Containers are powerful tools for scaling and deploying your applications, but with so many components pulled from different sources, there’s a greater potential for issues within them to go undetected. As a result, you need to monitor every layer of your containerized environments for vulnerabilities and performance problems—from your application to your container images.
With the Container Images view in Datadog Container Monitoring, you get key insights into every image used in your environment, helping you quickly detect and remediate security and performance problems that can affect multiple containers. You can view container image details alongside the rest of your container data, making it easy to troubleshoot image issues affecting infrastructure health. Additionally, you can view vulnerabilities found in your images by Datadog Cloud Security Management (CSM) to help you streamline your security efforts.
In this post, we’ll explore how you can use the Container Images view to:
- Perform detailed investigations with context from Container Images
- Seamlessly pivot between container and image data
- Pinpoint and remediate security risks across your images
Because container images are often deployed as multiple containers, it’s easy for vulnerabilities within them to proliferate throughout your system. And by the time you detect these issues in your cloud environment, they’re often so widespread that it’s hard to trace their root cause back to the problematic image.
The Container Images view provides you with a centralized location for easily assessing the state of your container images and any issues within them. Each image is labeled with key characteristics such as age, size, and source. Additionally, every image comes with a count of the containers running it, enabling you to identify the most widely used container images in your cloud environment. To integrate this data into your workflows, you can even leverage out-of-the-box APIs for your containers and container images.
You can also quickly filter your list of container images based on relevant information gathered during troubleshooting. Datadog assigns each image a short name that enables you to quickly query them without needing to type the full image name every time. You can also filter your images based on characteristics of the containers running them, such as the relevant team or environment, to find images using a top-down approach.
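The filtering described above relies on telling apart the registry, repository, tag and digest of a full image reference and on a short name derived from it. The following added example (my own code, not Datadog's, and not how Datadog computes its short names) parses OCI/Docker-style references the way container runtimes do; the rule that the short name is the last path component of the repository, and the `docker.io`/`library`/`latest` defaults, are assumptions stated in the comments.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

DEFAULT_REGISTRY = "docker.io"  # assumed: registry implied when none is written
DEFAULT_TAG = "latest"          # assumed: tag implied when neither tag nor digest is written
_DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def short_name(self) -> str:
        # Assumption for this example: the short name is the final repository path component,
        # so "registry.example.com/team/app:1.2.3" is queried simply as "app".
        return self.repository.rsplit("/", 1)[-1]

    @property
    def canonical(self) -> str:
        # Fully qualified form, useful for deduplicating the same image pulled under different spellings
        ref = f"{self.registry}/{self.repository}"
        if self.tag:
            ref += f":{self.tag}"
        if self.digest:
            ref += f"@{self.digest}"
        return ref


def parse_image_ref(ref: str) -> ImageRef:
    """Split '[registry/][namespace/]repo[:tag][@sha256:digest]' into its parts."""
    ref = ref.strip()
    if not ref:
        raise ValueError("empty image reference")

    # 1. The digest, if present, always comes last after '@'.
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
        if not _DIGEST_RE.fullmatch(digest):
            raise ValueError(f"unsupported digest: {digest}")

    # 2. A tag is a ':' that appears after the last '/'; a ':' before it is a registry port.
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        ref, tag = ref[:colon], ref[colon + 1:]

    # 3. The first path component is a registry only if it looks like a host
    #    (contains '.' or ':' or is 'localhost'); otherwise the default registry applies.
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, parts[1:]
    else:
        registry, path = DEFAULT_REGISTRY, parts

    # 4. Single-component names on the default registry live under the 'library' namespace.
    if registry == DEFAULT_REGISTRY and len(path) == 1:
        path = ["library"] + path

    if tag is None and digest is None:
        tag = DEFAULT_TAG
    return ImageRef(registry, "/".join(path), tag, digest)


def find_by_short_name(refs: Iterable[str], short_name: str) -> List[str]:
    """Return the canonical references whose short name matches, i.e. the query the view lets you type."""
    return [p.canonical for p in map(parse_image_ref, refs) if p.short_name == short_name]


if __name__ == "__main__":
    # Constructed sample inventory, not real data
    inventory = [
        "nginx",
        "registry.example.com:5000/team/app:1.2.3",
        "ghcr.io/org/app@sha256:" + "ab" * 32,
        "localhost/myapp:dev",
    ]
    for full in find_by_short_name(inventory, "app"):
        print(full)
```

A reference with only a digest keeps `tag` as `None`, which matters when you later try to decide whether two images are the same build: two references with the same repository and digest are the same bytes, while the same tag can point at different digests over time.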
The Container Images view is integrated with the rest of Datadog Container Monitoring, so you can quickly switch between features for fast troubleshooting. For example, let’s say you receive an alert that multiple containers are using an abnormally high amount of memory. You view the panel for one of the affected containers in the Containers view. This panel includes resource metrics for all currently running processes, one of which is displaying increased memory consumption. This panel also shows you the image that this container is derived from as well as high-level information about the image, including the number of containers running it and the count of critical security vulnerabilities detected within it.
By clicking on the image details, you can quickly pivot to the Container Images view. From here, you see that all the containers identified in the alert are indeed running this image, suggesting that this is where the problem originates. This panel also enables you to determine how widespread the issue is by providing a list of all derived containers. After implementing a fix and redeploying your containers, you can then check the memory metrics in the side panel for the new container image to confirm that the problem is resolved.
Using off-the-shelf container images is a common strategy for streamlining the container build process, enabling you to create workload-specific containers with minimal effort. Even when sourcing images from a reputable organization, however, using prebuilt images increases your attack surface by introducing new, potentially vulnerable third-party components. As with performance issues, vulnerabilities in your images can quickly multiply throughout your system via derived containers, creating convenient attack routes for malicious actors.
To help you identify potential security weaknesses, the Container Images view lists any vulnerabilities detected within your images by CSM Vulnerability Management. This vulnerability detection is provided by the lightweight Datadog Agent running on your hosts, eliminating the need for any additional installation. The total number of vulnerabilities is included for each image, so you can sort your images by how many security issues each one has. Alternatively, you can sort your images by the number of containers running them to prioritize image deployments with larger footprints.
Let’s say you notice a high number of vulnerabilities on one of your images and decide to investigate further. By clicking on an image, you can access a list of vulnerabilities sorted by severity, as well as a total for how many containers are affected by these vulnerabilities. Then, by clicking on a vulnerability, you can view additional details about the type of risk and any suggested next steps, such as patched versions you can upgrade to.
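The two sort orders above (most vulnerabilities first, or largest footprint first) answer different questions, and the per-vulnerability "containers affected" total combines them. The following added example (my own code, not Datadog's, and not the shape of any Datadog API response) runs that prioritization over a constructed inventory: it ranks images by vulnerability count, by running containers, or by an assumed exposure score (severity-weighted vulnerabilities times running containers), computes how many containers each vulnerability reaches across all images that carry it, and lists the fixed versions to upgrade to. Vulnerability identifiers such as `VULN-0001` and the severity weights are placeholders invented for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed weights for turning a severity list into a single number; tune to your own policy.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass
class Vulnerability:
    id: str
    severity: str
    fixed_in: Optional[str] = None  # version of the affected package that remediates it, if known


@dataclass
class ImageRecord:
    name: str                       # full image reference
    containers: int                 # containers currently running this image
    vulnerabilities: List[Vulnerability] = field(default_factory=list)

    def severity_counts(self) -> Counter:
        return Counter(v.severity for v in self.vulnerabilities)

    def exposure_score(self) -> int:
        # Blast radius: weighted vulnerability score multiplied by the running footprint,
        # so one critical finding in an image with 40 containers outranks many in one with 6.
        weight = sum(SEVERITY_WEIGHT.get(v.severity, 0) for v in self.vulnerabilities)
        return weight * self.containers


def rank_images(images: List[ImageRecord], by: str = "exposure") -> List[ImageRecord]:
    """Sort images the way the view does: by vulnerability count, by container count, or by exposure."""
    keys = {
        "vulnerabilities": lambda img: len(img.vulnerabilities),
        "containers": lambda img: img.containers,
        "exposure": lambda img: img.exposure_score(),
    }
    return sorted(images, key=keys[by], reverse=True)


def containers_affected_by(images: List[ImageRecord]) -> Dict[str, int]:
    """For each vulnerability ID, the number of running containers whose image carries it."""
    affected: Dict[str, int] = defaultdict(int)
    for img in images:
        for vid in {v.id for v in img.vulnerabilities}:  # count each ID once per image
            affected[vid] += img.containers
    return dict(affected)


def remediation_targets(image: ImageRecord) -> Dict[str, Optional[str]]:
    """Map each vulnerability in an image to the version that fixes it (None when no fix is known)."""
    return {v.id: v.fixed_in for v in image.vulnerabilities}


# Constructed sample inventory; the image names, counts and IDs are not real data.
SAMPLE_INVENTORY = [
    ImageRecord("registry.example.com/team/api:2.4.1", containers=40, vulnerabilities=[
        Vulnerability("VULN-0001", "critical", fixed_in="2.4.2"),
        Vulnerability("VULN-0002", "low"),
    ]),
    ImageRecord("registry.example.com/team/worker:1.9.0", containers=6, vulnerabilities=[
        Vulnerability("VULN-0001", "critical", fixed_in="1.9.1"),
        Vulnerability("VULN-0003", "high"),
        Vulnerability("VULN-0004", "high"),
        Vulnerability("VULN-0005", "medium"),
    ]),
    ImageRecord("docker.io/library/nginx:1.25", containers=120),
]

if __name__ == "__main__":
    for order in ("vulnerabilities", "containers", "exposure"):
        print(f"by {order}:")
        for img in rank_images(SAMPLE_INVENTORY, by=order):
            counts = dict(img.severity_counts())
            print(f"  {img.name:45} containers={img.containers:4} "
                  f"vulns={len(img.vulnerabilities)} score={img.exposure_score()} {counts}")
    print("containers affected per vulnerability:", containers_affected_by(SAMPLE_INVENTORY))
    print("fixes for top image:", remediation_targets(rank_images(SAMPLE_INVENTORY)[0]))
```

Sorting by raw vulnerability count puts the worker image first, while the exposure ranking puts the api image first because its single critical finding runs in 40 containers; the per-vulnerability total shows that fixing `VULN-0001` alone, which both images share, would remediate 46 running containers.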
With the Container Images view in Datadog Container Monitoring, you can visualize critical resource details for all your images, helping you easily assess the state of your container ecosystem and quickly troubleshoot issues. Additionally, you can view any vulnerabilities detected in your images by Datadog CSM—this enables you to patch security risks across multiple containers before they can be exploited.
The Container Images view is available to all Datadog Container Monitoring users. You can use our documentation to get started with Container Monitoring. Or, if you aren’t already a Datadog user, you can sign up for a 14-day free trial.