Docker virtualization Discovery can collect data about specific objects in a Docker engine, running on a Linux host. The ServiceNow® platform supports the discovery of Docker release 1.11.0 or later. Docker configuration items Discovery creates configuration items (CI) for these Docker objects: Engine: Software that runs on the Linux host to create the operating environment for distributed applications. Images: Images on the Docker engine separated into these entities: Global images. Locally stored instances of the images. Tags associated with the locally stored instances of the images. Containers: Virtual wrappers, found on the Docker engine, which contain running instances of images. Docker restrictions and considerations When using Docker virtualization, consider the following: The initial Discovery process scan can identify an application in a container and classify it correctly. However, subsequent probes launched to explore that application cannot see inside the container and cannot return details about the application. Discovery scans all containers it finds, including inactive containers, which can slow down Discovery. You should delete containers that are not running. Only one Docker engine is permitted per computer (on either a physical or virtual machine). User privileges The user whose credentials are used to perform Docker Discovery must have privileges defined by one of these methods: Provide a user with elevated rights for running commands, since the Docker daemon runs as the root user. The Docker pattern supports the use of privileged commands, such as sudo or pbrun, to run as the root user. Assigned to a group named docker, which has special privileges for running Docker commands. For instructions on setting up a group, see Create a Docker group. Table schema and relationships The Docker tables are installed with the Discovery plugin and extend tables used to store data on the operating-system-level virtualization (OSLV) engine.Table 1. Docker tables Table Description Docker Engine [cmdb_ci_docker_engine] Stores instances of the Docker engine. Docker Image [cmdb_ci_docker_image] Stores the globally unique representation of Docker images. Docker Local Image [cmdb_ci_docker_local_image] Stores local instances of Docker images. Docker Image Tag [cmdb_ci_docker_image_tag] Stores tags from local Docker images. Docker Container [cmdb_ci_docker_container] Stores Docker containers found on the host. Discovery stores these relationships in the CI Relationship [cmdb_rel_ci] table. cmdb_ci_server Runs::RunsOn cmdb_ci_docker_engine cmdb_ci_docker_engine Manages::ManagedBy cmdb_ci_docker_container cmdb_ci_docker_engine Manages::ManagedBy cmdb_ci_docker_local_image cmdb_ci_docker_container Instantiates::InstantiatedBy cmdb_ci_docker_local_image cmdb_ci_docker_image_tag RegisteredOn::HasRegistered cmdb_ci_docker_local_image cmdb_ci_docker_local_image Instantiates::InstantiatedBy cmdb_ci_docker_image Figure 1. Parent and child relationships for the OSLV and Docker dependent tables Identification, containment, and hosting rules Discovery uses an application rule identifiers to find the Docker engine and then applies other rules to identify specific Docker objects. Application rule identifier The system creates the cmdb_ci_docker_engine configuration item (CI) during process classification. Based on this, Discovery uses the Application Rule identifier, on the Application [cmdb_ci_appl] table to identify the particular Docker engine encountered. After establishing this identity, Discovery uses the relationships defined in the containment and hosting rules to accurately create and update the individual Docker component CIs related to that engine. Identifiers Name Table Attributes Docker Container Docker Container [cmdb_ci_docker_container] container_id Docker Global Image Docker Image [cmdb_ci_docker_image] image_id Docker Local Image Docker Local Image [cmdb_ci_docker_local_image] image_id Docker Image Tag Docker Image Tag [cmdb_ci_docker_image_tag] repository, tag Containment and hosting rules Docker Discovery uses these containment and hosting rules to create configuration items (CI) from the data retured by the Docker Pattern. After Discovery identifies the Docker engine by its relationship to the Application [cmdb_ci_appl] table, it uses these rules to identify the specific CIs connected to that engine from their relationships to one another. By connecting the components to one another in this fashion, from the application down, starting with the engine, Discovery avoids creating duplicate CIs for components from other Docker engines that use the same name or image_id.Table 2. Containment rule Parent Child Relationship Docker Local Image Docker Image Tag Has registered Table 3. Hosting rules Parent Child Relationship Docker Container Docker Engine Managed by Docker Local Image Docker Engine Managed by PatternTo view the pattern for discovering the docker engine (cmdb_ci_docker_engine) and its components, navigate to Pattern Designer > Discovery Patterns and open Docker Pattern. For more information about Discovery patterns, see Pattern customization.Discovery runs the Docker Engine process classifier in the network. If the classifier identifies the dockerd or docker daemon process, the classifier triggers the Horizontal Pattern (HorizontalDiscoveryProbe) probe, which launches the Docker Pattern and begins collecting data from Docker components.The pattern collects data for the main CI type, cmdb_ci_docker_engine, and for these related CI types: cmdb_ci_docker_image cmdb_ci_docker_local_image cmdb_ci_docker_image_tag cmdb_ci_docker_container Warning: DO NOT switch from probes to patterns if you are already running Discovery with probes, and your CMDB is already populated. If you do so, it is possible that the pattern Discovery process does not synchronize on the same values that the probe Discovery process does. This could result in duplicate CIs in your CMDB. Data collected These attributes are discovered, in addition to the attributes derived from the parent OSLV tables. Table Fields Docker Engine [cmdb_ci_docker_engine] Version [version] Go version [go_version] Git commit [git_commit] Build date [build_date] OS/Arch [os_arch] API version [api_version] Docker Image [cmdb_ci_docker_image] No additional attributes are discovered for this child table. Docker Local Image [cmdb_ci_docker_local_image] No additional attributes are discovered for this child table. Docker Image Tag [cmdb_ci_docker_image_tag] No additional attributes are discovered for this child table. Docker Container [cmdb_ci_docker_container] Image ID [image_id] Command [command] Container created [container_created_at]
