#!/usr/bin/python
#
# Copyright 2016 Red Hat | Ansible
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import absolute_import, division, print_function
__metaclass__ = type


ANSIBLE_METADATA = {'metadata_version': '1.1',
                    'status': ['preview'],
                    'supported_by': 'community'}


DOCUMENTATION = '''
---
module: docker_container

short_description: manage docker containers

description:
  - Manage the life cycle of docker containers.
  - Supports check mode. Run with C(--check) and C(--diff) to view config difference and list of actions to be taken.


notes:
  - For most config changes, the container needs to be recreated, i.e. the existing container has to be destroyed and
    a new one created. This can cause unexpected data loss and downtime. You can use the I(comparisons) option to
    prevent this.
  - If the module needs to recreate the container, it will only use the options provided to the module to create the
    new container (except I(image)). Therefore, always specify *all* options relevant to the container.
  - When I(restart) is set to C(true), the module will only restart the container if no config changes are detected.
    Please note that several options have default values; if the container to be restarted uses different values for
    these options, it will be recreated instead. The options with default values which can cause this are I(auto_remove),
    I(detach), I(init), I(interactive), I(memory), I(paused), I(privileged), I(read_only) and I(tty). This behavior
    can be changed by setting I(container_default_behavior) to C(no_defaults), which will be the default value from
    Ansible 2.14 on.

options:
  auto_remove:
    description:
      - Enable auto-removal of the container on daemon side when the container's process exits.
      - If I(container_default_behavior) is set to C(compatiblity) (the default value), this
        option has a default of C(no).
    type: bool
  blkio_weight:
    description:
      - Block IO (relative weight), between 10 and 1000.
    type: int
  capabilities:
    description:
      - List of capabilities to add to the container.
    type: list
    elements: str
  cap_drop:
    description:
      - List of capabilities to drop from the container.
    type: list
    elements: str
  cleanup:
    description:
      - Use with I(detach=false) to remove the container after successful execution.
    type: bool
    default: no
  command:
    description:
      - Command to execute when the container starts. A command may be either a string or a list.
      - Prior to version 2.4, strings were split on commas.
    type: raw
  comparisons:
    description:
      - Allows to specify how properties of existing containers are compared with
        module options to decide whether the container should be recreated / updated
        or not.
      - Only options which correspond to the state of a container as handled by the
        Docker daemon can be specified, as well as C(networks).
      - Must be a dictionary specifying for an option one of the keys C(strict), C(ignore)
        and C(allow_more_present).
      - If C(strict) is specified, values are tested for equality, and changes always
        result in updating or restarting. If C(ignore) is specified, changes are ignored.
      - C(allow_more_present) is allowed only for lists, sets and dicts. If it is
        specified for lists or sets, the container will only be updated or restarted if
        the module option contains a value which is not present in the container's
        options. If the option is specified for a dict, the container will only be updated
        or restarted if the module option contains a key which isn't present in the
        container's option, or if the value of a key present differs.
      - The wildcard option C(*) can be used to set one of the default values C(strict)
        or C(ignore) to *all* comparisons which are not explicitly set to other values.
      - See the examples for details.
    type: dict
  container_default_behavior:
    description:
      - Various module options used to have default values. This causes problems with
        containers which use different values for these options.
      - The default value is C(compatibility), which will ensure that the default values
        are used when the values are not explicitly specified by the user.
      - From Ansible 2.14 on, the default value will switch to C(no_defaults). To avoid
        deprecation warnings, please set I(container_default_behavior) to an explicit
        value.
      - This affects the I(auto_remove), I(detach), I(init), I(interactive), I(memory),
        I(paused), I(privileged), I(read_only) and I(tty) options.
    type: str
    choices:
      - compatibility
      - no_defaults
  cpu_period:
    description:
      - Limit CPU CFS (Completely Fair Scheduler) period.
      - See I(cpus) for an easier to use alternative.
    type: int
  cpu_quota:
    description:
      - Limit CPU CFS (Completely Fair Scheduler) quota.
      - See I(cpus) for an easier to use alternative.
    type: int
  cpus:
    description:
      - Specify how much of the available CPU resources a container can use.
      - A value of C(1.5) means that at most one and a half CPU (core) will be used.
    type: float
  cpuset_cpus:
    description:
      - CPUs in which to allow execution C(1,3) or C(1-3).
    type: str
  cpuset_mems:
    description:
      - Memory nodes (MEMs) in which to allow execution C(0-3) or C(0,1).
    type: str
  cpu_shares:
    description:
      - CPU shares (relative weight).
    type: int
  detach:
    description:
      - Enable detached mode to leave the container running in background.
      - If disabled, the task will reflect the status of the container run (failed if the command failed).
      - If I(container_default_behavior) is set to C(compatiblity) (the default value), this
        option has a default of C(yes).
    type: bool
  devices:
    description:
      - List of host device bindings to add to the container.
      - "Each binding is a mapping expressed in the format C(<path_on_host>:<path_in_container>:<cgroup_permissions>)."
    type: list
    elements: str
  device_read_bps:
    description:
      - "List of device path and read rate (bytes per second) from device."
    type: list
    elements: dict
    suboptions:
      path:
        description:
        - Device path in the container.
        type: str
        required: yes
      rate:
        description:
        - "Device read limit in format C(<number>[<unit>])."
        - "Number is a positive integer. Unit can be one of C(B) (byte), C(K) (kibibyte, 1024B), C(M) (mebibyte), C(G) (gibibyte),
          C(T) (tebibyte), or C(P) (pebibyte)."
        - "Omitting the unit defaults to bytes."
        type: str
        required: yes
  device_write_bps:
    description:
      - "List of device and write rate (bytes per second) to device."
    type: list
    elements: dict
    suboptions:
      path:
        description:
        - Device path in the container.
        type: str
        required: yes
      rate:
        description:
        - "Device read limit in format C(<number>[<unit>])."
        - "Number is a positive integer. Unit can be one of C(B) (byte), C(K) (kibibyte, 1024B), C(M) (mebibyte), C(G) (gibibyte),
          C(T) (tebibyte), or C(P) (pebibyte)."
        - "Omitting the unit defaults to bytes."
        type: str
        required: yes
  device_read_iops:
    description:
      - "List of device and read rate (IO per second) from device."
    type: list
    elements: dict
    suboptions:
      path:
        description:
        - Device path in the container.
        type: str
        required: yes
      rate:
        description:
        - "Device read limit."
        - "Must be a positive integer."
        type: int
        required: yes
  device_write_iops:
    description:
      - "List of device and write rate (IO per second) to device."
    type: list
    elements: dict
    suboptions:
      path:
        description:
        - Device path in the container.
        type: str
        required: yes
      rate:
        description:
        - "Device read limit."
        - "Must be a positive integer."
        type: int
        required: yes
  dns_opts:
    description:
      - List of DNS options.
    type: list
    elements: str
  dns_servers:
    description:
      - List of custom DNS servers.
    type: list
    elements: str
  dns_search_domains:
    description:
      - List of custom DNS search domains.
    type: list
    elements: str
  domainname:
    description:
      - Container domainname.
    type: str
  env:
    description:
      - Dictionary of key,value pairs.
      - Values which might be parsed as numbers, booleans or other types by the YAML parser must be quoted (e.g. C("true")) in order to avoid data loss.
    type: dict
  env_file:
    description:
      - Path to a file, present on the target, containing environment variables I(FOO=BAR).
      - If variable also present in I(env), then the I(env) value will override.
    type: path
  entrypoint:
    description:
      - Command that overwrites the default C(ENTRYPOINT) of the image.
    type: list
    elements: str
  etc_hosts:
    description:
      - Dict of host-to-IP mappings, where each host name is a key in the dictionary.
        Each host name will be added to the container's C(/etc/hosts) file.
    type: dict
  exposed_ports:
    description:
      - List of additional container ports which informs Docker that the container
        listens on the specified network ports at runtime.
      - If the port is already exposed using C(EXPOSE) in a Dockerfile, it does not
        need to be exposed again.
    type: list
    elements: str
    aliases:
      - exposed
      - expose
  force_kill:
    description:
      - Use the kill command when stopping a running container.
    type: bool
    default: no
    aliases:
      - forcekill
  groups:
    description:
      - List of additional group names and/or IDs that the container process will run as.
    type: list
    elements: str
  healthcheck:
    description:
      - Configure a check that is run to determine whether or not containers for this service are "healthy".
      - "See the docs for the L(HEALTHCHECK Dockerfile instruction,https://docs.docker.com/engine/reference/builder/#healthcheck)
        for details on how healthchecks work."
      - "I(interval), I(timeout) and I(start_period) are specified as durations. They accept duration as a string in a format
        that look like: C(5h34m56s), C(1m30s) etc. The supported units are C(us), C(ms), C(s), C(m) and C(h)."
    type: dict
    suboptions:
      test:
        description:
          - Command to run to check health.
          - Must be either a string or a list. If it is a list, the first item must be one of C(NONE), C(CMD) or C(CMD-SHELL).
        type: raw
      interval:
        description:
          - Time between running the check.
          - The default used by the Docker daemon is C(30s).
        type: str
      timeout:
        description:
          - Maximum time to allow one check to run.
          - The default used by the Docker daemon is C(30s).
        type: str
      retries:
        description:
          - Consecutive number of failures needed to report unhealthy.
          - The default used by the Docker daemon is C(3).
        type: int
      start_period:
        description:
          - Start period for the container to initialize before starting health-retries countdown.
          - The default used by the Docker daemon is C(0s).
        type: str
  hostname:
    description:
      - The container's hostname.
    type: str
  ignore_image:
    description:
      - When I(state) is C(present) or C(started), the module compares the configuration of an existing
        container to requested configuration. The evaluation includes the image version. If the image
        version in the registry does not match the container, the container will be recreated. You can
        stop this behavior by setting I(ignore_image) to C(True).
      - "*Warning:* This option is ignored if C(image: ignore) or C(*: ignore) is specified in the
        I(comparisons) option."
    type: bool
    default: no
  image:
    description:
      - Repository path and tag used to create the container. If an image is not found or pull is true, the image
        will be pulled from the registry. If no tag is included, C(latest) will be used.
      - Can also be an image ID. If this is the case, the image is assumed to be available locally.
        The I(pull) option is ignored for this case.
    type: str
  init:
    description:
      - Run an init inside the container that forwards signals and reaps processes.
      - This option requires Docker API >= 1.25.
      - If I(container_default_behavior) is set to C(compatiblity) (the default value), this
        option has a default of C(no).
    type: bool
  interactive:
    description:
      - Keep stdin open after a container is launched, even if not attached.
      - If I(container_default_behavior) is set to C(compatiblity) (the default value), this
        option has a default of C(no).
    type: bool
  ipc_mode:
    description:
      - Set the IPC mode for the container.
      - Can be one of C(container:<name|id>) to reuse another container's IPC namespace or C(host) to use
        the host's IPC namespace within the container.
    type: str
  keep_volumes:
    description:
      - Retain volumes associated with a removed container.
    type: bool
    default: yes
  kill_signal:
    description:
      - Override default signal used to kill a running container.
    type: str
  kernel_memory:
    description:
      - "Kernel memory limit in format C(<number>[<unit>]). Number is a positive integer.
        Unit can be C(B) (byte), C(K) (kibibyte, 1024B), C(M) (mebibyte), C(G) (gibibyte),
        C(T) (tebibyte), or C(P) (pebibyte). Minimum is C(4M)."
      - Omitting the unit defaults to bytes.
    type: str
  labels:
    description:
      - Dictionary of key value pairs.
    type: dict
  links:
    description:
      - List of name aliases for linked containers in the format C(container_name:alias).
      - Setting this will force container to be restarted.
    type: list
    elements: str
  log_driver:
    description:
      - Specify the logging driver. Docker uses C(json-file) by default.
      - See L(here,https://docs.docker.com/config/containers/logging/configure/) for possible choices.
    type: str
  log_options:
    description:
      - Dictionary of options specific to the chosen I(log_driver).
      - See U(https://docs.docker.com/engine/admin/logging/overview/) for details.
    type: dict
    aliases:
      - log_opt
  mac_address:
    description:
      - Container MAC address (e.g. 92:d0:c6:0a:29:33).
    type: str
  memory:
    description:
      - "Memory limit in format C(<number>[<unit>]). Number is a positive integer.
        Unit can be C(B) (byte), C(K) (kibibyte, 1024B), C(M) (mebibyte), C(G) (gibibyte),
        C(T) (tebibyte), or C(P) (pebibyte)."
      - Omitting the unit defaults to bytes.
      - If I(container_default_behavior) is set to C(compatiblity) (the default value), this
        option has a default of C("0").
    type: str
  memory_reservation:
    description:
      - "Memory soft limit in format C(<number>[<unit>]). Number is a positive integer.
        Unit can be C(B) (byte), C(K) (kibibyte, 1024B), C(M) (mebibyte), C(G) (gibibyte),
        C(T) (tebibyte), or C(P) (pebibyte)."
      - Omitting the unit defaults to bytes.
    type: str
  memory_swap:
    description:
      - "Total memory limit (memory + swap) in format C(<number>[<unit>]).
        Number is a positive integer. Unit can be C(B) (byte), C(K) (kibibyte, 1024B),
        C(M) (mebibyte), C(G) (gibibyte), C(T) (tebibyte), or C(P) (pebibyte)."
      - Omitting the unit defaults to bytes.
    type: str
  memory_swappiness:
    description:
        - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
        - If not set, the value will be remain the same if container exists and will be inherited
          from the host machine if it is (re-)created.
    type: int
  mounts:
    type: list
    elements: dict
    description:
      - Specification for mounts to be added to the container. More powerful alternative to I(volumes).
    suboptions:
      target:
        description:
          - Path inside the container.
        type: str
        required: true
      source:
        description:
          - Mount source (e.g. a volume name or a host path).
        type: str
      type:
        description:
          - The mount type.
          - Note that C(npipe) is only supported by Docker for Windows.
        type: str
        choices:
          - bind
          - npipe
          - tmpfs
          - volume
        default: volume
      read_only:
        description:
          - Whether the mount should be read-only.
        type: bool
      consistency:
        description:
          - The consistency requirement for the mount.
        type: str
        choices:
          - cached
          - consistent
          - default
          - delegated
      propagation:
        description:
          - Propagation mode. Only valid for the C(bind) type.
        type: str
        choices:
          - private
          - rprivate
          - shared
          - rshared
          - slave
          - rslave
      no_copy:
        description:
          - False if the volume should be populated with the data from the target. Only valid for the C(volume) type.
          - The default value is C(false).
        type: bool
      labels:
        description:
          - User-defined name and labels for the volume. Only valid for the C(volume) type.
        type: dict
      volume_driver:
        description:
          - Specify the volume driver. Only valid for the C(volume) type.
          - See L(here,https://docs.docker.com/storage/volumes/#use-a-volume-driver) for details.
        type: str
      volume_options:
        description:
          - Dictionary of options specific to the chosen volume_driver. See
            L(here,https://docs.docker.com/storage/volumes/#use-a-volume-driver) for details.
        type: dict
      tmpfs_size:
        description:
          - "The size for the tmpfs mount in bytes in format <number>[<unit>]."
          - "Number is a positive integer. Unit can be one of C(B) (byte), C(K) (kibibyte, 1024B), C(M) (mebibyte), C(G) (gibibyte),
             C(T) (tebibyte), or C(P) (pebibyte)."
          - "Omitting the unit defaults to bytes."
        type: str
      tmpfs_mode:
        description:
          - The permission mode for the tmpfs mount.
        type: str
  name:
    description:
      - Assign a name to a new container or match an existing container.
      - When identifying an existing container name may be a name or a long or short container ID.
    type: str
    required: yes
  network_mode:
    description:
      - Connect the container to a network. Choices are C(bridge), C(host), C(none), C(container:<name|id>), C(<network_name>) or C(default).
      - "*Note* that from Ansible 2.14 on, if I(networks_cli_compatible) is C(true) and I(networks) contains at least one network,
         the default value for I(network_mode) will be the name of the first network in the I(networks) list. You can prevent this
         by explicitly specifying a value for I(network_mode), like the default value C(default) which will be used by Docker if
         I(network_mode) is not specified."
    type: str
  userns_mode:
    description:
      - Set the user namespace mode for the container. Currently, the only valid value are C(host) and the empty string.
    type: str
  networks:
    description:
      - List of networks the container belongs to.
      - For examples of the data structure and usage see EXAMPLES below.
      - To remove a container from one or more networks, use the I(purge_networks) option.
      - Note that as opposed to C(docker run ...), M(docker_container) does not remove the default
        network if I(networks) is specified. You need to explicitly use I(purge_networks) to enforce
        the removal of the default network (and all other networks not explicitly mentioned in I(networks)).
        Alternatively, use the I(networks_cli_compatible) option, which will be enabled by default from Ansible 2.12 on.
    type: list
    elements: dict
    suboptions:
      name:
        description:
          - The network's name.
        type: str
        required: yes
      ipv4_address:
        description:
          - The container's IPv4 address in this network.
        type: str
      ipv6_address:
        description:
          - The container's IPv6 address in this network.
        type: str
      links:
        description:
          - A list of containers to link to.
        type: list
        elements: str
      aliases:
        description:
          - List of aliases for this container in this network. These names
            can be used in the network to reach this container.
        type: list
        elements: str
  networks_cli_compatible:
    description:
      - "When networks are provided to the module via the I(networks) option, the module
         behaves differently than C(docker run --network): C(docker run --network other)
         will create a container with network C(other) attached, but the default network
         not attached. This module with I(networks: {name: other}) will create a container
         with both C(default) and C(other) attached. If I(purge_networks) is set to C(yes),
         the C(default) network will be removed afterwards."
      - "If I(networks_cli_compatible) is set to C(yes), this module will behave as
         C(docker run --network) and will *not* add the default network if I(networks) is
         specified. If I(networks) is not specified, the default network will be attached."
      - "*Note* that docker CLI also sets I(network_mode) to the name of the first network
         added if C(--network) is specified. For more compatibility with docker CLI, you
         explicitly have to set I(network_mode) to the name of the first network you're
         adding. This behavior will change for Ansible 2.14: then I(network_mode) will
         automatically be set to the first network name in I(networks) if I(network_mode)
         is not specified, I(networks) has at least one entry and I(networks_cli_compatible)
         is C(true)."
      - Current value is C(no). A new default of C(yes) will be set in Ansible 2.12.
    type: bool
  oom_killer:
    description:
      - Whether or not to disable OOM Killer for the container.
    type: bool
  oom_score_adj:
    description:
      - An integer value containing the score given to the container in order to tune
        OOM killer preferences.
    type: int
  output_logs:
    description:
      - If set to true, output of the container command will be printed.
      - Only effective when I(log_driver) is set to C(json-file) or C(journald).
    type: bool
    default: no
  paused:
    description:
      - Use with the started state to pause running processes inside the container.
      - If I(container_default_behavior) is set to C(compatiblity) (the default value), this
        option has a default of C(no).
    type: bool
  pid_mode:
    description:
      - Set the PID namespace mode for the container.
      - Note that Docker SDK for Python < 2.0 only supports C(host). Newer versions of the
        Docker SDK for Python (docker) allow all values supported by the Docker daemon.
    type: str
  pids_limit:
    description:
      - Set PIDs limit for the container. It accepts an integer value.
      - Set C(-1) for unlimited PIDs.
    type: int
  privileged:
    description:
      - Give extended privileges to the container.
      - If I(container_default_behavior) is set to C(compatiblity) (the default value), this
        option has a default of C(no).
    type: bool
  published_ports:
    description:
      - List of ports to publish from the container to the host.
      - "Use docker CLI syntax: C(8000), C(9000:8000), or C(0.0.0.0:9000:8000), where 8000 is a
        container port, 9000 is a host port, and 0.0.0.0 is a host interface."
      - Port ranges can be used for source and destination ports. If two ranges with
        different lengths are specified, the shorter range will be used.
        Since Ansible 2.10, if the source port range has length 1, the port will not be assigned
        to the first port of the destination range, but to a free port in that range. This is the
        same behavior as for C(docker) command line utility.
      - "Bind addresses must be either IPv4 or IPv6 addresses. Hostnames are *not* allowed. This
        is different from the C(docker) command line utility. Use the L(dig lookup,../lookup/dig.html)
        to resolve hostnames."
      - A value of C(all) will publish all exposed container ports to random host ports, ignoring
        any other mappings.
      - If I(networks) parameter is provided, will inspect each network to see if there exists
        a bridge network with optional parameter C(com.docker.network.bridge.host_binding_ipv4).
        If such a network is found, then published ports where no host IP address is specified
        will be bound to the host IP pointed to by C(com.docker.network.bridge.host_binding_ipv4).
        Note that the first bridge network with a C(com.docker.network.bridge.host_binding_ipv4)
        value encountered in the list of I(networks) is the one that will be used.
    type: list
    elements: str
    aliases:
      - ports
  pull:
    description:
       - If true, always pull the latest version of an image. Otherwise, will only pull an image
         when missing.
       - "*Note:* images are only pulled when specified by name. If the image is specified
         as a image ID (hash), it cannot be pulled."
    type: bool
    default: no
  purge_networks:
    description:
       - Remove the container from ALL networks not included in I(networks) parameter.
       - Any default networks such as C(bridge), if not found in I(networks), will be removed as well.
    type: bool
    default: no
  read_only:
    description:
      - Mount the container's root file system as read-only.
      - If I(container_default_behavior) is set to C(compatiblity) (the default value), this
        option has a default of C(no).
    type: bool
  recreate:
    description:
      - Use with present and started states to force the re-creation of an existing container.
    type: bool
    default: no
  removal_wait_timeout:
    description:
      - When removing an existing container, the docker daemon API call exists after the container
        is scheduled for removal. Removal usually is very fast, but it can happen that during high I/O
        load, removal can take longer. By default, the module will wait until the container has been
        removed before trying to (re-)create it, however long this takes.
      - By setting this option, the module will wait at most this many seconds for the container to be
        removed. If the container is still in the removal phase after this many seconds, the module will
        fail.
    type: float
  restart:
    description:
      - Use with started state to force a matching container to be stopped and restarted.
    type: bool
    default: no
  restart_policy:
    description:
      - Container restart policy.
      - Place quotes around C(no) option.
    type: str
    choices:
      - 'no'
      - 'on-failure'
      - 'always'
      - 'unless-stopped'
  restart_retries:
    description:
      - Use with restart policy to control maximum number of restart attempts.
    type: int
  runtime:
    description:
      - Runtime to use for the container.
    type: str
  shm_size:
    description:
      - "Size of C(/dev/shm) in format C(<number>[<unit>]). Number is positive integer.
        Unit can be C(B) (byte), C(K) (kibibyte, 1024B), C(M) (mebibyte), C(G) (gibibyte),
        C(T) (tebibyte), or C(P) (pebibyte)."
      - Omitting the unit defaults to bytes. If you omit the size entirely, Docker daemon uses C(64M).
    type: str
  security_opts:
    description:
      - List of security options in the form of C("label:user:User").
    type: list
    elements: str
  state:
    description:
      - 'C(absent) - A container matching the specified name will be stopped and removed. Use I(force_kill) to kill the container
         rather than stopping it. Use I(keep_volumes) to retain volumes associated with the removed container.'
      - 'C(present) - Asserts the existence of a container matching the name and any provided configuration parameters. If no
        container matches the name, a container will be created. If a container matches the name but the provided configuration
        does not match, the container will be updated, if it can be. If it cannot be updated, it will be removed and re-created
        with the requested config.'
      - 'C(started) - Asserts that the container is first C(present), and then if the container is not running moves it to a running
        state. Use I(restart) to force a matching container to be stopped and restarted.'
      - 'C(stopped) - Asserts that the container is first C(present), and then if the container is running moves it to a stopped
        state.'
      - To control what will be taken into account when comparing configuration, see the I(comparisons) option. To avoid that the
        image version will be taken into account, you can also use the I(ignore_image) option.
      - Use the I(recreate) option to always force re-creation of a matching container, even if it is running.
      - If the container should be killed instead of stopped in case it needs to be stopped for recreation, or because I(state) is
        C(stopped), please use the I(force_kill) option. Use I(keep_volumes) to retain volumes associated with a removed container.
      - Use I(keep_volumes) to retain volumes associated with a removed container.
    type: str
    default: started
    choices:
      - absent
      - present
      - stopped
      - started
  stop_signal:
    description:
      - Override default signal used to stop the container.
    type: str
  stop_timeout:
    description:
      - Number of seconds to wait for the container to stop before sending C(SIGKILL).
        When the container is created by this module, its C(StopTimeout) configuration
        will be set to this value.
      - When the container is stopped, will be used as a timeout for stopping the
        container. In case the container has a custom C(StopTimeout) configuration,
        the behavior depends on the version of the docker daemon. New versions of
        the docker daemon will always use the container's configured C(StopTimeout)
        value if it has been configured.
    type: int
  trust_image_content:
    description:
      - If C(yes), skip image verification.
      - The option has never been used by the module. It will be removed in Ansible 2.14.
    type: bool
    default: no
  tmpfs:
    description:
      - Mount a tmpfs directory.
    type: list
    elements: str
  tty:
    description:
      - Allocate a pseudo-TTY.
      - If I(container_default_behavior) is set to C(compatiblity) (the default value), this
        option has a default of C(no).
    type: bool
  ulimits:
    description:
      - "List of ulimit options. A ulimit is specified as C(nofile:262144:262144)."
    type: list
    elements: str
  sysctls:
    description:
      - Dictionary of key,value pairs.
    type: dict
  user:
    description:
      - Sets the username or UID used and optionally the groupname or GID for the specified command.
      - "Can be of the forms C(user), C(user:group), C(uid), C(uid:gid), C(user:gid) or C(uid:group)."
    type: str
  uts:
    description:
      - Set the UTS namespace mode for the container.
    type: str
  volumes:
    description:
      - List of volumes to mount within the container.
      - "Use docker CLI-style syntax: C(/host:/container[:mode])"
      - "Mount modes can be a comma-separated list of various modes such as C(ro), C(rw), C(consistent),
        C(delegated), C(cached), C(rprivate), C(private), C(rshared), C(shared), C(rslave), C(slave), and
        C(nocopy). Note that the docker daemon might not support all modes and combinations of such modes."
      - SELinux hosts can additionally use C(z) or C(Z) to use a shared or private label for the volume.
      - "Note that Ansible 2.7 and earlier only supported one mode, which had to be one of C(ro), C(rw),
        C(z), and C(Z)."
    type: list
    elements: str
  volume_driver:
    description:
      - The container volume driver.
    type: str
  volumes_from:
    description:
      - List of container names or IDs to get volumes from.
    type: list
    elements: str
  working_dir:
    description:
      - Path to the working directory.
    type: str
extends_documentation_fragment:
- community.general.docker
- community.general.docker.docker_py_1_documentation


