[
https://issues.apache.org/jira/browse/YARN-8376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16791936#comment-16791936
]
Eric Badger commented on YARN-8376:
-----------------------------------
bq. That would make it simple - if privileged mode is enabled and requested,
only use the privileged-registries list. If privileged mode is disabled or not
requested, only use the trusted-registries list.
While I still don't see a reason that an image from a privileged registry
shouldn't be allowed to run without privilege, I am ok with this approach. It
makes things very clear and should unstick us so that we can move the patch
forward.
bq. Yes, it is written for backward compatibility to use trusted registry as
source for privileged container image. I like the straightforward mapping as
well, but too bad that this couldn't have been delivered sooner.
To maintain backwards compatibility could we change the variable names around a
little bit? We could use {{docker.trusted.non-privileged.registries}} and
{{docker.trusted.privileged.registries}}. We then could map
{{docker.trusted.registries}} to {{trusted.privileged.registries}} to maintain
backwards compatibility.
> Separate white list for docker.trusted.registries and
> docker.privileged-container.registries
> --------------------------------------------------------------------------------------------
>
> Key: YARN-8376
> URL: https://issues.apache.org/jira/browse/YARN-8376
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: docker
> Attachments: YARN-8376.001.patch, YARN-8376.002.patch
>
>
> In the ideal world, it would be possible to have separate white lists for
> docker registry depending on the security requirement for each type of docker
> images:
> 1. Registries from which we can run non-privileged containers without mounts
> 2. Registries from which we can run non-privileged containers with mounts
> 3. Registries from which we can run privileged or non-privileged containers
> with mounts
> In the current implementation, there are only type 1 and type 2 or 3. It
> would be nice to define a separate white list to differentiate between 2
> and 3.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
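The rule proposed in the comment above (privileged requests consult only the privileged list, everything else only the non-privileged list, with the legacy key mapped onto the privileged list), as an added illustration that is not YARN's own container-executor code. The two new property names are the ones suggested in the comment and are hypothetical; the enabled flag name and the registry parsing convention (first path component is a registry only if it contains `.` or `:` or is `localhost`, else Docker Hub) are assumptions.

```python
"""Illustrative registry allow-list policy for the scheme discussed in YARN-8376.

Not the project's code: a stand-alone model of the proposed rule so the
behaviour of the two lists and the backward-compatibility alias can be checked.
"""
from typing import Dict, List

# Property names proposed in the comment (hypothetical; not a released config).
NON_PRIV_KEY = "docker.trusted.non-privileged.registries"
PRIV_KEY = "docker.trusted.privileged.registries"
# Existing key, treated here as an alias of the privileged list.
LEGACY_KEY = "docker.trusted.registries"
# Assumed spelling of the "privileged mode enabled" switch.
ENABLED_KEY = "docker.privileged-containers.enabled"


def parse_registries(conf: Dict[str, str], key: str) -> List[str]:
    """Split a comma-separated registry list, dropping blanks and whitespace."""
    return [r.strip() for r in conf.get(key, "").split(",") if r.strip()]


def image_registry(image: str) -> str:
    """Return the registry part of an image reference.

    Assumed convention (Docker's): the first path component names a registry
    only when it contains '.' or ':' or equals 'localhost'; otherwise the
    image is resolved against Docker Hub (docker.io).
    """
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def image_allowed(conf: Dict[str, str], image: str, privileged_requested: bool) -> bool:
    """Decide whether `image` may run, per the rule proposed in the thread.

    privileged requested -> consult only the privileged list (plus legacy alias)
    otherwise            -> consult only the non-privileged list
    A privileged request is refused outright when privileged mode is disabled.
    """
    privileged_enabled = conf.get(ENABLED_KEY, "false").strip().lower() == "true"
    if privileged_requested:
        if not privileged_enabled:
            return False
        allowed = parse_registries(conf, PRIV_KEY) + parse_registries(conf, LEGACY_KEY)
    else:
        allowed = parse_registries(conf, NON_PRIV_KEY)
    return image_registry(image) in allowed
```

A registry present only in the legacy list therefore still serves privileged images, which is the backward-compatible mapping the comment asks for, while gaining no non-privileged entitlement unless it is also listed under the non-privileged key.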