Introduction: The Hidden Complexity of Container Filesystems In the world of containerized applications, the storage layer is often treated as a black box. Developers run docker run or kubectl apply , and somehow, the files appear. But beneath the surface lies a sophisticated ecosystem of snapshots, layers, and mount points. For those managing Kubernetes clusters using the Container Runtime Interface (CRI), understanding CRI file system tools and the critical role of the link (symbolic or hard link) is not just an advanced skill—it is a necessity for debugging, performance tuning, and disaster recovery.
Rebuild the image ensuring absolute symlinks or correct relative paths. Scenario 2: Disk space leak from dangling snapshot links Sometimes, the parent link remains even after the child snapshot is deleted, preventing garbage collection.
"info": "rootDir": "/var/lib/containerd/io.containerd.runtime.v2.task/k8s.io/<container-id>/rootfs" cri file system tools link
Also, the new feature (v1.25+) uses hard links to preserve container state before migration. Conclusion: The Link is the Lost Art of Container Storage The CRI file system tools — crictl , ctr , crio-status —give you x-ray vision into how Kubernetes manages storage. But without understanding the link (whether symbolic, hard, or the conceptual parent pointer between layers), you are blind to half of the system.
ctr namespace ls # List namespaces (e.g., k8s.io) ctr -n k8s.io snapshot ls # Show all snapshots (image layers) ctr -n k8s.io snapshot mount <key> /mnt # Mount a snapshot to inspect Snapshots are immutable directories linked together via overlayfs. Each snapshot has a "parent" link to the previous layer. 3. crio-status – CRI-O’s Inspection Tool For CRI-O users, crio-status dumps storage and runtime information. For those managing Kubernetes clusters using the Container
This article explores the relationship between CRI-compliant runtimes (containerd and CRI-O), the filesystem tools that manipulate container storage, and how the humble link (both symbolic and hard) functions as the architectural glue holding container layers together. Before diving into tools and links, we must establish a baseline. The CRI is a Kubernetes API that kubelet uses to communicate with container runtimes. It abstracts the runtime implementation, allowing Kubernetes to work with Docker (via dockershim, now deprecated), containerd, CRI-O, and others.
crictl images # Lists images with their IDs and sizes crictl inspect <container-id> # Shows detailed mount points and layer paths crictl imagefsinfo # Reports filesystem usage for image storage The inspect command reveals the rootfs path—a symbolic link that points to the container’s writable layer. For example: "info": "rootDir": "/var/lib/containerd/io
ctr -n k8s.io snapshot rm <snapshot-key> ctr -n k8s.io snapshot gc # Garbage collects unlinked snapshots Check /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/metadata.db (a BoltDB file) for orphaned links. Tools like boltdb-viewer can inspect it. Scenario 3: Migrating container rootfs to another disk using symlinks Suppose your /var/lib/containerd partition is full. You can move the storage directory and create a symbolic link.