hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8927) Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check" function
Date Thu, 25 Oct 2018 15:56:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16663945#comment-16663945
] 

Eric Yang commented on YARN-8927:
---------------------------------

{quote}we implicitly transform user given value "centos" to "library/centos:latest", "centos:6"
to "library/centos:6".{quote}

[~tangzhankun] The idea is good to improve usability.  Can user get confused that they ask
for centos, but they get library/centos when they run docker inspect command?

{quote}If the image is deemed to not have a registry associated with it (e.g. centos:latest
or centos:6), we could then mark it as trusted or not based on whether library is in the trusted
registries list.{quote}

[~ebadger] This seems to imply that library keyword will toggle to allow public image and
image without a registry name.  Locally built images will not have registry name.  Should
we trust all local images without a registry name?  I prefer this idea more than prepending
library/* but just want to be sure that by common sense, local images can be trusted without
getting into trouble.

> Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check"
function
> -----------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if run DistrubutedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But run a DistrubutedShell job with "centos", "centos[:tagName]", "ubuntu" and "ubuntu[:tagName]"
fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling the above cases.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message