[ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16667455#comment-16667455 ]
Eric Yang commented on YARN-8927:
---------------------------------

{quote}Basically, the mode I'm talking about is allowing users to run privileged containers, but preventing the users from hitting a docker registry. If the library keyword is used, then the user can either specify a local image that exists, or an image in a default registry that exists in the library repository. That's what I'm not comfortable with. I want sysadmins to be able to define that only certain local images can be run as privileged.{quote}

There are 3 related issues to what we are discussing here.
# The trust of top level public image. (this JIRA)
# Privileged container using privileged registry. (YARN-8376)
# Trust and privileged local image. (need a new JIRA)

It may be best to open a new JIRA to discuss how local images should be trusted and enable privileged containers. There are depths in each of the items that need to be designed separately. I am becoming less in favor of using the library keyword to combine 1 and 3 together. This JIRA should focus on the original user experience problem of public images.

[~ebadger] [~tangzhankun] Do you agree that this is the way forward?

> Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check" function
> -----------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works when running DistributedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ...
> -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
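
Added example, not part of the original message and not Hadoop's trusted_image_check: a simplified model of a namespace-based trust check, showing why a slash-less image such as "centos" is rejected under the configuration quoted above and how an explicit "library" entry would change that. The function name image_is_trusted and the mapping of top-level images to "library" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumption, not Hadoop code). Returns 1 when the
 * image's namespace, i.e. the text before the first '/', is an entry in
 * the comma-separated trusted list. An image with no '/' ("centos",
 * "ubuntu:16.04") is a top-level image: it is mapped to the namespace
 * "library" and trusted only if the administrator listed that keyword. */
int image_is_trusted(const char *trusted_csv, const char *image)
{
    const char *slash = strchr(image, '/');
    const char *ns = slash ? image : "library";
    size_t ns_len = slash ? (size_t)(slash - image) : strlen("library");
    const char *p = trusted_csv;

    if (ns_len == 0)
        return 0;                 /* "/image" has an empty namespace */

    while (*p != '\0') {
        size_t entry_len = strcspn(p, ",");
        /* Compare whole entries so "cent/os" never matches "centos". */
        if (entry_len == ns_len && strncmp(p, ns, ns_len) == 0)
            return 1;
        p += entry_len;
        if (*p == ',')
            p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values; the first list is the one in the issue. */
    const char *cfg = "tangzhankun,ubuntu,centos";
    const char *cfg_lib = "tangzhankun,library";
    const char *images[] = { "tangzhankun/tensorflow", "centos",
                             "ubuntu:16.04", "cent/os" };
    size_t i;

    for (i = 0; i < sizeof(images) / sizeof(images[0]); i++)
        printf("%-24s cfg=%d cfg_lib=%d\n", images[i],
               image_is_trusted(cfg, images[i]),
               image_is_trusted(cfg_lib, images[i]));
    return 0;
}
```

A name-only check like this cannot tell a local image from one pulled from the default registry, which is the concern raised in the quoted paragraph about privileged containers.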