[ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16767790#comment-16767790 ]
Eric Yang edited comment on YARN-8927 at 2/14/19 10:11 PM:
-----------------------------------------------------------

[~ebadger] I think it's still an admin mistake because the repository name can be preconfigured to a host in local domain which would have no chance to contact docker hub even if a repository is later set up to try to impersonate. YARN's trusted registry acl can avoid untrusted docker hub repository. The discussion is digressing. I agree that adding the local image white list can tighten security further for images without '/' characters or used. This jira can't solve docker run pulling remote image when image is absent or remote image name is identical to local image name. [~csingh] is solving the docker image localization issues in YARN-3854. It may help to solve precheck of image existence in her story instead.

was (Author: eyang):

[~ebadger] I think it's still an admin mistake because the repository name can be preconfigured to a host in local domain which would have no chance to contact docker hub even if a repository is later set up to try to impersonate. YARN's trusted registry acl can avoid untrusted docker hub repository. The discussion is digressing. I agree that adding the local image white list can tighten security further for images without '/' characters or used. This jira can't solve docker run pulling remote image when image is absent or remote image name is identical to local image name. [~csingh] is solving the docker image localization issues in YARN-9228. It may help to solve precheck of image existence in her story instead.
> Support trust top-level image like "centos" when "library" is configured in "docker.trusted.registries"
> -------------------------------------------------------------------------------------------------------
>
> Key: YARN-8927
> URL: https://issues.apache.org/jira/browse/YARN-8927
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
> Priority: Major
> Labels: Docker
> Attachments: YARN-8927-trunk.001.patch, YARN-8927-trunk.002.patch
>
>
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if we run DistributedShell with "tangzhankun/tensorflow":
> {code:java}
> yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" and "ubuntu[:tagName]" fails.
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.
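
The trust decision discussed in this issue, as an added example that is not part of the original message and is not YARN's container-executor code. It assumes the check compares the text before the first '/' with the configured list; the function names and the second configuration line are constructed for illustration.

```python
# Added example, not YARN's code. Assumption: trust is decided by comparing
# the text before the first '/' in the image name with the configured list.

def parse_trusted(cfg_line):
    """Parse 'docker.trusted.registries=a,b,c' into a set of names."""
    key, _, value = cfg_line.partition("=")
    if key.strip() != "docker.trusted.registries":
        raise ValueError("unexpected key: " + key)
    return {v.strip() for v in value.split(",") if v.strip()}

def registry_prefix(image):
    """Text before the first '/', or None for a top-level image.

    Splitting on '/' first keeps 'localhost:5000/centos' from being read
    as image 'localhost' with a tag.
    """
    head, sep, _ = image.partition("/")
    return head if sep else None

def trusted_prefix_only(image, trusted):
    """Behaviour reported in the issue: a name without '/' never matches."""
    prefix = registry_prefix(image)
    return bool(image) and prefix is not None and prefix in trusted

def trusted_with_library(image, trusted):
    """Requested behaviour: a top-level image ('centos', 'centos:7') is
    trusted only when 'library' is listed."""
    if not image:
        return False
    prefix = registry_prefix(image)
    if prefix is None:
        return "library" in trusted
    return prefix in trusted

# First line is the configuration quoted in the issue; second is constructed.
REPORTED = parse_trusted("docker.trusted.registries=tangzhankun,ubuntu,centos")
WITH_LIBRARY = parse_trusted("docker.trusted.registries=tangzhankun,library")

if __name__ == "__main__":
    for img in ("tangzhankun/tensorflow", "centos", "centos:7",
                "library/centos", "localhost:5000/centos"):
        print(img, trusted_prefix_only(img, REPORTED),
              trusted_with_library(img, WITH_LIBRARY))
```

A name-based check like this says nothing about whether the image already exists locally, which is the gap the comment above leaves to the image localization work.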