CT-Ops

Host Containers

How to use CT-Ops container inventory, image risk, metrics, network graph, and lifecycle views.

The Containers area appears on a host detail page when CT-Ops has Docker runtime data for that host. Use it to answer four operator questions:

  • What containers are currently present and what images are they running?
  • Which container images have known vulnerability or exploit risk?
  • Which container is consuming CPU, memory, network I/O, block I/O, or process count?
  • How are containers attached to Docker networks, and when did a container start, stop, restart, or disappear?

The page is read-oriented except for image scan requests. Most controls filter or focus data already collected by the agent. Run image scan asks the agent and scanner pipeline to refresh Docker image vulnerability data.

Global Docker settings affect this page. The Docker metric retention period controls how long chart samples can be queried, and Docker image scanning settings control whether the scan action is enabled and how scheduled image scans run. See Docker container settings for the instance-level defaults.

Docker runtime status

Before showing container data, CT-Ops checks the host’s Docker runtime status. If the status is anything other than installed, the Containers area shows an empty-state explanation instead of the tabs.

StatusWhat the operator seesMeaning and next action
installedThe Containers tabs and controls are available.Docker was detected and the agent can read container inventory. Continue with inventory, risk, metrics, network, or lifecycle investigation.
unknownDocker status unknown and “No Docker runtime status has been reported for this host yet.”The host has not reported Docker status. Wait for a newer agent heartbeat or confirm the agent version and connectivity.
not_installedDocker not installed and “Docker Engine is not installed or was not found on this host.”Docker is not expected on this host, or the agent could not find it. Do not treat missing containers as a runtime incident until Docker installation is confirmed.
permission_deniedPermission denied and “The agent found Docker but cannot read container inventory.”The agent can see Docker but lacks permission to inspect it. Fix socket or group access before relying on container data.
unreachableDocker unreachable and “Docker was detected but did not respond to the agent.”Docker was detected but did not answer the agent. Check Docker service health on the host.
errorDocker status error and “The agent hit an unexpected Docker status check error.”The status check failed unexpectedly. Review agent logs and host Docker health.

Use this status first. If Docker is expected but CT-Ops reports permission denied or unreachable, the problem is collection access or Docker availability, not the state of individual containers.

Overview tab

The Overview tab is the main container inventory view. It lists present Docker containers in visible runtime states, shows image risk per row, and renders a metrics panel for the selected container.

The inventory is capped at 200 visible rows. CT-Ops shows present containers in the Docker running or exited states, ordered by most recently seen and then by name. Containers that are no longer present, or that are in hidden states, can still appear in lifecycle history when events exist, but they are not part of the current inventory table.

Use this tab when a service is unhealthy, a host is under pressure, or you need to identify which image and runtime state a container is using now.

ControlWhat it does
Container countShows Loading containers… while the query runs, then the number of containers returned after filters and the 200-row cap.
Run image scanRequests an immediate Docker image vulnerability scan for this host. The button is disabled when effective Docker image scanning is off for the instance or host, or while the request is being submitted.
Requesting…Temporary button text while CT-Ops is saving the scan request.
Scan requestedSuccess confirmation shown for about three seconds after CT-Ops records the request timestamp. The agent processes the request on a later check-in; results are not guaranteed to appear instantly.
Scan request errorShows the server error if the request fails, such as missing write access or a missing host.
Search name, image or IDFilters by primary name, additional Docker names, image reference, Docker container ID, and reported network JSON. Input is trimmed server-side and capped at 256 characters.
State filterShows All states, Running, or Stopped. Stopped maps to Docker exited.
Image filterShows All images plus image references currently reported for present running or exited containers on the host.
ClearAppears only when search, state, or image filters are active. It resets search to blank and both selectors to all.
Row clickSelects that container for the Container Metrics panel. The selected row is highlighted.

The container inventory card can show these states:

StateMeaning
Loading containers…CT-Ops is querying the server action.
No containers match your filtersDocker data exists, but the current search, state, or image filters removed every row.
No containers reportedDocker is installed, but the agent has not reported current or recently seen containers.
No running or stopped containersContainer data exists, but no present running or exited rows are available for the inventory table.

