[
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16767583#comment-16767583
]
Eric Badger commented on YARN-8927:
-----------------------------------
{quote}
It seems if a user wants local image "repoA/userA/imageA" to be allowed, he/she
should configure "repoA/userA" in the "docker.trusted.registries"? I will try
if this works and get back to you.
{quote}
It's not about wanting repoA/userA/imageA to be allowed. That is an easy
problem to solve as you have described. The hard part is allowing
repoA/userA/imageA to be allowed _only_ if it exists locally.
{quote}
And one thing worth noting is that if YARN allows an image name, then Docker
will check if it's local and prefer to run it before pulling from a hub. YARN's
checking logic here seems duplicated work, because if Docker can pull it and
run it, we can hardly say this "repoA/userA/imageA" is a real local image.
{quote}
If we are assuming that Dockerhub and any other default registry is untrusted
(we should), then the assumption has to be that any image by any name can be
published. Let's say I tag a local image as {{hadoop/myimage:latest}} on every
node in my cluster. We have to assume that there could be a repo within the
default registry named {{hadoop}} with an image named {{myimage:latest}}. This
doesn't make my local image {{hadoop/myimage:latest}} any less of a local
image, but it also means that there is an image in Dockerhub by the same name
which will be pulled if, for whatever reason, my local image was deleted, not
uploaded yet, etc.
> Support trust top-level image like "centos" when "library" is configured in
> "docker.trusted.registries"
> -------------------------------------------------------------------------------------------------------
>
> Key: YARN-8927
> URL: https://issues.apache.org/jira/browse/YARN-8927
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
> Priority: Major
> Labels: Docker
> Attachments: YARN-8927-trunk.001.patch, YARN-8927-trunk.002.patch
>
>
> There are some missing cases that we need to catch when handling
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works when running DistributedShell with "tangzhankun/tensorflow"
> {code:java}
> yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu"
> and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need to better handle the above cases.
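The following is an added example, not code from YARN or from anyone in this thread. It models a name-only trust check in which a top-level image such as "centos" is matched as "library", and shows the gap raised in the comment: the check gives the same answer whether or not the image exists on the node. The function names, the exact-string lookup of local images, and the sample values are assumptions made for illustration.

```python
# Added illustration; a simplified model, not the container-executor logic.
DEFAULT_NAMESPACE = "library"  # Docker resolves top-level names such as "centos" here


def trust_prefix(image):
    """Return the part of an image name that is matched against the trusted list."""
    head, sep, _ = image.rpartition("/")
    if not sep:
        return DEFAULT_NAMESPACE      # "centos", "centos:7", "ubuntu"
    return head                       # "repoA/userA/imageA" -> "repoA/userA"


def is_trusted(image, trusted):
    """Name-only check: the only inputs are the image name and the configured list."""
    return trust_prefix(image) in trusted


def outcome(image, trusted, local_images):
    """Model one launch request on one node (hypothetical helper)."""
    if not is_trusted(image, trusted):
        return "rejected"
    # The decision above never consulted local_images, so a trusted name is
    # accepted both when the image is on the node and when it is missing.
    if image in local_images:         # assumption: exact-name match for local images
        return "run local image"
    return "pull from default registry"


# Constructed sample values based on the names used in the thread.
PAGE_CONFIG = {"tangzhankun", "ubuntu", "centos"}
WITH_LIBRARY = PAGE_CONFIG | {"library"}

if __name__ == "__main__":
    for cfg_name, cfg in (("page config", PAGE_CONFIG), ("with library", WITH_LIBRARY)):
        for image in ("tangzhankun/tensorflow", "centos", "ubuntu:18.04"):
            print(cfg_name, image, is_trusted(image, cfg))
    # Same image name, same configuration, two node states.
    for local in ({"hadoop/myimage:latest"}, set()):
        print(outcome("hadoop/myimage:latest", {"hadoop"}, local))
```

The last loop prints two different outcomes for the same accepted name, which is why allowing an image only if it exists locally cannot be decided from the name alone.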