Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Docker virtualization

Log in to subscribe to topics and get notified when content changes.

Docker virtualization

Discovery can collect data about specific objects in a Docker engine, running on a Linux host.

The ServiceNow® platform supports the discovery of Docker release 1.11.0 or later.

Docker configuration items

Discovery creates configuration items (CI) for these Docker objects:
  • Engine: Software that runs on the Linux host to create the operating environment for distributed applications.
  • Images: Images on the Docker engine separated into these entities:
    • Global images.
    • Locally stored instances of the images.
    • Tags associated with the locally stored instances of the images.
  • Containers: Virtual wrappers, found on the Docker engine, which contain running instances of images.

Docker restrictions and considerations

When using Docker virtualization, consider the following:
  • The initial Discovery process scan can identify an application in a container and classify it correctly. However, subsequent probes launched to explore that application cannot see inside the container and cannot return details about the application.
  • Discovery scans all containers it finds, including inactive containers, which can slow down Discovery. You should delete containers that are not running.
  • Only one Docker engine is permitted per computer (on either a physical or virtual machine).

User privileges

The user whose credentials are used to perform Docker Discovery must have privileges defined by one of these methods:
  • Provide a user with elevated rights for running commands, since the Docker daemon runs as the root user. The Docker pattern supports the use of privileged commands, such as sudo or pbrun, to run as the root user.
  • Assigned to a group named docker, which has special privileges for running Docker commands. For instructions on setting up a group, see Create a Docker group.

Table schema and relationships

The Docker tables are installed with the Discovery plugin and extend tables used to store data on the operating-system-level virtualization (OSLV) engine.
Table 1. Docker tables
Table Description
Docker Engine [cmdb_ci_docker_engine] Stores instances of the Docker engine.
Docker Image [cmdb_ci_docker_image] Stores the globally unique representation of Docker images.
Docker Local Image [cmdb_ci_docker_local_image] Stores local instances of Docker images.
Docker Image Tag [cmdb_ci_docker_image_tag] Stores tags from local Docker images.
Docker Container [cmdb_ci_docker_container] Stores Docker containers found on the host.
Discovery stores these relationships in the CI Relationship [cmdb_rel_ci] table.
  • cmdb_ci_server Runs::RunsOn cmdb_ci_docker_engine
  • cmdb_ci_docker_engine Manages::ManagedBy cmdb_ci_docker_container
  • cmdb_ci_docker_engine Manages::ManagedBy cmdb_ci_docker_local_image
  • cmdb_ci_docker_container Instantiates::InstantiatedBy cmdb_ci_docker_local_image
  • cmdb_ci_docker_image_tag RegisteredOn::HasRegistered cmdb_ci_docker_local_image
  • cmdb_ci_docker_local_image Instantiates::InstantiatedBy cmdb_ci_docker_image
Figure 1. Parent and child relationships for the OSLV and Docker dependent tables
Parent and child relationships for the OSLV and Docker dependent tables

Identification, containment, and hosting rules

Discovery uses an application rule identifiers to find the Docker engine and then applies other rules to identify specific Docker objects.

Application rule identifier

The system creates the cmdb_ci_docker_engine configuration item (CI) during process classification. Based on this, Discovery uses the Application Rule identifier, on the Application [cmdb_ci_appl] table to identify the particular Docker engine encountered. After establishing this identity, Discovery uses the relationships defined in the containment and hosting rules to accurately create and update the individual Docker component CIs related to that engine.

Name Table Attributes
Docker Container Docker Container [cmdb_ci_docker_container] container_id
Docker Global Image Docker Image [cmdb_ci_docker_image] image_id
Docker Local Image Docker Local Image [cmdb_ci_docker_local_image] image_id
Docker Image Tag Docker Image Tag [cmdb_ci_docker_image_tag] repository, tag
Containment and hosting rules
Docker Discovery uses these containment and hosting rules to create configuration items (CI) from the data retured by the Docker Pattern. After Discovery identifies the Docker engine by its relationship to the Application [cmdb_ci_appl] table, it uses these rules to identify the specific CIs connected to that engine from their relationships to one another. By connecting the components to one another in this fashion, from the application down, starting with the engine, Discovery avoids creating duplicate CIs for components from other Docker engines that use the same name or image_id.
Table 2. Containment rule
Parent Child Relationship
Docker Local Image Docker Image Tag Has registered
Table 3. Hosting rules
Parent Child Relationship
Docker Container Docker Engine Managed by
Docker Local Image Docker Engine Managed by


To view the pattern for discovering the docker engine (cmdb_ci_docker_engine) and its components, navigate to Pattern Designer > Discovery Patterns and open Docker Pattern. For more information about Discovery patterns, see Discovery patterns used by Discovery and Service Mapping.

Discovery runs the Docker Engine process classifier in the network. If the classifier identifies the dockerd or docker daemon process, the classifier triggers the Horizontal Pattern (HorizontalDiscoveryProbe) probe, which launches the Docker Pattern and begins collecting data from Docker components.
The pattern collects data for the main CI type, cmdb_ci_docker_engine, and for these related CI types:
  • cmdb_ci_docker_image
  • cmdb_ci_docker_local_image
  • cmdb_ci_docker_image_tag
  • cmdb_ci_docker_container
Warning: DO NOT switch from probes to patterns if you are already running Discovery with probes, and your CMDB is already populated. If you do so, it is possible that the pattern Discovery process does not synchronize on the same values that the probe Discovery process does. This could result in duplicate CIs in your CMDB.

Data collected

These attributes are discovered, in addition to the attributes derived from the parent OSLV tables.
Table Fields
Docker Engine [cmdb_ci_docker_engine]
  • Version [version]
  • Go version [go_version]
  • Git commit [git_commit]
  • Build date [build_date]
  • OS/Arch [os_arch]
  • API version [api_version]
Docker Image [cmdb_ci_docker_image] No additional attributes are discovered for this child table.
Docker Local Image [cmdb_ci_docker_local_image] No additional attributes are discovered for this child table.
Docker Image Tag [cmdb_ci_docker_image_tag] No additional attributes are discovered for this child table.
Docker Container [cmdb_ci_docker_container]
  • Image ID [image_id]
  • Command [command]
  • Container created [container_created_at]