[ 
https://issues.apache.org/jira/browse/YARN-8342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16493804#comment-16493804
 ] 

Eric Yang commented on YARN-8342:
---------------------------------

[~ebadger] {quote}
Depending on the registry it comes from, yes. If the registry is a black box 
and operated by some 3rd party, then you might not want that image to be run 
with mounts at all.{quote}

Sudo users can easily change the configuration to allow the untrusted registry 
to become trusted.  It would be very difficult to prevent sudo users from using 
untrusted registries.  This is a procedure problem rather than a coding problem.

{quote}
Since I don't ever want to run a privileged container, it seems prudent to not 
allow users to run them instead of trusting that users won't run them.
{quote}

Let's make sure we agree on the required code fix.  If 
docker.privileged-containers.enabled is disabled and a user puts images in 
docker.trusted.registries, the images in docker.trusted.registries behave 
like type 2.  When docker.privileged-containers.enabled is enabled and a user 
puts images in docker.trusted.registries, the images behave like type 3.  
Registries not described in trusted registries are type 1 regardless of the 
docker.privileged-containers.enabled setting.  Hence, renaming 
docker.privileged-containers.registries to docker.trusted.registries can 
address the confusion.  

This JIRA is going to tweak type 1 to allow launch_command to be supplied and 
change the docker.privileged-containers.registries label.  Do we agree these are the 
right safety valves and changes that are going to happen?
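To make the three image types in the comment above concrete, here is an added illustration (not YARN's own code): it extracts the registry from an image reference using Docker's reference rules (the first path component is a registry only if it contains a dot or a colon or is `localhost`; otherwise the image is on Docker Hub, `docker.io`), reads the two settings from a constructed `container-executor.cfg`-style snippet, and applies the rule that an image outside docker.trusted.registries is type 1 regardless of docker.privileged-containers.enabled. The per-type capability table is an assumption that summarises the discussion, not a YARN specification.

```python
# Added illustration of the type 1/2/3 classification; not code from YARN.

def registry_of(image: str) -> str:
    """Registry host of an image reference, defaulting to docker.io (Docker Hub)."""
    first = image.split("/", 1)[0]
    # Only a component before a '/' can be a registry; 'centos:7' is name:tag.
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def parse_docker_settings(cfg_text: str):
    """Read the two settings from a container-executor.cfg-style [docker] section."""
    settings = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue  # blank, comment or section header
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    trusted = [r for r in settings.get("docker.trusted.registries", "").split(",") if r]
    privileged = settings.get("docker.privileged-containers.enabled", "false").lower() == "true"
    return trusted, privileged

def classify_image(image: str, trusted_registries, privileged_enabled: bool) -> int:
    """1 = untrusted registry, 2 = trusted without privilege, 3 = trusted with privilege."""
    if registry_of(image) not in set(trusted_registries):
        return 1  # untrusted: type 1 regardless of the privileged setting
    return 3 if privileged_enabled else 2

# Assumed capability summary per type, reflecting the discussion (not a YARN spec):
# type 1 gets launch_command (after this JIRA) but no mounts and no privilege.
CAPABILITIES = {
    1: {"launch_command": True, "mounts": False, "privileged": False},
    2: {"launch_command": True, "mounts": True, "privileged": False},
    3: {"launch_command": True, "mounts": True, "privileged": True},
}

# Constructed sample configuration for illustration.
SAMPLE_CFG = """
[docker]
  module.enabled=true
  docker.privileged-containers.enabled=true
  docker.trusted.registries=registry.example.com:5000,localhost
"""

if __name__ == "__main__":
    trusted, priv = parse_docker_settings(SAMPLE_CFG)
    for img in ("centos:7", "registry.example.com:5000/team/app:1.0", "localhost/app"):
        t = classify_image(img, trusted, priv)
        print(img, "-> type", t, CAPABILITIES[t])
```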

> Using docker image from a non-privileged registry, the launch_command is not 
> honored
> ------------------------------------------------------------------------------------
>
>                 Key: YARN-8342
>                 URL: https://issues.apache.org/jira/browse/YARN-8342
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Wangda Tan
>            Assignee: Eric Yang
>            Priority: Critical
>              Labels: Docker
>         Attachments: YARN-8342.001.patch
>
>
> During test of the Docker feature, I found that if a container comes from a 
> non-privileged docker registry, the specified launch command will be ignored. 
> The container will succeed without any log, which is very confusing to end users. 
> And this behavior is inconsistent with containers from privileged docker 
> registries.
> cc: [~eyang], [[email protected]], [~ebadger], [~jlowe]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
