lock and sync container before checking mountpoint

when checking for a container's mountpoint, you must lock and sync the container or the result may be "". Fixes: containers#2304 Signed-off-by: baude <bbaude@redhat.com>
baude · Feb 11, 2019 · 440dd8c · 440dd8c
1 parent acf2e91
commit 440dd8c
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/libpod/kube.go b/libpod/kube.go
@@ -401,7 +401,7 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) {
 func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
 	priv := c.Privileged()
 	ro := c.IsReadOnly()
-	allowPrivEscalation := !c.Spec().Process.NoNewPrivileges
+	allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges
 
 	newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
 	if err != nil {
@@ -421,7 +421,13 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
 	}
 
 	if c.User() != "" {
-		// It is *possible* that
+		if !c.batched {
+			c.lock.Lock()
+			defer c.lock.Unlock()
+		}
+		if err := c.syncContainer(); err != nil {
+			return nil, errors.Wrapf(err, "unable to sync container during YAML generation")
+		}
 		logrus.Debugf("Looking in container for user: %s", c.User())
 		u, err := lookup.GetUser(c.state.Mountpoint, c.User())
 		if err != nil {