authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-02-11 17:22:25 +0100
committerGitHub <noreply@github.com>2019-02-11 17:22:25 +0100
commit112a5ab20cd6a07bcfcccadd0c0b851927a16f05 (patch)
treeea57fba0de037c4c9f3e284221a9215b38cc3deb
parent8440b0734cac68ddd13c0c9c7bd5d07394da38fd (diff)
parent440dd8c2ed5127d657e06e10b48b9ee8d423a799 (diff)
Merge pull request #2310 from baude/issue2304
lock and sync container before checking mountpoint
-rw-r--r--libpod/kube.go10
1 files changed, 8 insertions, 2 deletions
diff --git a/libpod/kube.go b/libpod/kube.go
index f34805e39..16cebf99b 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -401,7 +401,7 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) {
func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
priv := c.Privileged()
ro := c.IsReadOnly()
- allowPrivEscalation := !c.Spec().Process.NoNewPrivileges
+ allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges
newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
if err != nil {
@@ -421,7 +421,13 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
}
if c.User() != "" {
- // It is *possible* that
+ if !c.batched {
+ c.lock.Lock()
+ defer c.lock.Unlock()
+ }
+ if err := c.syncContainer(); err != nil {
+ return nil, errors.Wrapf(err, "unable to sync container during YAML generation")
+ }
logrus.Debugf("Looking in container for user: %s", c.User())
u, err := lookup.GetUser(c.state.Mountpoint, c.User())
if err != nil {
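Review bot: After `c.syncContainer()` succeeds, `c.state.Mountpoint` is handed straight to `lookup.GetUser` with no check that the container is actually mounted. If the container is not mounted the mountpoint is presumably empty, so the lookup may read passwd data from outside the container's root filesystem, and the UID written into the generated security context would then be wrong. A guard before the lookup would make the precondition explicit, for example `if c.state.Mountpoint == "" { return nil, errors.Errorf("container %s is not mounted, cannot look up user %s", c.ID(), c.User()) }`. The deferred unlock keeps the container lock held until generateKubeSecurityContext returns, and the rest of the function lies outside the hunk, so it is worth confirming nothing later in the body tries to take the same lock.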