dockerng: compare sets instead of lists of security_opt

Apparently some versions of docker add label=disabled to security_opt when the container is launched as privileged. This causes Salt to relaunch the container to remove it on next run. Container started as privileged and with the security_opt set, causes it to have the option set twice and makes salt want to remove one instance. With this fix, dockerng will compare just (non-)existence of the flag. So containers started with privileged flag and security_opt set to label=disabled will not get relaunched on every salt run. Fixes #39447
2025-04-17 10:10:20 +00:00 · 2017-02-17 17:22:14 +01:00 · 2017-02-17 17:22:14 +01:00 · 20b097a745
commit 20b097a745
parent 9c4292fb4e
1 changed files with 15 additions and 0 deletions
--- a/salt/states/dockerng.py
+++ b/salt/states/dockerng.py
@ -426,6 +426,21 @@ def _compare(actual, create_kwargs, defaults_from_image):
            if actual_data != data:
                ret.update({item: {'old': actual_data, 'new': data}})
                continue
+        elif item == 'security_opt':
+            if actual_data is None:
+                actual_data = []
+            if data is None:
+                data = []
+            actual_data = sorted(set(actual_data))
+            desired_data = sorted(set(data))
+            log.trace('dockerng.running ({0}): munged actual value: {1}'
+                      .format(item, actual_data))
+            log.trace('dockerng.running ({0}): munged desired value: {1}'
+                      .format(item, desired_data))
+            if actual_data != desired_data:
+                ret.update({item: {'old': actual_data,
+                                   'new': desired_data}})
+            continue
        elif item in ('cmd', 'command', 'entrypoint'):
            if (actual_data is None and item not in create_kwargs and
                    _image_get(config['image_path'])):