Posted to yarn-issues@hadoop.apache.org by "Zhankun Tang (JIRA)" <ji...@apache.org> on 2018/11/04 09:52:00 UTC

[jira] [Comment Edited] (YARN-8927) Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check" function

    [ https://issues.apache.org/jira/browse/YARN-8927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16674357#comment-16674357 ] 

Zhankun Tang edited comment on YARN-8927 at 11/4/18 9:51 AM:
-------------------------------------------------------------

[~eyang], Thanks for the explanation. To make sure we are in the same context, I list my understanding and questions below. Please correct me if anything is wrong.

First of all, I understand the above configurations are effective for both "docker pull" and "docker run". YARN-3854's request of "docker pull" to container-executor will be denied if it does not fit in the white-list. The request of a running container will be denied by c-e if it does not fit in the white-list.

For point 1, "_docker.trusted.registries_" will be all about non-local repos. The current logic underneath "docker.trusted.registries" already supports private trusted registries and Docker Hub. But it doesn't implement how to configure the trust of top-level images like "centos[:tag]". We only need to add a check related to the "library" keyword in c-e. With the "library" keyword configured, a top-level pattern image name is trusted. It can be pulled. But when run, the local image check will be done based on "_docker.trusted.local.image_". Right?

If so, I feel this configuration is only useful for pull? Maybe the name is not proper?

 

For point 2, if we have a "_docker.privileged.registries_", does it mean "_docker.privileged-containers.enabled_" will be useless? And for the mount stuff, how will we handle the relationship with the existing "docker.allowed.ro-mounts" and "docker.allowed.rw-mounts"? Also deprecate them?


was (Author: tangzhankun):
[~eyang], Thanks for the explanation. To make sure we are in the same context, I list my understanding and questions below. Please correct me if anything is wrong.

First of all, I understand the above configurations are effective for both "docker pull" and "docker run". YARN-3854's request of "docker pull" to container-executor will be denied if it does not fit in the white-list. The request of a running container will be denied by c-e if it does not fit in the white-list.

For point 1, "_docker.trusted.registries_" will be all about non-local repos. The current logic underneath "docker.trusted.registries" already supports private trusted registries and Docker Hub. But it doesn't implement how to configure the trust of top-level images like "centos[:tag]". We only need to add a check related to the "library" keyword in c-e. With the "library" keyword configured, a top-level pattern image name is trusted. It can be pulled. But when run, the local image check will be done based on "_docker.trusted.local.image_". Right?

If so, I feel this configuration is only useful for pull? Maybe the name is not proper?

 

For point 2, if we have a "_docker.privileged.registries_", does it mean "_docker.privileged-containers.enabled_" will be useless? And for the mount stuff, how will we handle the relationship with the existing "docker.allowed.ro-mounts" and "docker.allowed.rw-mounts"? Also deprecate them?

> Better handling of "docker.trusted.registries" in container-executor's "trusted_image_check" function
> -----------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8927
>                 URL: https://issues.apache.org/jira/browse/YARN-8927
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Zhankun Tang
>            Assignee: Zhankun Tang
>            Priority: Major
>              Labels: Docker
>
> There are some missing cases that we need to catch when handling "docker.trusted.registries".
> The container-executor.cfg configuration is as follows:
> {code:java}
> docker.trusted.registries=tangzhankun,ubuntu,centos{code}
> It works if we run DistributedShell with "tangzhankun/tensorflow":
> {code:java}
> "yarn ... -shell_env YARN_CONTAINER_RUNTIME_TYPE=docker -shell_env YARN_CONTAINER_RUNTIME_DOCKER_IMAGE=tangzhankun/tensorflow
> {code}
> But running a DistributedShell job with "centos", "centos[:tagName]", "ubuntu" or "ubuntu[:tagName]" fails.
> The error message is like:
> {code:java}
> "image: centos is not trusted"
> {code}
> We need better handling of the above cases.
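The check the comment proposes, as an added illustration that is not container-executor's own code: an image name with no "/" (such as "centos" or "centos:7") is a Docker Hub top-level image, so it is mapped to the "library" namespace and is trusted only when "library" is listed in docker.trusted.registries; names with a prefix are matched on that prefix as an exact allow-list token. The function name and the 256-byte namespace limit are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if image is allowed by the comma-separated registries list, else 0.
 * Illustrative only; not the real trusted_image_check() in container-executor. */
int is_trusted_image(const char *registries, const char *image) {
    char ns[256];
    const char *slash = strchr(image, '/');
    if (slash == NULL) {
        strcpy(ns, "library");                 /* top-level image, e.g. "centos:7" */
    } else {
        size_t n = (size_t)(slash - image);    /* registry host or namespace part */
        if (n == 0 || n >= sizeof ns) return 0; /* malformed or oversized: deny */
        memcpy(ns, image, n);
        ns[n] = '\0';
    }
    /* Walk the allow-list and require an exact token match, so a configured
     * "centos" does not accidentally trust "centos-mirror/..." images. */
    const char *p = registries;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        const char *tok = p;
        while (len > 0 && *tok == ' ') { tok++; len--; }   /* trim leading spaces */
        while (len > 0 && tok[len - 1] == ' ') len--;       /* trim trailing spaces */
        if (len == strlen(ns) && strncmp(tok, ns, len) == 0) return 1;
        if (comma == NULL) break;
        p = comma + 1;
    }
    return 0;   /* default deny */
}

int main(void) {
    const char *cfg = "tangzhankun,ubuntu,centos";   /* value from the issue */
    printf("%d\n", is_trusted_image(cfg, "tangzhankun/tensorflow"));      /* 1 */
    printf("%d\n", is_trusted_image(cfg, "centos"));                      /* 0: reported failure */
    printf("%d\n", is_trusted_image("tangzhankun,library", "centos:7"));  /* 1 */
    return 0;
}
```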


