hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8927) Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check" function
Date Mon, 29 Oct 2018 17:03:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16667455#comment-16667455

Eric Yang commented on YARN-8927:

{quote}Basically, the mode I'm talking about is allowing users to run privileged containers,
but preventing the users from hitting a docker registry. If the library keyword is used, then
the user can either specify a local image that exists, or an image in a default registry that
exists in the library repository. That's what I'm not comfortable with. I want sysadmins to
be able to define that only certain local images can be run as privileged.{quote}

There are 3 related issues to what we are discuss here.
# The trust of top level public image. (this JIRA)
# Privileged container using privileged registry. (YARN-8376)
# Trust and privileged local image. (need a new JIRA)

It may be best to open a new JIRA to discuss how local image should be trusted and enable
privileged container.  There are depths in each of the items that need to be designed separately.
 I am becoming less favoring to use library keyword to combine 1 and 3 together.  This JIRA
should focus on the original user experience problem of public image.  [~ebadger] [~tangzhankun]
Do you agree that this is the way forward?

> Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check"
> -----------------------------------------------------------------------------------------------------
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if run DistrubutedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But run a DistrubutedShell job with "centos", "centos[:tagName]", "ubuntu" and "ubuntu[:tagName]"
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling the above cases.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message