How to Get Container PID Using crictl (Equivalent to Docker Inspect)



As Kubernetes deprecates Docker as a container runtime, engineers increasingly work with CRI-O and containerd. Both solutions use crictl from cri-tools for container management - a crucial replacement for Docker CLI commands.

Previously with Docker, we could easily get a container's PID using:

docker inspect CONTAINER_ID -f '{{ .State.Pid }}'

For CRI-based runtimes, we need alternative approaches.

The most direct equivalent command is:

crictl inspect CONTAINER_ID | jq '.info.pid'

This returns the host PID of the container's init process. The jq utility helps parse JSON output.

For systems without jq installed:

crictl inspect CONTAINER_ID --output json | grep -oP '(?<="pid": )\d+'

Or through process listing:

ps -p $(crictl inspect CONTAINER_ID | grep -oP '"pid":\s*\K\d+') -o pid=

Let's walk through a real-world scenario:

# List running containers
crictl ps

# Get specific container's PID (example container ID: a1b2c3d4)
crictl inspect a1b2c3d4 | jq '.info.pid'

# Alternative for systems without jq
crictl inspect a1b2c3d4 --output json | \
  grep -oP '(?<="pid": )\d+'

Remember these key points about container PIDs:

  • The reported PID is from the host's perspective
  • Inside the container, the process will typically show as PID 1
  • For nested containers or pods with multiple containers, additional namespace considerations apply
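The first two points can be checked on a node by comparing the host PID with the NSpid line in /proc/<pid>/status, which lists the process's PID in each PID namespace, outermost first. This is an added example, not code from the original article; the helper names info_pid, ns_pid and check_container are hypothetical, and it assumes the pretty-printed JSON that crictl inspect emits and a Linux /proc that reports NSpid.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.

# info_pid: read `crictl inspect` JSON on stdin and print the first "pid" value.
# Fails on a missing or zero value, neither of which names a live process.
info_pid() {
  pid=$(sed -n 's/.*"pid":[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
  case "$pid" in
    ''|0) return 1 ;;
  esac
  printf '%s\n' "$pid"
}

# ns_pid: read /proc/<pid>/status on stdin and print the last NSpid entry,
# i.e. the PID the process has inside its own (innermost) PID namespace.
ns_pid() {
  awk '$1 == "NSpid:" { print $NF; found = 1 } END { exit !found }'
}

# check_container ID: live check on a node (needs crictl and usually root).
# Prints "host=<pid> inside=<pid>" and fails unless the process is PID 1
# in its own PID namespace.
check_container() {
  host_pid=$(crictl inspect "$1" | info_pid) || {
    echo "no running init process for $1" >&2; return 1; }
  inside=$(ns_pid < "/proc/$host_pid/status") || return 1
  echo "host=$host_pid inside=$inside"
  [ "$inside" = 1 ]
}
```

On a node, check_container a1b2c3d4 prints both views of the PID; a process that shares the host PID namespace reports the same number twice and the check fails.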

If you encounter problems:

  1. Ensure crictl is properly configured (crictl info should work)
  2. Verify the container is running (crictl ps)
  3. Check for sufficient permissions (try with sudo if needed)

For batch operations:

for id in $(crictl ps -q); do
  echo "Container $id has PID: $(crictl inspect "$id" | jq '.info.pid')"
done

With Kubernetes deprecating Docker as a container runtime, engineers are migrating to CRI-compatible runtimes like containerd and CRI-O. The crictl command from cri-tools has become the standard CLI for container management in these environments.

Getting a container's process ID (PID) is crucial for:

  • Debugging containerized applications
  • Inspecting process trees and namespaces
  • Performance monitoring at the process level
  • Security auditing and forensics

Here's the equivalent of docker inspect for crictl:

# First get the container ID
crictl ps --name my-container

# Then inspect for PID
CONTAINER_ID="your_container_id_here"
# crictl takes the template in a separate --template flag
crictl inspect -o go-template --template '{{.info.pid}}' "$CONTAINER_ID"

For different runtime scenarios:

For containerd

ctr -n k8s.io containers ls | grep my-container
# `ctr tasks ls` prints TASK, PID and STATUS columns
ctr -n k8s.io tasks ls | grep "$CONTAINER_ID"

For CRI-O

crictl inspect $CONTAINER_ID | jq '.info.pid'

Here's a complete workflow to find and use a container's PID:

# Get all running containers
crictl ps

# Get specific container ID
CONTAINER_ID=$(crictl ps -q --name nginx)

# Extract PID
PID=$(crictl inspect -o go-template --template '{{.info.pid}}' "$CONTAINER_ID")

# Use the PID (e.g., for nsenter)
nsenter -t "$PID" -n ip addr

  • Make sure you're using the correct namespace (-n k8s.io for containerd)
  • Some Kubernetes distributions may modify default configurations
  • PIDs may appear different from host perspective due to PID namespaces

When working with container PIDs:

  • Use pgrep judiciously as it can be resource-intensive
  • Consider caching results for frequently accessed containers
  • Be aware of PID namespace implications in nested containers