[jira] [Commented] (YARN-8342) Using docker image from a non-privileged registry, the launch_command is not honored

Tue, 29 May 2018 12:36:29 -0700 


    [ 
https://issues.apache.org/jira/browse/YARN-8342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16494120#comment-16494120
 ] 

Eric Yang commented on YARN-8342:
---------------------------------

[~ebadger] {quote}
You have high confidence in everything in this registry and therefore are 
willing to let these images be run as privileged. With a single list for 
registries (with mounts), I believe this use case would be impossible.{quote}

I agree this is a possible area for improvement.

{quote}
I agree with the launch_command change. As for the registries label change, it 
would be nice to have a plan in place for how we're going to tackle this to 
make it less confusing. However, I'm also ok making that a separate change in a 
different JIRA.
{quote}

This is progression improvement that can be enhanced to further lock down 
privileged registry when the demand arises.  I opened YARN-8376 to track the 
separation of white lists to avoid confusions.  At this time, we will label 
type 2 and 3 as docker.trusted.registries.  In YARN-8376, we can label type 2 
as docker.trusted.registries, and type 3 as 
docker.privileged-container.registries.

> Using docker image from a non-privileged registry, the launch_command is not 
> honored
> ------------------------------------------------------------------------------------
>
>                 Key: YARN-8342
>                 URL: https://issues.apache.org/jira/browse/YARN-8342
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Wangda Tan
>            Assignee: Eric Yang
>            Priority: Critical
>              Labels: Docker
>         Attachments: YARN-8342.001.patch
>
>
> During test of the Docker feature, I found that if a container comes from 
> non-privileged docker registry, the specified launch command will be ignored. 
> Container will success without any log, which is very confusing to end users. 
> And this behavior is inconsistent to containers from privileged docker 
> registries.
> cc: [~eyang], [~shaneku...@gmail.com], [~ebadger], [~jlowe]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to