Docker virtualization Discovery can collect data about specific objects in a Docker engine, running on a Linux host. The ServiceNow® platform supports the discovery of Docker release 1.11.0 or later. Docker configuration items Discovery creates configuration items (CI) for these Docker objects: Engine: Software that runs on the Linux host to create the operating environment for distributed applications. Images: Images on the Docker engine separated into these entities: Global images. Locally stored instances of the images. Tags associated with the locally stored instances of the images. Containers: Virtual wrappers, found on the Docker engine, which contain running instances of images. Docker restrictions and considerations When using Docker virtualization, consider the following: The initial Discovery process scan can identify an application in a container and classify it correctly. However, subsequent probes launched to explore that application cannot see inside the container and cannot return details about the application. Discovery scans all containers it finds, including inactive containers, which can slow down Discovery. You should delete containers that are not running. Only one Docker engine is permitted per computer (on either a physical or virtual machine). User privileges The user whose credentials are used to perform Docker Discovery must have privileges defined by one of these methods: Provide a user with elevated rights for running commands, since the Docker daemon runs as the root user. The Docker pattern supports the use of privileged commands, such as sudo or pbrun, to run as the root user. Assigned to a group named docker, which has special privileges for running Docker commands. For instructions on setting up a group, see Create a Docker group. Table schema and relationships The Docker tables are installed with the Discovery plugin and extend tables used to store data on the operating-system-level virtualization (OSLV) engine.Table 1. Docker tables Table Description Docker Engine [cmdb_ci_docker_engine] Stores instances of the Docker engine. Docker Image [cmdb_ci_docker_image] Stores the globally unique representation of Docker images. Docker Local Image [cmdb_ci_docker_local_image] Stores local instances of Docker images. Docker Image Tag [cmdb_ci_docker_image_tag] Stores tags from local Docker images. Docker Container [cmdb_ci_docker_container] Stores Docker containers found on the host. Discovery stores these relationships in the CI Relationship [cmdb_rel_ci] table. cmdb_ci_server Runs::RunsOn cmdb_ci_docker_engine cmdb_ci_docker_engine Manages::ManagedBy cmdb_ci_docker_container cmdb_ci_docker_engine Manages::ManagedBy cmdb_ci_docker_local_image cmdb_ci_docker_container Instantiates::InstantiatedBy cmdb_ci_docker_local_image cmdb_ci_docker_image_tag RegisteredOn::HasRegistered cmdb_ci_docker_local_image cmdb_ci_docker_local_image Instantiates::InstantiatedBy cmdb_ci_docker_image Figure 1. Parent and child relationships for the OSLV and Docker dependent tables Identification, containment, and hosting rules Discovery uses an application rule identifiers to find the Docker engine and then applies other rules to identify specific Docker objects. Application rule identifier The system creates the cmdb_ci_docker_engine configuration item (CI) during process classification. Based on this, Discovery uses the Application Rule identifier, on the Application [cmdb_ci_appl] table to identify the particular Docker engine encountered. After establishing this identity, Discovery uses the relationships defined in the containment and hosting rules to accurately create and update the individual Docker component CIs related to that engine. Identifiers Name Table Attributes Docker Container Docker Container [cmdb_ci_docker_container] container_id Docker Global Image Docker Image [cmdb_ci_docker_image] image_id Docker Local Image Docker Local Image [cmdb_ci_docker_local_image] image_id Docker Image Tag Docker Image Tag [cmdb_ci_docker_image_tag] repository, tag Containment and hosting rules Docker Discovery uses these containment and hosting rules to create configuration items (CI) from the data retured by the Docker Pattern. After Discovery identifies the Docker engine by its relationship to the Application [cmdb_ci_appl] table, it uses these rules to identify the specific CIs connected to that engine from their relationships to one another. By connecting the components to one another in this fashion, from the application down, starting with the engine, Discovery avoids creating duplicate CIs for components from other Docker engines that use the same name or image_id.Table 2. Containment rule Parent Child Relationship Docker Local Image Docker Image Tag Has registered Table 3. Hosting rules Parent Child Relationship Docker Container Docker Engine Managed by Docker Local Image Docker Engine Managed by PatternTo view the pattern for discovering the docker engine (cmdb_ci_docker_engine) and its components, navigate to Pattern Designer > Discovery Patterns and open Docker Pattern. For more information about Discovery patterns, see Pattern customization.Discovery runs the Docker Engine process classifier in the network. If the classifier identifies the dockerd or docker daemon process, the classifier triggers the Horizontal Pattern (HorizontalDiscoveryProbe) probe, which launches the Docker Pattern and begins collecting data from Docker components.The pattern collects data for the main CI type, cmdb_ci_docker_engine, and for these related CI types: cmdb_ci_docker_image cmdb_ci_docker_local_image cmdb_ci_docker_image_tag cmdb_ci_docker_container Warning: DO NOT switch from probes to patterns if you are already running Discovery with probes, and your CMDB is already populated. If you do so, it is possible that the pattern Discovery process does not synchronize on the same values that the probe Discovery process does. This could result in duplicate CIs in your CMDB. Data collected These attributes are discovered, in addition to the attributes derived from the parent OSLV tables. Table Fields Docker Engine [cmdb_ci_docker_engine] Version [version] Go version [go_version] Git commit [git_commit] Build date [build_date] OS/Arch [os_arch] API version [api_version] Docker Image [cmdb_ci_docker_image] No additional attributes are discovered for this child table. Docker Local Image [cmdb_ci_docker_local_image] No additional attributes are discovered for this child table. Docker Image Tag [cmdb_ci_docker_image_tag] No additional attributes are discovered for this child table. Docker Container [cmdb_ci_docker_container] Image ID [image_id] Command [command] Container created [container_created_at]
