[ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16762825#comment-16762825 ]
Eric Badger commented on YARN-8927:
-----------------------------------

bq. Patch 002 implies that all local images are trusted as long as the image name does not have '/' character.

This is not a good assumption. For example, in our internal clusters, we do local tagging of all images and all of our local tags have the "/" character in them. This is to signify the repository within the registry that they reside (albeit with the registry part chopped off).

bq. I am unsure if another ACL is required to explicitly trust specific local images only

I would prefer this behavior, because I don't think it is that much harder to implement.

If we see {{library/centos:foobar}} in container-executor.cfg, then we strip off the {{library/}} part and trust local images related to the list using the suffix (e.g. {{centos:foobar}}). If the image exists locally, then we continue with the launch. If it does not, then we fail out and do not pull.

If we see {{library/}} in container-executor.cfg then we trust all local images.

> Support trust top-level image like "centos" when "library" is configured in "docker.trusted.registries"
> -------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8927-trunk.001.patch, YARN-8927-trunk.002.patch
>
>
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if run DistributedShell with "tangzhankun/tensorflow"
> {code:java}
> "yarn ...
> -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But run a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" and "ubuntu[:tagName]" fails:
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling the above cases.
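The local-image rule proposed in the comment above, as an added C sketch (not code from the YARN-8927 patches or from container-executor). All function and type names are hypothetical, the `exists_locally` flag stands in for whatever local image lookup the caller performs, and exact matching of the stripped suffix is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; a sketch of the rule proposed in the comment,
 * not container-executor's code. */
enum decision { NOT_TRUSTED, LAUNCH_LOCAL, FAIL_NO_PULL };

#define LOCAL_PREFIX "library/"

/* Constructed sample values for docker.trusted.registries. */
static const char *const CFG_EXACT[] = { "library/centos:foobar", "library/team/base:1.0" };
static const char *const CFG_ALL[] = { "tangzhankun", "library/" };

/* Does one configured entry cover this local image name? */
static int local_entry_matches(const char *entry, const char *image) {
    size_t plen = strlen(LOCAL_PREFIX);
    if (strncmp(entry, LOCAL_PREFIX, plen) != 0)
        return 0;                       /* not a local-image entry */
    if (entry[plen] == '\0')
        return 1;                       /* bare "library/": all local images */
    return strcmp(entry + plen, image) == 0; /* assumed: exact match on suffix */
}

/* exists_locally is supplied by the caller (assumed local image lookup). */
enum decision check_local_image(const char *const *entries, size_t n,
                                const char *image, int exists_locally) {
    for (size_t i = 0; i < n; i++)
        if (local_entry_matches(entries[i], image))
            return exists_locally ? LAUNCH_LOCAL : FAIL_NO_PULL; /* never pull */
    return NOT_TRUSTED;
}

int main(void) {
    static const char *const label[] = { "not trusted", "launch", "fail, no pull" };
    printf("%s\n", label[check_local_image(CFG_EXACT, 2, "centos:foobar", 1)]);
    printf("%s\n", label[check_local_image(CFG_EXACT, 2, "centos:foobar", 0)]);
    printf("%s\n", label[check_local_image(CFG_EXACT, 2, "centos:latest", 1)]);
    printf("%s\n", label[check_local_image(CFG_ALL, 2, "team/base:1.0", 1)]);
    return 0;
}
```

Because the whole suffix is compared, a local tag that itself contains "/" (the case raised in the comment) is matched the same way as a top-level name.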