author:
  - "Cove Schneider (@cove)"
  - "Joshua Conner (@joshuaconner)"
  - "Pavel Antonov (@softzilla)"
  - "Thomas Steinbach (@ThomasSteinbach)"
  - "Philippe Jandot (@zfil)"
  - "Daan Oosterveld (@dusdanig)"
  - "Chris Houseknecht (@chouseknecht)"
  - "Kassian Sun (@kassiansun)"
  - "Felix Fontein (@felixfontein)"

requirements:
  - "L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 1.8.0 (use L(docker-py,https://pypi.org/project/docker-py/) for Python 2.6)"
  - "Docker API >= 1.20"
'''

EXAMPLES = '''
- name: Create a data container
  docker_container:
    name: mydata
    image: busybox
    volumes:
      - /data

- name: Re-create a redis container
  docker_container:
    name: myredis
    image: redis
    command: redis-server --appendonly yes
    state: present
    recreate: yes
    exposed_ports:
      - 6379
    volumes_from:
      - mydata

- name: Restart a container
  docker_container:
    name: myapplication
    image: someuser/appimage
    state: started
    restart: yes
    links:
     - "myredis:aliasedredis"
    devices:
     - "/dev/sda:/dev/xvda:rwm"
    ports:
     # Publish container port 9000 as host port 8080
     - "8080:9000"
     # Publish container UDP port 9001 as host port 8081 on interface 127.0.0.1
     - "127.0.0.1:8081:9001/udp"
     # Publish container port 9002 as a random host port
     - "9002"
     # Publish container port 9003 as a free host port in range 8000-8100
     # (the host port will be selected by the Docker daemon)
     - "8000-8100:9003"
     # Publish container ports 9010-9020 to host ports 7000-7010
     - "7000-7010:9010-9020"
    env:
        SECRET_KEY: "ssssh"
        # Values which might be parsed as numbers, booleans or other types by the YAML parser need to be quoted
        BOOLEAN_KEY: "yes"

- name: Container present
  docker_container:
    name: mycontainer
    state: present
    image: ubuntu:14.04
    command: sleep infinity

- name: Stop a container
  docker_container:
    name: mycontainer
    state: stopped

- name: Start 4 load-balanced containers
  docker_container:
    name: "container{{ item }}"
    recreate: yes
    image: someuser/anotherappimage
    command: sleep 1d
  with_sequence: count=4

- name: remove container
  docker_container:
    name: ohno
    state: absent

- name: Syslogging output
  docker_container:
    name: myservice
    image: busybox
    log_driver: syslog
    log_options:
      syslog-address: tcp://my-syslog-server:514
      syslog-facility: daemon
      # NOTE: in Docker 1.13+ the "syslog-tag" option was renamed to "tag" for
      # older docker installs, use "syslog-tag" instead
      tag: myservice

- name: Create db container and connect to network
  docker_container:
    name: db_test
    image: "postgres:latest"
    networks:
      - name: "{{ docker_network_name }}"

