[ 
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16664324#comment-16664324
 ] 

Eric Badger commented on YARN-8927:
-----------------------------------

[~eyang], I see your concern now. However, that would still be a problem 
(albeit to a smaller extent) with using {{library}}. Admins that want to trust 
local images don't necessarily want to trust the {{library}} repo on dockerhub. 
Outside of removing all default registries, is there a way to allow trusted 
local images? We would basically need to make sure that {{docker run}} only ran 
on local images (which I don't believe is possible) and have a separate pull 
phase before running. Otherwise, if the image doesn't exist locally it will 
always go out to the default registries to try and pull it.

I guess maybe we could do a check on the local images when we see that there is 
an image that wants to be run, needs to be trusted, has no registry prepended 
to the name, and {{docker.trusted.registries}} contains {{library}}. Then we 
would only run the container if the image in question was already there. But 
then you couldn't run an image from a default registry from the {{library}} 
repo unless you gave its full URI. Maybe that's ok. 

> Better handling of "docker.trusted.registries" in container-executor's 
> "trusted_image_check" function
> -----------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>
> There are some missing cases that we need to catch when handling 
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if we run DistributedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env 
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" 
> and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.



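The check proposed in the comment above, sketched as an added example (not code from container-executor or from anyone in the thread): an unqualified image is accepted only when {{library}} is trusted and the image is already on the node, so that {{docker run}} never falls back to a pull from the default registries. Function and enum names are hypothetical, the local image list is a constructed string standing in for a query to the Docker daemon, and matching on the prefix before the first "/" is an assumption based on the behaviour the issue describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of the proposed check; all names here are hypothetical. */
enum image_decision { ALLOW, DENY_UNTRUSTED, DENY_NOT_LOCAL };

/* True if the first `len` bytes of `name` equal one entry of comma-separated `list`. */
static bool in_list(const char *list, const char *name, size_t len) {
    for (const char *p = list; *p != '\0';) {
        size_t n = strcspn(p, ",");
        if (n == len && strncmp(p, name, len) == 0) return true;
        p += n;
        if (*p == ',') p++;
    }
    return false;
}

/*
 * trusted:      value of docker.trusted.registries
 * image:        requested image name, e.g. "centos:7"
 * local_images: comma-separated "name:tag" entries already on the node
 *               (constructed input; a real check would ask the Docker daemon)
 */
enum image_decision check_image(const char *trusted, const char *image,
                                const char *local_images) {
    const char *slash = strchr(image, '/');
    if (slash != NULL) {
        /* Qualified name: the prefix before the first '/' must be listed. */
        return in_list(trusted, image, (size_t)(slash - image)) ? ALLOW : DENY_UNTRUSTED;
    }
    /* Unqualified name: only acceptable when "library" is trusted ... */
    if (!in_list(trusted, "library", strlen("library"))) return DENY_UNTRUSTED;
    /* ... and the image is already present, so docker run never pulls. */
    char full[256];
    int n = snprintf(full, sizeof full, "%s%s", image, strchr(image, ':') ? "" : ":latest");
    if (n < 0 || (size_t)n >= sizeof full) return DENY_NOT_LOCAL;
    return in_list(local_images, full, (size_t)n) ? ALLOW : DENY_NOT_LOCAL;
}

int main(void) {
    const char *local = "centos:7,ubuntu:latest";   /* constructed sample */
    printf("%d\n", check_image("tangzhankun,library", "centos:7", local));
    printf("%d\n", check_image("tangzhankun,library", "centos", local));
    printf("%d\n", check_image("tangzhankun,ubuntu,centos", "centos", local));
    return 0;
}
```

With the configuration from the issue description ({{tangzhankun,ubuntu,centos}}, no {{library}} entry) a bare "centos" is still rejected as untrusted; the local-presence rule only comes into play once {{library}} is listed.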