internet/community.general
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2026-05-06 13:22:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Harden matching running containers by "command" in the Docker module

Browse Source 
Before this patch:

  - Command was matched if 'Command' field of docker-py
    representation of Docker container ends with 'command' passed
    to Ansible docker module by user.
  - That can give false positives and false negatives.
  - For example:
      a) If 'command' was set up with more than one spaces,
         like 'command=sleep  123', it would be never matched again
         with a container(s) launched by this task.
         Because after launching, command would be normalized and
         appear, in docker-py API call, just as 'sleep 123' - with one
         space. This is false negative case.
      b) If 'entrypoint + command = command', for example
         'sleep + 123 = sleep 123', module would give false positive
         match.

This patch fixes it, by making matching more explicit - against
'Config'->Cmd' field of 'docker inspect' output, provided by docker-py
API and with proper normalization of user input by splitting it to
tokens with 'shlex.split()'.
This commit is contained in:
Andrew Pashkin
2015-10-02 00:44:52 +03:00
committed by Matt Clay
parent 369fe78c60
commit 8342397427
1 changed files with 3 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/ansible/modules/cloud/docker/docker.py
View File

@@ -1389,8 +1389,8 @@ class DockerManager(object):
"""
command = self.module.params.get('command')
if command:
command = command.strip()
if command is not None:
command = shlex.split(command)
name = self.module.params.get('name')
if name and not name.startswith('/'):
name = '/' + name
@@ -1417,13 +1417,10 @@ class DockerManager(object):
details = _docker_id_quirk(details)
running_image = normalize_image(details['Config']['Image'])
running_command = container['Command'].strip()
image_matches = running_image in repo_tags
# if a container has an entrypoint, `command` will actually equal
# '{} {}'.format(entrypoint, command)
command_matches = (not command or running_command.endswith(command))
command_matches = command == details['Config']['Cmd']
matches = image_matches and command_matches