LinuxCommandLibrary

crictl

Manage Kubernetes container runtimes

TLDR

List all Kubernetes pods (Ready and NotReady)

$ crictl pods
copy

List all containers (Running and Exited)
$ crictl ps [[-a|--all]]
copy

List all images
$ crictl images
copy

Print information about specific containers
$ crictl inspect [container_id1 container_id2 ...]
copy

Open a specific shell inside a running container
$ crictl exec [[-it|--interactive --tty]] [container_id] [sh]
copy

Pull a specific image from a registry
$ crictl pull [image:tag]
copy

Print and follow logs of a specific container
$ crictl logs [[-f|--follow]] [container_id]
copy

Remove one or more images
$ crictl rmi [image_id1 image_id2 ...]
copy

SYNOPSIS

crictl [OPTIONS] <COMMAND> [<ARGS>...]

PARAMETERS

--debug
    Enable debug output

--help, -h
    Print help and exit

--image-endpoint ENDPOINT
    Image service endpoint (default: runtime-endpoint)

--pod-endpoint ENDPOINT
    Pod service endpoint (default: runtime-endpoint)

--runtime-endpoint ENDPOINT
    CRI runtime endpoint (default: unix:///var/run/containerd/containerd.sock or CRI-O)

--timeout DURATION
    Timeout for gRPC calls (default: 2m)

--verbose, -v
    Enable verbose output

--version
    Print version information

DESCRIPTION

crictl is a lightweight, command-line tool for interacting with container runtimes compliant with the Kubernetes Container Runtime Interface (CRI), such as containerd and CRI-O. It mirrors familiar docker CLI functionality but targets CRI gRPC APIs, making it essential for debugging containers and pods directly on Kubernetes nodes.

Key capabilities include listing pods/containers (crictl ps), inspecting details (crictl inspect ID), streaming logs (crictl logs ID), executing commands (crictl exec), attaching to consoles (crictl attach), port-forwarding (crictl port-forward), and image management (crictl pull, crictl images, crictl rmi). Outputs like inspect are JSON-formatted for easy parsing.

Designed for simplicity and speed, crictl connects via configurable endpoints (Unix sockets or TCP), supporting remote diagnostics. It's pre-installed in many Kubernetes setups (e.g., kubeadm) and vital for troubleshooting issues like pod crashes, OOM kills, or failed image pulls without relying on kubectl. Environment variables like $CONTAINER_RUNTIME_ENDPOINT can override defaults, enhancing flexibility in multi-runtime clusters.

CAVEATS

Requires root or socket permissions; defaults vary by runtime (containerd vs CRI-O); not for Docker daemon directly.

COMMON COMMANDS

crictl ps -a: List all pods/containers.
crictl inspect ID: JSON details on ID.
crictl logs ID: Stream logs.
crictl exec -it ID /bin/sh: Interactive shell.

ENDPOINTS

Set via flags or env vars: CRI_RUNTIME_ENDPOINT, CRI_IMAGE_ENDPOINT, CRI_POD_ENDPOINT.

HISTORY

crictl originated in the cri-tools project (2018) for Kubernetes CRI conformance testing. Developed by Kubernetes SIGs, it gained prominence with CRI adoption in v1.13+, replacing direct Docker access in clusters.

SEE ALSO

ctr(8), crio(8), docker(1), kubectl(1)

Copied to clipboard