hadoop-yarn-issues mailing list archives

From "Zhankun Tang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8927) Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check" function
Date Fri, 26 Oct 2018 05:19:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16664670#comment-16664670 ]

Zhankun Tang commented on YARN-8927:

[~eyang],

Sorry for being misleading. I mean we do check with the "library" prefix, but we do not use "library/centos:latest"
to replace the user's input image name. I agree that we enable the local and Docker public repositories
by default.

[~ebadger] Thanks for the detailed discussion here. Really helpful.

What YARN does here is add a white-list so that an administrator can allow which "repository/image[:tag]"
an end user can pull (YARN-3854) or run.

To keep the end user's experience of running an image without a repository name consistent with
"Docker", I guess we all agreed to leave "library" in "{{docker.trusted.registries}}"
by default to enable local images.

Since Docker will try to pull it from Docker Hub if it is not available locally, should we avoid this pull?
I think probably not. Docker Hub could be a trusted repo for YARN. And if not, another
problem comes up when we only allow real local images: how do we configure the Docker Hub repo
for YARN-3854 to pull images? Use another reserved word by convention?

So maybe setting "library" in "docker.trusted.registries", allowing both local and Docker Hub,
is clean and simple?


> Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check"
> -----------------------------------------------------------------------------------------------------
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if we run DistributedShell with "tangzhankun/tensorflow":
> {code:java}
> yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But when we run a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" and "ubuntu[:tagName]",
> the error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need to handle the above cases better.
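
The check discussed in this message, written out as an added example (it is not code from this thread or from Hadoop's container-executor). It assumes an image with no repository prefix is checked against "library" without rewriting the user's image name; the function name `image_is_trusted`, the tag `16.04` and the `other/centos` image are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not container-executor's real trusted_image_check.
 * Returns 1 if the image's repository prefix is listed in trusted_csv
 * (the comma-separated value of docker.trusted.registries), else 0.
 * An image with no '/' (e.g. "centos:latest") is checked as if it were
 * under "library", but the caller's image string is never rewritten. */
int image_is_trusted(const char *image, const char *trusted_csv)
{
    if (image == NULL || trusted_csv == NULL || image[0] == '\0')
        return 0;

    const char *slash = strchr(image, '/');
    const char *prefix = slash ? image : "library";
    size_t prefix_len = slash ? (size_t)(slash - image) : strlen("library");
    if (prefix_len == 0)            /* "/centos": empty prefix, reject */
        return 0;

    /* Walk the comma-separated list and compare whole entries only,
     * so the prefix "tang" does not match the entry "tangzhankun". */
    const char *entry = trusted_csv;
    while (*entry != '\0') {
        size_t entry_len = strcspn(entry, ",");
        if (entry_len == prefix_len && strncmp(entry, prefix, prefix_len) == 0)
            return 1;
        entry += entry_len;
        if (*entry == ',')
            entry++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs based on the names used in this thread. */
    const char *cfg = "tangzhankun,library";
    const char *images[] = { "tangzhankun/tensorflow", "centos", "ubuntu:16.04",
                             "library/centos:latest", "other/centos" };
    for (size_t i = 0; i < sizeof images / sizeof images[0]; i++)
        printf("%-24s %s\n", images[i],
               image_is_trusted(images[i], cfg) ? "trusted" : "not trusted");
    return 0;
}
```

Under this assumption, the configuration from the issue description (`tangzhankun,ubuntu,centos`) still rejects a bare `centos`, because the entry that covers unprefixed images is `library`, not the image name.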