- name: Start container, connect to network and link
  docker_container:
    name: sleeper
    image: ubuntu:14.04
    networks:
      - name: TestingNet
        ipv4_address: "172.1.1.100"
        aliases:
          - sleepyzz
        links:
          - db_test:db
      - name: TestingNet2

- name: Start a container with a command
  docker_container:
    name: sleepy
    image: ubuntu:14.04
    command: ["sleep", "infinity"]

- name: Add container to networks
  docker_container:
    name: sleepy
    networks:
      - name: TestingNet
        ipv4_address: 172.1.1.18
        links:
          - sleeper
      - name: TestingNet2
        ipv4_address: 172.1.10.20

- name: Update network with aliases
  docker_container:
    name: sleepy
    networks:
      - name: TestingNet
        aliases:
          - sleepyz
          - zzzz

- name: Remove container from one network
  docker_container:
    name: sleepy
    networks:
      - name: TestingNet2
    purge_networks: yes

- name: Remove container from all networks
  docker_container:
    name: sleepy
    purge_networks: yes

- name: Start a container and use an env file
  docker_container:
    name: agent
    image: jenkinsci/ssh-slave
    env_file: /var/tmp/jenkins/agent.env

- name: Create a container with limited capabilities
  docker_container:
    name: sleepy
    image: ubuntu:16.04
    command: sleep infinity
    capabilities:
      - sys_time
    cap_drop:
      - all

- name: Finer container restart/update control
  docker_container:
    name: test
    image: ubuntu:18.04
    env:
      arg1: "true"
      arg2: "whatever"
    volumes:
      - /tmp:/tmp
    comparisons:
      image: ignore   # don't restart containers with older versions of the image
      env: strict   # we want precisely this environment
      volumes: allow_more_present   # if there are more volumes, that's ok, as long as `/tmp:/tmp` is there

- name: Finer container restart/update control II
  docker_container:
    name: test
    image: ubuntu:18.04
    env:
      arg1: "true"
      arg2: "whatever"
    comparisons:
      '*': ignore  # by default, ignore *all* options (including image)
      env: strict   # except for environment variables; there, we want to be strict

- name: Start container with healthstatus
  docker_container:
    name: nginx-proxy
    image: nginx:1.13
    state: started
    healthcheck:
      # Check if nginx server is healthy by curl'ing the server.
      # If this fails or timeouts, the healthcheck fails.
      test: ["CMD", "curl", "--fail", "http://nginx.host.com"]
      interval: 1m30s
      timeout: 10s
      retries: 3
      start_period: 30s

- name: Remove healthcheck from container
  docker_container:
    name: nginx-proxy
    image: nginx:1.13
    state: started
    healthcheck:
      # The "NONE" check needs to be specified
      test: ["NONE"]

- name: start container with block device read limit
  docker_container:
    name: test
    image: ubuntu:18.04
    state: started
    device_read_bps:
      # Limit read rate for /dev/sda to 20 mebibytes per second
      - path: /dev/sda
        rate: 20M
    device_read_iops:
      # Limit read rate for /dev/sdb to 300 IO per second
      - path: /dev/sdb
        rate: 300
'''

RETURN = '''
container:
    description:
      - Facts representing the current state of the container. Matches the docker inspection output.
      - Note that facts are part of the registered vars since Ansible 2.8. For compatibility reasons, the facts
        are also accessible directly as C(docker_container). Note that the returned fact will be removed in Ansible 2.12.
      - Before 2.3 this was C(ansible_docker_container) but was renamed in 2.3 to C(docker_container) due to
        conflicts with the connection plugin.
      - Empty if I(state) is C(absent)
      - If I(detached) is C(false), will include C(Output) attribute containing any output from container run.
    returned: always
    type: dict
    sample: '{
        "AppArmorProfile": "",
        "Args": [],
        "Config": {
            "AttachStderr": false,
            "AttachStdin": false,
            "AttachStdout": false,
            "Cmd": [
                "/usr/bin/supervisord"
            ],
            "Domainname": "",
            "Entrypoint": null,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "ExposedPorts": {
                "443/tcp": {},
                "80/tcp": {}
            },
            "Hostname": "8e47bf643eb9",
            "Image": "lnmp_nginx:v1",
            "Labels": {},
            "OnBuild": null,
            "OpenStdin": false,
            "StdinOnce": false,
            "Tty": false,
            "User": "",
            "Volumes": {
                "/tmp/lnmp/nginx-sites/logs/": {}
            },
            ...
    }'
'''

import os
import re
import shlex
import traceback
from distutils.version import LooseVersion
from time import sleep

from ansible.module_utils.common.text.formatters import human_to_bytes
from ansible_collections.community.general.plugins.module_utils.docker.common import (
    AnsibleDockerClient,
    DifferenceTracker,
    DockerBaseClass,
    compare_generic,
    is_image_name_id,
    sanitize_result,
    clean_dict_booleans_for_docker_api,
    omit_none_from_dict,
    parse_healthcheck,
    DOCKER_COMMON_ARGS,
    RequestException,
)
from ansible.module_utils.six import string_types

try:
    from docker import utils
    from ansible_collections.community.general.plugins.module_utils.docker.common import docker_version
    if LooseVersion(docker_version) >= LooseVersion('1.10.0'):
        from docker.types import Ulimit, LogConfig
        from docker import types as docker_types
    else:
        from docker.utils.types import Ulimit, LogConfig
    from docker.errors import DockerException, APIError, NotFound
except Exception:
    # missing Docker SDK for Python handled in ansible.module_utils.docker.common
    pass


REQUIRES_CONVERSION_TO_BYTES = [
    'kernel_memory',
    'memory',
    'memory_reservation',
    'memory_swap',
    'shm_size'
]


def is_volume_permissions(mode):
    for part in mode.split(','):
        if part not in ('rw', 'ro', 'z', 'Z', 'consistent', 'delegated', 'cached', 'rprivate', 'private', 'rshared', 'shared', 'rslave', 'slave', 'nocopy'):
            return False
    return True


def parse_port_range(range_or_port, client):
    '''
    Parses a string containing either a single port or a range of ports.

    Returns a list of integers for each port in the list.
    '''
    if '-' in range_or_port:
        try:
            start, end = [int(port) for port in range_or_port.split('-')]
        except Exception:
            client.fail('Invalid port range: "{0}"'.format(range_or_port))
        if end < start:
            client.fail('Invalid port range: "{0}"'.format(range_or_port))
        return list(range(start, end + 1))
    else:
        try:
            return [int(range_or_port)]
        except Exception:
            client.fail('Invalid port: "{0}"'.format(range_or_port))


def split_colon_ipv6(text, client):
    '''
    Split string by ':', while keeping IPv6 addresses in square brackets in one component.
    '''
    if '[' not in text:
        return text.split(':')
    start = 0
    result = []
    while start < len(text):
        i = text.find('[', start)
        if i < 0:
            result.extend(text[start:].split(':'))
            break
        j = text.find(']', i)
        if j < 0:
            client.fail('Cannot find closing "]" in input "{0}" for opening "[" at index {1}!'.format(text, i + 1))
        result.extend(text[start:i].split(':'))
        k = text.find(':', j)
        if k < 0:
            result[-1] += text[i:]
            start = len(text)
        else:
            result[-1] += text[i:k]
            if k == len(text):
                result.append('')
                break
            start = k + 1
    return result


class TaskParameters(DockerBaseClass):
    '''
    Access and parse module parameters
    '''

    def __init__(self, client):
        super(TaskParameters, self).__init__()
        self.client = client

        self.auto_remove = None
        self.blkio_weight = None
        self.capabilities = None
        self.cap_drop = None
        self.cleanup = None
        self.command = None
        self.cpu_period = None
        self.cpu_quota = None
        self.cpus = None
        self.cpuset_cpus = None
        self.cpuset_mems = None
        self.cpu_shares = None
        self.detach = None
        self.debug = None
        self.devices = None
        self.device_read_bps = None
        self.device_write_bps = None
        self.device_read_iops = None
        self.device_write_iops = None
        self.dns_servers = None
        self.dns_opts = None
        self.dns_search_domains = None
        self.domainname = None
        self.env = None
        self.env_file = None
        self.entrypoint = None
        self.etc_hosts = None
        self.exposed_ports = None
        self.force_kill = None
        self.groups = None
        self.healthcheck = None
        self.hostname = None
        self.ignore_image = None
        self.image = None
        self.init = None
        self.interactive = None
        self.ipc_mode = None
        self.keep_volumes = None
        self.kernel_memory = None
        self.kill_signal = None
        self.labels = None
        self.links = None
        self.log_driver = None
        self.output_logs = None
        self.log_options = None
        self.mac_address = None
        self.memory = None
        self.memory_reservation = None
        self.memory_swap = None
        self.memory_swappiness = None
        self.mounts = None
        self.name = None
        self.network_mode = None
        self.userns_mode = None
        self.networks = None
        self.networks_cli_compatible = None
        self.oom_killer = None
        self.oom_score_adj = None
        self.paused = None
        self.pid_mode = None
        self.pids_limit = None
        self.privileged = None
        self.purge_networks = None
        self.pull = None
        self.read_only = None
        self.recreate = None
        self.removal_wait_timeout = None
        self.restart = None
        self.restart_retries = None
        self.restart_policy = None
        self.runtime = None
        self.shm_size = None
        self.security_opts = None
        self.state = None
        self.stop_signal = None
        self.stop_timeout = None
        self.tmpfs = None
        self.trust_image_content = None
        self.tty = None
        self.user = None
        self.uts = None
        self.volumes = None
        self.volume_binds = dict()
        self.volumes_from = None
        self.volume_driver = None
        self.working_dir = None

        for key, value in client.module.params.items():
            setattr(self, key, value)
        self.comparisons = client.comparisons

        # If state is 'absent', parameters do not have to be parsed or interpreted.
        # Only the container's name is needed.
        if self.state == 'absent':
            return

        if self.cpus is not None:
            self.cpus = int(round(self.cpus * 1E9))

        if self.groups:
            # In case integers are passed as groups, we need to convert them to
            # strings as docker internally treats them as strings.
            self.groups = [str(g) for g in self.groups]

        for param_name in REQUIRES_CONVERSION_TO_BYTES:
            if client.module.params.get(param_name):
                try:
                    setattr(self, param_name, human_to_bytes(client.module.params.get(param_name)))
                except ValueError as exc:
                    self.fail("Failed to convert %s to bytes: %s" % (param_name, exc))

        self.publish_all_ports = False
        self.published_ports = self._parse_publish_ports()
        if self.published_ports in ('all', 'ALL'):
            self.publish_all_ports = True
            self.published_ports = None

        self.ports = self._parse_exposed_ports(self.published_ports)
        self.log("expose ports:")
        self.log(self.ports, pretty_print=True)

        self.links = self._parse_links(self.links)

        if self.volumes:
            self.volumes = self._expand_host_paths()

        self.tmpfs = self._parse_tmpfs()
        self.env = self._get_environment()
        self.ulimits = self._parse_ulimits()
        self.sysctls = self._parse_sysctls()
        self.log_config = self._parse_log_config()
        try:
            self.healthcheck, self.disable_healthcheck = parse_healthcheck(self.healthcheck)
        except ValueError as e:
            self.fail(str(e))

        self.exp_links = None
        self.volume_binds = self._get_volume_binds(self.volumes)
        self.pid_mode = self._replace_container_names(self.pid_mode)
        self.ipc_mode = self._replace_container_names(self.ipc_mode)
        self.network_mode = self._replace_container_names(self.network_mode)

        self.log("volumes:")
        self.log(self.volumes, pretty_print=True)
        self.log("volume binds:")
        self.log(self.volume_binds, pretty_print=True)

        if self.networks:
            for network in self.networks:
                network['id'] = self._get_network_id(network['name'])
                if not network['id']:
                    self.fail("Parameter error: network named %s could not be found. Does it exist?" % network['name'])
                if network.get('links'):
                    network['links'] = self._parse_links(network['links'])

        if self.mac_address:
            # Ensure the MAC address uses colons instead of hyphens for later comparison
            self.mac_address = self.mac_address.replace('-', ':')

        if self.entrypoint:
            # convert from list to str.
            self.entrypoint = ' '.join([str(x) for x in self.entrypoint])

        if self.command:
            # convert from list to str
            if isinstance(self.command, list):
                self.command = ' '.join([str(x) for x in self.command])

        self.mounts_opt, self.expected_mounts = self._process_mounts()

        self._check_mount_target_collisions()

        for param_name in ["device_read_bps", "device_write_bps"]:
            if client.module.params.get(param_name):
                self._process_rate_bps(option=param_name)

        for param_name in ["device_read_iops", "device_write_iops"]:
            if client.module.params.get(param_name):
                self._process_rate_iops(option=param_name)

    def fail(self, msg):
        self.client.fail(msg)

    @property
    def update_parameters(self):
        '''
        Returns parameters used to update a container
        '''

        update_parameters = dict(
            blkio_weight='blkio_weight',
            cpu_period='cpu_period',
            cpu_quota='cpu_quota',
            cpu_shares='cpu_shares',
            cpuset_cpus='cpuset_cpus',
            cpuset_mems='cpuset_mems',
            mem_limit='memory',
            mem_reservation='memory_reservation',
            memswap_limit='memory_swap',
            kernel_memory='kernel_memory',
            restart_policy='restart_policy',
        )

        result = dict()
        for key, value in update_parameters.items():
            if getattr(self, value, None) is not None:
                if key == 'restart_policy' and self.client.option_minimal_versions[value]['supported']:
                    restart_policy = dict(Name=self.restart_policy,
                                          MaximumRetryCount=self.restart_retries)
                    result[key] = restart_policy
                elif self.client.option_minimal_versions[value]['supported']:
                    result[key] = getattr(self, value)
        return result

