hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-8927) Support trust top-level image like "centos" when "library" is configured in "docker.trusted.registries"
Date Wed, 30 Jan 2019 00:35:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16755512#comment-16755512 ]

Eric Yang edited comment on YARN-8927 at 1/30/19 12:34 AM:
-----------------------------------------------------------

[~tangzhankun] YARN-8955 is to skip docker pull, if the image already exists locally.  Patch
002 implies that all local images are trusted as long as the image name does not have a '/'
character.  On the surface, this is likely to be true.  Admin privileges are required to run
the docker tag command to convert any image into a local image.  I am unsure if another ACL is
required to explicitly trust specific local images only.  [~ebadger], you had some feedback
before, and I would like to revalidate whether that requirement is still necessary or the current
implementation is good enough without hindering usability?


was (Author: eyang):
[~tangzhankun] YARN-8955 is to skip docker pull, if the image already exist locally.  Patch
002 implies that all local images are trusted as long as the image name does not have a '/'
character.  On the surface, this is likely to be true.  Admin privileges are required to run
the docker tag command to convert any image into a local image.  I am unsure if another ACL is
required to explicitly trust specific local images only.  [~ebadger], you had some feedback
before, and I would like to revalidate whether that requirement is still necessary or the current
implementation is good enough without hindering usability?

> Support trust top-level image like "centos" when "library" is configured in "docker.trusted.registries"
> -------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8927-trunk.001.patch, YARN-8927-trunk.002.patch
>
>
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works when running DistributedShell with "tangzhankun/tensorflow":
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" and "ubuntu[:tagName]" fails.
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.



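Added example, not part of the original message and not the container-executor source: a C illustration of the rule in the issue title, where an image name without '/' is trusted only when "library" is listed in docker.trusted.registries, and a name with '/' is trusted only when its whole registry part matches an entry. The function names image_is_trusted and in_list are hypothetical, and the "tangzhankun,library" configuration is constructed for the comparison.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if `name` (length n) equals one whole entry of the comma-separated list. */
static bool in_list(const char *list, const char *name, size_t n) {
    const char *p = list;
    while (*p) {
        size_t len = strcspn(p, ",");
        if (len == n && strncmp(p, name, n) == 0)
            return true;
        p += len;
        if (*p == ',')
            p++;
    }
    return false;
}

/* Hypothetical trust check following the rule in the issue title. */
bool image_is_trusted(const char *image, const char *trusted_registries) {
    const char *slash = strchr(image, '/');
    if (slash == NULL)   /* top-level image, e.g. "centos" or "centos:7" */
        return in_list(trusted_registries, "library", strlen("library"));
    if (slash == image)  /* empty registry part, e.g. "/centos" */
        return false;
    /* Compare the whole registry part, so "tangzhankun2/x" does not
       pass on the strength of a "tangzhankun" entry. */
    return in_list(trusted_registries, image, (size_t)(slash - image));
}

int main(void) {
    const char *cfg = "tangzhankun,ubuntu,centos"; /* value from the issue */
    const char *cfg_lib = "tangzhankun,library";   /* constructed */
    const char *images[] = {"tangzhankun/tensorflow", "centos", "centos:7",
                            "tangzhankun2/tensorflow"};
    for (size_t i = 0; i < sizeof images / sizeof images[0]; i++)
        printf("%-26s issue-cfg=%d with-library=%d\n", images[i],
               image_is_trusted(images[i], cfg),
               image_is_trusted(images[i], cfg_lib));
    return 0;
}
```

With "library" listed, every name without '/' passes this check, including an image that was tagged locally, which is the case the comment asks about when it raises a separate ACL for local images.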