Docker Node
Control Docker containers, images, volumes, and networks — build IaaS automation workflows for deployments, monitoring, and infrastructure management.
What this node does: The Docker Node connects to a Docker daemon via Unix socket or TCP (with optional TLS) and exposes 28 operations across 5 resources: containers, images, volumes, networks, and system. Use it to drive CI/CD pipelines, manage container lifecycles, automate deployments, and build full infrastructure management workflows — all without leaving BizFirst.
28
Total Operations
10
Container Ops
5
Image Ops
4
Volume Ops
6
Network Ops
Resource Reference
Container — 10 operations
Full container lifecycle management: create, run, stop, inspect, exec, and monitor.
Image — 5 operations
Pull, tag, inspect, list, and remove Docker images.
Volume — 4 operations
Create named volumes, inspect configuration, list, and remove.
Network — 6 operations
Create and manage Docker networks; connect and disconnect containers.
System — 3 operations
Query daemon info, version, and connectivity status.
Connection Modes
| Connection Type | Value | Use Case | Security |
|---|---|---|---|
| Unix Socket | unixsocket | Local Docker daemon on the same host | OS-level file permissions — most secure for local use |
| TCP | tcp | Remote Docker daemon (dev/testing only) | No encryption — never use in production |
| TCP+TLS | tcptls | Remote Docker daemon in production | Mutual TLS authentication — required for remote hosts |
Remote Docker Security: Exposing the Docker daemon TCP port without TLS grants root-equivalent access to the host. Always use
tcptls for any remote connection. Store TLS certificate paths in BizFirst Credentials Manager — never hard-code them in node settings.
Connection Fields
| Field | Type | Default | Description |
|---|---|---|---|
dockerHost | string | unix:///var/run/docker.sock | Docker socket path or TCP endpoint (e.g. tcp://192.168.1.10:2376) |
connectionType | string | unixsocket | One of: unixsocket, tcp, tcptls |
tlsCertPath | string | — | Path to TLS certificate directory. Required when connectionType is tcptls. |
timeoutSeconds | int | 30 | Operation timeout. Increase for long-running operations like image pulls. |
Error Codes
| Code | Meaning | Common Cause |
|---|---|---|
CONFIG_ERROR | Settings resolution failed | Missing or invalid connection settings |
MISSING_INPUT | Required field not provided | ContainerId or Image field left empty |
NOT_FOUND | Resource not found (HTTP 404) | Container ID or image name does not exist |
CONFLICT | Resource conflict (HTTP 409) | Container already running, name collision |
AUTH_FAILED | Authentication failure | Invalid TLS certificates, registry auth |
DOCKER_API_ERROR | Generic Docker API error | Daemon error, out-of-resources conditions |
UNKNOWN_ROUTE | Invalid resource/operation | Typo in resource or operation field |
Node Policies & GuardRails
| Policy | Enforcement |
|---|---|
| Never expose Docker daemon TCP without TLS | Use tcptls connection type for any remote Docker host. Plain tcp is blocked in production GuardRail profiles. |
| Store TLS certificates in Credentials Manager | Set tlsCertPath via {{ $credentials.dockerTlsCertPath }} — never hard-code filesystem paths. |
| Never interpolate user input into Command or Env fields | Any container/exec or container/create command that includes unvalidated user data triggers a GuardRail block. |
| Stop containers before removal | Calling container/remove on a running container returns CONFLICT. Workflows must call container/stop first. |
| Use named containers in workflows | Always assign a Name when creating containers. Relying on auto-generated IDs reduces workflow readability and idempotency. |
| Limit container/exec to approved commands | Arbitrary exec is root-equivalent inside the container. GuardRail exec policies restrict allowed command prefixes. |
| Always handle the error port | Docker daemon may be unreachable. Workflows without error port handling will silently fail on daemon downtime. |
Rate Limits & Concurrency
The Docker API itself has no built-in rate limiting, but running too many concurrent operations (especially image pulls or container starts) can exhaust daemon resources and cause
DOCKER_API_ERROR. Use the BizFirst workflow concurrency limiter to cap parallel Docker node executions to a safe threshold for your host capacity.
Common Workflow Patterns
Blue-Green Deployment
- Pull new image with
image/pull - Create new container with
container/create(blue) - Start blue container with
container/start - Verify health with
container/exec(run health check script) - Stop green container with
container/stop - Remove green container with
container/remove
Continuous Monitoring
- List all containers with
container/liston a schedule - Filter for containers in
exitedstate - For each exited container, retrieve logs with
container/logs - Send log summary to Slack / Email alert node
- Restart or escalate based on exit code
Ephemeral Job Runner
- Create job container with
container/create - Start it with
container/start - Poll
container/inspectuntilState.Statusisexited - Collect output with
container/logs - Remove with
container/remove