Working with Docker Containers in NodeJS App
Question
Are there any recommended or best practices for working with Docker containers in a NodeJS app?
I have seen a few different methods of accessing or working with containers in Node by either using:
- child_process
- dockerode (npm package)
- or others
I am new to working with Docker and want my Node app to have the ability to access and start Docker containers, and was looking for any suggestions on best practices for working with Docker containers in NodeJS.
Answer 1
Score: 1
The absolute best practice is to restructure your application to avoid needing administrator-level access to the Docker daemon. Start long-running containers that can do the work you need once, and either communicate with them via Docker networks or using a message-queue system like RabbitMQ.
There are a number of practical problems with trying to directly use Docker. If you start a new container, you need to monitor and stop it; if your process fails with a container running, at startup you'll need to figure out how to clean up from the previous run. Adding a hard Docker dependency makes it difficult to run either unit or manual tests. And of course the biggest problem is that there are few security controls within Docker: you can manipulate containers that don't belong to your project, and bind-mount arbitrary parts of the host filesystem in new containers, which means Docker becomes a path to easily compromise the entire host.
If you must make a privileged call to the Docker daemon, using a Docker SDK like dockerode is better than running docker as a subprocess. It's easier for downstream users to run and harder to make mistakes with shell syntax (I do see several questions that allow shell-injection attacks trying to run docker commands, which becomes a path for an external attacker to root the host).
Comments