The container inventory table contains:

ColumnMeaning
NamePrimary container name, or the first Docker name, or the first 12 characters of the Docker container ID when no name is available. The smaller monospace line is always the short Docker container ID.
ImageImage reference reported by Docker. CT-Ops also shows a detected app icon when the image can be mapped to a known infrastructure application. A dash means no image was reported.
Exploit riskButton that opens the Docker image scan dialog for the row’s image ID. It is disabled when the container has no image ID.
StateRuntime state badge. Running maps to Docker running; Stopped maps to exited; Dead, Restarting, and Paused map to their Docker states; Not present is used when lifecycle data represents a disappeared container; otherwise CT-Ops shows the raw state or Unknown.
CPU trendA one-hour sparkline of 5-minute maximum CPU percentage buckets. A dashed line means no CPU trend samples are available.
StatusDocker status text such as Up 9 minutes or Exited. A dash means Docker did not report status text.
Last seenLast time CT-Ops saw the container in Docker inventory, formatted with the instance display date setting.
StartedDocker start time when the agent reported one. A dash means Docker did not provide a source start time.
RestartsDocker restart count. A dash means no restart count was reported.

Image risk

The Exploit risk badge summarises the latest known scan evidence for the container image. Select the badge to open Docker Image Scan details for that image. Use it when a vulnerability report names an image, after pulling or rebuilding an image, or before deciding whether a running container can stay in service.

Image risk depends on Docker image scanning. Scheduled scanning, scanner mode, limits, and stale-alert thresholds are controlled globally in Docker container settings. A host can also disable image scanning from the host Management page. The Containers tab’s Run image scan button is available only when the effective host setting is enabled.

The risk badge is resolved in this order:

BadgeHow CT-Ops chooses it
Not scannedNo completed scan timestamp exists for the image.
CriticalThe image has at least one known exploited open finding, a Grype risk score of at least 10, a maximum EPSS probability of at least 0.1, or highest open severity critical.
HighGrype risk score is at least 1, maximum EPSS probability is at least 0.01, or highest open severity is high.
MediumGrype risk score is at least 0.1, maximum EPSS probability is at least 0.001, or highest open severity is medium.
LowThere are open findings but none of the higher thresholds match, or risk scoring produces a lower non-zero level.
Scanner statusIf the latest scan status is neither success nor partial, CT-Ops shows the scan status text with underscores replaced by spaces.
CleanThe image has scan evidence and no open finding or non-success scanner status that raises a badge.

The Docker Image Scan dialog shows:

FieldMeaning
ImageImage reference from the latest scan when available, otherwise the image ID.
Open findingsCount of open vulnerability findings for the image.
Known exploitedCount of open findings marked as known exploited. Any value above zero makes the row Critical.
Grype riskHighest Grype risk score among open findings. Values between 0 and 0.1 display as <0.1. A dash means no score was available.
Max EPSSHighest EPSS probability among open findings, displayed as a percentage. Values between 0% and 0.1% display as <0.1%.
Highest severityHighest open finding severity, or None when no severity is available.
Last scannedLatest scan completion time. A dash means no scan completion has been recorded.
SyftSyft scanner version recorded by the scan run, or a dash.
GrypeGrype scanner version recorded by the scan run, or a dash.

Container metrics

The Container Metrics panel appears on the Overview tab when at least one inventory container is available. It charts the selected container’s recent resource samples.

CT-Ops chooses a default metrics container in this order:

  1. A present running container.
  2. Any present container.
  3. The first known container in the filtered inventory.

Selecting a table row or choosing a value from the container selector changes the chart target. The selector lists the same containers returned by the current inventory filters, so clearing filters may be necessary when the container you want is hidden.

ControlWhat it does
Container selectorChooses which Docker container ID drives the metrics panel. The option label is the primary container name when available, otherwise the short ID.
Last hourQueries the last 1 hour with 1-minute buckets. This is the default range.
Last 6hQueries the last 6 hours with 2-minute buckets.
Last 24hQueries the last 24 hours with 10-minute buckets.
Last 7 daysQueries the last 168 hours with 1-hour buckets.

Metric queries return up to 300 chart points. Network and block I/O charts use per-sample deltas, not cumulative counters. CT-Ops ignores negative deltas, such as counter resets after container restart, by treating them as empty samples.

Docker metric retention limits how far back data is available. The global default is 30 days, and each host can override it from the host Management page. See Docker container settings for the global retention control.

The summary row shows maximum values across the selected range:

Summary valueMeaning
CPU maxHighest CPU percentage sample in the selected range.
Memory maxHighest memory percentage sample in the selected range.
Network RX maxHighest received network-byte delta in one chart bucket.
Block read maxHighest block-read byte delta in one chart bucket.
PIDs maxHighest process/thread count sample in the selected range.

