CT-Ops
Host Containers
How to use CT-Ops container inventory, image risk, metrics, network graph, and lifecycle views.
The Containers area appears on a host detail page when CT-Ops has Docker runtime data for that host. Use it to answer four operator questions:
- What containers are currently present and what images are they running?
- Which container images have known vulnerability or exploit risk?
- Which container is consuming CPU, memory, network I/O, block I/O, or process count?
- How are containers attached to Docker networks, and when did a container start, stop, restart, or disappear?
The page is read-oriented except for image scan requests. Most controls filter or focus data already collected by the agent. Run image scan asks the agent and scanner pipeline to refresh Docker image vulnerability data.
Global Docker settings affect this page. The Docker metric retention period controls how long chart samples can be queried, and Docker image scanning settings control whether the scan action is enabled and how scheduled image scans run. See Docker container settings for the instance-level defaults.
Docker runtime status
Before showing container data, CT-Ops checks the host’s Docker runtime status. If the status is anything other than installed, the Containers area shows an empty-state explanation instead of the tabs.
| Status | What the operator sees | Meaning and next action |
|---|---|---|
| installed | The Containers tabs and controls are available. | Docker was detected and the agent can read container inventory. Continue with inventory, risk, metrics, network, or lifecycle investigation. |
| unknown | Docker status unknown and “No Docker runtime status has been reported for this host yet.” | The host has not reported Docker status. Wait for a newer agent heartbeat or confirm the agent version and connectivity. |
| not_installed | Docker not installed and “Docker Engine is not installed or was not found on this host.” | Docker is not expected on this host, or the agent could not find it. Do not treat missing containers as a runtime incident until Docker installation is confirmed. |
| permission_denied | Permission denied and “The agent found Docker but cannot read container inventory.” | The agent can see Docker but lacks permission to inspect it. Fix socket or group access before relying on container data. |
| unreachable | Docker unreachable and “Docker was detected but did not respond to the agent.” | Docker was detected but did not answer the agent. Check Docker service health on the host. |
| error | Docker status error and “The agent hit an unexpected Docker status check error.” | The status check failed unexpectedly. Review agent logs and host Docker health. |
Use this status first. If Docker is expected but CT-Ops reports permission denied or unreachable, the problem is collection access or Docker availability, not the state of individual containers.
Overview tab
The Overview tab is the main container inventory view. It lists present Docker containers in visible runtime states, shows image risk per row, and renders a metrics panel for the selected container.
The inventory is capped at 200 visible rows. CT-Ops shows present containers in
the Docker running or exited states, ordered by most recently seen and then
by name. Containers that are no longer present, or that are in hidden states,
can still appear in lifecycle history when events exist, but they are not part
of the current inventory table.
Use this tab when a service is unhealthy, a host is under pressure, or you need to identify which image and runtime state a container is using now.
| Control | What it does |
|---|---|
| Container count | Shows Loading containers… while the query runs, then the number of containers returned after filters and the 200-row cap. |
| Run image scan | Requests an immediate Docker image vulnerability scan for this host. The button is disabled when effective Docker image scanning is off for the instance or host, or while the request is being submitted. |
| Requesting… | Temporary button text while CT-Ops is saving the scan request. |
| Scan requested | Success confirmation shown for about three seconds after CT-Ops records the request timestamp. The agent processes the request on a later check-in; results are not guaranteed to appear instantly. |
| Scan request error | Shows the server error if the request fails, such as missing write access or a missing host. |
| Search name, image or ID | Filters by primary name, additional Docker names, image reference, Docker container ID, and reported network JSON. Input is trimmed server-side and capped at 256 characters. |
| State filter | Shows All states, Running, or Stopped. Stopped maps to Docker exited. |
| Image filter | Shows All images plus image references currently reported for present running or exited containers on the host. |
| Clear | Appears only when search, state, or image filters are active. It resets search to blank and both selectors to all. |
| Row click | Selects that container for the Container Metrics panel. The selected row is highlighted. |
The container inventory card can show these states:
| State | Meaning |
|---|---|
| Loading containers… | CT-Ops is querying the server action. |
| No containers match your filters | Docker data exists, but the current search, state, or image filters removed every row. |
| No containers reported | Docker is installed, but the agent has not reported current or recently seen containers. |
| No running or stopped containers | Container data exists, but no present running or exited rows are available for the inventory table. |
The container inventory table contains:
| Column | Meaning |
|---|---|
| Name | Primary container name, or the first Docker name, or the first 12 characters of the Docker container ID when no name is available. The smaller monospace line is always the short Docker container ID. |
| Image | Image reference reported by Docker. CT-Ops also shows a detected app icon when the image can be mapped to a known infrastructure application. A dash means no image was reported. |
| Exploit risk | Button that opens the Docker image scan dialog for the row’s image ID. It is disabled when the container has no image ID. |
| State | Runtime state badge. Running maps to Docker running; Stopped maps to exited; Dead, Restarting, and Paused map to their Docker states; Not present is used when lifecycle data represents a disappeared container; otherwise CT-Ops shows the raw state or Unknown. |
| CPU trend | A one-hour sparkline of 5-minute maximum CPU percentage buckets. A dashed line means no CPU trend samples are available. |
| Status | Docker status text such as Up 9 minutes or Exited. A dash means Docker did not report status text. |
| Last seen | Last time CT-Ops saw the container in Docker inventory, formatted with the instance display date setting. |
| Started | Docker start time when the agent reported one. A dash means Docker did not provide a source start time. |
| Restarts | Docker restart count. A dash means no restart count was reported. |
Image risk
The Exploit risk badge summarises the latest known scan evidence for the container image. Select the badge to open Docker Image Scan details for that image. Use it when a vulnerability report names an image, after pulling or rebuilding an image, or before deciding whether a running container can stay in service.
