[ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16667381#comment-16667381 ]
Eric Badger commented on YARN-8927:
-----------------------------------

Given the risk that's involved with privileged containers, I think it's prudent to be more careful with what images are allowed to be run as privileged. Of course, this is why we have {{docker.trusted.registries}} in the first place. So I'm thinking from the perspective of the sysadmin that wants to have very fine-grained control over exactly what can be run as privileged. There is inherent risk in allowing privileged containers from a docker registry that is not owned by the sysadmin. If that registry is compromised or bad images are pushed, etc. then the cluster could be running malicious images as privileged containers. If the sysadmin can force that the only images that can be run as privileged are local images, then they have control over exactly what images can be run, since they would be the one that puts the local images on the node (could be pulled from a registry, built locally, loaded from a tarball, etc).

Basically, the mode I'm talking about is allowing users to run privileged containers, but preventing the users from hitting a docker registry. If the {{library}} keyword is used, then the user can either specify a local image that exists, _or_ an image in a default registry that exists in the {{library}} repository. That's what I'm not comfortable with. I want sysadmins to be able to define that _only_ certain local images can be run as privileged.

The way I'd love to do this would be by removing all default registries in Docker itself, but the Docker people seem to be pretty hostile to trying to get rid of default registries or anything related to that (https://github.com/moby/moby/issues/11815).

> Better handling of "docker.trusted.registries" in container-executor's
> "trusted_image_check" function
> -----------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>
> There are some missing cases that we need to catch when handling
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works when running DistributedShell with "tangzhankun/tensorflow":
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu"
> and "ubuntu[:tagName]" fails.
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.
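
The cases raised in this thread, as an added example in C (not code from Hadoop's container-executor or from either participant): a prefix-only check has nothing to compare for a top-level image such as "centos", the {{library}} keyword admits every top-level image, and a stricter privileged mode accepts only exact local image references. The function names and the `priv_local` allowlist are hypothetical; no such configuration key is claimed to exist.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if the len-byte string s equals one entry of the comma-separated csv. */
static bool in_csv(const char *csv, const char *s, size_t len) {
  if (len == 0) return false;            /* an empty name never matches */
  for (const char *p = csv; *p != '\0';) {
    size_t n = strcspn(p, ",");
    if (n == len && strncmp(p, s, len) == 0) return true;
    p += n;
    if (*p == ',') p++;
  }
  return false;
}

/* Sketch of a trusted-image policy, not container-executor's own function.
 * trusted:    value of docker.trusted.registries
 * priv_local: hypothetical allowlist of exact local image references that
 *             may run privileged (assumed setting, not a real config key) */
bool image_allowed(const char *image, const char *trusted,
                   const char *priv_local, bool privileged) {
  if (image == NULL || *image == '\0') return false;
  if (privileged) {
    /* Stricter mode from the comment: named local images only, exact match. */
    return in_csv(priv_local, image, strlen(image));
  }
  const char *slash = strchr(image, '/');
  if (slash == NULL) {
    /* Top-level image ("centos", "centos:7"): there is no registry prefix,
     * so it is trusted only when the "library" keyword is listed. */
    return in_csv(trusted, "library", strlen("library"));
  }
  /* Prefixed image ("tangzhankun/tensorflow"): compare the prefix. */
  return in_csv(trusted, image, (size_t)(slash - image));
}

int main(void) {
  const char *trusted = "tangzhankun,ubuntu,centos"; /* config from the issue */
  printf("%d\n", image_allowed("tangzhankun/tensorflow", trusted, "", false));
  printf("%d\n", image_allowed("centos", trusted, "", false));
  return 0;
}
```

With `library` in the trusted list, every top-level image passes the non-privileged branch, which is the behaviour the comment objects to for privileged containers.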