[
https://issues.apache.org/jira/browse/YARN-8376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16792064#comment-16792064
]
Eric Yang commented on YARN-8376:
---------------------------------
[~ebadger] What happens if docker.trusted.registries and
docker.trusted.non-privileged.registries both exist, but
docker.trusted.privileged.registries doesn't exist? Or
docker.trusted.registries and docker.trusted.privileged.registries both exist,
but docker.trusted.non-privileged.registries doesn't exist? Both cases seem to
require an error to be thrown. The new names are too similar; it is harder to get
the proper config correct. It'll cause more friction to adopt the new
scheme.
> Separate white list for docker.trusted.registries and
> docker.privileged-container.registries
> --------------------------------------------------------------------------------------------
>
> Key: YARN-8376
> URL: https://issues.apache.org/jira/browse/YARN-8376
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: docker
> Attachments: YARN-8376.001.patch, YARN-8376.002.patch
>
>
> In the ideal world, it would be possible to have separate white lists for
> docker registry depending on the security requirement for each type of docker
> images:
> 1. Registries from which we can run non-privileged containers without mounts
> 2. Registries from which we can run non-privileged containers with mounts
> 3. Registries from which we can run privileged or non-privileged containers
> with mounts
> In the current implementation, there are only type 1 and type 2 or 3. It
> would be nice to define a separate white list to differentiate between 2
> and 3.