Azure pipeline pull docker image from ACR (azure container registry) authentication required - azure

I created a docker image and pushed it to my azure container registry.
Now I would like to perform the pipeline steps inside a container created with that docker image but I get this error message:
Error response from daemon: Head "https://my_docker_registry.azurecr.io/v2/test_image/manifests/1": unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information
##[warning]Docker pull failed with exit code 1, back off 6.501 seconds before retry.
where am i wrong?
this is my azure-pipeline.yml:
trigger:
- main
resources:
containers:
- container: firstpipeline
type: ACR
azureSubscription: 814dfd24-6f11-4r4c-ae2r-ag6ke91231g2
resourceGroup: resource_group_1
registry: my_docker_registry.azurecr.io
repository: test_image:1
pool:
vmImage: ubuntu-latest
steps:
- script: |
cat /etc/os-release
displayName: 'execute inside docker container' ```

Related

Unable to run Azure Web Service from a docker image in an Azure Registry

I am trying to automate my deployment process by creating a pipeline in Azure DevOps that does the following
Build my project, create a docker image, then pushed the image to a private Azure Registry service.
Deploy the image on a slot called staging in Azure Web Service.
Here is the .yaml file that I am using
trigger:
- master
resources:
- repo: self
variables:
dockerRegistryServiceConnection: 'MyPrivateRegistry'
imageRepository: 'MyPrivateRepositoryName'
containerRegistry: 'MyPrivateRepositoryName.azurecr.io'
dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
tag: '$(Build.BuildId)'
azureSubscription: 'MyPrivateSubscribtionName(5c4b9a4b-private-subscribtion-id-91503531e1a0)'
appName: 'private_appname'
resourceGroupName: 'PrivateResourceGroup'
vmImageName: 'ubuntu-latest'
stages:
- stage: Build
displayName: Push and Build
jobs:
- job: Build
displayName: Build
pool:
vmImage: $(vmImageName)
steps:
- task: Docker#2
displayName: Build and push an image
inputs:
command: buildAndPush
repository: $(imageRepository)
dockerfile: $(dockerfilePath)
containerRegistry: '$(dockerRegistryServiceConnection)'
tags: |
$(tag)
- job: DeployToStaging
displayName: Deploy To staging
dependsOn: Build
condition: succeeded()
pool:
vmImage: $(vmImageName)
steps:
- task: AzureWebAppContainer#1
inputs:
azureSubscription: $(azureSubscription)
appName: $(appName)
deployToSlotOrASE: true
resourceGroupName: $(resourceGroupName)
slotName: 'staging'
containers: '$(containerRegistry)/$(imageRepository):$(tag)'
The projects is built successfully and pushed to the private registry as expected. I can verify that the new image in pushed with a new tagId. However, my container fails to start with the following error
Image pull failed since Inspect image returned null: MyPrivateRepositoryName.azurecr.io/MyPrivateRepositoryName:151
Here is the suggestion I see
Please check the repository name, image name, and container definitions defined by DOCKER_REGISTRY_SERVER_USERNAME, DOCKER_REGISTRY_SERVER_URL, and DOCKER_REGISTRY_SERVER_PASSWORD.
When I go to the staging slot configuration I see the following and the values are all correct. I copied these values from the "Access keys" section in the Container Registry service after enabling the Admin user
What am I missing here? How can I get the slot to correctly pull the docker image from the contain registry?
Updated
Looking more at the logs gives me this error
2022-04-01T20:36:21.409Z ERROR - Pull image threw Exception: Input string was not in a correct format.
2022-04-01T20:36:21.411Z INFO - Pulling image from Docker hub: privateregistry.azurecr.io/privateimage:152
2022-04-01T20:36:21.594Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://privateregistry.azurecr.io/v2/privateimage/manifests/152: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}
It sounds like something does not have permission to pull the docker image from the repository. Question is what object need to have this permission? Would I add permission to the private repository of would I add it to the Web Service?
Few things you can check if Enable Admin Access does not work.
Is your app service in the same subscription as your ACR? If not, try moving it to the same subscription.
In Azure Portal -> App Service -> Deployment Center, see if you have conflicting settings. If it's empty, try set up the container registry information here instead of passing in app settings as env variables.
If still having errors, I recommend you creating another credential to login to ACR instead of using the admin one. (For this, it won't involve system identity or managed identity)
Register a new app in Azure that will read from ACR
In ACR -> Access Control -> give this app ACR PULL permission
Replace your app service app setting with the following
DOCKER_REGISTRY_SERVER_USERNAME = Client Id of the created app
DOCKER_REGISTRY_SERVER_PASSWORD = Client Secret of the created app

Pull and Push Docker Image task to ACR fails in Azure Devops Pipeline "unauthorized: Invalid clientid or client secret."

