[ 
https://issues.apache.org/jira/browse/YARN-9184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16762276#comment-16762276
 ] 

Eric Badger commented on YARN-9184:
-----------------------------------

bq. The latest tag does not exist on the node where the first container starts. The 
first container will need to download the latest image and find the image ID. 
This can introduce lag time for other containers to start.

This isn't necessarily true. You can query the docker registry to get the hash 
of any arbitrary image and tag. 

bq. If the image ID is used to start other containers, container-executor may have 
problems checking whether the image is coming from a trusted source. Both the image 
name and ID must be supplied through the .cmd file to container-executor. However, 
a hacker can supply an incorrect image ID and defeat the container-executor security 
checks.

You'll still need to give a URL for the image that you want to download. The 
hash will just replace the tag. So we should still be able to do trusted URL 
validation. 

> Docker run doesn't pull down latest image if the image exists locally 
> ----------------------------------------------------------------------
>
>                 Key: YARN-9184
>                 URL: https://issues.apache.org/jira/browse/YARN-9184
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>    Affects Versions: 3.1.0, 3.0.3
>            Reporter: Zhaohui Xin
>            Assignee: Zhaohui Xin
>            Priority: Major
>         Attachments: YARN-9184.001.patch, YARN-9184.002.patch, 
> YARN-9184.003.patch, YARN-9184.004.patch
>
>
> See [docker run doesn't pull down latest image if the image exists 
> locally|https://github.com/moby/moby/issues/13331].
> So, I think we should pull the image before run to make the image always the latest.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
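
Added example, not part of the original message or of the YARN code base: the approach in the comment above, where the tag is resolved to a digest through the Docker Registry HTTP API v2 and the registry part of the reference is still checked against an allow-list before the digest replaces the tag. The allow-list, the registry host and all function names are hypothetical; the digest is passed in so the example runs offline.

```python
import re

# Hypothetical allow-list; a real deployment would load it from its own config.
TRUSTED_REGISTRIES = {"registry.example.com:5000"}
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def split_reference(image):
    """Split 'registry/repository[:tag]' into (registry, repository, tag)."""
    registry, sep, rest = image.partition("/")
    if not sep or not rest:
        raise ValueError("image must be fully qualified: registry/repository")
    if "@" in rest:
        raise ValueError("image is already pinned to a digest")
    # A tag colon can only appear after the last slash; the registry part
    # may carry its own colon for the port, which partition() kept apart.
    if ":" in rest.rsplit("/", 1)[-1]:
        repository, tag = rest.rsplit(":", 1)
    else:
        repository, tag = rest, "latest"
    return registry, repository, tag


def manifest_request(image):
    """Describe the registry v2 request whose response carries the digest."""
    registry, repository, tag = split_reference(image)
    return {
        "method": "HEAD",
        "url": f"https://{registry}/v2/{repository}/manifests/{tag}",
        "headers": {
            "Accept": "application/vnd.docker.distribution.manifest.v2+json"
        },
        # The registry returns the manifest digest in this response header.
        "digest_header": "Docker-Content-Digest",
    }


def pin_image(image, digest):
    """Check the registry against the allow-list, then swap tag for digest."""
    registry, repository, _tag = split_reference(image)
    if registry not in TRUSTED_REGISTRIES:
        raise PermissionError(f"untrusted registry: {registry}")
    if not DIGEST_RE.fullmatch(digest):
        raise ValueError("digest must be sha256:<64 lowercase hex chars>")
    # The name is still present, so the trust check applies to the same
    # string that is later handed to docker as registry/repository@digest.
    return f"{registry}/{repository}@{digest}"
```

Because the pinned reference keeps the registry and repository, the trust check and the pull operate on one value instead of a separately supplied name and ID.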