    @property
    def create_parameters(self):
        '''
        Returns parameters used to create a container
        '''
        create_params = dict(
            command='command',
            domainname='domainname',
            hostname='hostname',
            user='user',
            detach='detach',
            stdin_open='interactive',
            tty='tty',
            ports='ports',
            environment='env',
            name='name',
            entrypoint='entrypoint',
            mac_address='mac_address',
            labels='labels',
            stop_signal='stop_signal',
            working_dir='working_dir',
            stop_timeout='stop_timeout',
            healthcheck='healthcheck',
        )

        if self.client.docker_py_version < LooseVersion('3.0'):
            # cpu_shares and volume_driver moved to create_host_config in > 3
            create_params['cpu_shares'] = 'cpu_shares'
            create_params['volume_driver'] = 'volume_driver'

        result = dict(
            host_config=self._host_config(),
            volumes=self._get_mounts(),
        )

        for key, value in create_params.items():
            if getattr(self, value, None) is not None:
                if self.client.option_minimal_versions[value]['supported']:
                    result[key] = getattr(self, value)

        if self.disable_healthcheck:
            # Make sure image's health check is overridden
            result['healthcheck'] = {'test': ['NONE']}

        if self.networks_cli_compatible and self.networks:
            network = self.networks[0]
            params = dict()
            for para in ('ipv4_address', 'ipv6_address', 'links', 'aliases'):
                if network.get(para):
                    params[para] = network[para]
            network_config = dict()
            network_config[network['name']] = self.client.create_endpoint_config(**params)
            result['networking_config'] = self.client.create_networking_config(network_config)
        return result

    def _expand_host_paths(self):
        new_vols = []
        for vol in self.volumes:
            if ':' in vol:
                parts = vol.split(':')
                if len(parts) == 3:
                    host, container, mode = parts
                    if not is_volume_permissions(mode):
                        self.fail('Found invalid volumes mode: {0}'.format(mode))
                    if re.match(r'[.~]', host):
                        host = os.path.abspath(os.path.expanduser(host))
                    new_vols.append("%s:%s:%s" % (host, container, mode))
                    continue
                elif len(parts) == 2:
                    if not is_volume_permissions(parts[1]) and re.match(r'[.~]', parts[0]):
                        host = os.path.abspath(os.path.expanduser(parts[0]))
                        new_vols.append("%s:%s:rw" % (host, parts[1]))
                        continue
            new_vols.append(vol)
        return new_vols

    def _get_mounts(self):
        '''
        Return a list of container mounts.
        :return:
        '''
        result = []
        if self.volumes:
            for vol in self.volumes:
                # Only pass anonymous volumes to create container
                if ':' in vol:
                    parts = vol.split(':')
                    if len(parts) == 3:
                        continue
                    if len(parts) == 2:
                        if not is_volume_permissions(parts[1]):
                            continue
                result.append(vol)
        self.log("mounts:")
        self.log(result, pretty_print=True)
        return result

    def _host_config(self):
        '''
        Returns parameters used to create a HostConfig object
        '''

        host_config_params = dict(
            port_bindings='published_ports',
            publish_all_ports='publish_all_ports',
            links='links',
            privileged='privileged',
            dns='dns_servers',
            dns_opt='dns_opts',
            dns_search='dns_search_domains',
            binds='volume_binds',
            volumes_from='volumes_from',
            network_mode='network_mode',
            userns_mode='userns_mode',
            cap_add='capabilities',
            cap_drop='cap_drop',
            extra_hosts='etc_hosts',
            read_only='read_only',
            ipc_mode='ipc_mode',
            security_opt='security_opts',
            ulimits='ulimits',
            sysctls='sysctls',
            log_config='log_config',
            mem_limit='memory',
            memswap_limit='memory_swap',
            mem_swappiness='memory_swappiness',
            oom_score_adj='oom_score_adj',
            oom_kill_disable='oom_killer',
            shm_size='shm_size',
            group_add='groups',
            devices='devices',
            pid_mode='pid_mode',
            tmpfs='tmpfs',
            init='init',
            uts_mode='uts',
            runtime='runtime',
            auto_remove='auto_remove',
            device_read_bps='device_read_bps',
            device_write_bps='device_write_bps',
            device_read_iops='device_read_iops',
            device_write_iops='device_write_iops',
            pids_limit='pids_limit',
            mounts='mounts',
            nano_cpus='cpus',
        )

        if self.client.docker_py_version >= LooseVersion('1.9') and self.client.docker_api_version >= LooseVersion('1.22'):
            # blkio_weight can always be updated, but can only be set on creation
            # when Docker SDK for Python and Docker API are new enough
            host_config_params['blkio_weight'] = 'blkio_weight'

        if self.client.docker_py_version >= LooseVersion('3.0'):
            # cpu_shares and volume_driver moved to create_host_config in > 3
            host_config_params['cpu_shares'] = 'cpu_shares'
            host_config_params['volume_driver'] = 'volume_driver'

        params = dict()
        for key, value in host_config_params.items():
            if getattr(self, value, None) is not None:
                if self.client.option_minimal_versions[value]['supported']:
                    params[key] = getattr(self, value)

        if self.restart_policy:
            params['restart_policy'] = dict(Name=self.restart_policy,
                                            MaximumRetryCount=self.restart_retries)

        if 'mounts' in params:
            params['mounts'] = self.mounts_opt

        return self.client.create_host_config(**params)

    @property
    def default_host_ip(self):
        ip = '0.0.0.0'
        if not self.networks:
            return ip
        for net in self.networks:
            if net.get('name'):
                try:
                    network = self.client.inspect_network(net['name'])
                    if network.get('Driver') == 'bridge' and \
                       network.get('Options', {}).get('com.docker.network.bridge.host_binding_ipv4'):
                        ip = network['Options']['com.docker.network.bridge.host_binding_ipv4']
                        break
                except NotFound as nfe:
                    self.client.fail(
                        "Cannot inspect the network '{0}' to determine the default IP: {1}".format(net['name'], nfe),
                        exception=traceback.format_exc()
                    )
        return ip

    def _parse_publish_ports(self):
        '''
        Parse ports from docker CLI syntax
        '''
        if self.published_ports is None:
            return None

        if 'all' in self.published_ports:
            return 'all'

        default_ip = self.default_host_ip

        binds = {}
        for port in self.published_ports:
            parts = split_colon_ipv6(str(port), self.client)
            container_port = parts[-1]
            protocol = ''
            if '/' in container_port:
                container_port, protocol = parts[-1].split('/')
            container_ports = parse_port_range(container_port, self.client)

            p_len = len(parts)
            if p_len == 1:
                port_binds = len(container_ports) * [(default_ip,)]
            elif p_len == 2:
                if len(container_ports) == 1:
                    port_binds = [(default_ip, parts[0])]
                else:
                    port_binds = [(default_ip, port) for port in parse_port_range(parts[0], self.client)]
            elif p_len == 3:
                # We only allow IPv4 and IPv6 addresses for the bind address
                ipaddr = parts[0]
                if not re.match(r'^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$', parts[0]) and not re.match(r'^\[[0-9a-fA-F:]+\]$', ipaddr):
                    self.fail(('Bind addresses for published ports must be IPv4 or IPv6 addresses, not hostnames. '
                               'Use the dig lookup to resolve hostnames. (Found hostname: {0})').format(ipaddr))
                if re.match(r'^\[[0-9a-fA-F:]+\]$', ipaddr):
                    ipaddr = ipaddr[1:-1]
                if parts[1]:
                    if len(container_ports) == 1:
                        port_binds = [(ipaddr, parts[1])]
                    else:
                        port_binds = [(ipaddr, port) for port in parse_port_range(parts[1], self.client)]
                else:
                    port_binds = len(container_ports) * [(ipaddr,)]

            for bind, container_port in zip(port_binds, container_ports):
                idx = '{0}/{1}'.format(container_port, protocol) if protocol else container_port
                if idx in binds:
                    old_bind = binds[idx]
                    if isinstance(old_bind, list):
                        old_bind.append(bind)
                    else:
                        binds[idx] = [old_bind, bind]
                else:
                    binds[idx] = bind
        return binds

    def _get_volume_binds(self, volumes):
        '''
        Extract host bindings, if any, from list of volume mapping strings.

        :return: dictionary of bind mappings
        '''
        result = dict()
        if volumes:
            for vol in volumes:
                host = None
                if ':' in vol:
                    parts = vol.split(':')
                    if len(parts) == 3:
                        host, container, mode = parts
                        if not is_volume_permissions(mode):
                            self.fail('Found invalid volumes mode: {0}'.format(mode))
                    elif len(parts) == 2:
                        if not is_volume_permissions(parts[1]):
                            host, container, mode = (parts + ['rw'])
                if host is not None:
                    result[host] = dict(
                        bind=container,
                        mode=mode
                    )
        return result

    def _parse_exposed_ports(self, published_ports):
        '''
        Parse exposed ports from docker CLI-style ports syntax.
        '''
        exposed = []
        if self.exposed_ports:
            for port in self.exposed_ports:
                port = str(port).strip()
                protocol = 'tcp'
                match = re.search(r'(/.+$)', port)
                if match:
                    protocol = match.group(1).replace('/', '')
                    port = re.sub(r'/.+$', '', port)
                exposed.append((port, protocol))
        if published_ports:
            # Any published port should also be exposed
            for publish_port in published_ports:
                match = False
                if isinstance(publish_port, string_types) and '/' in publish_port:
                    port, protocol = publish_port.split('/')
                    port = int(port)
                else:
                    protocol = 'tcp'
                    port = int(publish_port)
                for exposed_port in exposed:
                    if exposed_port[1] != protocol:
                        continue
                    if isinstance(exposed_port[0], string_types) and '-' in exposed_port[0]:
                        start_port, end_port = exposed_port[0].split('-')
                        if int(start_port) <= port <= int(end_port):
                            match = True
                    elif exposed_port[0] == port:
                        match = True
                if not match:
                    exposed.append((port, protocol))
        return exposed

    @staticmethod
    def _parse_links(links):
        '''
        Turn links into a dictionary
        '''
        if links is None:
            return None

        result = []
        for link in links:
            parsed_link = link.split(':', 1)
            if len(parsed_link) == 2:
                result.append((parsed_link[0], parsed_link[1]))
            else:
                result.append((parsed_link[0], parsed_link[0]))
        return result

    def _parse_ulimits(self):
        '''
        Turn ulimits into an array of Ulimit objects
        '''
        if self.ulimits is None:
            return None

        results = []
        for limit in self.ulimits:
            limits = dict()
            pieces = limit.split(':')
            if len(pieces) >= 2:
                limits['name'] = pieces[0]
                limits['soft'] = int(pieces[1])
                limits['hard'] = int(pieces[1])
            if len(pieces) == 3:
                limits['hard'] = int(pieces[2])
            try:
                results.append(Ulimit(**limits))
            except ValueError as exc:
                self.fail("Error parsing ulimits value %s - %s" % (limit, exc))
        return results

    def _parse_sysctls(self):
        '''
        Turn sysctls into an hash of Sysctl objects
        '''
        return self.sysctls

    def _parse_log_config(self):
        '''
        Create a LogConfig object
        '''
        if self.log_driver is None:
            return None

        options = dict(
            Type=self.log_driver,
            Config=dict()
        )

        if self.log_options is not None:
            options['Config'] = dict()
            for k, v in self.log_options.items():
                if not isinstance(v, string_types):
                    self.client.module.warn(
                        "Non-string value found for log_options option '%s'. The value is automatically converted to '%s'. "
                        "If this is not correct, or you want to avoid such warnings, please quote the value." % (k, str(v))
                    )
                v = str(v)
                self.log_options[k] = v
                options['Config'][k] = v

        try:
            return LogConfig(**options)
        except ValueError as exc:
            self.fail('Error parsing logging options - %s' % (exc))

    def _parse_tmpfs(self):
        '''
        Turn tmpfs into a hash of Tmpfs objects
        '''
        result = dict()
        if self.tmpfs is None:
            return result

        for tmpfs_spec in self.tmpfs:
            split_spec = tmpfs_spec.split(":", 1)
            if len(split_spec) > 1:
                result[split_spec[0]] = split_spec[1]
            else:
                result[split_spec[0]] = ""
        return result

    def _get_environment(self):
        """
        If environment file is combined with explicit environment variables, the explicit environment variables
        take precedence.
        """
        final_env = {}
        if self.env_file:
            parsed_env_file = utils.parse_env_file(self.env_file)
            for name, value in parsed_env_file.items():
                final_env[name] = str(value)
        if self.env:
            for name, value in self.env.items():
                if not isinstance(value, string_types):
                    self.fail("Non-string value found for env option. Ambiguous env options must be "
                              "wrapped in quotes to avoid them being interpreted. Key: %s" % (name, ))
                final_env[name] = str(value)
        return final_env

    def _get_network_id(self, network_name):
        network_id = None
        try:
            for network in self.client.networks(names=[network_name]):
                if network['Name'] == network_name:
                    network_id = network['Id']
                    break
        except Exception as exc:
            self.fail("Error getting network id for %s - %s" % (network_name, str(exc)))
        return network_id

    def _process_mounts(self):
        if self.mounts is None:
            return None, None
        mounts_list = []
        mounts_expected = []
        for mount in self.mounts:
            target = mount['target']
            datatype = mount['type']
            mount_dict = dict(mount)
            # Sanity checks (so we don't wait for docker-py to barf on input)
            if mount_dict.get('source') is None and datatype != 'tmpfs':
                self.client.fail('source must be specified for mount "{0}" of type "{1}"'.format(target, datatype))
            mount_option_types = dict(
                volume_driver='volume',
                volume_options='volume',
                propagation='bind',
                no_copy='volume',
                labels='volume',
                tmpfs_size='tmpfs',
                tmpfs_mode='tmpfs',
            )
            for option, req_datatype in mount_option_types.items():
                if mount_dict.get(option) is not None and datatype != req_datatype:
                    self.client.fail('{0} cannot be specified for mount "{1}" of type "{2}" (needs type "{3}")'.format(option, target, datatype, req_datatype))
            # Handle volume_driver and volume_options
            volume_driver = mount_dict.pop('volume_driver')
            volume_options = mount_dict.pop('volume_options')
            if volume_driver:
                if volume_options:
                    volume_options = clean_dict_booleans_for_docker_api(volume_options)
                mount_dict['driver_config'] = docker_types.DriverConfig(name=volume_driver, options=volume_options)
            if mount_dict['labels']:
                mount_dict['labels'] = clean_dict_booleans_for_docker_api(mount_dict['labels'])
            if mount_dict.get('tmpfs_size') is not None:
                try:
                    mount_dict['tmpfs_size'] = human_to_bytes(mount_dict['tmpfs_size'])
                except ValueError as exc:
                    self.fail('Failed to convert tmpfs_size of mount "{0}" to bytes: {1}'.format(target, exc))
            if mount_dict.get('tmpfs_mode') is not None:
                try:
                    mount_dict['tmpfs_mode'] = int(mount_dict['tmpfs_mode'], 8)
                except Exception as dummy:
                    self.client.fail('tmp_fs mode of mount "{0}" is not an octal string!'.format(target))
            # Fill expected mount dict
            mount_expected = dict(mount)
            mount_expected['tmpfs_size'] = mount_dict['tmpfs_size']
            mount_expected['tmpfs_mode'] = mount_dict['tmpfs_mode']
            # Add result to lists
            mounts_list.append(docker_types.Mount(**mount_dict))
            mounts_expected.append(omit_none_from_dict(mount_expected))
        return mounts_list, mounts_expected

    def _process_rate_bps(self, option):
        """
        Format device_read_bps and device_write_bps option
        """
        devices_list = []
        for v in getattr(self, option):
            device_dict = dict((x.title(), y) for x, y in v.items())
            device_dict['Rate'] = human_to_bytes(device_dict['Rate'])
            devices_list.append(device_dict)

        setattr(self, option, devices_list)

    def _process_rate_iops(self, option):
        """
        Format device_read_iops and device_write_iops option
        """
        devices_list = []
        for v in getattr(self, option):
            device_dict = dict((x.title(), y) for x, y in v.items())
            devices_list.append(device_dict)