Pushing and pulling of image to Azure Container Registry task in Azure DevOps pipeline fails. When tried to pull or push from local system, there's no problem but when tried to do it using the Azure Devops pipeline it fails. Docker login was successful but it fails when I want to pull the image from the ACR with the following result:
**Error response from daemon: Head "***/a2/abcd/manifest/latest": unauthorized: Invalid clientid or client secret.
##[error]Bash exited with code '1'.
##[debug]Processed: ##vso[task.issue type=error;]Bash exited with code '1'.
I checked all the service connections in Az Devops, and they all look correctly configured. Checked the associated service principals as well if they have AcrPull and AcrPush permissions, all of them are in place. Just couldn't understand what's going wrong.
My Yaml looks like this:
trigger: none
schedules:
- cron: "0 0 0 * *"
displayName: **** *
branches:
include:
- abcd
always: true
pool:
vmImage: 'ubuntu-latest'
variables:
- name: acrname
value: *****.azurecr.io
stages:
- stage: abcd
displayName: "pull images from acr"
jobs:
- job: abcdef
displayName: "abcdef"
pool:
vmImage: ubuntu-latest
steps:
- task: Docker#2
displayName: Login to ACR
inputs:
command: login
containerRegistry: '*****.azurecr.io'
- bash: |
docker pull $(acrname)/abc-def:latest
docker pull $(acrname)/igh-jkl:latest
name: pull
displayName: 'pull acr images'
Can anyone help?
I had the same issue with the ACR service connection was expired. So I had to create a new service connection by using these steps.
Docker ID and Docker Password can be obtained from ACR --> Settings --> Access keys
Update your pipeline with this new service connection and you are good to go. Please rate if this solution helps you.
In my case, when I ran into this issue, the simple and clean resolution was to use the docker login. In your situation, it looks like this would be a good solution :
docker login $(acrname)
prior to your calls to get your images
docker pull $(acrname)/abc-def:latest
In my case, the docker login password expired. So I have to do the following:
Go azure and generate the new password for the docker app authentication.
Copy the newly generated password.
Go to your virtual machine where docker is running.
Try the below command
docker login blah.azurecr.io --username your-user-name-here --password yourhaspasswordhere~5Crf9b
Now you are good to go.

run spring boot application on azure container registry instance

I'm trying to run a spring boot application on azure. This is what I'm trying to accomplish:
local project > Azure Devops Git Repos > Azure container registry
From my local, I push the changes to Azure Devops Repos. Repository has a pipeline that does maven package, create docker image and push the image to Azure Container registry. And I'm running the container image using Azure container instance. Container instance is deploying successfully, but when I try to access a rest api defined in spring boot application, nothing happens. Page keeps on loading.
I try to access the GET api like this:
my_public_ip:8080/hello
DockerFile:
FROM openjdk:8
VOLUME /tmp
ADD target/command-center.jar command-center.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/command-center.jar"]
azure-pipeline.yaml
# Docker
# Build and push an image to Azure Container Registry
# https://learn.microsoft.com/azure/devops/pipelines/languages/docker
trigger:
- master
resources:
- repo: self
variables:
# Container registry service connection established during pipeline creation
dockerRegistryServiceConnection: 'f4031dc5-3c27-4f41-be8c-2abdf064eaf2'
imageRepository: 'commandcenter'
containerRegistry: 'sapcemission.azurecr.io'
dockerfilePath: '**/command-center/Dockerfile'
tag: '$(Build.BuildId)'
# Agent VM image name
vmImageName: 'ubuntu-latest'
stages:
- stage: Build
displayName: Build and push stage
jobs:
- job: Build
displayName: Build
pool:
vmImage: $(vmImageName)
steps:
- task: Maven#3
inputs:
mavenPomFile: 'pom.xml'
publishJUnitResults: true
testResultsFiles: '**/surefire-reports/TEST-*.xml'
javaHomeOption: 'JDKVersion'
mavenVersionOption: 'Default'
mavenAuthenticateFeed: false
effectivePomSkip: false
sonarQubeRunAnalysis: false
- task: Docker#2
displayName: Build and push an image to container registry
inputs:
command: buildAndPush
repository: $(imageRepository)
dockerfile: $(dockerfilePath)
containerRegistry: $(dockerRegistryServiceConnection)
tags: |
$(tag)
Azure container instance settings:
What am I doing wrong here?
Azure Container Instance doesnt support port mapping like docker. So in your case when you setup ACI, port property should be set to 8080 (not default 80).

