hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8927) Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check" function
Date Thu, 25 Oct 2018 16:03:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16663948#comment-16663948 ]

Eric Badger commented on YARN-8927:

bq. Eric Badger This seems to imply that library keyword will toggle to allow public image
and image without a registry name. Locally built images will not have registry name. Should
we trust all local images without a registry name? I prefer this idea more than prepending
library/* but just want to be sure that by common sense, local images can be trusted without
getting into trouble.

I'm not sure it has to be one or the other. If you specify just {{library}} in the trusted
registries then it would mean that all local images are trusted. If you specify {{library/centos:latest}},
then only the {{centos:latest}} image that is local will be trusted and none of the other
local images. The main takeaway I want to have here is that the user should not have to change
the name of what they're specifying. If the image on the node is {{centos:latest}} then they
should ask for {{centos:latest}}, not {{library/centos:latest}}. And there should be a configuration
in {{docker.trusted.registries}} to allow for that image to be trusted, even if it is a local
image that has no "registry".

> Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check"
> -----------------------------------------------------------------------------------------------------
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if we run DistributedShell with "tangzhankun/tensorflow":
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But when running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" and "ubuntu[:tagName]",
> the error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.
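
The matching rule proposed in the comment above, sketched in C as an added illustration; it is not part of the original message and not Hadoop's container-executor code. The function name `image_is_trusted`, exact-string matching of tags, and a comma-separated list without whitespace are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Illustration only; image_is_trusted is a hypothetical name.
 * `trusted` is a comma-separated list with no surrounding whitespace.
 * Returns 1 if `image` is trusted, 0 otherwise. */
int image_is_trusted(const char *image, const char *trusted) {
  const char *slash = strchr(image, '/');
  size_t image_len = strlen(image);
  const char *entry = trusted;

  if (image_len == 0) return 0;
  while (*entry != '\0') {
    size_t len = strcspn(entry, ",");
    if (len == 0) {
      /* Skip empty entries such as ",," so they never match anything. */
    } else if (slash != NULL) {
      /* Image names a registry: the entry must equal the part before '/'. */
      if (len == (size_t)(slash - image) && strncmp(entry, image, len) == 0)
        return 1;
    } else if (len == 7 && strncmp(entry, "library", 7) == 0) {
      /* Bare "library": every image without a registry is trusted. */
      return 1;
    } else if (len == 8 + image_len && strncmp(entry, "library/", 8) == 0 &&
               strncmp(entry + 8, image, image_len) == 0) {
      /* "library/<image>": only that one local image is trusted. */
      return 1;
    }
    entry += len;
    if (*entry == ',') entry++;
  }
  return 0;
}

int main(void) {
  const char *cfg = "tangzhankun,library/centos:latest"; /* constructed sample */
  const char *images[] = {"tangzhankun/tensorflow", "centos:latest",
                          "ubuntu:latest"};
  for (size_t i = 0; i < 3; i++)
    printf("%s -> %s\n", images[i],
           image_is_trusted(images[i], cfg) ? "trusted" : "not trusted");
  return 0;
}
```

Under this rule a bare `centos` entry still names a registry, so the configuration from the issue description keeps rejecting the local `centos` image until a `library` or `library/centos` style entry is added.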