        setattr(self, option, devices_list)

    def _replace_container_names(self, mode):
        """
        Parse IPC and PID modes. If they contain a container name, replace
        with the container's ID.
        """
        if mode is None or not mode.startswith('container:'):
            return mode
        container_name = mode[len('container:'):]
        # Try to inspect container to see whether this is an ID or a
        # name (and in the latter case, retrieve it's ID)
        container = self.client.get_container(container_name)
        if container is None:
            # If we can't find the container, issue a warning and continue with
            # what the user specified.
            self.client.module.warn('Cannot find a container with name or ID "{0}"'.format(container_name))
            return mode
        return 'container:{0}'.format(container['Id'])

    def _check_mount_target_collisions(self):
        last = dict()

        def f(t, name):
            if t in last:
                if name == last[t]:
                    self.client.fail('The mount point "{0}" appears twice in the {1} option'.format(t, name))
                else:
                    self.client.fail('The mount point "{0}" appears both in the {1} and {2} option'.format(t, name, last[t]))
            last[t] = name

        if self.expected_mounts:
            for t in [m['target'] for m in self.expected_mounts]:
                f(t, 'mounts')
        if self.volumes:
            for v in self.volumes:
                vs = v.split(':')
                f(vs[0 if len(vs) == 1 else 1], 'volumes')


class Container(DockerBaseClass):

    def __init__(self, container, parameters):
        super(Container, self).__init__()
        self.raw = container
        self.Id = None
        self.container = container
        if container:
            self.Id = container['Id']
            self.Image = container['Image']
        self.log(self.container, pretty_print=True)
        self.parameters = parameters
        self.parameters.expected_links = None
        self.parameters.expected_ports = None
        self.parameters.expected_exposed = None
        self.parameters.expected_volumes = None
        self.parameters.expected_ulimits = None
        self.parameters.expected_sysctls = None
        self.parameters.expected_etc_hosts = None
        self.parameters.expected_env = None
        self.parameters_map = dict()
        self.parameters_map['expected_links'] = 'links'
        self.parameters_map['expected_ports'] = 'expected_ports'
        self.parameters_map['expected_exposed'] = 'exposed_ports'
        self.parameters_map['expected_volumes'] = 'volumes'
        self.parameters_map['expected_ulimits'] = 'ulimits'
        self.parameters_map['expected_sysctls'] = 'sysctls'
        self.parameters_map['expected_etc_hosts'] = 'etc_hosts'
        self.parameters_map['expected_env'] = 'env'
        self.parameters_map['expected_entrypoint'] = 'entrypoint'
        self.parameters_map['expected_binds'] = 'volumes'
        self.parameters_map['expected_cmd'] = 'command'
        self.parameters_map['expected_devices'] = 'devices'
        self.parameters_map['expected_healthcheck'] = 'healthcheck'
        self.parameters_map['expected_mounts'] = 'mounts'

    def fail(self, msg):
        self.parameters.client.fail(msg)

    @property
    def exists(self):
        return True if self.container else False

    @property
    def removing(self):
        if self.container and self.container.get('State'):
            return self.container['State'].get('Status') == 'removing'
        return False

    @property
    def running(self):
        if self.container and self.container.get('State'):
            if self.container['State'].get('Running') and not self.container['State'].get('Ghost', False):
                return True
        return False

    @property
    def paused(self):
        if self.container and self.container.get('State'):
            return self.container['State'].get('Paused', False)
        return False

    def _compare(self, a, b, compare):
        '''
        Compare values a and b as described in compare.
        '''
        return compare_generic(a, b, compare['comparison'], compare['type'])

    def _decode_mounts(self, mounts):
        if not mounts:
            return mounts
        result = []
        empty_dict = dict()
        for mount in mounts:
            res = dict()
            res['type'] = mount.get('Type')
            res['source'] = mount.get('Source')
            res['target'] = mount.get('Target')
            res['read_only'] = mount.get('ReadOnly', False)  # golang's omitempty for bool returns None for False
            res['consistency'] = mount.get('Consistency')
            res['propagation'] = mount.get('BindOptions', empty_dict).get('Propagation')
            res['no_copy'] = mount.get('VolumeOptions', empty_dict).get('NoCopy', False)
            res['labels'] = mount.get('VolumeOptions', empty_dict).get('Labels', empty_dict)
            res['volume_driver'] = mount.get('VolumeOptions', empty_dict).get('DriverConfig', empty_dict).get('Name')
            res['volume_options'] = mount.get('VolumeOptions', empty_dict).get('DriverConfig', empty_dict).get('Options', empty_dict)
            res['tmpfs_size'] = mount.get('TmpfsOptions', empty_dict).get('SizeBytes')
            res['tmpfs_mode'] = mount.get('TmpfsOptions', empty_dict).get('Mode')
            result.append(res)
        return result

    def has_different_configuration(self, image):
        '''
        Diff parameters vs existing container config. Returns tuple: (True | False, List of differences)
        '''
        self.log('Starting has_different_configuration')
        self.parameters.expected_entrypoint = self._get_expected_entrypoint()
        self.parameters.expected_links = self._get_expected_links()
        self.parameters.expected_ports = self._get_expected_ports()
        self.parameters.expected_exposed = self._get_expected_exposed(image)
        self.parameters.expected_volumes = self._get_expected_volumes(image)
        self.parameters.expected_binds = self._get_expected_binds(image)
        self.parameters.expected_ulimits = self._get_expected_ulimits(self.parameters.ulimits)
        self.parameters.expected_sysctls = self._get_expected_sysctls(self.parameters.sysctls)
        self.parameters.expected_etc_hosts = self._convert_simple_dict_to_list('etc_hosts')
        self.parameters.expected_env = self._get_expected_env(image)
        self.parameters.expected_cmd = self._get_expected_cmd()
        self.parameters.expected_devices = self._get_expected_devices()
        self.parameters.expected_healthcheck = self._get_expected_healthcheck()

        if not self.container.get('HostConfig'):
            self.fail("has_config_diff: Error parsing container properties. HostConfig missing.")
        if not self.container.get('Config'):
            self.fail("has_config_diff: Error parsing container properties. Config missing.")
        if not self.container.get('NetworkSettings'):
            self.fail("has_config_diff: Error parsing container properties. NetworkSettings missing.")

        host_config = self.container['HostConfig']
        log_config = host_config.get('LogConfig', dict())
        config = self.container['Config']
        network = self.container['NetworkSettings']

        # The previous version of the docker module ignored the detach state by
        # assuming if the container was running, it must have been detached.
        detach = not (config.get('AttachStderr') and config.get('AttachStdout'))

        # "ExposedPorts": null returns None type & causes AttributeError - PR #5517
        if config.get('ExposedPorts') is not None:
            expected_exposed = [self._normalize_port(p) for p in config.get('ExposedPorts', dict()).keys()]
        else:
            expected_exposed = []

        # Map parameters to container inspect results
        config_mapping = dict(
            expected_cmd=config.get('Cmd'),
            domainname=config.get('Domainname'),
            hostname=config.get('Hostname'),
            user=config.get('User'),
            detach=detach,
            init=host_config.get('Init'),
            interactive=config.get('OpenStdin'),
            capabilities=host_config.get('CapAdd'),
            cap_drop=host_config.get('CapDrop'),
            expected_devices=host_config.get('Devices'),
            dns_servers=host_config.get('Dns'),
            dns_opts=host_config.get('DnsOptions'),
            dns_search_domains=host_config.get('DnsSearch'),
            expected_env=(config.get('Env') or []),
            expected_entrypoint=config.get('Entrypoint'),
            expected_etc_hosts=host_config['ExtraHosts'],
            expected_exposed=expected_exposed,
            groups=host_config.get('GroupAdd'),
            ipc_mode=host_config.get("IpcMode"),
            labels=config.get('Labels'),
            expected_links=host_config.get('Links'),
            mac_address=network.get('MacAddress'),
            memory_swappiness=host_config.get('MemorySwappiness'),
            network_mode=host_config.get('NetworkMode'),
            userns_mode=host_config.get('UsernsMode'),
            oom_killer=host_config.get('OomKillDisable'),
            oom_score_adj=host_config.get('OomScoreAdj'),
            pid_mode=host_config.get('PidMode'),
            privileged=host_config.get('Privileged'),
            expected_ports=host_config.get('PortBindings'),
            read_only=host_config.get('ReadonlyRootfs'),
            runtime=host_config.get('Runtime'),
            shm_size=host_config.get('ShmSize'),
            security_opts=host_config.get("SecurityOpt"),
            stop_signal=config.get("StopSignal"),
            tmpfs=host_config.get('Tmpfs'),
            tty=config.get('Tty'),
            expected_ulimits=host_config.get('Ulimits'),
            expected_sysctls=host_config.get('Sysctls'),
            uts=host_config.get('UTSMode'),
            expected_volumes=config.get('Volumes'),
            expected_binds=host_config.get('Binds'),
            volume_driver=host_config.get('VolumeDriver'),
            volumes_from=host_config.get('VolumesFrom'),
            working_dir=config.get('WorkingDir'),
            publish_all_ports=host_config.get('PublishAllPorts'),
            expected_healthcheck=config.get('Healthcheck'),
            disable_healthcheck=(not config.get('Healthcheck') or config.get('Healthcheck').get('Test') == ['NONE']),
            device_read_bps=host_config.get('BlkioDeviceReadBps'),
            device_write_bps=host_config.get('BlkioDeviceWriteBps'),
            device_read_iops=host_config.get('BlkioDeviceReadIOps'),
            device_write_iops=host_config.get('BlkioDeviceWriteIOps'),
            pids_limit=host_config.get('PidsLimit'),
            # According to https://github.com/moby/moby/, support for HostConfig.Mounts
            # has been included at least since v17.03.0-ce, which has API version 1.26.
            # The previous tag, v1.9.1, has API version 1.21 and does not have
            # HostConfig.Mounts. I have no idea what about API 1.25...
            expected_mounts=self._decode_mounts(host_config.get('Mounts')),
            cpus=host_config.get('NanoCpus'),
        )
        # Options which don't make sense without their accompanying option
        if self.parameters.log_driver:
            config_mapping['log_driver'] = log_config.get('Type')
            config_mapping['log_options'] = log_config.get('Config')

        if self.parameters.client.option_minimal_versions['auto_remove']['supported']:
            # auto_remove is only supported in Docker SDK for Python >= 2.0.0; unfortunately
            # it has a default value, that's why we have to jump through the hoops here
            config_mapping['auto_remove'] = host_config.get('AutoRemove')

        if self.parameters.client.option_minimal_versions['stop_timeout']['supported']:
            # stop_timeout is only supported in Docker SDK for Python >= 2.1. Note that
            # stop_timeout has a hybrid role, in that it used to be something only used
            # for stopping containers, and is now also used as a container property.
            # That's why it needs special handling here.
            config_mapping['stop_timeout'] = config.get('StopTimeout')

        if self.parameters.client.docker_api_version < LooseVersion('1.22'):
            # For docker API < 1.22, update_container() is not supported. Thus
            # we need to handle all limits which are usually handled by
            # update_container() as configuration changes which require a container
            # restart.
            restart_policy = host_config.get('RestartPolicy', dict())

            # Options which don't make sense without their accompanying option
            if self.parameters.restart_policy:
                config_mapping['restart_retries'] = restart_policy.get('MaximumRetryCount')

            config_mapping.update(dict(
                blkio_weight=host_config.get('BlkioWeight'),
                cpu_period=host_config.get('CpuPeriod'),
                cpu_quota=host_config.get('CpuQuota'),
                cpu_shares=host_config.get('CpuShares'),
                cpuset_cpus=host_config.get('CpusetCpus'),
                cpuset_mems=host_config.get('CpusetMems'),
                kernel_memory=host_config.get("KernelMemory"),
                memory=host_config.get('Memory'),
                memory_reservation=host_config.get('MemoryReservation'),
                memory_swap=host_config.get('MemorySwap'),
                restart_policy=restart_policy.get('Name')
            ))

        differences = DifferenceTracker()
        for key, value in config_mapping.items():
            minimal_version = self.parameters.client.option_minimal_versions.get(key, {})
            if not minimal_version.get('supported', True):
                continue
            compare = self.parameters.client.comparisons[self.parameters_map.get(key, key)]
            self.log('check differences %s %s vs %s (%s)' % (key, getattr(self.parameters, key), str(value), compare))
            if getattr(self.parameters, key, None) is not None:
                match = self._compare(getattr(self.parameters, key), value, compare)

                if not match:
                    # no match. record the differences
                    p = getattr(self.parameters, key)
                    c = value
                    if compare['type'] == 'set':
                        # Since the order does not matter, sort so that the diff output is better.
                        if p is not None:
                            p = sorted(p)
                        if c is not None:
                            c = sorted(c)
                    elif compare['type'] == 'set(dict)':
                        # Since the order does not matter, sort so that the diff output is better.
                        if key == 'expected_mounts':
                            # For selected values, use one entry as key
                            def sort_key_fn(x):
                                return x['target']
                        else:
                            # We sort the list of dictionaries by using the sorted items of a dict as its key.
                            def sort_key_fn(x):
                                return sorted((a, str(b)) for a, b in x.items())
                        if p is not None:
                            p = sorted(p, key=sort_key_fn)
                        if c is not None:
                            c = sorted(c, key=sort_key_fn)
                    differences.add(key, parameter=p, active=c)

        has_differences = not differences.empty
        return has_differences, differences

    def has_different_resource_limits(self):
        '''
        Diff parameters and container resource limits
        '''
        if not self.container.get('HostConfig'):
            self.fail("limits_differ_from_container: Error parsing container properties. HostConfig missing.")
        if self.parameters.client.docker_api_version < LooseVersion('1.22'):
            # update_container() call not supported
            return False, []

        host_config = self.container['HostConfig']

        restart_policy = host_config.get('RestartPolicy') or dict()

        config_mapping = dict(
            blkio_weight=host_config.get('BlkioWeight'),
            cpu_period=host_config.get('CpuPeriod'),
            cpu_quota=host_config.get('CpuQuota'),
            cpu_shares=host_config.get('CpuShares'),
            cpuset_cpus=host_config.get('CpusetCpus'),
            cpuset_mems=host_config.get('CpusetMems'),
            kernel_memory=host_config.get("KernelMemory"),
            memory=host_config.get('Memory'),
            memory_reservation=host_config.get('MemoryReservation'),
            memory_swap=host_config.get('MemorySwap'),
            restart_policy=restart_policy.get('Name')
        )

