From 949a709069b6fafbebcb7e07fba778f50be160c2 Mon Sep 17 00:00:00 2001
From: Martin
Date: Sun, 28 Sep 2025 22:35:16 +0200
Subject: [PATCH] fix(container): omit sending systempaths=unconfied to daemon (#796)

---
 .../resource_docker_container_funcs.go | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/internal/provider/resource_docker_container_funcs.go b/internal/provider/resource_docker_container_funcs.go
index b3078bf3..2755db1f 100644
--- a/internal/provider/resource_docker_container_funcs.go
+++ b/internal/provider/resource_docker_container_funcs.go
@@ -304,7 +304,10 @@ func resourceDockerContainerCreate(ctx context.Context, d *schema.ResourceData,
 	}
 
 	if v, ok := d.GetOk("security_opts"); ok {
-		hostConfig.SecurityOpt = stringSetToStringSlice(v.(*schema.Set))
+		securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(stringSetToStringSlice(v.(*schema.Set)))
+		hostConfig.SecurityOpt = securityOpts
+		hostConfig.MaskedPaths = maskedPaths
+		hostConfig.ReadonlyPaths = readonlyPaths
 	}
 
 	if v, ok := d.GetOk("memory"); ok {
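Review bot: The assignments to `hostConfig.MaskedPaths` and `hostConfig.ReadonlyPaths` after the `parseSystemPaths` call run even when `systempaths=unconfined` is absent, in which case both receive nil, and nothing at the call site says that nil and the empty slice returned for the unconfined case are meant to behave differently; a one-line comment such as `// nil leaves the daemon's default masked/read-only paths in place; parseSystemPaths returns empty slices only for systempaths=unconfined` would make that intent explicit. Because the option is now stripped before the create call, the daemon will not report it in the container's SecurityOpt on inspect; if resourceDockerContainerRead (outside this hunk) refreshes `security_opts` from the inspected container, the stored value may permanently differ from the configured one and produce a perpetual diff, which is worth confirming. resourceDockerContainerCreate starts and ends outside this hunk.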
@@ -648,6 +651,25 @@ func resourceDockerContainerCreate(ctx context.Context, d *schema.ResourceData,
 	return resourceDockerContainerRead(ctx, d, meta)
 }
 
+// parseSystemPaths checks if `systempaths=unconfined` security option is set,
+// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated
+// list of security options is returned with this option removed, because the
+// `unconfined` option is handled client-side, and should not be sent to the
+// daemon.
+func parseSystemPaths(securityOpts []string) (filtered, maskedPaths, readonlyPaths []string) {
+	filtered = securityOpts[:0]
+	for _, opt := range securityOpts {
+		if opt == "systempaths=unconfined" {
+			maskedPaths = []string{}
+			readonlyPaths = []string{}
+		} else {
+			filtered = append(filtered, opt)
+		}
+	}
+
+	return filtered, maskedPaths, readonlyPaths
+}
+
 func resourceDockerContainerRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	containerReadRefreshTimeoutMilliseconds := d.Get("container_read_refresh_timeout_milliseconds").(int)
 	// Ensure the timeout can never be 0, the default integer value.
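Review bot: `filtered = securityOpts[:0]` in parseSystemPaths reuses the argument's backing array, so the filtered list is written over the caller's slice; that is harmless for the only caller in this patch, which passes a fresh slice from stringSetToStringSlice, but any future caller that keeps its input would find it silently rewritten. Allocating the result instead, `filtered = make([]string, 0, len(securityOpts))`, removes the aliasing for one allocation on a path that is not hot. The doc comment should also state that the non-nil `[]string{}` returned for the unconfined case is deliberate — it is what asks the daemon to apply no masked or read-only paths, whereas the nil returned when the option is absent leaves the daemon defaults — since a later "simplification" to a nil declaration would quietly make the option a no-op. It is worth adding there that the option therefore removes the daemon's default path masking for the container, so the isolation trade-off is visible to whoever configures it; the match is exact and case-sensitive, which the comment may also note.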