[jira] [Commented] (YARN-8927) Support trust top-level image like "centos" when "library" is configured in "docker.trusted.registries"

[Eric Yang (JIRA)]

    [ 
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16768760#comment-16768760
 ] 

Eric Yang commented on YARN-8927:
---------------------------------

Patch 2 uses '/' to determine if the image is a top level image.  It does not 
use '/' character to detect local image.  If admin wants to authorize local 
image, he/she can tag local image with trusted registry prefix.  As long as the 
trusted registry prefix does not have the same name as docker hub registry 
name, authorized local images are safe to use.  If local image is named without 
'/' character, they are also allowed for now until YARN-9306 is addressed.  It 
would take admin rights to tag local image without '/' character.  The 
possibility of using library keyword to trigger unauthorized image to run is 
hard to accomplish.  Patch 2 is good enough for me.  +1 for patch 2.  I will 
commit patch 2 if no objection.

> Support trust top-level image like "centos" when "library" is configured in 
> "docker.trusted.registries"
> -------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8927-trunk.001.patch, YARN-8927-trunk.002.patch
>
>
> There are some missing cases that we need to catch when handling 
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if run DistrubutedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env 
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But run a DistrubutedShell job with "centos", "centos[:tagName]", "ubuntu" 
> and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling the above cases.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org