The charts are:

ChartSeriesHow to use it
CPU avg/maxCPU avg and CPU max percentage per bucket.Find CPU spikes and compare sustained average load with short bursts.
Memory avg/maxMemory avg and Memory max percentage per bucket.Spot memory growth, pressure, or brief peaks hidden by averages.
Network I/O per sampleRX avg, RX max, TX avg, and TX max byte deltas.Confirm whether traffic changed during an incident or whether a container is silent when it should be active.
Block I/O per sampleRead avg, Read max, Write avg, and Write max byte deltas.Identify containers causing storage reads or writes.
PIDsPIDs avg and PIDs max.Detect process/thread growth, runaway workers, or unexpectedly idle containers.

If no samples exist for the selected container and range, CT-Ops shows No metrics reported. Wait for agent samples, choose another range, or check Docker metric collection on the host.

Network View tab

The Network View tab renders Docker network attachments as an interactive graph. Use it to understand runtime topology on the host, especially when a service issue may be caused by Docker networking rather than the host’s physical network.

The tab uses the same container query and filters as the Overview tab. If a search, state, or image filter is active, the graph only receives matching containers. Select Clear when expected network attachments are missing.

Element or controlWhat it does
Network and attachment countShows how many Docker networks and container-network attachments are currently in the graph.
Network nodeRepresents one Docker network. It shows the network name and number of attached containers.
Container nodeRepresents one container attached to a network. It shows a running-state dot, detected app icon when available, container name, image, and the first reported IP address.
EdgeConnects a network node to a container node to show attachment.
Mini-mapProvides a small overview of the graph and can be panned or zoomed.
Drag nodeMoves a node locally to make dense graphs easier to read. It does not change Docker configuration.
Zoom inIncreases graph zoom.
Zoom outDecreases graph zoom.
Center displayFits the graph back into the visible canvas.
Full screenOpens the graph in a larger dialog. In the dialog, the same button exits full screen.

The graph can show these empty states:

StateMeaning
Loading container networks…CT-Ops is querying container inventory.
No containers match your filtersThe active filters removed every graph candidate.
No containers reportedDocker inventory has not reported containers yet.
No container networks reportedContainers exist, but no Docker network attachment data has been reported.

Use this view during service discovery, post-deployment checks, and incident triage where a container cannot reach a peer service or expected network.

Lifecycle tab

The Lifecycle tab shows start, stop, restart, and disappearance events for one selected container. Use it to explain whether a deployment, crash loop, manual stop, host restart, or disappearing container lines up with an incident.

Lifecycle starts with no selected container. Choose a container from the selector before the table appears. CT-Ops returns up to 100 events, ordered by event time descending and then creation time descending.

Control or stateWhat it does
Container selectorChooses the container whose lifecycle events should be queried. Options use the primary name when available, otherwise the short container ID.
Select a containerEmpty state shown before a container is selected.
Loading lifecycle events…CT-Ops is querying events for the selected container.
No lifecycle eventsNo start, stop, restart, or disappeared events have been recorded for the selected container.

The lifecycle table contains:

ColumnMeaning
EventStarted, Stopped, Restarted, or Disappeared.
ContainerContainer name and short Docker container ID. CT-Ops uses the current container row when it still exists, otherwise event-time data.
ImageCurrent image when the container row is present, otherwise the image recorded on the event. A dash means no image was recorded.
StateCurrent state for a present container, otherwise the event state. Disappeared events display as Not present.
StatusCurrent Docker status for a present container, otherwise the event status.
RestartsCurrent restart count for a present container, otherwise the event restart count.
TimeEvent occurrence time, formatted with the instance display date setting.

Use lifecycle history alongside metrics. A CPU or network gap immediately after a Restarted or Disappeared event is often expected; the same gap without a lifecycle event may point to collection problems or a different host-level issue.

How container data helps infrastructure management

Container data connects host monitoring to application runtime. Operators can move from “the host is unhealthy” to “this container changed, consumed the resource, used this image, or lost this network attachment.”

In practice:

  • Start with Docker runtime status to confirm CT-Ops can collect Docker data.
  • Use Overview to find the container, image, state, status, and recent CPU trend.
  • Open Exploit risk when the question is vulnerability exposure or image freshness.
  • Use Container Metrics when the question is resource pressure or traffic.
  • Use Network View when the question is connectivity or runtime topology.
  • Use Lifecycle when the question is timing, restarts, or whether a deployment changed runtime state.