hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8927) Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check" function
Date Thu, 25 Oct 2018 21:29:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16664312#comment-16664312
] 

Eric Yang commented on YARN-8927:
---------------------------------

[~ebadger] I am some what concerned with "local" or "localhost" being the name to toggle local
registry.  "library" is a reserved word from docker point of view.  No third party can publish
to library without Docker Inc approval or the image is already resided locally and tagged
by someone who has docker rights.  Unknown party might be able to create a "local" or "localhost"
registry on docker hub to defeat the docker.trusted.registries mechanism, if we didn't choose
the keyword carefully.

> Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check"
function
> -----------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if run DistrubutedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But run a DistrubutedShell job with "centos", "centos[:tagName]", "ubuntu" and "ubuntu[:tagName]"
fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling the above cases.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message