        # Options which don't make sense without their accompanying option
        if self.parameters.restart_policy:
            config_mapping['restart_retries'] = restart_policy.get('MaximumRetryCount')

        differences = DifferenceTracker()
        for key, value in config_mapping.items():
            if getattr(self.parameters, key, None):
                compare = self.parameters.client.comparisons[self.parameters_map.get(key, key)]
                match = self._compare(getattr(self.parameters, key), value, compare)

                if not match:
                    # no match. record the differences
                    differences.add(key, parameter=getattr(self.parameters, key), active=value)
        different = not differences.empty
        return different, differences

    def has_network_differences(self):
        '''
        Check if the container is connected to requested networks with expected options: links, aliases, ipv4, ipv6
        '''
        different = False
        differences = []

        if not self.parameters.networks:
            return different, differences

        if not self.container.get('NetworkSettings'):
            self.fail("has_missing_networks: Error parsing container properties. NetworkSettings missing.")

        connected_networks = self.container['NetworkSettings']['Networks']
        for network in self.parameters.networks:
            network_info = connected_networks.get(network['name'])
            if network_info is None:
                different = True
                differences.append(dict(
                    parameter=network,
                    container=None
                ))
            else:
                diff = False
                network_info_ipam = network_info.get('IPAMConfig') or {}
                if network.get('ipv4_address') and network['ipv4_address'] != network_info_ipam.get('IPv4Address'):
                    diff = True
                if network.get('ipv6_address') and network['ipv6_address'] != network_info_ipam.get('IPv6Address'):
                    diff = True
                if network.get('aliases'):
                    if not compare_generic(network['aliases'], network_info.get('Aliases'), 'allow_more_present', 'set'):
                        diff = True
                if network.get('links'):
                    expected_links = []
                    for link, alias in network['links']:
                        expected_links.append("%s:%s" % (link, alias))
                    if not compare_generic(expected_links, network_info.get('Links'), 'allow_more_present', 'set'):
                        diff = True
                if diff:
                    different = True
                    differences.append(dict(
                        parameter=network,
                        container=dict(
                            name=network['name'],
                            ipv4_address=network_info_ipam.get('IPv4Address'),
                            ipv6_address=network_info_ipam.get('IPv6Address'),
                            aliases=network_info.get('Aliases'),
                            links=network_info.get('Links')
                        )
                    ))
        return different, differences

    def has_extra_networks(self):
        '''
        Check if the container is connected to non-requested networks
        '''
        extra_networks = []
        extra = False

        if not self.container.get('NetworkSettings'):
            self.fail("has_extra_networks: Error parsing container properties. NetworkSettings missing.")

        connected_networks = self.container['NetworkSettings'].get('Networks')
        if connected_networks:
            for network, network_config in connected_networks.items():
                keep = False
                if self.parameters.networks:
                    for expected_network in self.parameters.networks:
                        if expected_network['name'] == network:
                            keep = True
                if not keep:
                    extra = True
                    extra_networks.append(dict(name=network, id=network_config['NetworkID']))
        return extra, extra_networks

    def _get_expected_devices(self):
        if not self.parameters.devices:
            return None
        expected_devices = []
        for device in self.parameters.devices:
            parts = device.split(':')
            if len(parts) == 1:
                expected_devices.append(
                    dict(
                        CgroupPermissions='rwm',
                        PathInContainer=parts[0],
                        PathOnHost=parts[0]
                    ))
            elif len(parts) == 2:
                parts = device.split(':')
                expected_devices.append(
                    dict(
                        CgroupPermissions='rwm',
                        PathInContainer=parts[1],
                        PathOnHost=parts[0]
                    )
                )
            else:
                expected_devices.append(
                    dict(
                        CgroupPermissions=parts[2],
                        PathInContainer=parts[1],
                        PathOnHost=parts[0]
                    ))
        return expected_devices

    def _get_expected_entrypoint(self):
        if not self.parameters.entrypoint:
            return None
        return shlex.split(self.parameters.entrypoint)

    def _get_expected_ports(self):
        if not self.parameters.published_ports:
            return None
        expected_bound_ports = {}
        for container_port, config in self.parameters.published_ports.items():
            if isinstance(container_port, int):
                container_port = "%s/tcp" % container_port
            if len(config) == 1:
                if isinstance(config[0], int):
                    expected_bound_ports[container_port] = [{'HostIp': "0.0.0.0", 'HostPort': config[0]}]
                else:
                    expected_bound_ports[container_port] = [{'HostIp': config[0], 'HostPort': ""}]
            elif isinstance(config[0], tuple):
                expected_bound_ports[container_port] = []
                for host_ip, host_port in config:
                    expected_bound_ports[container_port].append({'HostIp': host_ip, 'HostPort': str(host_port)})
            else:
                expected_bound_ports[container_port] = [{'HostIp': config[0], 'HostPort': str(config[1])}]
        return expected_bound_ports

    def _get_expected_links(self):
        if self.parameters.links is None:
            return None
        self.log('parameter links:')
        self.log(self.parameters.links, pretty_print=True)
        exp_links = []
        for link, alias in self.parameters.links:
            exp_links.append("/%s:%s/%s" % (link, ('/' + self.parameters.name), alias))
        return exp_links

    def _get_expected_binds(self, image):
        self.log('_get_expected_binds')
        image_vols = []
        if image:
            image_vols = self._get_image_binds(image[self.parameters.client.image_inspect_source].get('Volumes'))
        param_vols = []
        if self.parameters.volumes:
            for vol in self.parameters.volumes:
                host = None
                if ':' in vol:
                    parts = vol.split(':')
                    if len(parts) == 3:
                        host, container, mode = parts
                        if not is_volume_permissions(mode):
                            self.fail('Found invalid volumes mode: {0}'.format(mode))
                    if len(parts) == 2:
                        if not is_volume_permissions(parts[1]):
                            host, container, mode = parts + ['rw']
                if host:
                    param_vols.append("%s:%s:%s" % (host, container, mode))
        result = list(set(image_vols + param_vols))
        self.log("expected_binds:")
        self.log(result, pretty_print=True)
        return result

    def _get_image_binds(self, volumes):
        '''
        Convert array of binds to array of strings with format host_path:container_path:mode

        :param volumes: array of bind dicts
        :return: array of strings
        '''
        results = []
        if isinstance(volumes, dict):
            results += self._get_bind_from_dict(volumes)
        elif isinstance(volumes, list):
            for vol in volumes:
                results += self._get_bind_from_dict(vol)
        return results

    @staticmethod
    def _get_bind_from_dict(volume_dict):
        results = []
        if volume_dict:
            for host_path, config in volume_dict.items():
                if isinstance(config, dict) and config.get('bind'):
                    container_path = config.get('bind')
                    mode = config.get('mode', 'rw')
                    results.append("%s:%s:%s" % (host_path, container_path, mode))
        return results

    def _get_expected_volumes(self, image):
        self.log('_get_expected_volumes')
        expected_vols = dict()
        if image and image[self.parameters.client.image_inspect_source].get('Volumes'):
            expected_vols.update(image[self.parameters.client.image_inspect_source].get('Volumes'))

        if self.parameters.volumes:
            for vol in self.parameters.volumes:
                # We only expect anonymous volumes to show up in the list
                if ':' in vol:
                    parts = vol.split(':')
                    if len(parts) == 3:
                        continue
                    if len(parts) == 2:
                        if not is_volume_permissions(parts[1]):
                            continue
                expected_vols[vol] = dict()

        if not expected_vols:
            expected_vols = None
        self.log("expected_volumes:")
        self.log(expected_vols, pretty_print=True)
        return expected_vols

    def _get_expected_env(self, image):
        self.log('_get_expected_env')
        expected_env = dict()
        if image and image[self.parameters.client.image_inspect_source].get('Env'):
            for env_var in image[self.parameters.client.image_inspect_source]['Env']:
                parts = env_var.split('=', 1)
                expected_env[parts[0]] = parts[1]
        if self.parameters.env:
            expected_env.update(self.parameters.env)
        param_env = []
        for key, value in expected_env.items():
            param_env.append("%s=%s" % (key, value))
        return param_env

    def _get_expected_exposed(self, image):
        self.log('_get_expected_exposed')
        image_ports = []
        if image:
            image_exposed_ports = image[self.parameters.client.image_inspect_source].get('ExposedPorts') or {}
            image_ports = [self._normalize_port(p) for p in image_exposed_ports.keys()]
        param_ports = []
        if self.parameters.ports:
            param_ports = [str(p[0]) + '/' + p[1] for p in self.parameters.ports]
        result = list(set(image_ports + param_ports))
        self.log(result, pretty_print=True)
        return result

    def _get_expected_ulimits(self, config_ulimits):
        self.log('_get_expected_ulimits')
        if config_ulimits is None:
            return None
        results = []
        for limit in config_ulimits:
            results.append(dict(
                Name=limit.name,
                Soft=limit.soft,
                Hard=limit.hard
            ))
        return results

    def _get_expected_sysctls(self, config_sysctls):
        self.log('_get_expected_sysctls')
        if config_sysctls is None:
            return None
        result = dict()
        for key, value in config_sysctls.items():
            result[key] = str(value)
        return result

    def _get_expected_cmd(self):
        self.log('_get_expected_cmd')
        if not self.parameters.command:
            return None
        return shlex.split(self.parameters.command)

    def _convert_simple_dict_to_list(self, param_name, join_with=':'):
        if getattr(self.parameters, param_name, None) is None:
            return None
        results = []
        for key, value in getattr(self.parameters, param_name).items():
            results.append("%s%s%s" % (key, join_with, value))
        return results

    def _normalize_port(self, port):
        if '/' not in port:
            return port + '/tcp'
        return port

    def _get_expected_healthcheck(self):
        self.log('_get_expected_healthcheck')
        expected_healthcheck = dict()

        if self.parameters.healthcheck:
            expected_healthcheck.update([(k.title().replace("_", ""), v)
                                         for k, v in self.parameters.healthcheck.items()])

        return expected_healthcheck


class ContainerManager(DockerBaseClass):
    '''
    Perform container management tasks
    '''

    def __init__(self, client):

        super(ContainerManager, self).__init__()

        if client.module.params.get('log_options') and not client.module.params.get('log_driver'):
            client.module.warn('log_options is ignored when log_driver is not specified')
        if client.module.params.get('healthcheck') and not client.module.params.get('healthcheck').get('test'):
            client.module.warn('healthcheck is ignored when test is not specified')
        if client.module.params.get('restart_retries') is not None and not client.module.params.get('restart_policy'):
            client.module.warn('restart_retries is ignored when restart_policy is not specified')

        self.client = client
        self.parameters = TaskParameters(client)
        self.check_mode = self.client.check_mode
        self.results = {'changed': False, 'actions': []}
        self.diff = {}
        self.diff_tracker = DifferenceTracker()
        self.facts = {}

        state = self.parameters.state
        if state in ('stopped', 'started', 'present'):
            self.present(state)
        elif state == 'absent':
            self.absent()

        if not self.check_mode and not self.parameters.debug:
            self.results.pop('actions')

        if self.client.module._diff or self.parameters.debug:
            self.diff['before'], self.diff['after'] = self.diff_tracker.get_before_after()
            self.results['diff'] = self.diff

        if self.facts:
            self.results['ansible_facts'] = {'docker_container': self.facts}
            self.results['container'] = self.facts

    def wait_for_state(self, container_id, complete_states=None, wait_states=None, accept_removal=False, max_wait=None):
        delay = 1.0
        total_wait = 0
        while True:
            # Inspect container
            result = self.client.get_container_by_id(container_id)
            if result is None:
                if accept_removal:
                    return
                msg = 'Encontered vanished container while waiting for container "{0}"'
                self.fail(msg.format(container_id))
            # Check container state
            state = result.get('State', {}).get('Status')
            if complete_states is not None and state in complete_states:
                return
            if wait_states is not None and state not in wait_states:
                msg = 'Encontered unexpected state "{1}" while waiting for container "{0}"'
                self.fail(msg.format(container_id, state))
            # Wait
            if max_wait is not None:
                if total_wait > max_wait:
                    msg = 'Timeout of {1} seconds exceeded while waiting for container "{0}"'
                    self.fail(msg.format(container_id, max_wait))
                if total_wait + delay > max_wait:
                    delay = max_wait - total_wait
            sleep(delay)
            total_wait += delay
            # Exponential backoff, but never wait longer than 10 seconds
            # (1.1**24 < 10, 1.1**25 > 10, so it will take 25 iterations
            #  until the maximal 10 seconds delay is reached. By then, the
            #  code will have slept for ~1.5 minutes.)
            delay = min(delay * 1.1, 10)

    def present(self, state):
        container = self._get_container(self.parameters.name)
        was_running = container.running
        was_paused = container.paused
        container_created = False

        # If the image parameter was passed then we need to deal with the image
        # version comparison. Otherwise we handle this depending on whether
        # the container already runs or not; in the former case, in case the
        # container needs to be restarted, we use the existing container's
        # image ID.
        image = self._get_image()
        self.log(image, pretty_print=True)
        if not container.exists or container.removing:
            # New container
            if container.removing:
                self.log('Found container in removal phase')
            else:
                self.log('No container found')
            if not self.parameters.image:
                self.fail('Cannot create container when image is not specified!')
            self.diff_tracker.add('exists', parameter=True, active=False)
            if container.removing and not self.check_mode:
                # Wait for container to be removed before trying to create it
                self.wait_for_state(
                    container.Id, wait_states=['removing'], accept_removal=True, max_wait=self.parameters.removal_wait_timeout)
            new_container = self.container_create(self.parameters.image, self.parameters.create_parameters)
            if new_container:
                container = new_container
            container_created = True
        else:
            # Existing container
            different, differences = container.has_different_configuration(image)
            image_different = False
            if self.parameters.comparisons['image']['comparison'] == 'strict':
                image_different = self._image_is_different(image, container)
            if image_different or different or self.parameters.recreate:
                self.diff_tracker.merge(differences)
                self.diff['differences'] = differences.get_legacy_docker_container_diffs()
                if image_different:
                    self.diff['image_different'] = True
                self.log("differences")
                self.log(differences.get_legacy_docker_container_diffs(), pretty_print=True)
                image_to_use = self.parameters.image
                if not image_to_use and container and container.Image:
                    image_to_use = container.Image
                if not image_to_use:
                    self.fail('Cannot recreate container when image is not specified or cannot be extracted from current container!')
                if container.running:
                    self.container_stop(container.Id)
                self.container_remove(container.Id)
                if not self.check_mode:
                    self.wait_for_state(
                        container.Id, wait_states=['removing'], accept_removal=True, max_wait=self.parameters.removal_wait_timeout)
                new_container = self.container_create(image_to_use, self.parameters.create_parameters)
                if new_container:
                    container = new_container
                container_created = True

        if container and container.exists:
            container = self.update_limits(container)
            container = self.update_networks(container, container_created)

            if state == 'started' and not container.running:
                self.diff_tracker.add('running', parameter=True, active=was_running)
                container = self.container_start(container.Id)
            elif state == 'started' and self.parameters.restart:
                self.diff_tracker.add('running', parameter=True, active=was_running)
                self.diff_tracker.add('restarted', parameter=True, active=False)
                container = self.container_restart(container.Id)
            elif state == 'stopped' and container.running:
                self.diff_tracker.add('running', parameter=False, active=was_running)
                self.container_stop(container.Id)
                container = self._get_container(container.Id)

