container_remove

NAME

container_remove - a container is terminated

DESCRIPTION

Triggered when an existing container is terminated. This derived event monitors container lifecycle by tracking cgroup directory removal and examining metadata to identify container termination events.

The event leverages the cgroup_rmdir event and examines metadata within cgroupfs subdirectories to determine if a directory's removal correlates with a container's termination, capturing vital information about the terminated container.

EVENT SETS

none

DATA FIELDS

runtime (string) : The container runtime used (e.g., Docker, containerd)

container_id (string) : The unique identifier of the terminated container

DEPENDENCIES

Source Events:

  • cgroup_rmdir (required): Primary event from which container_remove is derived

Derivation Logic:

The event is derived from cgroup_rmdir by assessing whether the cgroup event pertains to the root directory of a terminating container, then using the cgroup_id from the directory inode to gather container-specific information.
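The derivation described above can be modelled in a few lines of Go; this is an added illustration, not Tracee's own code. Assumptions: the `Tracker` type and its methods are hypothetical, the systemd-style directory names (`docker-<id>.scope` and similar), the lowercase runtime strings and the bookkeeping on cgroup creation are assumed for the example, and the cgroup IDs and container ID are constructed.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Container mirrors the two data fields of container_remove.
type Container struct{ Runtime, ContainerID string }

// Assumed systemd-style directory names: <prefix>-<64 hex chars>.scope
var rootDir = regexp.MustCompile(`^(docker|cri-containerd|crio|libpod)-([0-9a-f]{64})\.scope$`)
var runtimes = map[string]string{"docker": "docker", "cri-containerd": "containerd", "crio": "crio", "libpod": "podman"}

// containerRoot matches only when the final path component is the container's
// own directory, so cgroups nested inside a container are ignored.
func containerRoot(cgroupPath string) (Container, bool) {
	m := rootDir.FindStringSubmatch(path.Base(cgroupPath))
	if m == nil {
		return Container{}, false
	}
	return Container{runtimes[m[1]], m[2]}, true
}

// Tracker (hypothetical) maps cgroup ID, the directory inode number, to container info.
type Tracker struct{ byID map[uint64]Container }

func NewTracker() *Tracker { return &Tracker{byID: map[uint64]Container{}} }

// OnMkdir records a cgroup only if it is a container root directory.
func (t *Tracker) OnMkdir(cgroupID uint64, cgroupPath string) {
	if c, ok := containerRoot(cgroupPath); ok {
		t.byID[cgroupID] = c
	}
}

// OnRmdir derives container_remove: ok is true once per tracked container root.
func (t *Tracker) OnRmdir(cgroupID uint64) (Container, bool) {
	c, ok := t.byID[cgroupID]
	delete(t.byID, cgroupID)
	return c, ok
}

func main() {
	id := strings.Repeat("ab", 32) // constructed 64-char container ID
	t := NewTracker()
	t.OnMkdir(100, "/system.slice/docker-"+id+".scope")
	t.OnMkdir(101, "/system.slice/docker-"+id+".scope/init.scope") // nested, not a root
	for _, cg := range []uint64{101, 100, 100} {
		c, ok := t.OnRmdir(cg)
		fmt.Println(cg, ok, c.Runtime, c.ContainerID)
	}
}
```

Removing the nested cgroup (ID 101) yields nothing, removing the container root (ID 100) yields one event, and a repeated removal of the same ID is ignored.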

USE CASES

  • Security monitoring: Detect unexpected or unauthorized container terminations

  • Resource management: Track container cleanup and resource reclamation

  • System reliability: Monitor container lifecycle for operational stability

  • Compliance auditing: Ensure proper container termination procedures

  • Incident response: Investigate container termination patterns

RELATED EVENTS

  • cgroup_rmdir: Primary source event for container termination detection

  • container_create: Container creation events

  • existing_container: Events for already running containers