Portal Community
  About Docker volumes: Docker volumes provide persistent storage that survives container restarts and removal. Volumes are managed by Docker, not the host filesystem — they are stored in /var/lib/docker/volumes/ by default.

When to Use

Configuration

Connection

FieldTypeDefaultDescription
dockerHoststringunix:///var/run/docker.sockDocker daemon socket path or TCP endpoint.
connectionTypestringunixsocketOne of: unixsocket, tcp, tcptls.
tlsCertPathstringTLS certificate directory. Required for tcptls. optional
timeoutSecondsint30Operation timeout. optional

Operation Fields

FieldTypeBadgeDescription
NamestringrequiredVolume name to inspect.

Sample Configuration

{
  "resource": "volume",
  "operation": "inspect",
  "connection": {
    "dockerHost": "unix:///var/run/docker.sock",
    "connectionType": "unixsocket"
  },
  "Name": "db-tenant-0042"
}

Validation Errors

Error CodeConditionResolution
MISSING_INPUTName field is empty.Provide the volume name to inspect.
NOT_FOUNDVolume does not exist on the host.Create the volume with volume/create or verify the name.
CONFIG_ERRORConnection settings malformed.Check dockerHost and connectionType.
AUTH_FAILEDTLS handshake failed.Verify certificates in tlsCertPath.

Output

Success Port

FieldTypeDescription
statusstring"ok" on success.
resourcestring"volume"
operationstring"inspect"
volumeInfo.NamestringVolume name.
volumeInfo.DriverstringVolume driver (e.g., local).
volumeInfo.MountpointstringHost filesystem path where volume data resides.
volumeInfo.LabelsobjectKey-value label pairs.
volumeInfo.CreatedAtstringISO 8601 creation timestamp.
volumeInfo.Scopestring"local" or "global" (Swarm).
volumeInfo.StatusobjectDriver-specific status information (driver-dependent).

Error Port

Fires when inspection fails. Output contains status: "error", errorCode, and errorMessage.

Sample Output

{
  "status": "ok",
  "resource": "volume",
  "operation": "inspect",
  "volumeInfo": {
    "Name": "db-tenant-0042",
    "Driver": "local",
    "Mountpoint": "/var/lib/docker/volumes/db-tenant-0042/_data",
    "Labels": {
      "tenant_id": "0042",
      "created_by": "tenant-provisioning-workflow",
      "env": "prod"
    },
    "CreatedAt": "2026-05-01T08:30:00Z",
    "Scope": "local",
    "Status": {}
  }
}

Expression Reference

ExpressionReturns
{{ $output.volumeInfo.Name }}Volume name — pass to container/create mount configuration.
{{ $output.volumeInfo.Mountpoint }}Host path — feed to external backup agent.
{{ $output.volumeInfo.Labels['tenant_id'] }}Tenant ID label value.
{{ $output.volumeInfo.CreatedAt }}Creation timestamp — use for age-based cleanup decisions.
{{ $output.volumeInfo.Scope }}"local" or "global" — distinguish Swarm global volumes.

Node Policies & GuardRails

PolicyEnforcement
Never expose Docker daemon TCP without TLSUse tcptls for remote connections. Plain tcp is blocked in production GuardRail profiles.
Store TLS certificates in Credentials ManagerReference tlsCertPath via {{ $credentials.dockerTlsCertPath }}.
Never interpolate user input into the Name fieldVolume names must come from trusted workflow variables, not raw user input.
Handle NOT_FOUND gracefullyRoute the NOT_FOUND error port to a volume/create branch for idempotent setup workflows.
Never remove volumes without confirming backupVolume data is permanently deleted on removal. Confirm backup before any downstream volume/remove call.
Restrict container/exec to approved commandsArbitrary exec access is root-equivalent. GuardRail exec policies restrict allowed command prefixes.

Examples

Example 1 — Verify Before Attach

Before creating a container, inspect the target volume to confirm it exists and retrieve its name for the mount binding. Route to volume/create if not found.

{
  "resource": "volume",
  "operation": "inspect",
  "Name": "db-tenant-{{ $vars.tenantId }}"
}
// Success port → container/create using volumeInfo.Name
// Error port (NOT_FOUND) → volume/create then retry

Example 2 — Retrieve Mountpoint for Backup

Get the host-filesystem path of a tenant database volume and submit it to an external backup scheduler via an HTTP Request node.

// After volume/inspect:
{
  "url": "https://backup.internal/api/schedule",
  "method": "POST",
  "body": {
    "sourcePath": "{{ $node['volume-inspect'].output.volumeInfo.Mountpoint }}",
    "tenantId": "{{ $node['volume-inspect'].output.volumeInfo.Labels.tenant_id }}"
  }
}

Example 3 — Label-Based Metadata Read

During a tenant offboarding workflow, inspect the tenant's volume to read its metadata labels and record them in the audit log before proceeding to backup and removal.

// Read tenant metadata from volume labels:
{
  "tenant_id": "{{ $output.volumeInfo.Labels.tenant_id }}",
  "created_by": "{{ $output.volumeInfo.Labels.created_by }}",
  "mountpoint": "{{ $output.volumeInfo.Mountpoint }}",
  "created_at": "{{ $output.volumeInfo.CreatedAt }}"
}