# OverlayFS tools are usually in the kernel; user-space helpers: sudo apt-get install -y fuse-overlayfs # For rootless sudo apt-get install -y attr # For xattr (getfattr/setfattr) sudo apt-get install -y util-linux # Provides findmnt , lsblk sudo apt-get install -y lsof # Shows open files within container mounts Configuring CRI Tools for Filesystem Access By default, crictl points to the Docker socket. You must redirect it to your runtime. Configure crictl Create /etc/crictl.yaml or ~/.config/crictl.yaml :

| Runtime | CRI Socket | Default CLI Tools | | :--- | :--- | :--- | | | /run/containerd/containerd.sock | ctr , nerdctl , crictl | | CRI-O | /run/crio/crio.sock | crictl , podman | | Docker (via cri-dockerd) | /run/cri-dockerd.sock | crictl (limited) |

# List snapshots used by the pod's namespace nerdctl -n k8s.io ps -a # Get snapshot size directly (if using buildkit) nerdctl -n k8s.io image ls -a If you find orphaned overlay mounts ( findmnt | grep overlay shows many old pods):

# For containerd runtime-endpoint: "unix:///run/containerd/containerd.sock" image-endpoint: "unix:///run/containerd/containerd.sock" timeout: 10 debug: false # For CRI-O runtime-endpoint: "unix:///run/crio/crio.sock" Test config: crictl ps -a export CONTAINERD_ADDRESS=/run/containerd/containerd.sock export CONTAINERD_NAMESPACE=k8s.io # Critical for Kubernetes nerdctl ps Hands-On: Using CRI Filesystem Tools to Inspect Container Storage Now for the practical part. Assume a pod named my-app is consuming 10GB of disk space, but df -h inside the pod shows only 1GB. Where is the space? Let's investigate. Step 1: Find the Target Container ID crictl ps --name my-app --state Running # Output: CONTAINER ID: 3e8f2a1b9c0d Step 2: Inspect the Container's Root Filesystem Mounts crictl inspect 3e8f2a1b9c0d | jq .info.runtimeSpec.mounts Look for type: "overlay" . You'll see lowerdir , upperdir , workdir .