Container Monitoring
Monitor Docker, Podman, and Kubernetes containers with Netwarden's comprehensive container monitoring capabilities
Netwarden provides comprehensive container monitoring for Docker, Podman, and Kubernetes environments, giving you deep visibility into your containerized applications.
Overview
Container monitoring is automatically enabled when the agent detects a container runtime. The agent collects metrics about container resource usage, health status, and lifecycle events without requiring any configuration changes to your containers.
Supported Container Runtimes
Docker
- Auto-detection: Checks for /var/run/docker.sock
- Metrics Collection: Every 60 seconds
- Docker Compose Support: Yes, with service grouping
- Swarm Mode: Supported with service-level metrics
Podman
- Auto-detection: Checks for /run/podman/podman.sock
- Rootless Support: Yes, with user socket detection
- Pod Metrics: Aggregated pod-level statistics
- Compatibility: Full Docker API compatibility
Kubernetes/Containerd
- Auto-detection: Checks for /run/containerd/containerd.sock
- CRI Support: Full Container Runtime Interface support
- Namespace Aware: Metrics grouped by namespace
- Pod & Container Metrics: Both levels supported
Configuration
Enable container monitoring in /etc/netwarden/netwarden.conf:
```ini
# Enable container monitoring (default: true)
enable_containers = true

# Container runtime: auto, docker, podman, containerd
container_runtime = "auto"

# Custom socket path (optional)
# container_socket = "/var/run/docker.sock"

# Stats collection interval
container_stats_interval = "60s"

# Include specific containers (regex patterns)
# container_include = ["prod-*", "api-*"]

# Exclude specific containers (regex patterns)
# container_exclude = ["test-*", "dev-*"]
```
Metrics Collected
Resource Metrics
- CPU Usage: Usage percentage, throttled periods, system/user time
- Memory: Usage, limit, cache, RSS, working set
- Disk I/O: Read/write bytes, operations per second
- Network: Bytes sent/received, packets, errors, dropped
Container Information
- Status: Running, stopped, paused, restarting
- Health: Healthy, unhealthy, starting (if health check configured)
- Restart Count: Number of container restarts
- Uptime: Container running duration
Docker-Specific Metrics
```bash
# Example metrics for a Docker container
container.cpu.usage.percent: 45.2%
container.memory.usage.mb: 512
container.memory.limit.mb: 1024
container.network.rx.bytes: 125431234
container.network.tx.bytes: 98234123
container.disk.read.bytes: 5242880
container.disk.write.bytes: 10485760
container.status: running
container.health: healthy
```
Kubernetes Integration
For Kubernetes environments, deploy the agent as a DaemonSet:
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: netwarden
  namespace: netwarden
spec:
  selector:
    matchLabels:
      name: netwarden
  template:
    metadata:
      labels:
        name: netwarden
    spec:
      serviceAccountName: netwarden
      hostNetwork: true
      hostPID: true
      containers:
        - name: netwarden
          image: netwarden/agent:latest
          env:
            - name: NETWARDEN_TENANT_ID
              valueFrom:
                secretKeyRef:
                  name: netwarden-config
                  key: tenant-id
            - name: NETWARDEN_API_KEY
              valueFrom:
                secretKeyRef:
                  name: netwarden-config
                  key: api-key
            - name: NETWARDEN_ENABLE_CONTAINERS
              value: "true"
            - name: NETWARDEN_CONTAINER_RUNTIME
              value: "containerd"
          volumeMounts:
            - name: containerd-sock
              mountPath: /run/containerd/containerd.sock
            - name: proc
              mountPath: /host/proc
              readOnly: true
            - name: sys
              mountPath: /host/sys
              readOnly: true
          securityContext:
            privileged: true
      volumes:
        - name: containerd-sock
          hostPath:
            path: /run/containerd/containerd.sock
        - name: proc
          hostPath:
            path: /proc
        - name: sys
          hostPath:
            path: /sys
```
Container Labels and Tags
Use container labels to enhance monitoring:
```dockerfile
# In your Dockerfile
LABEL netwarden.monitor="true"
LABEL netwarden.service="api"
LABEL netwarden.environment="production"
LABEL netwarden.team="backend"
```
Or in docker-compose.yml:
```yaml
services:
  api:
    image: myapp:latest
    labels:
      netwarden.monitor: "true"
      netwarden.service: "api"
      netwarden.environment: "production"
      netwarden.alert.cpu: "80"     # Alert if CPU > 80%
      netwarden.alert.memory: "90"  # Alert if memory > 90%
```
Container Dashboards
Container Overview Dashboard
View all containers across your infrastructure:
- Container count by status
- Top containers by CPU usage
- Top containers by memory usage
- Container restart frequency
- Network traffic by container
Individual Container View
Detailed metrics for each container:
- Real-time resource usage graphs
- Container logs integration
- Environment variables
- Mounted volumes
- Network connections
- Process list inside container
Alerting on Container Metrics
Create alerts for container issues:
```ini
# Alert Examples

# High CPU usage
Alert: Container CPU High
Metric: container.cpu.usage.percent
Container: api-*
Threshold: > 80%
Duration: 5 minutes

# Memory limit approaching
Alert: Container Memory Pressure
Metric: container.memory.usage.percent
Container: *
Threshold: > 90%
Duration: 2 minutes

# Container restarting
Alert: Container Restart Loop
Metric: container.restart.count
Container: *
Threshold: > 3
Duration: 10 minutes

# Container unhealthy
Alert: Container Health Check Failed
Metric: container.health.status
Container: *
Value: unhealthy
Duration: 1 minute
```
Docker Compose Monitoring
For Docker Compose applications, the agent automatically groups containers by project:
```bash
# Containers grouped by compose project
Project: myapp
  - myapp_web_1 (running)
  - myapp_api_1 (running)
  - myapp_db_1 (running)
  - myapp_redis_1 (running)

# Aggregated metrics per project
myapp.cpu.usage.total: 125%
myapp.memory.usage.total: 2048 MB
myapp.containers.running: 4
myapp.containers.total: 4
```
Performance Optimization
Reduce Collection Overhead
```ini
# Increase collection interval for less critical environments
container_stats_interval = "120s"

# Exclude development containers
container_exclude = ["dev-*", "test-*", "tmp-*"]

# Only monitor specific containers
container_include = ["prod-*"]
```
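The configuration comments call container_include and container_exclude "regex patterns", while the values shown (`prod-*`, `dev-*`) look like shell globs, and the two readings select different containers. The following Python comparison is an added example, not Netwarden code: the page does not say how the agent anchors or interprets patterns, so the three modes are assumptions for comparison, and the container names are constructed.

```python
import fnmatch
import re

# Constructed container names; EXCLUDE is the exclude list from this page.
NAMES = ["prod-api", "dev-cache", "test-runner", "latest-api", "contest-db", "tmp-build"]
EXCLUDE = ["dev-*", "test-*", "tmp-*"]

# Three plausible interpretations of one pattern string (assumed, not documented).
MATCHERS = {
    "glob": lambda pattern, name: fnmatch.fnmatchcase(name, pattern),
    "regex-search": lambda pattern, name: re.search(pattern, name) is not None,
    "regex-full": lambda pattern, name: re.fullmatch(pattern, name) is not None,
}


def excluded(names, patterns, mode):
    """Return the names that any pattern matches under the given interpretation."""
    match = MATCHERS[mode]
    return [n for n in names if any(match(p, n) for p in patterns)]


def coverage_report(names, patterns):
    """Map each interpretation to the containers that would drop out of monitoring."""
    return {mode: excluded(names, patterns, mode) for mode in MATCHERS}


if __name__ == "__main__":
    for mode, dropped in coverage_report(NAMES, EXCLUDE).items():
        print(f"{mode:<13} excludes {dropped}")
```

As an unanchored regex, `test-*` means "test" followed by zero or more hyphens, so it also drops `latest-api` and `contest-db`; as a full-match regex the same list excludes nothing, and `container_include = ["prod-*"]` would select nothing. Confirm which containers the agent actually reports after changing these settings.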
Container Runtime Optimization
```ini
# Skip auto-detection if you know your runtime
container_runtime = "docker"  # Skip detection, use Docker directly

# Use specific socket path
container_socket = "/var/run/docker.sock"
```
Troubleshooting
No Containers Detected
- Check runtime socket exists:
```bash
ls -la /var/run/docker.sock
ls -la /run/containerd/containerd.sock
```
- Verify agent has permissions:
```bash
# Add agent user to docker group
sudo usermod -aG docker netwarden

# Restart agent
sudo systemctl restart netwarden
```
- Check logs for errors:
```bash
sudo journalctl -u netwarden -n 50 | grep container
```
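The socket and permission checks above can be run in one pass, which also shows who else can reach the runtime API: membership of the docker group gives full access to the Docker API, which is equivalent to root on the host, so the group and mode of each socket matter. The following Python script is an added example, not part of the Netwarden agent; it uses the three socket paths listed on this page and ignores ACLs and parent-directory permissions.

```python
import os
import stat

# Socket paths this page lists for runtime auto-detection.
RUNTIME_SOCKETS = {
    "docker": "/var/run/docker.sock",
    "podman": "/run/podman/podman.sock",
    "containerd": "/run/containerd/containerd.sock",
}


def inspect_socket(path):
    """Report whether path is a Unix socket and which permission bits it has."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "state": "missing"}
    except PermissionError:
        return {"path": path, "state": "unreadable"}
    if not stat.S_ISSOCK(st.st_mode):
        return {"path": path, "state": "not-a-socket"}
    return {"path": path, "state": "ok", "uid": st.st_uid,
            "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode)}


def can_connect(info, uid, gids):
    """Apply the owner/group/other write check that connect() is subject to."""
    if info["state"] != "ok":
        return False
    if uid == 0:
        return True  # root bypasses the mode bits
    if uid == info["uid"]:
        return bool(info["mode"] & stat.S_IWUSR)
    if info["gid"] in gids:
        return bool(info["mode"] & stat.S_IWGRP)
    return bool(info["mode"] & stat.S_IWOTH)


if __name__ == "__main__":
    me, groups = os.getuid(), os.getgroups()
    for runtime, path in RUNTIME_SOCKETS.items():
        info = inspect_socket(path)
        line = f"{runtime:<11}{info['state']}"
        if info["state"] == "ok":
            line += f" mode={info['mode']:o} connect={can_connect(info, me, groups)}"
            if info["mode"] & stat.S_IWOTH:
                line += " WORLD-WRITABLE"
        print(line)
```

Run it as the agent's user (for example with `sudo -u netwarden`) to see the result the agent would get; a socket flagged WORLD-WRITABLE exposes the runtime API to every local account.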
Missing Container Metrics
- Verify container runtime API is accessible:
```bash
# Docker
docker version

# Podman
podman version

# Containerd
ctr version
```
- Check container is not paused:
```bash
docker ps -a | grep container_name
```
- Ensure health checks are configured:
```dockerfile
HEALTHCHECK --interval=30s --timeout=3s \
  CMD curl -f http://localhost/health || exit 1
```
Best Practices
- Use Container Labels: Add metadata labels for better organization
- Configure Health Checks: Enable health checks in your containers
- Set Resource Limits: Define memory and CPU limits
- Monitor Log Volume: Watch for containers with excessive logging
- Track Image Sizes: Monitor image size growth over time
- Review Restart Policies: Ensure appropriate restart policies
Security Considerations
- Agent only needs read-only access to container runtime socket
- No changes to container configuration required
- Sensitive environment variables are not collected
- Container filesystem access is not required