[
https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16674357#comment-16674357
]
Zhankun Tang commented on YARN-8927:
------------------------------------
[~eyang], Thanks for the explanation. To make us in the same context. I list my
understanding and questions as below. Please correct me if anything wrong.
First of all, I understand the above configurations are effective for both
"docker pull" and "docker run". YARN-3854's request of "docker pull" to
container-executor will be denied by if not fit in white-list. The request of a
running container will be denied by c-e if not fit in white-list.
For point 1, "_docker.trusted.registries_" will be all about non-local repo.
The current logic underneath "docker.trusted.registries" already support
private trusted registries and docker hub. But it doesn't implement how to
configure the trust of top-level images like "centos[:tag]". We only need to
add a check related to "library" keyword in c-e. Configured "library" keyword,
top-level pattern image name is trusted. It can be pulled. But when run, the
local image check will be done based on "_docker.trusted.local.image_". Right?
If so, I feel this configuration is only useful for pull ? Maybe the name is
not proper?
For point 2, if we have a "_docker.privileged.registries_", does it mean
"_docker.privileged-containers.enabled_" will be useless? And for the mount
stuff, how will we handle the relationship with existing
"docker.allowed.ro-mounts" and "docker.allowed.rw-mounts"? Also deprecated them?
> Better handling of "docker.trusted.registries" in container-executor's
> "trusted_image_check" function
> -----------------------------------------------------------------------------------------------------
>
> Key: YARN-8927
> URL: https://issues.apache.org/jira/browse/YARN-8927
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Zhankun Tang
> Assignee: Zhankun Tang
> Priority: Major
> Labels: Docker
>
> There are some missing cases that we need to catch when handling
> "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if run DistrubutedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env
> YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But run a DistrubutedShell job with "centos", "centos[:tagName]", "ubuntu"
> and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling the above cases.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
