[ 
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16767744#comment-16767744
 ] 

Eric Badger commented on YARN-8927:
-----------------------------------

This isn't an admin mistakenly naming their local image the same as a 
repository on dockerhub. The admin will name their local images something and 
then after that a nefarious actor will upload a malicious image to that same 
location in dockerhub. Unless you are assuming that dockerhub is to be a 
trusted source, which I don't think it can be.

As for avoiding this issue by using a private repository, this is not possible 
as Docker refuses to remove docker.io from the default registry list 
(https://github.com/moby/moby/issues/33069). So docker.io will always be the 
fallback if the image does not exist locally. 

Again, I would love it if Docker would just allow you to remove default 
registries or add a --no-pull flag or similar to the run command. But, since 
they are not and will not do those, we have to mitigate in other ways to avoid 
bad apples who can push malicious images to dockerhub.

> Support trust top-level image like "centos" when "library" is configured in 
> "docker.trusted.registries"
> -------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8927-trunk.001.patch, YARN-8927-trunk.002.patch
>
>
> There are some missing cases that we need to catch when handling 
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos
> {code}
> It works if you run DistributedShell with "tangzhankun/tensorflow":
> {code:java}
> yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env 
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" 
> or "ubuntu[:tagName]" fails.
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
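The two points made above (the image name "centos" resolving to the `library` namespace on Docker Hub, and any image name without a registry host falling back to docker.io) can be made concrete by modelling how a Docker image reference is normalised and how a `docker.trusted.registries` list could be matched against it. The following is an added example, not code from Hadoop YARN or the container-executor: the reference-normalisation rules are Docker's own (no slash means `docker.io/library/<name>`; a leading component is a registry host only if it contains `.` or `:` or is `localhost`), while the trust-matching semantics in `is_trusted` (an entry matches the registry host, or the namespace for Docker Hub images, so `library` covers top-level images) are an assumption made for illustration.

```python
"""
Added example (not Hadoop YARN code): model Docker image-reference
normalisation and a docker.trusted.registries check, including the
"library" case for top-level images such as "centos".
"""
from typing import NamedTuple, Optional

DEFAULT_REGISTRY = "docker.io"     # Docker's hard-wired fallback registry
DEFAULT_NAMESPACE = "library"      # where Docker Hub "official" images live


class ImageRef(NamedTuple):
    registry: str
    namespace: Optional[str]   # None when the path has no namespace part
    repository: str
    tag: str                   # tag, or "sha256:..." when pinned by digest


def _is_registry_host(component: str) -> bool:
    # Docker treats the first path component as a registry host only if it
    # looks like one; otherwise it is a Docker Hub namespace.
    return "." in component or ":" in component or component == "localhost"


def parse_image(image: str) -> ImageRef:
    """Normalise an image reference the way the Docker daemon does."""
    parts = image.split("/")
    if len(parts) == 1 or not _is_registry_host(parts[0]):
        registry = DEFAULT_REGISTRY       # no host given: docker.io is the fallback
        path = parts
    else:
        registry = parts[0]
        path = parts[1:]
    if not path or not all(path):
        raise ValueError(f"malformed image reference: {image!r}")

    last = path[-1]
    tag = "latest"
    if "@" in last:                       # digest-pinned reference
        last, tag = last.split("@", 1)
    elif ":" in last:
        last, tag = last.rsplit(":", 1)
    path = path[:-1] + [last]

    if registry == DEFAULT_REGISTRY and len(path) == 1:
        # "centos" really means docker.io/library/centos
        path = [DEFAULT_NAMESPACE] + path

    namespace = "/".join(path[:-1]) if len(path) > 1 else None
    return ImageRef(registry, namespace, path[-1], tag)


def is_trusted(image: str, trusted_registries: str) -> bool:
    """
    Hypothetical model of a docker.trusted.registries check (assumption, not
    the container-executor's code): an entry matches the image's registry
    host or, for Docker Hub images, its namespace.  Listing "library" is
    therefore what trusts top-level images like "centos" or "ubuntu:18.04".
    """
    trusted = {e.strip() for e in trusted_registries.split(",") if e.strip()}
    ref = parse_image(image)
    if ref.registry in trusted:
        return True
    return ref.registry == DEFAULT_REGISTRY and ref.namespace in trusted


if __name__ == "__main__":
    cfg = "tangzhankun,ubuntu,centos"     # the value from the issue description
    for img in ["tangzhankun/tensorflow", "centos", "centos:7", "myorg/myimage"]:
        ref = parse_image(img)
        print(f"{img:24} -> {ref.registry}/{ref.namespace}/{ref.repository}:{ref.tag}"
              f"  trusted={is_trusted(img, cfg)}")
    print("with 'library' added:", is_trusted("centos", cfg + ",library"))
```

Running it shows why `centos` is rejected under `docker.trusted.registries=tangzhankun,ubuntu,centos`: the image normalises to `docker.io/library/centos`, and neither `docker.io` nor `library` is in the list, even though the bare word `centos` is. It also shows that a locally built `myorg/myimage` still normalises to `docker.io/myorg/myimage`, which is the fallback-pull exposure the comment describes.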
