When to Use
- Pre-upgrade check: Inspect a running container to retrieve its current environment variables and port bindings before replacing it with a new version.
- Failure diagnosis: After a container stops unexpectedly, inspect it to get the
ExitCode, FinishedAt timestamp, and Error message.
- IP discovery: Retrieve the container's internal IP address for use in internal service-to-service communication or network rule updates.
- Config drift detection: Compare the running container's
Config object against an expected specification stored in a workflow variable to detect unauthorized changes.
- Mount verification: Confirm that required volumes are attached and mounted at the expected paths before starting a dependent service.
Configuration
Connection Fields
| Field | Type | Default | Description |
dockerHost | string | unix:///var/run/docker.sock | Docker socket path or TCP endpoint |
connectionType | string | unixsocket | unixsocket | tcp | tcptls |
tlsCertPath | string | — | TLS certificate directory path. Required for tcptls. optional |
timeoutSeconds | int | 30 | Operation timeout in seconds. optional |
Operation Fields
| Field | Type | Required | Description |
resource | string | required | Must be container |
operation | string | required | Must be inspect |
ContainerId | string | required | Container ID (full or short) or container name |
Sample Configuration
{
"resource": "container",
"operation": "inspect",
"ContainerId": "api-service",
"connection": {
"dockerHost": "unix:///var/run/docker.sock",
"connectionType": "unixsocket",
"timeoutSeconds": 30
}
}
Validation Errors
| Error Code | Trigger | Resolution |
MISSING_INPUT | ContainerId field is empty or not provided | Provide a valid container ID or name. Use container/list upstream to dynamically resolve IDs. |
NOT_FOUND | No container with the given ID or name exists | Verify the container name or ID. Container may have been removed. |
CONFIG_ERROR | Docker host connection settings are invalid | Check dockerHost format and connectionType value. |
AUTH_FAILED | TLS certificate validation failed for remote host | Verify tlsCertPath contains valid cert.pem, key.pem, and ca.pem. |
DOCKER_API_ERROR | Docker daemon returned an unexpected error | Check Docker daemon logs for details. |
Output
Success Port
| Field | Type | Description |
container.Id | string | Full 64-character container ID |
container.Name | string | Container name with leading / |
container.State.Status | string | running | exited | paused | restarting |
container.State.Running | boolean | Whether the container is currently running |
container.State.Pid | int | PID of the container's main process (0 if not running) |
container.State.ExitCode | int | Exit code of the last run (0 = success) |
container.State.StartedAt | string | ISO 8601 timestamp when container last started |
container.State.FinishedAt | string | ISO 8601 timestamp when container last stopped |
container.Config.Image | string | Image name and tag |
container.Config.Env | string[] | Environment variables as KEY=VALUE strings |
container.Config.Cmd | string[] | Container entrypoint command arguments |
container.Config.Labels | object | Container labels |
container.NetworkSettings.IPAddress | string | Container IP on the default bridge network |
container.NetworkSettings.Ports | object | Port binding map |
container.Mounts | array | Volume and bind mount information |
container.HostConfig.RestartPolicy.Name | string | Restart policy: no | always | unless-stopped | on-failure |
status | string | success |
Error Port
On failure, the error port receives errorCode, message, resource, and operation. A NOT_FOUND error is expected when checking for a container that may or may not exist — handle it with a conditional branch.
Sample Output
{
"container": {
"Id": "a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890",
"Name": "/api-service",
"Created": "2024-01-01T08:00:00.000Z",
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"Pid": 12345,
"ExitCode": 0,
"StartedAt": "2024-01-01T08:00:05.123Z",
"FinishedAt": "0001-01-01T00:00:00Z",
"Error": ""
},
"Config": {
"Image": "myapp:v2.1.0",
"Env": ["NODE_ENV=production", "PORT=8080", "DB_HOST=db-service"],
"Cmd": ["node", "server.js"],
"Labels": {
"com.bizfirst.env": "production",
"com.bizfirst.version": "2.1.0"
}
},
"NetworkSettings": {
"IPAddress": "172.17.0.2",
"Ports": {
"8080/tcp": [{ "HostIp": "0.0.0.0", "HostPort": "3000" }]
},
"Networks": {
"bridge": {
"IPAddress": "172.17.0.2",
"Gateway": "172.17.0.1"
}
}
},
"Mounts": [
{
"Type": "volume",
"Name": "api-data",
"Source": "/var/lib/docker/volumes/api-data/_data",
"Destination": "/app/data",
"RW": true
}
],
"HostConfig": {
"RestartPolicy": { "Name": "unless-stopped", "MaximumRetryCount": 0 },
"PortBindings": {
"8080/tcp": [{ "HostIp": "", "HostPort": "3000" }]
}
}
},
"status": "success",
"resource": "container",
"operation": "inspect"
}
Expression Reference
| Expression | Returns |
{{ $output.container.State.Status }} | Current container state string |
{{ $output.container.State.Running }} | Boolean — true if container is running |
{{ $output.container.State.ExitCode }} | Exit code of last run (0 = clean exit) |
{{ $output.container.State.StartedAt }} | ISO timestamp of last start |
{{ $output.container.State.FinishedAt }} | ISO timestamp of last stop |
{{ $output.container.Config.Image }} | Image name and tag currently running |
{{ $output.container.NetworkSettings.IPAddress }} | Container's bridge IP address |
{{ $output.container.Mounts[0].Destination }} | Mount path inside the container |
{{ $output.container.HostConfig.RestartPolicy.Name }} | Restart policy name |
Node Policies & GuardRails
| Policy | Detail |
| No remote TCP without TLS | connectionType: tcp against remote hosts is blocked in production profiles. Use tcptls. |
| Credentials Manager for TLS paths | Reference TLS paths via {{ $credentials.dockerTlsCertPath }}. |
| Always wire the error port | A container may not exist when checked. Handle NOT_FOUND as an expected condition in deployment workflows. |
| Do not log Env output | The Config.Env array may contain sensitive values. Avoid writing inspect output to logs without first redacting env fields. |
| Read-only operation | container/inspect is non-destructive and safe to call frequently without side effects. |
Examples
Example 1: Failure diagnosis workflow
After a health-check workflow detects a container is not responding, use inspect to extract the exit code and error for incident reporting.
{
"resource": "container",
"operation": "inspect",
"ContainerId": "{{ $trigger.containerName }}"
}
// Then in a Function node:
const exitCode = $input.container.State.ExitCode;
const finishedAt = $input.container.State.FinishedAt;
const errorMsg = $input.container.State.Error;
return {
incidentSummary: `Container exited with code ${exitCode} at ${finishedAt}. Error: ${errorMsg || 'none'}`
};
Example 2: IP address discovery for network automation
Retrieve the container's IP and pass it to a Cloudflare or load-balancer node to update routing rules.
// Expression in downstream Cloudflare node:
// "value": "{{ $output.container.NetworkSettings.IPAddress }}"
Example 3: Config drift detection
Compare the running container's image tag against the expected version stored in a workflow variable and escalate if they differ.
// If Condition node:
// Left: {{ $output.container.Config.Image }}
// Op: not equals
// Right: {{ $vars.expectedImage }}
// → true branch: trigger alert and rollback workflow