[
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16663948#comment-16663948
]
Eric Badger commented on YARN-8927:
-----------------------------------
bq. Eric Badger This seems to imply that library keyword will toggle to allow
public image and image without a registry name. Locally built images will not
have registry name. Should we trust all local images without a registry name? I
prefer this idea more than prepending library/* but just want to be sure that
by common sense, local images can be trusted without getting into trouble.
I'm not sure it has to be one or the other. If you specify just {{library}} in
the trusted registries then it would mean that all local images are trusted. If
you specify {{library/centos:latest}}, then only the {{centos:latest}} image
that is local will be trusted and none of the other local images. The main
takeaway I want to have here is that the user should not have to change the
name of what they're specifying. If the image on the node is {{centos:latest}}
then they should ask for {{centos:latest}}, not {{library/centos:latest}}. And
there should be a configuration in {{docker.trusted.registries}} to allow for
that image to be trusted, even if it is a local image that has no "registry"
> Better handling of "docker.trusted.registries" in container-executor's
> "trusted_image_check" function
> -----------------------------------------------------------------------------------------------------
>
> Key: YARN-8927
> URL: https://issues.apache.org/jira/browse/YARN-8927
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
> Priority: Major
>
> There are some missing cases that we need to catch when handling
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if run DistrubutedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But run a DistrubutedShell job with "centos", "centos[:tagName]", "ubuntu"
> and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling the above cases.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
