[
https://issues.apache.org/jira/browse/YARN-8376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16791855#comment-16791855
]
Jim Brennan commented on YARN-8376:
-----------------------------------
[~eyang] [~ebadger] sorry for joining this late. It seems like the intent of
this Jira is to provide the ability to separately configure the full set of
registries that can be used to run in privileged mode. I think this is a
reasonable thing to enable.
[~ebadger], the proposed patch does not preclude putting a registry in both
lists if you want to enable running its images privileged and unprivileged. If
you want to enable all of the registries for both types of use
(privileged/non-privileged), you can just specify the trusted registries list
as [~eyang] said. But if you have any that you want to restrict to privileged
mode only, you need the separate list. I think you are suggesting that when
running non-privileged mode, you should be able to use the registries in the
privileged list. While there may be reasons to enable that, I think it is a
little confusing/surprising.
That said, I think it would be even clearer if the privileged mode required the
use of the privileged-registries-list instead of falling back on the
trusted-registries-list if it's not defined. I assume it's being done this way
for backward compatibility? That would make it simple - if privileged mode is
enabled and requested, only use the privileged-registries list. If privileged
mode is disabled or not requested, only use the trusted-registries list.
> Separate white list for docker.trusted.registries and
> docker.privileged-container.registries
> --------------------------------------------------------------------------------------------
>
> Key: YARN-8376
> URL: https://issues.apache.org/jira/browse/YARN-8376
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: docker
> Attachments: YARN-8376.001.patch, YARN-8376.002.patch
>
>
> In the ideal world, it would be possible to have separate white lists for
> docker registry depending on the security requirement for each type of docker
> images:
> 1. Registries from which we can run non-privileged containers without mounts
> 2. Registries from which we can run non-privileged containers with mounts
> 3. Registries from which we can run privileged or non-privileged containers
> with mounts
> In the current implementation, there are only type 1 and type 2 or 3. It
> would be nice to define a separate white list to differentiate between 2
> and 3.
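To make the two allow-list semantics under discussion concrete, here is an added example (not YARN's own container-executor code) of a registry check: with `fallback_to_trusted` false it implements the stricter rule proposed in the comment above (privileged requests consult only the privileged list, everything else only the trusted list); with it true it shows the fallback to `docker.trusted.registries` when `docker.privileged-container.registries` is unset. The image-name parsing and the handling of images with no registry prefix are simplifying assumptions of this example.

```c
/* Added example, not YARN code: decide whether an image's registry is
 * allowed under the trusted / privileged allow-list semantics discussed. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed helper: copy the registry prefix of "registry/repo:tag" into out.
 * An image with no '/' (e.g. "ubuntu:18.04") yields an empty registry,
 * which never matches a list; real YARN resolves such images differently. */
static void image_registry(const char *image, char *out, size_t outlen) {
    const char *slash = strchr(image, '/');
    size_t n = slash ? (size_t)(slash - image) : 0;
    if (n >= outlen) n = outlen - 1;
    memcpy(out, image, n);
    out[n] = '\0';
}

/* Exact-match lookup of registry in a comma-separated list ("local,centos").
 * Compares whole entries, so "loc" does not match "local". */
static bool list_contains(const char *csv, const char *registry) {
    if (csv == NULL || *registry == '\0') return false;
    size_t rlen = strlen(registry);
    const char *p = csv;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == rlen && strncmp(p, registry, rlen) == 0) return true;
        if (!comma) break;
        p = comma + 1;
    }
    return false;
}

/* privileged: the container requested privileged mode.
 * fallback_to_trusted: when the privileged list is unset, fall back to the
 * trusted list (patch behaviour); false gives the stricter proposal, where
 * a privileged request with no privileged list is simply denied. */
bool registry_allowed(const char *image, const char *trusted,
                      const char *privileged_list, bool privileged,
                      bool fallback_to_trusted) {
    char reg[256];
    image_registry(image, reg, sizeof reg);
    if (privileged) {
        if (privileged_list == NULL || *privileged_list == '\0')
            return fallback_to_trusted && list_contains(trusted, reg);
        return list_contains(privileged_list, reg);
    }
    /* Non-privileged requests never consult the privileged list. */
    return list_contains(trusted, reg);
}
```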
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)