[ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16674740#comment-16674740 ]
Eric Yang commented on YARN-8927:
---------------------------------
[~tangzhankun] Pseudo code is:
{code}
if trust local image (or trust local image in a list) {
  docker image
  if exists {
    docker run
  } else {
    helper();
  }
} else {
  helper();
}
function helper() {
  allowed = false;
  if (image does not contain "/" and docker.trusted.registry has "library") {
    allowed = true;
  } else {
    allowed = image in docker.trusted.registry or
              docker.privileged-containers-registry;
  }
  if (allowed) {
    docker pull
    docker run
  }
}
{code}
When local image is disabled or not listed, then the registry image takes precedence.
This solves the 78% of majority who trust the latest greatest image from remote
repositories. If the trust local image option is enabled, the local image takes
precedence over remote repositories. There is no state to remember in Java
because the docker image command retains the memory if the image is available
locally. C-e test is simple and fast by comparing the config value with the docker
image command without having to touch the remote repository for the checks.
> Better handling of "docker.trusted.registries" in container-executor's
> "trusted_image_check" function
> -----------------------------------------------------------------------------------------------------
>
> Key: YARN-8927
> URL: https://issues.apache.org/jira/browse/YARN-8927
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
> Priority: Major
> Labels: Docker
>
> There are some missing cases that we need to catch when handling
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos
> {code}
> It works if we run DistributedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu"
> and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.
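
The helper() check from the pseudo code, run against the image names in the issue description, as an added example in C (not the container-executor source and not code from any YARN-8927 patch). The function names are hypothetical, both settings are assumed to be comma-separated lists, "image in registry" is read as "the image name starts with a listed registry followed by `/`", and `centos:7` and `centosx/img` are constructed inputs. The local-image branch, which needs the docker CLI, is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if `entry` is exactly one item of the comma-separated `list`. */
static bool list_has(const char *list, const char *entry) {
    size_t want = strlen(entry);
    for (const char *p = list; p != NULL && *p != '\0'; ) {
        size_t len = strcspn(p, ",");
        if (len == want && strncmp(p, entry, len) == 0) return true;
        p += len;
        if (*p == ',') p++;
    }
    return false;
}

/* True if `image` starts with some item of `list` followed by '/'.
 * Requiring the '/' keeps "centos" in the list from trusting "centosx/img". */
static bool registry_prefix_listed(const char *list, const char *image) {
    for (const char *p = list; p != NULL && *p != '\0'; ) {
        size_t len = strcspn(p, ",");
        if (len > 0 && strncmp(image, p, len) == 0 && image[len] == '/') return true;
        p += len;
        if (*p == ',') p++;
    }
    return false;
}

/* helper() from the pseudo code: may this image be pulled and run? */
bool image_allowed(const char *image, const char *trusted, const char *privileged) {
    if (image == NULL || image[0] == '\0') return false;
    if (strchr(image, '/') == NULL && list_has(trusted, "library")) {
        return true;  /* top-level image such as "centos" or "centos:7" */
    }
    return registry_prefix_listed(trusted, image) ||
           registry_prefix_listed(privileged, image);
}

int main(void) {
    const char *cfg = "tangzhankun,ubuntu,centos";  /* value from the issue */
    const char *imgs[] = {"tangzhankun/tensorflow", "centos", "centos:7", "centosx/img"};
    for (size_t i = 0; i < sizeof imgs / sizeof imgs[0]; i++)
        printf("%-24s %s\n", imgs[i],
               image_allowed(imgs[i], cfg, NULL) ? "trusted" : "not trusted");
    return 0;
}
```

With the configuration from the issue, `centos` stays untrusted under this reading; it is accepted only once `library` is added to the trusted list.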