Image risk depends on Docker image scanning. Scheduled scanning, scanner mode, limits, and stale-alert thresholds are controlled globally in Docker container settings. A host can also disable image scanning from the host Management page. The Containers tab’s Run image scan button is available only when the effective host setting is enabled.
The risk badge is resolved in this order:
| Badge | How CT-Ops chooses it |
|---|---|
| Not scanned | No completed scan timestamp exists for the image. |
| Critical | The image has at least one known exploited open finding, a Grype risk score of at least 10, a maximum EPSS probability of at least 0.1, or highest open severity critical. |
| High | Grype risk score is at least 1, maximum EPSS probability is at least 0.01, or highest open severity is high. |
| Medium | Grype risk score is at least 0.1, maximum EPSS probability is at least 0.001, or highest open severity is medium. |
| Low | There are open findings but none of the higher thresholds match, or risk scoring produces a lower non-zero level. |
| Scanner status | If the latest scan status is neither success nor partial, CT-Ops shows the scan status text with underscores replaced by spaces. |
| Clean | The image has scan evidence and no open finding or non-success scanner status that raises a badge. |
The Docker Image Scan dialog shows:
| Field | Meaning |
|---|---|
| Image | Image reference from the latest scan when available, otherwise the image ID. |
| Open findings | Count of open vulnerability findings for the image. |
| Known exploited | Count of open findings marked as known exploited. Any value above zero makes the row Critical. |
| Grype risk | Highest Grype risk score among open findings. Values between 0 and 0.1 display as <0.1. A dash means no score was available. |
| Max EPSS | Highest EPSS probability among open findings, displayed as a percentage. Values between 0% and 0.1% display as <0.1%. |
| Highest severity | Highest open finding severity, or None when no severity is available. |
| Last scanned | Latest scan completion time. A dash means no scan completion has been recorded. |
| Syft | Syft scanner version recorded by the scan run, or a dash. |
| Grype | Grype scanner version recorded by the scan run, or a dash. |
Container metrics
The Container Metrics panel appears on the Overview tab when at least one inventory container is available. It charts the selected container’s recent resource samples.
CT-Ops chooses a default metrics container in this order:
- A present running container.
- Any present container.
- The first known container in the filtered inventory.
Selecting a table row or choosing a value from the container selector changes the chart target. The selector lists the same containers returned by the current inventory filters, so clearing filters may be necessary when the container you want is hidden.
| Control | What it does |
|---|---|
| Container selector | Chooses which Docker container ID drives the metrics panel. The option label is the primary container name when available, otherwise the short ID. |
| Last hour | Queries the last 1 hour with 1-minute buckets. This is the default range. |
| Last 6h | Queries the last 6 hours with 2-minute buckets. |
| Last 24h | Queries the last 24 hours with 10-minute buckets. |
| Last 7 days | Queries the last 168 hours with 1-hour buckets. |
Metric queries return up to 300 chart points. Network and block I/O charts use per-sample deltas, not cumulative counters. CT-Ops ignores negative deltas, such as counter resets after container restart, by treating them as empty samples.
Docker metric retention limits how far back data is available. The global default is 30 days, and each host can override it from the host Management page. See Docker container settings for the global retention control.
