerdctl full bundle (includes containerd + runc + CNI)
curl -LO https://github.com/containerd/nerdctl/releases/download/v1.7.6/nerdctl-full-1.7.6-linux-amd64.tar.gz
sudo tar Cxzvvf /usr/local nerdctl-full-1.7.6-linux-amd64.tar.gz

curl -LO https://github.com/containerd/nerdctl/releases/download/v1.7.6/nerdctl-1.7.6-linux-amd64.tar.gz
sudo tar Cxzvvf /usr/local/bin nerdctl-1.7.6-linux-amd64.tar.gz
```
```bash
sudo ls -la /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/23/fs
```

Use du -sh to find the bloat:
Run:

```bash
ps aux | grep -E "containerd|crio|dockerd"
```

We will cover installation on Ubuntu 22.04/24.04 LTS, RHEL 9 / CentOS 9, and macOS (for remote debugging).

Part 1: Installing cri-tools (crictl)

crictl is the Swiss Army knife. It does not care about your underlying filesystem; it talks to the CRI socket.

On Ubuntu/Debian

```bash
# Add Kubernetes repository (contains cri-tools)
sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
# Make sure the keyring directory exists before writing the key into it
sudo mkdir -p -m 755 /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y cri-tools
```

On RHEL/CentOS/Fedora

```bash
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://pkgs.k8s.io/core:/stable:/v1.30/rpm/
enabled=1
gpgcheck=1
gpgkey=https://pkgs.k8s.io/core:/stable:/v1.30/rpm/repodata/repomd.xml.key
EOF
sudo yum install -y cri-tools
```

Manual Install (All Linux distros)

For the latest version (bypassing package managers):

```bash
# Download nerdctl full bundle (includes containerd +
```
| Runtime | CRI Socket | Default CLI Tools |
| :--- | :--- | :--- |
| containerd | /run/containerd/containerd.sock | ctr, nerdctl, crictl |
| CRI-O | /run/crio/crio.sock | crictl, podman |
| Docker (via cri-dockerd) | /run/cri-dockerd.sock | crictl (limited) |
```yaml
# For containerd
runtime-endpoint: "unix:///run/containerd/containerd.sock"
image-endpoint: "unix:///run/containerd/containerd.sock"
timeout: 10
debug: false

# For CRI-O (use this runtime-endpoint in place of the containerd one above)
# runtime-endpoint: "unix:///run/crio/crio.sock"
```

Test config:

```bash
crictl ps -a
```

```bash
export CONTAINERD_ADDRESS=/run/containerd/containerd.sock
export CONTAINERD_NAMESPACE=k8s.io  # Critical for Kubernetes
nerdctl ps
```

Hands-On: Using CRI Filesystem Tools to Inspect Container Storage

Now for the practical part. Assume a pod named my-app is consuming 10GB of disk space, but df -h inside the pod shows only 1GB. Where is the space? Let's investigate.

Step 1: Find the Target Container ID

```bash
crictl ps --name my-app --state Running
# Output: CONTAINER ID: 3e8f2a1b9c0d
```

Step 2: Inspect the Container's Root Filesystem Mounts

```bash
crictl inspect 3e8f2a1b9c0d | jq '.info.runtimeSpec.mounts'
```

Look for type: "overlay". You'll see lowerdir, upperdir, workdir.
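The Step 2 lookup as an added example (not code from the original page): it reads `crictl inspect` JSON, extracts `lowerdir`, `upperdir` and `workdir` from each overlay entry under `.info.runtimeSpec.mounts`, and sizes the writable `upperdir` without following symlinks. It assumes the overlay entry appears in that list as the page describes; the sample JSON, snapshot numbers 20 and 21, and the function names are constructed for illustration.

```python
import json
import os
import stat
import sys

# Constructed sample shaped like `crictl inspect <id>` output; not captured from a real node.
SNAP = "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots"
SAMPLE = json.dumps({"info": {"runtimeSpec": {"mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc", "options": ["nosuid"]},
    {"destination": "/", "type": "overlay", "source": "overlay", "options": [
        f"lowerdir={SNAP}/21/fs:{SNAP}/20/fs",
        f"upperdir={SNAP}/23/fs",
        f"workdir={SNAP}/23/work"]},
]}}})

def overlay_layers(inspect_json):
    """Return lowerdir/upperdir/workdir for every overlay entry in .info.runtimeSpec.mounts."""
    mounts = json.loads(inspect_json)["info"]["runtimeSpec"].get("mounts", [])
    layers = []
    for m in mounts:
        if m.get("type") != "overlay":
            continue
        # Options are "key=value" strings; bare flags such as "ro" carry no "=".
        opts = dict(o.split("=", 1) for o in m.get("options", []) if "=" in o)
        layers.append({
            "destination": m.get("destination"),
            "lowerdir": [p for p in opts.get("lowerdir", "").split(":") if p],
            "upperdir": opts.get("upperdir"),
            "workdir": opts.get("workdir"),
        })
    return layers

def tree_bytes(path):
    """Sum the apparent sizes of regular files under path."""
    total = 0
    # upperdir content is container-controlled: never follow its symlinks from the host.
    for root, _dirs, files in os.walk(path, followlinks=False):
        for name in files:
            try:
                st = os.lstat(os.path.join(root, name))
            except OSError:
                continue  # file removed by the running container mid-walk
            if stat.S_ISREG(st.st_mode):
                total += st.st_size
    return total

if __name__ == "__main__":
    # On a node: crictl inspect <id> | sudo python3 <this file>
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for layer in overlay_layers(data):
        up = layer["upperdir"]
        print(layer["destination"], up, tree_bytes(up) if up and os.path.isdir(up) else None)
```

Run without piped input, it parses the constructed sample and prints `None` for the size because the sample path does not exist locally.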
```bash
# OverlayFS tools are usually in the kernel; user-space helpers:
sudo apt-get install -y fuse-overlayfs  # For rootless
sudo apt-get install -y attr            # For xattr (getfattr/setfattr)
sudo apt-get install -y util-linux      # Provides findmnt, lsblk
sudo apt-get install -y lsof            # Shows open files within container mounts
```

Configuring CRI Tools for Filesystem Access

By default, crictl points to the Docker socket. You must redirect it to your runtime.

Configure crictl

Create /etc/crictl.yaml or ~/.config/crictl.yaml:
With the installation steps and debugging workflows outlined above, you are now equipped to handle the most complex container storage issues on any CRI-compliant runtime.
