[
https://issues.apache.org/jira/browse/YARN-8376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16789937#comment-16789937
]
Eric Badger commented on YARN-8376:
-----------------------------------
Hey, [~eyang] thanks for the patch.
The current patch only uses {{docker.privileged-container.registries}} and
{{docker.trusted.registries}} separately. However, I think that there is a need
for use them together. To me, it makes sense that
{{docker.privileged-containers.registries}} should be a superset of
{{docker.trusted.registries}}. So if the container is privileged, we would only
check {{docker.privileged-containers.registries}}. But, if a container isn't
privileged, we should check both {{docker.privileged-containers.registries}}
and {{docker.trusted.registries}}. Because if you're trusting an image to be
run as privileged, it is implied that you would also trust it to be run as
non-privileged. That way an admin wouldn't have to configure both of the
configs if they wanted an image to be run in either privileged or
non-privileged configurations.
Also, there needs to be a mode where you can specify for there to be no
privileged registries. I think that this should be the default option. It would
be nice to have that as an option without having to explicitly having to
specify an empty list for {{docker.privileged-containers.registries}}. I
understand that this will be incompatible, but I believe that it is still a
good thing to do because of the security concerns and making sure that we err
on the side of security out of the box.
> Separate white list for docker.trusted.registries and
> docker.privileged-container.registries
> --------------------------------------------------------------------------------------------
>
> Key: YARN-8376
> URL: https://issues.apache.org/jira/browse/YARN-8376
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: docker
> Attachments: YARN-8376.001.patch, YARN-8376.002.patch
>
>
> In the ideal world, it would be possible to have separate white lists for
> docker registry depending on the security requirement for each type of docker
> images:
> 1. Registries from which we can run non-privileged containers without mounts
> 2. Registries from which we can run non-privileged containers with mounts
> 3. Registries from which we can run privileged or non-privileged containers
> with mounts
> In the current implementation, there are only type 1 and type 2 or 3. It
> would be nice to definite a separate white list to differentiate between 2
> and 3.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
