[jira] [Commented] (YARN-8927) Support trust top-level image like "centos" when "library" is configured in "docker.trusted.registries"

[Eric Yang (JIRA)]

    [ 
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16767636#comment-16767636
 ] 

Eric Yang commented on YARN-8927:
---------------------------------

[~ebadger] {quote}If we are assuming that Dockerhub and any other default 
registry is untrusted (we should), then the assumption has to be that any image 
by any name can be published. Let's say I tag a local image as 
hadoop/myimage:latest on every node in my cluster. We have to assume that there 
could be a repo within the default registry named hadoop with an image named 
myimage:latest. This doesn't make my local image hadoop/myimage:latest any less 
of a local image, but it also means that there is an image in Dockerhub by the 
same name which will be pulled if, for whatever reason, my local image was 
deleted, not uploaded yet, etc.{quote}

The last point is covered by YARN-9184.  Can you confirm?

> Support trust top-level image like "centos" when "library" is configured in 
> "docker.trusted.registries"
> -------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8927-trunk.001.patch, YARN-8927-trunk.002.patch
>
>
> There are some missing cases that we need to catch when handling 
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if run DistrubutedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env 
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But run a DistrubutedShell job with "centos", "centos[:tagName]", "ubuntu" 
> and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling the above cases.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org