hadoop-yarn-issues mailing list archives

From "Vinod Kumar Vavilapalli (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8342) Using docker image from a non-privileged registry, the launch_command is not honored
Date Fri, 25 May 2018 07:46:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16490364#comment-16490364 ]

Vinod Kumar Vavilapalli commented on YARN-8342:
-----------------------------------------------

bq. 2. Change the name docker.privileged-containers.registries back to docker.trusted.registries. Images outside of trusted.registries are disallowed.
My understanding instead is that we should rename this to be called something like docker.privileged-registries
to avoid confusion with the privileged-containers moniker. The disallow-images-from-everywhere-else
is instead what is asked at YARN-8343?

bq. Option 1 requires RHEL 7.5+ to be completely immune to security hole.
Can you expand what this means?

> Using docker image from a non-privileged registry, the launch_command is not honored
> ------------------------------------------------------------------------------------
>
>                 Key: YARN-8342
>                 URL: https://issues.apache.org/jira/browse/YARN-8342
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Wangda Tan
>            Assignee: Eric Yang
>            Priority: Critical
>              Labels: Docker
>         Attachments: YARN-8342.001.patch
>
>
> During test of the Docker feature, I found that if a container comes from a non-privileged
> docker registry, the specified launch command will be ignored. The container will succeed without
> any log, which is very confusing to end users. And this behavior is inconsistent with containers
> from privileged docker registries.
> cc: [~eyang], [~shanekumpf@gmail.com], [~ebadger], [~jlowe]


