99 problems but container configs ain’t one? Report suggests otherwise

Security tooling company Sysdig has looked into the way its users work with containers on-prem and in the cloud. Its findings are now available in the 2019 container usage report, providing insight into current patterns and issues.

The data processed for the write-up comes from over two million containers deployed by “companies around the world and across a broad range of industries” that are monitored by either Sysdig’s SaaS or on-premises offerings. While this might sound both oddly specific and pretty vague at the same time, prompting readers to take the results with a grain of salt, Sysdig’s observations can at least give a rough understanding of common problems, and an idea of where things are heading in more security-aware environments.

When it comes to the container runtimes used, Sysdig customers overwhelmingly opted for Docker (79 per cent), followed by containerd (18 per cent; note, however, that containerd is also used by Docker) and the Red Hat-developed cri-o (4 per cent). The authors of the report expect that last number to climb over the coming years, given that the CNCF project replaced Docker in OpenShift 4 and users are slowly starting to migrate to this version. Meanwhile, runtimes such as rkt and lxc dropped in popularity, rendering them “nearly undetectable” to Sysdig.

For container orchestration, the majority of SaaS users took to Kubernetes (77 per cent), while most of the typically larger on-premises customers (43 per cent, vs 34 per cent for Kubernetes) went with the OpenShift Container Platform, presumably for the commercial support. Alternatives such as Docker’s Swarm (5 and 9 per cent respectively), Rancher (3 and 7 per cent respectively), and Mesos-related projects (4 and 7 per cent respectively) only saw light usage in 2019.

Sysdig also investigated where customers got their container images from. While 60 per cent of images get pulled from private registries, Docker registries are still one of the major providers of public sources, with 34 per cent of publicly sourced images taken from there. Google Cloud Registry (28 per cent) came a close second. Attempts to reduce the risk posed by third-party images through policy don’t seem to be terribly fruitful: over half of the images in Sysdig-monitored systems apparently carry known vulnerabilities, including those pulled from private registries.

Configuration is another area with room for improvement. According to the report, a median of 21 containers per host run as root, making them susceptible to privilege-escalation attacks. A median of four containers per host run in privileged mode with all capabilities enabled, raising the risk of a container breakout, among other things. Many don’t even use the default security tooling available to them, such as seccomp and AppArmor.
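As an added example (not part of the report, and not Sysdig’s tooling), the following Python audit checks a Kubernetes Pod spec for the same weaknesses the report counts per host. The field names are the real Pod `securityContext` API; the two pod specs are constructed, and the hardened one shows the corrected settings beside the weak ones.

```python
# Added example (not from the Sysdig report): audit a Kubernetes Pod spec for the weaknesses
# the report counts per host: root, privileged mode / capabilities, seccomp and AppArmor off.

def audit_container(pod, container):
    """Return the findings for one container as a list of strings (real securityContext fields)."""
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    sc = {**pod_sc, **container.get("securityContext", {})}  # container level overrides pod level
    findings = []
    uid = sc.get("runAsUser")  # root: explicit UID 0, or no UID and no runAsNonRoot guard
    if uid == 0 or (uid is None and not sc.get("runAsNonRoot")):
        findings.append("runs as root: set runAsNonRoot: true or a non-zero runAsUser")
    if sc.get("privileged"):
        findings.append("privileged: true grants all capabilities and host device access")
    caps = sc.get("capabilities", {})
    if "ALL" in caps.get("add", []):
        findings.append("capabilities.add includes ALL")
    elif "ALL" not in caps.get("drop", []):
        findings.append("default capability set retained: add capabilities.drop: [ALL]")
    # seccomp: an unset profile means Unconfined unless the kubelet enables SeccompDefault
    if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no seccomp profile: set seccompProfile.type: RuntimeDefault")
    # AppArmor is configured per container through this annotation (pre-1.30 API)
    key = "container.apparmor.security.beta.kubernetes.io/" + container["name"]
    if pod.get("metadata", {}).get("annotations", {}).get(key) == "unconfined":
        findings.append("AppArmor explicitly disabled via annotation")
    return findings

def audit_pod(pod):
    """Map each container name to its findings; an empty dict means the pod passed."""
    found = {c["name"]: audit_container(pod, c) for c in pod["spec"]["containers"]}
    return {name: f for name, f in found.items() if f}

# Constructed weak spec, mirroring what the report counts: root, privileged, no confinement.
WEAK_POD = {
    "metadata": {"name": "batch-weak", "annotations": {
        "container.apparmor.security.beta.kubernetes.io/worker": "unconfined"}},
    "spec": {"containers": [{"name": "worker", "image": "example/worker:1.0",
                             "securityContext": {"privileged": True}}]},
}

# The same constructed workload with the corrections applied.
HARDENED_POD = {
    "metadata": {"name": "batch-hardened"},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "worker", "image": "example/worker:1.0",
                             "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]},
}
```

Running `audit_pod(WEAK_POD)` lists five findings for the `worker` container, while `audit_pod(HARDENED_POD)` returns an empty dict.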

The report authors also looked into container lifespans, finding that the largest group of containers (22 per cent) live for no more than 10 seconds, which might indicate increased use of Kubernetes jobs running finite tasks such as batch jobs. However, a quick glance at the number of customers running a single cluster (55 per cent) and at nodes per cluster (23 per cent use 1-5, while 22 per cent use 6-10) suggests to Sysdig that many companies are still in the early stages of using Kubernetes.

Agile development, on the other hand, seems to be widespread among container users, as about half of the container images in use get replaced in under a week, pointing to short release cycles.

The complete report can be found on the company’s website.