[ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16768760#comment-16768760 ]
Eric Yang commented on YARN-8927: --------------------------------- Patch 2 uses '/' to determine if the image is a top level image. It does not use '/' character to detect local image. If admin wants to authorize local image, he/she can tag local image with trusted registry prefix. As long as the trusted registry prefix does not have the same name as docker hub registry name, authorized local images are safe to use. If local image is named without '/' character, they are also allowed for now until YARN-9306 is addressed. It would take admin rights to tag local image without '/' character. The possibility of using library keyword to trigger unauthorized image to run is hard to accomplish. Patch 2 is good enough for me. +1 for patch 2. I will commit patch 2 if no objection. > Support trust top-level image like "centos" when "library" is configured in > "docker.trusted.registries" > ------------------------------------------------------------------------------------------------------- > > Key: YARN-8927 > URL: https://issues.apache.org/jira/browse/YARN-8927 > Project: Hadoop YARN > Issue Type: Improvement > Reporter: Zhankun Tang > Assignee: Zhankun Tang > Priority: Major > Labels: Docker > Attachments: YARN-8927-trunk.001.patch, YARN-8927-trunk.002.patch > > > There are some missing cases that we need to catch when handling > "docker.trusted.registries". > The container-executor.cfg configuration is as follows: > {code:java} > docker.trusted.registries=tangzhankun,ubuntu,centos{code} > It works if run DistrubutedShell with "tangzhankun/tensorflow" > {code:java} > "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env > YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow > {code} > But run a DistrubutedShell job with "centos", "centos[:tagName]", "ubuntu" > and "ubuntu[:tagName]" fails: > The error message is like: > {code:java} > "image: centos is not trusted" > {code} > We need better handling the above cases. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org