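Overview
Azure Container Registry is a managed Docker registry service based on the open-source Docker Registry 2.0. Container registries are private, hosted in Azure, and can be used to build, store, and manage images for all types of container deployments.
You can push and pull container images to a container registry with the Docker CLI or the Azure CLI. Azure portal integration lets you visually inspect the container images in a registry. In distributed environments, the registry's geo-replication feature can distribute container images to multiple Azure datacenters for local distribution.
In addition to storing container images, Azure Container Registry Tasks can build container images in Azure. A task uses a standard Dockerfile to create and store the container image in Azure Container Registry, with no local Docker tooling required.
Create a container registry
Using Cloud Shell: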
ACR_NAME=zyiAcr01
az acr create --resource-group etaon.top --name $ACR_NAME --sku Premium
{
"sku": {
"name": "Premium",
"tier": "Premium"
},
"type": "Microsoft.ContainerRegistry/registries",
"id": "/subscriptions/14adb214-7b29-422a-ac8a-df2af1e51201/resourceGroups/etaon.top/providers/Microsoft.ContainerRegistry/registries/zyiAcr01",
"name": "zyiAcr01",
"location": "eastasia",
"tags": {},
"properties": {
"loginServer": "zyiacr01.azurecr.io",
"creationDate": "2021-12-07T02:09:33.8907826Z",
"provisioningState": "Succeeded",
"adminUserEnabled": false,
"networkRuleSet": {
"defaultAction": "Allow",
"virtualNetworkRules": [],
"ipRules": []
},
"policies": {
"quarantinePolicy": {
"status": "disabled"
},
"trustPolicy": {
"type": "Notary",
"status": "disabled"
},
"retentionPolicy": {
"days": 7,
"lastUpdatedTime": "2021-12-07T02:09:36.3080961+00:00",
"status": "disabled"
}
}
}
}
Create a container image
Dockerfile
Use the official Dockerfile provided in the lab "Build container images with Azure Container Registry Tasks":
FROM node:9-alpine
ADD https://raw.githubusercontent.com/Azure-Samples/acr-build-helloworld-node/master/package.json /
ADD https://raw.githubusercontent.com/Azure-Samples/acr-build-helloworld-node/master/server.js /
RUN npm install
EXPOSE 80
CMD ["node", "server.js"]
Build the image
az acr build --registry $ACR_NAME --image helloacrtasks:v1 .
izhao_yiyi@Azure:~/tmp$ az acr build --registry $ACR_NAME --image helloacrtasks:v1 .
Packing source code into tar to upload...
Uploading archived source code from '/tmp/build_archive_cb15788d2bfc4bcb9eedfd9066760bcc.tar.gz'...
Sending context (406.000 Bytes) to registry: zyiAcr01...
Queued a build with ID: ck1
Waiting for an agent...
2021/12/07 02:25:12 Downloading source code...
2021/12/07 02:25:13 Finished downloading source code
2021/12/07 02:25:14 Using acb_vol_f5f7399f-6348-4d5b-a83f-70d028516e55 as the home volume
2021/12/07 02:25:14 Setting up Docker configuration...
2021/12/07 02:25:14 Successfully set up Docker configuration
2021/12/07 02:25:14 Logging in to registry: zyiacr01.azurecr.io
2021/12/07 02:25:15 Successfully logged into zyiacr01.azurecr.io
2021/12/07 02:25:15 Executing step ID: build. Timeout(sec): 28800, Working directory: '', Network: ''
2021/12/07 02:25:15 Scanning for dependencies...
2021/12/07 02:25:15 Successfully scanned dependencies
2021/12/07 02:25:15 Launching container with name: build
Sending build context to Docker daemon 3.072kB
Step 1/6 : FROM node:9-alpine
9-alpine: Pulling from library/node
a073c86ecf9e: Pulling fs layer
0e28711eb56d: Pulling fs layer
e460dd483fdd: Pulling fs layer
e460dd483fdd: Verifying Checksum
e460dd483fdd: Download complete
a073c86ecf9e: Verifying Checksum
a073c86ecf9e: Download complete
a073c86ecf9e: Pull complete
0e28711eb56d: Verifying Checksum
0e28711eb56d: Download complete
0e28711eb56d: Pull complete
e460dd483fdd: Pull complete
Digest: sha256:8dafc0968fb4d62834d9b826d85a8feecc69bd72cd51723c62c7db67c6dec6fa
Status: Downloaded newer image for node:9-alpine
---> a56170f59699
Step 2/6 : ADD https://raw.githubusercontent.com/Azure-Samples/acr-build-helloworld-node/master/package.json /
---> a69ae18465f6
Step 3/6 : ADD https://raw.githubusercontent.com/Azure-Samples/acr-build-helloworld-node/master/server.js /
---> 67d111a501a6
Step 4/6 : RUN npm install
---> Running in f021a2b3be4d
npm notice created a lockfile as package-lock.json. You should commit this file.
up to date in 0.056s
npm WARN helloworld@1.0.0 No repository field.
Removing intermediate container f021a2b3be4d
---> 030e8adf199f
Step 5/6 : EXPOSE 80
---> Running in a8a3d27b2595
Removing intermediate container a8a3d27b2595
---> c886b7d794ec
Step 6/6 : CMD ["node", "server.js"]
---> Running in a50140136229
Removing intermediate container a50140136229
---> d041f7450cfd
Successfully built d041f7450cfd
Successfully tagged zyiacr01.azurecr.io/helloacrtasks:v1
2021/12/07 02:25:29 Successfully executed container: build
2021/12/07 02:25:29 Executing step ID: push. Timeout(sec): 3600, Working directory: '', Network: ''
2021/12/07 02:25:29 Pushing image: zyiacr01.azurecr.io/helloacrtasks:v1, attempt 1
The push refers to repository [zyiacr01.azurecr.io/helloacrtasks]
40f54f1fa8b9: Preparing
105fab5e99d4: Preparing
51978827661c: Preparing
172ed8ca5e43: Preparing
8c9992f4e5dd: Preparing
8dfad2055603: Preparing
8dfad2055603: Waiting
40f54f1fa8b9: Pushed
51978827661c: Pushed
105fab5e99d4: Pushed
172ed8ca5e43: Pushed
8dfad2055603: Pushed
8c9992f4e5dd: Pushed
v1: digest: sha256:d7c504d1656b9b9773f2ebe4d7ed181a2e9acaa19c6f3e9d5ae7c069a7a1ec9c size: 1572
2021/12/07 02:25:33 Successfully pushed image: zyiacr01.azurecr.io/helloacrtasks:v1
2021/12/07 02:25:33 Step ID: build marked as successful (elapsed time in seconds: 13.716688)
2021/12/07 02:25:33 Populating digests for step ID: build...
2021/12/07 02:25:35 Successfully populated digests for step ID: build
2021/12/07 02:25:35 Step ID: push marked as successful (elapsed time in seconds: 4.827214)
2021/12/07 02:25:35 The following dependencies were found:
2021/12/07 02:25:35
- image:
registry: zyiacr01.azurecr.io
repository: helloacrtasks
tag: v1
digest: sha256:d7c504d1656b9b9773f2ebe4d7ed181a2e9acaa19c6f3e9d5ae7c069a7a1ec9c
runtime-dependency:
registry:
repository: library/node
tag: 9-alpine
digest: sha256:8dafc0968fb4d62834d9b826d85a8feecc69bd72cd51723c62c7db67c6dec6fa
git: {}
Run ID: ck1 was successful after 23s
Verify the image
Run the following command in Cloud Shell to verify that the image was created and stored in the registry:
az acr repository list --name $ACR_NAME --output table
izhao_yiyi@Azure:~/tmp$ az acr repository list --name $ACR_NAME --output table
Result
-------------
helloacrtasks
The result matches what the console shows.
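Deploy an image from Azure Container Registry
Registry authentication
Azure Container Registry does not support unauthenticated access and requires authentication for all operations. Registries support two types of identity:
- Azure Active Directory identities, including user principals and service principals. Access to a registry with an Azure Active Directory identity is role-based, and an identity can be assigned one of three roles: Reader (pull access only), Contributor (push and pull access), or Owner (pull, push, and assigning roles to other users).
- The admin account included with every registry. The admin account is disabled by default.
The admin account provides a quick option for trying out a new registry. Enable the account and use its username and password in the workflows and apps that need access.
Recommendation: use the registry admin account only for early testing and exploration, and do not share the username and password.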
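The recommendation above expressed as a check, added here as an example and not part of the original walkthrough: it reads registry JSON as printed by the az acr commands on this page and flags an enabled admin account, anonymous pull, and an unrestricted network default. The function names and the sample registry are made up for illustration, and a missing networkRuleSet is treated as Allow.

```python
import json

# Constructed sample in the flat shape that `az acr update` prints on this page;
# the registry name and values are made up for the example.
SAMPLE = json.loads("""
{
  "name": "exampleregistry",
  "adminUserEnabled": true,
  "anonymousPullEnabled": false,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}
}
""")


def audit_registry(reg):
    """Return (field, reason) findings for one registry object from az output."""
    # The `az acr create` output on this page nests settings under "properties";
    # `az acr update` returns them at the top level. Merge so both shapes work.
    cfg = {**reg, **(reg.get("properties") or {})}
    findings = []
    if cfg.get("adminUserEnabled"):
        findings.append(("adminUserEnabled",
                         "shared admin username/password is active"))
    if cfg.get("anonymousPullEnabled"):
        findings.append(("anonymousPullEnabled",
                         "images can be pulled without authentication"))
    rules = cfg.get("networkRuleSet") or {}
    public = cfg.get("publicNetworkAccess", "Enabled") == "Enabled"
    if public and rules.get("defaultAction", "Allow") == "Allow":
        findings.append(("networkRuleSet.defaultAction",
                         "no network restriction on the login server"))
    return findings


def audit_all(registries):
    """Map registry name -> findings, skipping registries with none."""
    report = {}
    for reg in registries:
        found = audit_registry(reg)
        if found:
            report[reg.get("name", "<unnamed>")] = found
    return report


if __name__ == "__main__":
    for name, found in audit_all([SAMPLE]).items():
        for field, reason in found:
            print(f"{name}: {field}: {reason}")
```

Passing the parsed output of `az acr list` to audit_all covers every registry in a subscription in one run.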
Registry admin account
az acr update -n $ACR_NAME --admin-enabled true
izhao_yiyi@Azure:~/tmp$ az acr update -n $ACR_NAME --admin-enabled true
{
"adminUserEnabled": true,
"anonymousPullEnabled": false,
"creationDate": "2021-12-07T02:09:33.890782+00:00",
"dataEndpointEnabled": false,
"dataEndpointHostNames": [],
"encryption": {
"keyVaultProperties": null,
"status": "disabled"
},
"id": "/subscriptions/14adb214-7b29-422a-ac8a-df2af1e51201/resourceGroups/etaon.top/providers/Microsoft.ContainerRegistry/registries/zyiAcr01",
"identity": null,
"location": "eastasia",
"loginServer": "zyiacr01.azurecr.io",
"name": "zyiAcr01",
"networkRuleBypassOptions": "AzureServices",
"networkRuleSet": {
"defaultAction": "Allow",
"ipRules": [],
"virtualNetworkRules": []
},
"policies": {
"exportPolicy": {
"status": "enabled"
},
"quarantinePolicy": {
"status": "disabled"
},
"retentionPolicy": {
"days": 7,
"lastUpdatedTime": "2021-12-07T02:09:36.308096+00:00",
"status": "disabled"
},
"trustPolicy": {
"status": "disabled",
"type": "Notary"
}
},
"privateEndpointConnections": [],
"provisioningState": "Succeeded",
"publicNetworkAccess": "Enabled",
"resourceGroup": "etaon.top",
"sku": {
"name": "Premium",
"tier": "Premium"
},
"status": null,
"systemData": {
"createdAt": "2021-12-07T02:09:33.890782+00:00",
"createdBy": "izhao.yiyi@hotmail.com",
"createdByType": "User",
"lastModifiedAt": "2021-12-07T03:05:17.346554+00:00",
"lastModifiedBy": "izhao.yiyi@hotmail.com",
"lastModifiedByType": "User"
},
"tags": {},
"type": "Microsoft.ContainerRegistry/registries",
"zoneRedundancy": "Disabled"
}
Retrieve the username and password of the admin account enabled in the previous step
az acr credential show --name $ACR_NAME
izhao_yiyi@Azure:~/tmp$ az acr credential show --name $ACR_NAME
{
"passwords": [
{
"name": "password",
"value": "cVagEwjt0seBQa+fvzj7vGyj"
},
{
"name": "password2",
"value": "3LWP7JlNycqYZOE9JLGvH/kZpJ"
}
],
"username": "zycr01"
}
Deploy the container with the Azure CLI
Use the command:
az container create \
--resource-group etaon.top \
--name acr-tasks \
--image $ACR_NAME.azurecr.io/helloacrtasks:v1 \
--registry-login-server $ACR_NAME.azurecr.io \
--ip-address Public \
--location eastasia \
--registry-username zyir01 \
--registry-password 3LWP7JlaqYZOE9JLGvH/kZpJ
Returns:
{
"containers": [
{
"command": null,
"environmentVariables": [],
"image": "zyiAcr01.azurecr.io/helloacrtasks:v1",
"instanceView": {
"currentState": {
"detailStatus": "",
"exitCode": null,
"finishTime": null,
"startTime": "2021-12-07T03:14:46.561000+00:00",
"state": "Running"
},
"events": null,
"previousState": null,
"restartCount": 0
},
"livenessProbe": null,
"name": "acr-tasks",
"ports": [
{
"port": 80,
"protocol": "TCP"
}
],
"readinessProbe": null,
"resources": {
"limits": null,
"requests": {
"cpu": 1.0,
"gpu": null,
"memoryInGb": 1.5
}
},
"volumeMounts": null
}
],
"diagnostics": null,
"dnsConfig": null,
"encryptionProperties": null,
"id": "/subscriptions/14adb214-7b29-422a-ac8a-df2af1e51201/resourceGroups/etaon.top/providers/Microsoft.ContainerInstance/containerGroups/acr-tasks",
"identity": null,
"imageRegistryCredentials": [
{
"identity": null,
"identityUrl": null,
"password": null,
"server": "zyiAcr01.azurecr.io",
"username": "zyiAcr01"
}
],
"initContainers": [],
"instanceView": {
"events": [],
"state": "Running"
},
"ipAddress": {
"dnsNameLabel": null,
"fqdn": null,
"ip": "20.195.94.60",
"ports": [
{
"port": 80,
"protocol": "TCP"
}
],
"type": "Public"
},
"location": "eastasia",
"name": "acr-tasks",
"osType": "Linux",
"provisioningState": "Succeeded",
"resourceGroup": "etaon.top",
"restartPolicy": "Always",
"sku": "Standard",
"subnetIds": null,
"tags": {},
"type": "Microsoft.ContainerInstance/containerGroups",
"volumes": null,
"zones": null
}
View it with the Azure CLI
izhao_yiyi@Azure:~/tmp$ az container show --resource-group etaon.top --name acr-tasks --query ipAddress.ip --output table
Result
20.195.94.60
This container serves HTTP.

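Replicate container images to different Azure regions
Geo-replication lets an Azure container registry act as a single registry that serves multiple regions with multi-master regional registries.
Benefits:
- A single registry/image/tag name can be used across multiple regions
- Network-close registry access from regional deployments
- No additional egress fees, because images are pulled from a local replicated registry in the same region as the container host
- Single management of the registry across multiple regions
Replicate the registry from one region to another
Choose japaneast as the replication region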
az acr replication create --registry $ACR_NAME --location japaneast
izhao_yiyi@Azure:~/tmp$ az acr replication create --registry $ACR_NAME --location japaneast
{
"id": "/subscriptions/14adb214-7b29-422a-ac8a-df2af1e51201/resourceGroups/etaon.top/providers/Microsoft.ContainerRegistry/registries/zyiAcr01/replications/japaneast",
"location": "japaneast",
"name": "japaneast",
"provisioningState": "Succeeded",
"regionEndpointEnabled": true,
"resourceGroup": "etaon.top",
"status": {
"displayStatus": "Ready",
"message": null,
"timestamp": "2021-12-07T03:27:47.188615+00:00"
},
"systemData": {
"createdAt": "2021-12-07T03:27:24.120509+00:00",
"createdBy": "izhao.yiyi@hotmail.com",
"createdByType": "User",
"lastModifiedAt": "2021-12-07T03:27:24.120509+00:00",
"lastModifiedBy": "izhao.yiyi@hotmail.com",
"lastModifiedByType": "User"
},
"tags": {},
"type": "Microsoft.ContainerRegistry/registries/replications",
"zoneRedundancy": "Disabled"
}
The replications can also be listed from the command line
izhao_yiyi@Azure:~/tmp$ az acr replication list --registry $ACR_NAME --output table
NAME LOCATION PROVISIONING STATE STATUS
--------- ---------- -------------------- --------
japaneast japaneast Succeeded Ready
eastasia eastasia Succeeded Ready
Upload images
Log in
[root@worker-03 ~]# docker login zyiacr01.azurecr.io
Username: zyiAcr01
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Change the tag
[root@worker-03 ~]# docker tag 293c239dd855 zyiacr01.azurecr.io/network-multitool:v1.1
[root@worker-03 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
...
/tanzu/network-multitool 1.1 293c239dd855 7 months ago 38.1MB
zyiacr01.azurecr.io/network-multitool v1.1 293c239dd855 7 months ago 38.1MB
Upload
[root@worker-03 ~]# docker push zyiacr01.azurecr.io/network-multitool:v1.1
The push refers to repository [zyiacr01.azurecr.io/network-multitool]
1d7bbe9a9a95: Pushed
a3f5f0fbb011: Pushed
d1cedc16831d: Pushed
6f594e0f85a0: Pushed
b2d5eeeaba3a: Pushed
v1.1: digest: sha256:1a546071c99290fa1d02f8ded26070e1e5711efeb02b3208752b92834f058948 size: 1361
View in the console

That's all.
















