[
https://issues.apache.org/jira/browse/YARN-8376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16792100#comment-16792100
]
Jim Brennan commented on YARN-8376:
-----------------------------------
To be clear, I am ok with the approach used in patch 002, where
docker.trusted.registries is used for the privileged path if
docker.privileged.registries is not defined. It seems like the least impact
approach.
I have a minor code suggestion for patch 002:
{noformat}
char *privileged = NULL;
char **privileged_registry = NULL;
privileged = get_configuration_value("privileged", DOCKER_COMMAND_FILE_SECTION,
command_config);
if (privileged != NULL && strcasecmp(privileged, "true") == 0 ) {
privileged_registry =
get_configuration_values_delimiter("docker.privileged-containers.registries",
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
if (privileged_registry == NULL) {
privileged_registry =
get_configuration_values_delimiter("docker.trusted.registries",
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
}
} else {
privileged_registry =
get_configuration_values_delimiter("docker.trusted.registries",
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
}{noformat}
You could move the if (privileged_registry == NULL) section outside the first
if and remove the else clause.
{noformat}
char *privileged = NULL;
char **privileged_registry = NULL;
privileged = get_configuration_value("privileged",
DOCKER_COMMAND_FILE_SECTION, command_config);
if (privileged != NULL && strcasecmp(privileged, "true") == 0 ) {
privileged_registry =
get_configuration_values_delimiter("docker.privileged-containers.registries",
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
}
if (privileged_registry == NULL) {
privileged_registry =
get_configuration_values_delimiter("docker.trusted.registries",
CONTAINER_EXECUTOR_CFG_DOCKER_SECTION, conf, ",");
}
{noformat}
Removes a little code duplication.
> Separate white list for docker.trusted.registries and
> docker.privileged-container.registries
> --------------------------------------------------------------------------------------------
>
> Key: YARN-8376
> URL: https://issues.apache.org/jira/browse/YARN-8376
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: docker
> Attachments: YARN-8376.001.patch, YARN-8376.002.patch
>
>
> In the ideal world, it would be possible to have separate white lists for
> docker registry depending on the security requirement for each type of docker
> images:
> 1. Registries from which we can run non-privileged containers without mounts
> 2. Registries from which we can run non-privileged containers with mounts
> 3. Registries from which we can run privileged or non-privileged containers
> with mounts
> In the current implementation, there are only type 1 and type 2 or 3. It
> would be nice to definite a separate white list to differentiate between 2
> and 3.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