The summary row shows maximum values across the selected range:
| Summary value | Meaning |
|---|---|
| CPU max | Highest CPU percentage sample in the selected range. |
| Memory max | Highest memory percentage sample in the selected range. |
| Network RX max | Highest received network-byte delta in one chart bucket. |
| Block read max | Highest block-read byte delta in one chart bucket. |
| PIDs max | Highest process/thread count sample in the selected range. |
The charts are:
| Chart | Series | How to use it |
|---|---|---|
| CPU avg/max | CPU avg and CPU max percentage per bucket. | Find CPU spikes and compare sustained average load with short bursts. |
| Memory avg/max | Memory avg and Memory max percentage per bucket. | Spot memory growth, pressure, or brief peaks hidden by averages. |
| Network I/O per sample | RX avg, RX max, TX avg, and TX max byte deltas. | Confirm whether traffic changed during an incident or whether a container is silent when it should be active. |
| Block I/O per sample | Read avg, Read max, Write avg, and Write max byte deltas. | Identify containers causing storage reads or writes. |
| PIDs | PIDs avg and PIDs max. | Detect process/thread growth, runaway workers, or unexpectedly idle containers. |
If no samples exist for the selected container and range, CT-Ops shows No metrics reported. Wait for agent samples, choose another range, or check Docker metric collection on the host.
Network View tab
The Network View tab renders Docker network attachments as an interactive graph. Use it to understand runtime topology on the host, especially when a service issue may be caused by Docker networking rather than the host’s physical network.
The tab uses the same container query and filters as the Overview tab. If a search, state, or image filter is active, the graph only receives matching containers. Select Clear when expected network attachments are missing.
| Element or control | What it does |
|---|---|
| Network and attachment count | Shows how many Docker networks and container-network attachments are currently in the graph. |
| Network node | Represents one Docker network. It shows the network name and number of attached containers. |
| Container node | Represents one container attached to a network. It shows a running-state dot, detected app icon when available, container name, image, and the first reported IP address. |
| Edge | Connects a network node to a container node to show attachment. |
| Mini-map | Provides a small overview of the graph and can be panned or zoomed. |
| Drag node | Moves a node locally to make dense graphs easier to read. It does not change Docker configuration. |
| Zoom in | Increases graph zoom. |
| Zoom out | Decreases graph zoom. |
| Center display | Fits the graph back into the visible canvas. |
| Full screen | Opens the graph in a larger dialog. In the dialog, the same button exits full screen. |
The graph can show these empty states:
| State | Meaning |
|---|---|
| Loading container networks… | CT-Ops is querying container inventory. |
| No containers match your filters | The active filters removed every graph candidate. |
| No containers reported | Docker inventory has not reported containers yet. |
| No container networks reported | Containers exist, but no Docker network attachment data has been reported. |
Use this view during service discovery, post-deployment checks, and incident triage where a container cannot reach a peer service or expected network.
Lifecycle tab
The Lifecycle tab shows start, stop, restart, and disappearance events for one selected container. Use it to explain whether a deployment, crash loop, manual stop, host restart, or disappearing container lines up with an incident.
Lifecycle starts with no selected container. Choose a container from the selector before the table appears. CT-Ops returns up to 100 events, ordered by event time descending and then creation time descending.
| Control or state | What it does |
|---|---|
| Container selector | Chooses the container whose lifecycle events should be queried. Options use the primary name when available, otherwise the short container ID. |
| Select a container | Empty state shown before a container is selected. |
| Loading lifecycle events… | CT-Ops is querying events for the selected container. |
| No lifecycle events | No start, stop, restart, or disappeared events have been recorded for the selected container. |
The lifecycle table contains:
| Column | Meaning |
|---|---|
| Event | Started, Stopped, Restarted, or Disappeared. |
| Container | Container name and short Docker container ID. CT-Ops uses the current container row when it still exists, otherwise event-time data. |
| Image | Current image when the container row is present, otherwise the image recorded on the event. A dash means no image was recorded. |
| State | Current state for a present container, otherwise the event state. Disappeared events display as Not present. |
| Status | Current Docker status for a present container, otherwise the event status. |
| Restarts | Current restart count for a present container, otherwise the event restart count. |
| Time | Event occurrence time, formatted with the instance display date setting. |
Use lifecycle history alongside metrics. A CPU or network gap immediately after a Restarted or Disappeared event is often expected; the same gap without a lifecycle event may point to collection problems or a different host-level issue.
How container data helps infrastructure management
Container data connects host monitoring to application runtime. Operators can move from “the host is unhealthy” to “this container changed, consumed the resource, used this image, or lost this network attachment.”
In practice:
- Start with Docker runtime status to confirm CT-Ops can collect Docker data.
- Use Overview to find the container, image, state, status, and recent CPU trend.
- Open Exploit risk when the question is vulnerability exposure or image freshness.
- Use Container Metrics when the question is resource pressure or traffic.
- Use Network View when the question is connectivity or runtime topology.
- Use Lifecycle when the question is timing, restarts, or whether a deployment changed runtime state.