diff options
author | baude <bbaude@redhat.com> | 2019-02-11 09:07:34 -0600 |
---|---|---|
committer | baude <bbaude@redhat.com> | 2019-02-11 09:20:30 -0600 |
commit | 440dd8c2ed5127d657e06e10b48b9ee8d423a799 (patch) | |
tree | 4c5ac398979a6e548d8646f7f746bf6ab36757f7 | |
parent | acf2e913730a27fcdc3fcd7c160aa19e071dde36 (diff) | |
download | podman-440dd8c2ed5127d657e06e10b48b9ee8d423a799.tar.gz podman-440dd8c2ed5127d657e06e10b48b9ee8d423a799.tar.bz2 podman-440dd8c2ed5127d657e06e10b48b9ee8d423a799.zip |
lock and sync container before checking mountpoint
when checking for a container's mountpoint, you must lock and sync
the container or the result may be "".
Fixes: #2304
Signed-off-by: baude <bbaude@redhat.com>
-rw-r--r-- | libpod/kube.go | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libpod/kube.go b/libpod/kube.go index f34805e39..16cebf99b 100644 --- a/libpod/kube.go +++ b/libpod/kube.go @@ -401,7 +401,7 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) { func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) { priv := c.Privileged() ro := c.IsReadOnly() - allowPrivEscalation := !c.Spec().Process.NoNewPrivileges + allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities) if err != nil { @@ -421,7 +421,13 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) { } if c.User() != "" { - // It is *possible* that + if !c.batched { + c.lock.Lock() + defer c.lock.Unlock() + } + if err := c.syncContainer(); err != nil { + return nil, errors.Wrapf(err, "unable to sync container during YAML generation") + } logrus.Debugf("Looking in container for user: %s", c.User()) u, err := lookup.GetUser(c.state.Mountpoint, c.User()) if err != nil { |