            if state == 'started' and self.parameters.paused is not None and container.paused != self.parameters.paused:
                self.diff_tracker.add('paused', parameter=self.parameters.paused, active=was_paused)
                if not self.check_mode:
                    try:
                        if self.parameters.paused:
                            self.client.pause(container=container.Id)
                        else:
                            self.client.unpause(container=container.Id)
                    except Exception as exc:
                        self.fail("Error %s container %s: %s" % (
                            "pausing" if self.parameters.paused else "unpausing", container.Id, str(exc)
                        ))
                    container = self._get_container(container.Id)
                self.results['changed'] = True
                self.results['actions'].append(dict(set_paused=self.parameters.paused))

        self.facts = container.raw

    def absent(self):
        container = self._get_container(self.parameters.name)
        if container.exists:
            if container.running:
                self.diff_tracker.add('running', parameter=False, active=True)
                self.container_stop(container.Id)
            self.diff_tracker.add('exists', parameter=False, active=True)
            self.container_remove(container.Id)

    def fail(self, msg, **kwargs):
        self.client.fail(msg, **kwargs)

    def _output_logs(self, msg):
        self.client.module.log(msg=msg)

    def _get_container(self, container):
        '''
        Expects container ID or Name. Returns a container object
        '''
        return Container(self.client.get_container(container), self.parameters)

    def _get_image(self):
        if not self.parameters.image:
            self.log('No image specified')
            return None
        if is_image_name_id(self.parameters.image):
            image = self.client.find_image_by_id(self.parameters.image)
        else:
            repository, tag = utils.parse_repository_tag(self.parameters.image)
            if not tag:
                tag = "latest"
            image = self.client.find_image(repository, tag)
            if not image or self.parameters.pull:
                if not self.check_mode:
                    self.log("Pull the image.")
                    image, alreadyToLatest = self.client.pull_image(repository, tag)
                    if alreadyToLatest:
                        self.results['changed'] = False
                    else:
                        self.results['changed'] = True
                        self.results['actions'].append(dict(pulled_image="%s:%s" % (repository, tag)))
                elif not image:
                    # If the image isn't there, claim we'll pull.
                    # (Implicitly: if the image is there, claim it already was latest.)
                    self.results['changed'] = True
                    self.results['actions'].append(dict(pulled_image="%s:%s" % (repository, tag)))

        self.log("image")
        self.log(image, pretty_print=True)
        return image

    def _image_is_different(self, image, container):
        if image and image.get('Id'):
            if container and container.Image:
                if image.get('Id') != container.Image:
                    self.diff_tracker.add('image', parameter=image.get('Id'), active=container.Image)
                    return True
        return False

    def update_limits(self, container):
        limits_differ, different_limits = container.has_different_resource_limits()
        if limits_differ:
            self.log("limit differences:")
            self.log(different_limits.get_legacy_docker_container_diffs(), pretty_print=True)
            self.diff_tracker.merge(different_limits)
        if limits_differ and not self.check_mode:
            self.container_update(container.Id, self.parameters.update_parameters)
            return self._get_container(container.Id)
        return container

    def update_networks(self, container, container_created):
        updated_container = container
        if self.parameters.comparisons['networks']['comparison'] != 'ignore' or container_created:
            has_network_differences, network_differences = container.has_network_differences()
            if has_network_differences:
                if self.diff.get('differences'):
                    self.diff['differences'].append(dict(network_differences=network_differences))
                else:
                    self.diff['differences'] = [dict(network_differences=network_differences)]
                for netdiff in network_differences:
                    self.diff_tracker.add(
                        'network.{0}'.format(netdiff['parameter']['name']),
                        parameter=netdiff['parameter'],
                        active=netdiff['container']
                    )
                self.results['changed'] = True
                updated_container = self._add_networks(container, network_differences)

        if (self.parameters.comparisons['networks']['comparison'] == 'strict' and self.parameters.networks is not None) or self.parameters.purge_networks:
            has_extra_networks, extra_networks = container.has_extra_networks()
            if has_extra_networks:
                if self.diff.get('differences'):
                    self.diff['differences'].append(dict(purge_networks=extra_networks))
                else:
                    self.diff['differences'] = [dict(purge_networks=extra_networks)]
                for extra_network in extra_networks:
                    self.diff_tracker.add(
                        'network.{0}'.format(extra_network['name']),
                        active=extra_network
                    )
                self.results['changed'] = True
                updated_container = self._purge_networks(container, extra_networks)
        return updated_container

    def _add_networks(self, container, differences):
        for diff in differences:
            # remove the container from the network, if connected
            if diff.get('container'):
                self.results['actions'].append(dict(removed_from_network=diff['parameter']['name']))
                if not self.check_mode:
                    try:
                        self.client.disconnect_container_from_network(container.Id, diff['parameter']['id'])
                    except Exception as exc:
                        self.fail("Error disconnecting container from network %s - %s" % (diff['parameter']['name'],
                                                                                          str(exc)))
            # connect to the network
            params = dict()
            for para in ('ipv4_address', 'ipv6_address', 'links', 'aliases'):
                if diff['parameter'].get(para):
                    params[para] = diff['parameter'][para]
            self.results['actions'].append(dict(added_to_network=diff['parameter']['name'], network_parameters=params))
            if not self.check_mode:
                try:
                    self.log("Connecting container to network %s" % diff['parameter']['id'])
                    self.log(params, pretty_print=True)
                    self.client.connect_container_to_network(container.Id, diff['parameter']['id'], **params)
                except Exception as exc:
                    self.fail("Error connecting container to network %s - %s" % (diff['parameter']['name'], str(exc)))
        return self._get_container(container.Id)

    def _purge_networks(self, container, networks):
        for network in networks:
            self.results['actions'].append(dict(removed_from_network=network['name']))
            if not self.check_mode:
                try:
                    self.client.disconnect_container_from_network(container.Id, network['name'])
                except Exception as exc:
                    self.fail("Error disconnecting container from network %s - %s" % (network['name'],
                                                                                      str(exc)))
        return self._get_container(container.Id)

    def container_create(self, image, create_parameters):
        self.log("create container")
        self.log("image: %s parameters:" % image)
        self.log(create_parameters, pretty_print=True)
        self.results['actions'].append(dict(created="Created container", create_parameters=create_parameters))
        self.results['changed'] = True
        new_container = None
        if not self.check_mode:
            try:
                new_container = self.client.create_container(image, **create_parameters)
                self.client.report_warnings(new_container)
            except Exception as exc:
                self.fail("Error creating container: %s" % str(exc))
            return self._get_container(new_container['Id'])
        return new_container

    def container_start(self, container_id):
        self.log("start container %s" % (container_id))
        self.results['actions'].append(dict(started=container_id))
        self.results['changed'] = True
        if not self.check_mode:
            try:
                self.client.start(container=container_id)
            except Exception as exc:
                self.fail("Error starting container %s: %s" % (container_id, str(exc)))

            if self.parameters.detach is False:
                if self.client.docker_py_version >= LooseVersion('3.0'):
                    status = self.client.wait(container_id)['StatusCode']
                else:
                    status = self.client.wait(container_id)
                if self.parameters.auto_remove:
                    output = "Cannot retrieve result as auto_remove is enabled"
                    if self.parameters.output_logs:
                        self.client.module.warn('Cannot output_logs if auto_remove is enabled!')
                else:
                    config = self.client.inspect_container(container_id)
                    logging_driver = config['HostConfig']['LogConfig']['Type']

                    if logging_driver in ('json-file', 'journald'):
                        output = self.client.logs(container_id, stdout=True, stderr=True, stream=False, timestamps=False)
                        if self.parameters.output_logs:
                            self._output_logs(msg=output)
                    else:
                        output = "Result logged using `%s` driver" % logging_driver

                if status != 0:
                    self.fail(output, status=status)
                if self.parameters.cleanup:
                    self.container_remove(container_id, force=True)
                insp = self._get_container(container_id)
                if insp.raw:
                    insp.raw['Output'] = output
                else:
                    insp.raw = dict(Output=output)
                return insp
        return self._get_container(container_id)

    def container_remove(self, container_id, link=False, force=False):
        volume_state = (not self.parameters.keep_volumes)
        self.log("remove container container:%s v:%s link:%s force%s" % (container_id, volume_state, link, force))
        self.results['actions'].append(dict(removed=container_id, volume_state=volume_state, link=link, force=force))
        self.results['changed'] = True
        response = None
        if not self.check_mode:
            count = 0
            while True:
                try:
                    response = self.client.remove_container(container_id, v=volume_state, link=link, force=force)
                except NotFound as dummy:
                    pass
                except APIError as exc:
                    if 'Unpause the container before stopping or killing' in exc.explanation:
                        # New docker daemon versions do not allow containers to be removed
                        # if they are paused. Make sure we don't end up in an infinite loop.
                        if count == 3:
                            self.fail("Error removing container %s (tried to unpause three times): %s" % (container_id, str(exc)))
                        count += 1
                        # Unpause
                        try:
                            self.client.unpause(container=container_id)
                        except Exception as exc2:
                            self.fail("Error unpausing container %s for removal: %s" % (container_id, str(exc2)))
                        # Now try again
                        continue
                    if 'removal of container ' in exc.explanation and ' is already in progress' in exc.explanation:
                        pass
                    else:
                        self.fail("Error removing container %s: %s" % (container_id, str(exc)))
                except Exception as exc:
                    self.fail("Error removing container %s: %s" % (container_id, str(exc)))
                # We only loop when explicitly requested by 'continue'
                break
        return response

    def container_update(self, container_id, update_parameters):
        if update_parameters:
            self.log("update container %s" % (container_id))
            self.log(update_parameters, pretty_print=True)
            self.results['actions'].append(dict(updated=container_id, update_parameters=update_parameters))
            self.results['changed'] = True
            if not self.check_mode and callable(getattr(self.client, 'update_container')):
                try:
                    result = self.client.update_container(container_id, **update_parameters)
                    self.client.report_warnings(result)
                except Exception as exc:
                    self.fail("Error updating container %s: %s" % (container_id, str(exc)))
        return self._get_container(container_id)

    def container_kill(self, container_id):
        self.results['actions'].append(dict(killed=container_id, signal=self.parameters.kill_signal))
        self.results['changed'] = True
        response = None
        if not self.check_mode:
            try:
                if self.parameters.kill_signal:
                    response = self.client.kill(container_id, signal=self.parameters.kill_signal)
                else:
                    response = self.client.kill(container_id)
            except Exception as exc:
                self.fail("Error killing container %s: %s" % (container_id, exc))
        return response

    def container_restart(self, container_id):
        self.results['actions'].append(dict(restarted=container_id, timeout=self.parameters.stop_timeout))
        self.results['changed'] = True
        if not self.check_mode:
            try:
                if self.parameters.stop_timeout:
                    dummy = self.client.restart(container_id, timeout=self.parameters.stop_timeout)
                else:
                    dummy = self.client.restart(container_id)
            except Exception as exc:
                self.fail("Error restarting container %s: %s" % (container_id, str(exc)))
        return self._get_container(container_id)

    def container_stop(self, container_id):
        if self.parameters.force_kill:
            self.container_kill(container_id)
            return
        self.results['actions'].append(dict(stopped=container_id, timeout=self.parameters.stop_timeout))
        self.results['changed'] = True
        response = None
        if not self.check_mode:
            count = 0
            while True:
                try:
                    if self.parameters.stop_timeout:
                        response = self.client.stop(container_id, timeout=self.parameters.stop_timeout)
                    else:
                        response = self.client.stop(container_id)
                except APIError as exc:
                    if 'Unpause the container before stopping or killing' in exc.explanation:
                        # New docker daemon versions do not allow containers to be removed
                        # if they are paused. Make sure we don't end up in an infinite loop.
                        if count == 3:
                            self.fail("Error removing container %s (tried to unpause three times): %s" % (container_id, str(exc)))
                        count += 1
                        # Unpause
                        try:
                            self.client.unpause(container=container_id)
                        except Exception as exc2:
                            self.fail("Error unpausing container %s for removal: %s" % (container_id, str(exc2)))
                        # Now try again
                        continue
                    self.fail("Error stopping container %s: %s" % (container_id, str(exc)))
                except Exception as exc:
                    self.fail("Error stopping container %s: %s" % (container_id, str(exc)))
                # We only loop when explicitly requested by 'continue'
                break
        return response


def detect_ipvX_address_usage(client):
    '''
    Helper function to detect whether any specified network uses ipv4_address or ipv6_address
    '''
    for network in client.module.params.get("networks") or []:
        if network.get('ipv4_address') is not None or network.get('ipv6_address') is not None:
            return True
    return False


class AnsibleDockerClientContainer(AnsibleDockerClient):
    # A list of module options which are not docker container properties
    __NON_CONTAINER_PROPERTY_OPTIONS = tuple([
        'env_file', 'force_kill', 'keep_volumes', 'ignore_image', 'name', 'pull', 'purge_networks',
        'recreate', 'restart', 'state', 'trust_image_content', 'networks', 'cleanup', 'kill_signal',
        'output_logs', 'paused', 'removal_wait_timeout'
    ] + list(DOCKER_COMMON_ARGS.keys()))

