[
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16664670#comment-16664670
]
Zhankun Tang commented on YARN-8927:
------------------------------------
[~eyang],
Sorry for the confusion. I mean we do check with the "library" prefix but do
not use "library/centos:latest" to replace the user's input image name. I agree
that we enable the local and docker pub repository by default.
[~ebadger] Thanks for the detailed discussion here. Really helpful.
What YARN does here is add a white-list for an administrator to allow which
"repository/image[:tag]" an end user can pull (YARN-3854) or run.
To keep the end user's experience of running an image without a repository name
consistent with "Docker", I guess we all agreed to leave "library" in
"{{docker.trusted.registries}}" by default to enable local images.
Since Docker will try to pull it from Docker Hub if it is not local, should we
avoid this pull? I think probably not. Docker Hub could be a trusted repo
for YARN. And if not, another problem comes up when only allowing real local
images: how do we configure the Docker Hub repo for YARN-3854 to pull images? Use
another convention of preserved words?
So maybe setting "library" to "docker.trusted.registries", allowing both local
and Docker Hub, is clean and simple?
> Better handling of "docker.trusted.registries" in container-executor's
> "trusted_image_check" function
> -----------------------------------------------------------------------------------------------------
>
> Key: YARN-8927
> URL: https://issues.apache.org/jira/browse/YARN-8927
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
> Priority: Major
>
> There are some missing cases that we need to catch when handling
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if we run DistributedShell with "tangzhankun/tensorflow":
> {code:java}
> yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu"
> and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.
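The check discussed in this thread, as an added sketch that is not part of the original message and is not Hadoop's container-executor code: an image name with no repository part is treated as belonging to "library", so it is trusted only when "library" is listed. The function name `image_is_trusted` and the rule of taking everything before the first "/" as the repository are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the project's trusted_image_check).
 * Returns 1 if the repository part of `image` is an entry of the
 * comma-separated `trusted` list, 0 otherwise. */
int image_is_trusted(const char *image, const char *trusted) {
    char repo[256];
    const char *slash, *p;
    size_t len;

    if (image == NULL || trusted == NULL || *image == '\0')
        return 0;
    slash = strchr(image, '/');
    if (slash == NULL) {
        /* "centos" or "centos:tag": no repository given, so use the
         * "library" namespace that the thread proposes to whitelist. */
        strcpy(repo, "library");
    } else {
        len = (size_t)(slash - image);
        if (len == 0 || len >= sizeof(repo))
            return 0;               /* empty or oversized prefix: reject */
        memcpy(repo, image, len);
        repo[len] = '\0';
    }
    /* Compare against whole list entries only, so "tangzhankun2/x"
     * does not match the entry "tangzhankun". */
    for (p = trusted; *p != '\0'; ) {
        const char *end = strchr(p, ',');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == strlen(repo) && strncmp(p, repo, n) == 0)
            return 1;
        p += n;
        if (*p == ',')
            p++;
    }
    return 0;
}

int main(void) {
    /* Constructed inputs mirroring the configuration in the issue. */
    const char *as_reported = "tangzhankun,ubuntu,centos";
    const char *with_library = "tangzhankun,library";
    printf("%d\n", image_is_trusted("tangzhankun/tensorflow", as_reported));
    printf("%d\n", image_is_trusted("centos", as_reported));
    printf("%d\n", image_is_trusted("centos:latest", with_library));
    return 0;
}
```

With "library" listed, an image name without a repository part that is not present locally is still pulled from Docker Hub by Docker, which is the trade-off raised in the comment above.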