[
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16767790#comment-16767790
]
Eric Yang edited comment on YARN-8927 at 2/14/19 10:11 PM:
-----------------------------------------------------------
[~ebadger] I think it's still admin mistake because the repository name can be
preconfigured to a host in local domain which would have no chance to contact
docker hub even if a repository is later setup to try to impersonate. YARN's
trusted registry acl can avoid untrusted docker hub repository. The discussion
is digressing. I agree that adding the local image white list can tighten
security further for images without '/' characters or used. This jira can't
solve docker run pulling remote image when image is absent or remote image name
is identical to local image name. [~csingh] is solving the docker image
localization issues in YARN-3854. It may help to solve precheck of image
existence in her story instead.
was (Author: eyang):
[~ebadger] I think it's still admin mistake because the repository name can be
preconfigured to a host in local domain which would have no chance to contact
docker hub even if a repository is later setup to try to impersonate. YARN's
trusted registry acl can avoid untrusted docker hub repository. The discussion
is digressing. I agree that adding the local image white list can tighten
security further for images without '/' characters or used. This jira can't
solve docker run pulling remote image when image is absent or remote image name
is identical to local image name. [~csingh] is solving the docker image
localization issues in YARN-9228. It may help to solve precheck of image
existence in her story instead.
> Support trust top-level image like "centos" when "library" is configured in
> "docker.trusted.registries"
> -------------------------------------------------------------------------------------------------------
>
> Key: YARN-8927
> URL: https://issues.apache.org/jira/browse/YARN-8927
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
> Priority: Major
> Labels: Docker
> Attachments: YARN-8927-trunk.001.patch, YARN-8927-trunk.002.patch
>
>
> There are some missing cases that we need to catch when handling
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if run DistrubutedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But run a DistrubutedShell job with "centos", "centos[:tagName]", "ubuntu"
> and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling the above cases.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
