author | Andrew Pashkin <andrew.pashkin@gmx.co.uk> | 2015-10-02 00:44:52 +0300 |
---|---|---|
committer | Toshio Kuratomi <toshio@fedoraproject.org> | 2015-12-18 21:26:57 -0800 |
commit | b3dff4bacffddf8310133b0fc367ca0be64526e6 (patch) | |
tree | 603519d14f789f76e0da250380618a94677c763c | |
parent | 299bd687b4db403ebd3fe953db03d90c4b7eec4b (diff) | |
download | ansible-modules-core-b3dff4bacffddf8310133b0fc367ca0be64526e6.tar.gz |
Harden matching running containers by "command" in the Docker module
Before this patch:
- Command was matched if 'Command' field of docker-py
representation of Docker container ends with 'command' passed
to Ansible docker module by user.
- That can give false positives and false negatives.
- For example:
a) If 'command' was set up with more than one space between
tokens, like 'command=sleep  123', it would never be matched again
with the container(s) launched by this task,
because after launching, the command would be normalized and
appear, in the docker-py API call, just as 'sleep 123' - with one
space. This is the false negative case.
b) If 'entrypoint + command = command', for example
'sleep + 123 = sleep 123', module would give false positive
match.
This patch fixes it, by making matching more explicit - against
'Config'->Cmd' field of 'docker inspect' output, provided by docker-py
API and with proper normalization of user input by splitting it to
tokens with 'shlex.split()'.
-rw-r--r-- | cloud/docker/docker.py | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/cloud/docker/docker.py b/cloud/docker/docker.py
index f3b2062a..49d81a32 100644
--- a/cloud/docker/docker.py
+++ b/cloud/docker/docker.py
@@ -1329,8 +1329,8 @@ class DockerManager(object):
 """
 command = self.module.params.get('command')
- if command:
- command = command.strip()
+ if command is not None:
+ command = shlex.split(command)
 name = self.module.params.get('name')
 if name and not name.startswith('/'):
 name = '/' + name
@@ -1357,13 +1357,10 @@ class DockerManager(object):
 details = _docker_id_quirk(details)
 running_image = normalize_image(details['Config']['Image'])
- running_command = container['Command'].strip()
 image_matches = running_image in repo_tags
- # if a container has an entrypoint, `command` will actually equal
- # '{} {}'.format(entrypoint, command)
- command_matches = (not command or running_command.endswith(command))
+ command_matches = command == details['Config']['Cmd']
 matches = image_matches and command_matches |
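Review bot: `shlex.split(command)` in the first hunk raises `ValueError` on user input with an unbalanced quote, and nothing visible here catches it, so a malformed `command` would surface as a traceback rather than a module failure. Wrapping the call and reporting through `self.module.fail_json(msg=...)` would give the user a clear message. The commit's three insertions are all inside these two hunks, so it adds no `import shlex`; confirm the file already imports it. The enclosing method starts and ends outside the hunk.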
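Review bot: When the task sets no `command`, the new line in the second hunk evaluates `None == details['Config']['Cmd']`, which is false for any container whose inspect output carries a command; presumably that includes containers running the image's default command. The removed line accepted every container in that case through `not command or ...`, and the new comparison drops that guard. As a result, callers that rely on this match would likely start duplicates or fail to find the containers they are meant to stop or remove. Keeping the guard preserves the stricter comparison for explicit commands: `command_matches = not command or command == details['Config']['Cmd']`. The surrounding loop and method begin outside the hunk, so the effect on callers is inferred.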