[ https://issues.apache.org/jira/browse/YARN-8342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16488073#comment-16488073 ]

Eric Badger commented on YARN-8342:
-----------------------------------

{quote}Looks like the name {{docker.privileged-containers.registries}} is very 
misleading. It doesn't apply only for Docker Privileged Containers, right? If 
so, we should fix this name.
{quote}
I 100% agree with this. 

bq. With YARN-7654 changes to use execvp, this concern has been nullified. It 
is safe to preserve launch command even for untrusted images.

If we're going to allow random (untrusted) images to execute, then the command 
with which they start doesn't really matter, user-specified or image-supplied. 
The image could start with any CMD, so we already have to assume that it's 
untrusted/possibly malicious code that is executing right off the bat. I don't 
see any added risk here by letting the user define what they want to run.

> Using docker image from a non-privileged registry, the launch_command is not 
> honored
> ------------------------------------------------------------------------------------
>
>                 Key: YARN-8342
>                 URL: https://issues.apache.org/jira/browse/YARN-8342
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Wangda Tan
>            Priority: Critical
>              Labels: Docker
>
> During testing of the Docker feature, I found that if a container comes from a 
> non-privileged docker registry, the specified launch command will be ignored. 
> The container will succeed without any log, which is very confusing to end users. 
> And this behavior is inconsistent with containers from privileged docker 
> registries.
> cc: [~eyang], [[email protected]], [~ebadger], [~jlowe]


