[ 
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16674444#comment-16674444
 ] 

Eric Yang commented on YARN-8927:
---------------------------------

{quote}But for point 1, "docker.trusted.registries" will be all about non-local 
repo. The problem is that doesn't implement how to configure the trust of 
top-level images like "centos[:tag]". Let's say, configured "library" keyword, 
top-level pattern image name is trusted.{quote}

In pseudo code, can we write:
{code}
if (image does not contain "/" and docker.trusted.registry has "library") {
  allowed = true;
} else {
  check image repository in docker.trusted.registry;
}
{code}

We should never split the configuration by pull and run. They are executed in 
the same flow; making a distinction between them can prevent the program from 
working and confuse the system admin.

{quote}For point 2, if we have a "docker.privileged.registries", does it mean 
the existing "docker.privileged-containers.enabled" will be useless? And for 
the mount stuff, how will we handle the relationship with existing 
"docker.allowed.ro-mounts" and "docker.allowed.rw-mounts"? Also deprecated 
them?{quote}

Sorry, it is a typo.  I meant to say docker.privileged-containers.registries.

I am trying to allow the implementation to happen in the order of 1, 2 and 3 
without having to revisit the logic for 1 when 2 is being implemented.

> Better handling of "docker.trusted.registries" in container-executor's 
> "trusted_image_check" function
> -----------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>              Labels: Docker
>
> There are some missing cases that we need to catch when handling 
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works when running DistributedShell with "tangzhankun/tensorflow":
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env 
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" 
> and "ubuntu[:tagName]" fails.
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.
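
The check proposed in the pseudo code above, written out in C as an added example (not code from the comment or from container-executor). The function names, the choice to compare the prefix before the first "/", and the sample values are assumptions; entries are assumed to be comma-separated with no surrounding whitespace.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: is name[0..name_len) one of the comma-separated
   entries in csv? Exact match only, never a substring or prefix match. */
static int csv_has(const char *csv, const char *name, size_t name_len) {
  const char *p = csv;
  while (*p) {
    size_t n = strcspn(p, ",");
    if (n == name_len && strncmp(p, name, n) == 0) return 1;
    p += n;
    if (*p == ',') p++;
  }
  return 0;
}

/* Returns 1 if image may run given a docker.trusted.registries value. */
int image_is_trusted(const char *image, const char *trusted_csv) {
  if (image == NULL || trusted_csv == NULL || *image == '\0') return 0;
  const char *slash = strchr(image, '/');
  if (slash == NULL) {
    /* Top-level image such as "centos" or "centos:7": trusted only when
       the "library" keyword is configured. */
    return csv_has(trusted_csv, "library", strlen("library"));
  }
  if (slash == image) return 0; /* empty repository part, e.g. "/centos" */
  /* Compare the whole prefix before the first '/', so that
     "tangzhankunx/tensorflow" does not match the entry "tangzhankun". */
  return csv_has(trusted_csv, image, (size_t)(slash - image));
}

int main(void) {
  const char *cfg = "tangzhankun,library"; /* constructed sample value */
  const char *images[] = {"centos", "centos:7", "tangzhankun/tensorflow",
                          "tangzhankunx/tensorflow", "library/centos"};
  for (size_t i = 0; i < sizeof images / sizeof images[0]; i++)
    printf("%-26s %s\n", images[i],
           image_is_trusted(images[i], cfg) ? "trusted" : "not trusted");
  return 0;
}
```

With the configuration from the issue description ("tangzhankun,ubuntu,centos") a bare "centos" is still rejected, because that list names repositories and does not contain the "library" keyword.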


