[
https://issues.apache.org/jira/browse/YARN-8376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16792080#comment-16792080
]
Eric Badger commented on YARN-8376:
-----------------------------------
bq. What happens if docker.trusted.registries and
docker.trusted.non-privileged.registries both exist, but
docker.trusted.privileged.registries doesn't exist? Or
docker.trusted.registries and docker.trusted.privileged.registries both exist,
but docker.trusted.non-privileged.registries doesn't exist?

Both of these cases would either require {{docker.trusted.registries}} to be
ignored or for an error to be thrown.

bq. The new names are too similar, it is harder to get the proper config
correct. It'll cause more friction to adopt the new scheme.

I don't see how to maintain full backwards compatibility if we continue to use
{{docker.trusted.registries}}, but in a different way. Are you ok with this?
> Separate white list for docker.trusted.registries and
> docker.privileged-container.registries
> --------------------------------------------------------------------------------------------
>
> Key: YARN-8376
> URL: https://issues.apache.org/jira/browse/YARN-8376
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: docker
> Attachments: YARN-8376.001.patch, YARN-8376.002.patch
>
>
> In the ideal world, it would be possible to have separate white lists for
> docker registry depending on the security requirement for each type of docker
> images:
> 1. Registries from which we can run non-privileged containers without mounts
> 2. Registries from which we can run non-privileged containers with mounts
> 3. Registries from which we can run privileged or non-privileged containers
> with mounts
> In the current implementation, there are only type 1 and type 2 or 3. It
> would be nice to define a separate white list to differentiate between 2
> and 3.