    def _parse_comparisons(self):
        comparisons = {}
        comp_aliases = {}
        # Put in defaults
        explicit_types = dict(
            command='list',
            devices='set(dict)',
            dns_search_domains='list',
            dns_servers='list',
            env='set',
            entrypoint='list',
            etc_hosts='set',
            mounts='set(dict)',
            networks='set(dict)',
            ulimits='set(dict)',
            device_read_bps='set(dict)',
            device_write_bps='set(dict)',
            device_read_iops='set(dict)',
            device_write_iops='set(dict)',
        )
        all_options = set()  # this is for improving user feedback when a wrong option was specified for comparison
        default_values = dict(
            stop_timeout='ignore',
        )
        for option, data in self.module.argument_spec.items():
            all_options.add(option)
            for alias in data.get('aliases', []):
                all_options.add(alias)
            # Ignore options which aren't used as container properties
            if option in self.__NON_CONTAINER_PROPERTY_OPTIONS and option != 'networks':
                continue
            # Determine option type
            if option in explicit_types:
                datatype = explicit_types[option]
            elif data['type'] == 'list':
                datatype = 'set'
            elif data['type'] == 'dict':
                datatype = 'dict'
            else:
                datatype = 'value'
            # Determine comparison type
            if option in default_values:
                comparison = default_values[option]
            elif datatype in ('list', 'value'):
                comparison = 'strict'
            else:
                comparison = 'allow_more_present'
            comparisons[option] = dict(type=datatype, comparison=comparison, name=option)
            # Keep track of aliases
            comp_aliases[option] = option
            for alias in data.get('aliases', []):
                comp_aliases[alias] = option
        # Process legacy ignore options
        if self.module.params['ignore_image']:
            comparisons['image']['comparison'] = 'ignore'
        if self.module.params['purge_networks']:
            comparisons['networks']['comparison'] = 'strict'
        # Process options
        if self.module.params.get('comparisons'):
            # If '*' appears in comparisons, process it first
            if '*' in self.module.params['comparisons']:
                value = self.module.params['comparisons']['*']
                if value not in ('strict', 'ignore'):
                    self.fail("The wildcard can only be used with comparison modes 'strict' and 'ignore'!")
                for option, v in comparisons.items():
                    if option == 'networks':
                        # `networks` is special: only update if
                        # some value is actually specified
                        if self.module.params['networks'] is None:
                            continue
                    v['comparison'] = value
            # Now process all other comparisons.
            comp_aliases_used = {}
            for key, value in self.module.params['comparisons'].items():
                if key == '*':
                    continue
                # Find main key
                key_main = comp_aliases.get(key)
                if key_main is None:
                    if key_main in all_options:
                        self.fail("The module option '%s' cannot be specified in the comparisons dict, "
                                  "since it does not correspond to container's state!" % key)
                    self.fail("Unknown module option '%s' in comparisons dict!" % key)
                if key_main in comp_aliases_used:
                    self.fail("Both '%s' and '%s' (aliases of %s) are specified in comparisons dict!" % (key, comp_aliases_used[key_main], key_main))
                comp_aliases_used[key_main] = key
                # Check value and update accordingly
                if value in ('strict', 'ignore'):
                    comparisons[key_main]['comparison'] = value
                elif value == 'allow_more_present':
                    if comparisons[key_main]['type'] == 'value':
                        self.fail("Option '%s' is a value and not a set/list/dict, so its comparison cannot be %s" % (key, value))
                    comparisons[key_main]['comparison'] = value
                else:
                    self.fail("Unknown comparison mode '%s'!" % value)
        # Add implicit options
        comparisons['publish_all_ports'] = dict(type='value', comparison='strict', name='published_ports')
        comparisons['expected_ports'] = dict(type='dict', comparison=comparisons['published_ports']['comparison'], name='expected_ports')
        comparisons['disable_healthcheck'] = dict(type='value',
                                                  comparison='ignore' if comparisons['healthcheck']['comparison'] == 'ignore' else 'strict',
                                                  name='disable_healthcheck')
        # Check legacy values
        if self.module.params['ignore_image'] and comparisons['image']['comparison'] != 'ignore':
            self.module.warn('The ignore_image option has been overridden by the comparisons option!')
        if self.module.params['purge_networks'] and comparisons['networks']['comparison'] != 'strict':
            self.module.warn('The purge_networks option has been overridden by the comparisons option!')
        self.comparisons = comparisons

    def _get_additional_minimal_versions(self):
        stop_timeout_supported = self.docker_api_version >= LooseVersion('1.25')
        stop_timeout_needed_for_update = self.module.params.get("stop_timeout") is not None and self.module.params.get('state') != 'absent'
        if stop_timeout_supported:
            stop_timeout_supported = self.docker_py_version >= LooseVersion('2.1')
            if stop_timeout_needed_for_update and not stop_timeout_supported:
                # We warn (instead of fail) since in older versions, stop_timeout was not used
                # to update the container's configuration, but only when stopping a container.
                self.module.warn("Docker SDK for Python's version is %s. Minimum version required is 2.1 to update "
                                 "the container's stop_timeout configuration. "
                                 "If you use the 'docker-py' module, you have to switch to the 'docker' Python package." % (docker_version,))
        else:
            if stop_timeout_needed_for_update and not stop_timeout_supported:
                # We warn (instead of fail) since in older versions, stop_timeout was not used
                # to update the container's configuration, but only when stopping a container.
                self.module.warn("Docker API version is %s. Minimum version required is 1.25 to set or "
                                 "update the container's stop_timeout configuration." % (self.docker_api_version_str,))
        self.option_minimal_versions['stop_timeout']['supported'] = stop_timeout_supported

    def __init__(self, **kwargs):
        option_minimal_versions = dict(
            # internal options
            log_config=dict(),
            publish_all_ports=dict(),
            ports=dict(),
            volume_binds=dict(),
            name=dict(),
            # normal options
            device_read_bps=dict(docker_py_version='1.9.0', docker_api_version='1.22'),
            device_read_iops=dict(docker_py_version='1.9.0', docker_api_version='1.22'),
            device_write_bps=dict(docker_py_version='1.9.0', docker_api_version='1.22'),
            device_write_iops=dict(docker_py_version='1.9.0', docker_api_version='1.22'),
            dns_opts=dict(docker_api_version='1.21', docker_py_version='1.10.0'),
            ipc_mode=dict(docker_api_version='1.25'),
            mac_address=dict(docker_api_version='1.25'),
            oom_score_adj=dict(docker_api_version='1.22'),
            shm_size=dict(docker_api_version='1.22'),
            stop_signal=dict(docker_api_version='1.21'),
            tmpfs=dict(docker_api_version='1.22'),
            volume_driver=dict(docker_api_version='1.21'),
            memory_reservation=dict(docker_api_version='1.21'),
            kernel_memory=dict(docker_api_version='1.21'),
            auto_remove=dict(docker_py_version='2.1.0', docker_api_version='1.25'),
            healthcheck=dict(docker_py_version='2.0.0', docker_api_version='1.24'),
            init=dict(docker_py_version='2.2.0', docker_api_version='1.25'),
            runtime=dict(docker_py_version='2.4.0', docker_api_version='1.25'),
            sysctls=dict(docker_py_version='1.10.0', docker_api_version='1.24'),
            userns_mode=dict(docker_py_version='1.10.0', docker_api_version='1.23'),
            uts=dict(docker_py_version='3.5.0', docker_api_version='1.25'),
            pids_limit=dict(docker_py_version='1.10.0', docker_api_version='1.23'),
            mounts=dict(docker_py_version='2.6.0', docker_api_version='1.25'),
            cpus=dict(docker_py_version='2.3.0', docker_api_version='1.25'),
            # specials
            ipvX_address_supported=dict(docker_py_version='1.9.0', docker_api_version='1.22',
                                        detect_usage=detect_ipvX_address_usage,
                                        usage_msg='ipv4_address or ipv6_address in networks'),
            stop_timeout=dict(),  # see _get_additional_minimal_versions()
        )

        super(AnsibleDockerClientContainer, self).__init__(
            option_minimal_versions=option_minimal_versions,
            option_minimal_versions_ignore_params=self.__NON_CONTAINER_PROPERTY_OPTIONS,
            **kwargs
        )

        self.image_inspect_source = 'Config'
        if self.docker_api_version < LooseVersion('1.21'):
            self.image_inspect_source = 'ContainerConfig'

        self._get_additional_minimal_versions()
        self._parse_comparisons()

        if self.module.params['container_default_behavior'] is None:
            self.module.params['container_default_behavior'] = 'compatibility'
            self.module.deprecate(
                'The container_default_behavior option will change its default value from "compatibility" to '
                '"no_defaults" in Ansible 2.14. To remove this warning, please specify an explicit value for it now',
                version='2.14'
            )
        if self.module.params['container_default_behavior'] == 'compatibility':
            old_default_values = dict(
                auto_remove=False,
                detach=True,
                init=False,
                interactive=False,
                memory="0",
                paused=False,
                privileged=False,
                read_only=False,
                tty=False,
            )
            for param, value in old_default_values.items():
                if self.module.params[param] is None:
                    self.module.params[param] = value


def main():
    argument_spec = dict(
        auto_remove=dict(type='bool'),
        blkio_weight=dict(type='int'),
        capabilities=dict(type='list', elements='str'),
        cap_drop=dict(type='list', elements='str'),
        cleanup=dict(type='bool', default=False),
        command=dict(type='raw'),
        comparisons=dict(type='dict'),
        container_default_behavior=dict(type='str', choices=['compatibility', 'no_defaults']),
        cpu_period=dict(type='int'),
        cpu_quota=dict(type='int'),
        cpus=dict(type='float'),
        cpuset_cpus=dict(type='str'),
        cpuset_mems=dict(type='str'),
        cpu_shares=dict(type='int'),
        detach=dict(type='bool'),
        devices=dict(type='list', elements='str'),
        device_read_bps=dict(type='list', elements='dict', options=dict(
            path=dict(required=True, type='str'),
            rate=dict(required=True, type='str'),
        )),
        device_write_bps=dict(type='list', elements='dict', options=dict(
            path=dict(required=True, type='str'),
            rate=dict(required=True, type='str'),
        )),
        device_read_iops=dict(type='list', elements='dict', options=dict(
            path=dict(required=True, type='str'),
            rate=dict(required=True, type='int'),
        )),
        device_write_iops=dict(type='list', elements='dict', options=dict(
            path=dict(required=True, type='str'),
            rate=dict(required=True, type='int'),
        )),
        dns_servers=dict(type='list', elements='str'),
        dns_opts=dict(type='list', elements='str'),
        dns_search_domains=dict(type='list', elements='str'),
        domainname=dict(type='str'),
        entrypoint=dict(type='list', elements='str'),
        env=dict(type='dict'),
        env_file=dict(type='path'),
        etc_hosts=dict(type='dict'),
        exposed_ports=dict(type='list', elements='str', aliases=['exposed', 'expose']),
        force_kill=dict(type='bool', default=False, aliases=['forcekill']),
        groups=dict(type='list', elements='str'),
        healthcheck=dict(type='dict', options=dict(
            test=dict(type='raw'),
            interval=dict(type='str'),
            timeout=dict(type='str'),
            start_period=dict(type='str'),
            retries=dict(type='int'),
        )),
        hostname=dict(type='str'),
        ignore_image=dict(type='bool', default=False),
        image=dict(type='str'),
        init=dict(type='bool'),
        interactive=dict(type='bool'),
        ipc_mode=dict(type='str'),
        keep_volumes=dict(type='bool', default=True),
        kernel_memory=dict(type='str'),
        kill_signal=dict(type='str'),
        labels=dict(type='dict'),
        links=dict(type='list', elements='str'),
        log_driver=dict(type='str'),
        log_options=dict(type='dict', aliases=['log_opt']),
        mac_address=dict(type='str'),
        memory=dict(type='str'),
        memory_reservation=dict(type='str'),
        memory_swap=dict(type='str'),
        memory_swappiness=dict(type='int'),
        mounts=dict(type='list', elements='dict', options=dict(
            target=dict(type='str', required=True),
            source=dict(type='str'),
            type=dict(type='str', choices=['bind', 'volume', 'tmpfs', 'npipe'], default='volume'),
            read_only=dict(type='bool'),
            consistency=dict(type='str', choices=['default', 'consistent', 'cached', 'delegated']),
            propagation=dict(type='str', choices=['private', 'rprivate', 'shared', 'rshared', 'slave', 'rslave']),
            no_copy=dict(type='bool'),
            labels=dict(type='dict'),
            volume_driver=dict(type='str'),
            volume_options=dict(type='dict'),
            tmpfs_size=dict(type='str'),
            tmpfs_mode=dict(type='str'),
        )),
        name=dict(type='str', required=True),
        network_mode=dict(type='str'),
        networks=dict(type='list', elements='dict', options=dict(
            name=dict(type='str', required=True),
            ipv4_address=dict(type='str'),
            ipv6_address=dict(type='str'),
            aliases=dict(type='list', elements='str'),
            links=dict(type='list', elements='str'),
        )),
        networks_cli_compatible=dict(type='bool'),
        oom_killer=dict(type='bool'),
        oom_score_adj=dict(type='int'),
        output_logs=dict(type='bool', default=False),
        paused=dict(type='bool'),
        pid_mode=dict(type='str'),
        pids_limit=dict(type='int'),
        privileged=dict(type='bool'),
        published_ports=dict(type='list', elements='str', aliases=['ports']),
        pull=dict(type='bool', default=False),
        purge_networks=dict(type='bool', default=False),
        read_only=dict(type='bool'),
        recreate=dict(type='bool', default=False),
        removal_wait_timeout=dict(type='float'),
        restart=dict(type='bool', default=False),
        restart_policy=dict(type='str', choices=['no', 'on-failure', 'always', 'unless-stopped']),
        restart_retries=dict(type='int'),
        runtime=dict(type='str'),
        security_opts=dict(type='list', elements='str'),
        shm_size=dict(type='str'),
        state=dict(type='str', default='started', choices=['absent', 'present', 'started', 'stopped']),
        stop_signal=dict(type='str'),
        stop_timeout=dict(type='int'),
        sysctls=dict(type='dict'),
        tmpfs=dict(type='list', elements='str'),
        trust_image_content=dict(type='bool', default=False, removed_in_version='2.14'),
        tty=dict(type='bool'),
        ulimits=dict(type='list', elements='str'),
        user=dict(type='str'),
        userns_mode=dict(type='str'),
        uts=dict(type='str'),
        volume_driver=dict(type='str'),
        volumes=dict(type='list', elements='str'),
        volumes_from=dict(type='list', elements='str'),
        working_dir=dict(type='str'),
    )

    required_if = [
        ('state', 'present', ['image'])
    ]

    client = AnsibleDockerClientContainer(
        argument_spec=argument_spec,
        required_if=required_if,
        supports_check_mode=True,
        min_docker_api_version='1.20',
    )
    if client.module.params['networks_cli_compatible'] is None and client.module.params['networks']:
        client.module.deprecate(
            'Please note that docker_container handles networks slightly different than docker CLI. '
            'If you specify networks, the default network will still be attached as the first network. '
            '(You can specify purge_networks to remove all networks not explicitly listed.) '
            'This behavior will change in Ansible 2.12. You can change the behavior now by setting '
            'the new `networks_cli_compatible` option to `yes`, and remove this warning by setting '
            'it to `no`',
            version='2.12'
        )
    if client.module.params['networks_cli_compatible'] is True and client.module.params['networks'] and client.module.params['network_mode'] is None:
        client.module.deprecate(
            'Please note that the default value for `network_mode` will change from not specified '
            '(which is equal to `default`) to the name of the first network in `networks` if '
            '`networks` has at least one entry and `networks_cli_compatible` is `true`. You can '
            'change the behavior now by explicitly setting `network_mode` to the name of the first '
            'network in `networks`, and remove this warning by setting `network_mode` to `default`. '
            'Please make sure that the value you set to `network_mode` equals the inspection result '
            'for existing containers, otherwise the module will recreate them. You can find out the '
            'correct value by running "docker inspect --format \'{{.HostConfig.NetworkMode}}\' <container_name>"',
            version='2.14'
        )

    try:
        cm = ContainerManager(client)
        client.module.exit_json(**sanitize_result(cm.results))
    except DockerException as e:
        client.fail('An unexpected docker error occurred: {0}'.format(e), exception=traceback.format_exc())
    except RequestException as e:
        client.fail('An unexpected requests error occurred when docker-py tried to talk to the docker daemon: {0}'.format(e), exception=traceback.format_exc())


if __name__ == '__main__':
    main()