Azure Devops kubectl task deployed image is with status ErrImagePull/ImagePullBackOff

I have created a deployment pipeline using Azure Devops through which I am building and pushing an image to Azure Container Registry.
In the next step I am deploying from ACR to an AKS cluster which I have created and attached to ACR using the following command:
az aks create -n HealthCareAKSCluster -g AKSCICDRG --generate-ssh-keys --attach-acr HealthCareAKSCICDACR
Following is my yaml code:
# Docker
# Build and push an image to Azure Container Registry
# https://learn.microsoft.com/azure/devops/pipelines/languages/docker
trigger:
- master
resources:
- repo: self
variables:
# Container registry service connection established during pipeline creation
dockerRegistryServiceConnection: 'XXXXXXXXXX'
imageRepository: 'patientservice'
containerRegistry: 'healthcareakscicdacr.azurecr.io'
dockerfilePath: './PatientService/Dockerfile'
tag: '$(Build.BuildId)'
# Agent VM image name
vmImageName: 'ubuntu-latest'
stages:
- stage: Build
displayName: Build and push stage
jobs:
- job: Build
displayName: Build
pool:
vmImage: $(vmImageName)
steps:
- task: Docker#2
displayName: Build and push an image to container registry
inputs:
command: buildAndPush
repository: $(imageRepository)
dockerfile: $(dockerfilePath)
containerRegistry: $(dockerRegistryServiceConnection)
tags: |
$(tag)
- stage: Deploy
displayName: Deploy
jobs:
- job: Deploy
displayName: Deploy
pool:
vmImage: $(vmImageName)
steps:
- task: Kubernetes#1
displayName: Deploy an image to AKS
inputs:
connectionType: 'Azure Resource Manager'
azureSubscriptionEndpoint: 'XXXXXXX'
azureResourceGroup: 'AKSCICDRG'
kubernetesCluster: 'HealthCareAKSCluster'
command: 'apply'
arguments: '-f patientservice.yaml'
secretType: 'dockerRegistry'
containerRegistryType: 'Azure Container Registry'
The image is getting pushed to ACR successfully and Build step is running fine.
Even deploy step is running fine but when I do 'kubectl get pods' in my AKS cluster I am getting the pod status as ImagePullBackOff or ErrImagePull.
When I did 'kubectl describe pod' I am getting the following message:
Failed to pull image "patientservice": rpc error: code = Unknown desc
= Error response from daemon: pull access denied for patientservice, repository does not exist or may require 'docker login': denied:
requested access to the resource is denied
Please help as to how can I deploy a proper image.
The issue was in patientservice.yaml file. I overlooked it. Previously image had only the name of the service.I added the following to the image in patientservice.yaml:
image: healthcareakscicdacr.azurecr.io/patientservice:latest
The deployment worked fine.

Azure DevOps Service Connection does not work with custom job

In Azure Devops I am able to create an ACR Service Connection and use the Docker#2 task to login, build and push an image - as part of the first job of my pipeline.
In the second job of my pipeline I want to use the image I built in the first job and run some stuff inside it. However even though I supply the service connection name(the same as first job) my pipeline keeps failing with 'docker login': denied: requested access to the resource is denied.
How can I make this work with using the Service Connection that works just fine for the 1st job?
- job: BuildDockerImage
pool:
vmImage: 'ubuntu-16.04'
steps:
- task: Docker#2
displayName: Build /push image
inputs:
command: buildAndPush
repository: XYZ
dockerfile: Dockerfile
containerRegistry: ABC
tags: |
$(Build.SourceVersion)
- job: TestCode
dependsOn: BuildDockerImage
condition: succeeded()
timeoutInMinutes: 200
pool:
vmImage: 'ubuntu-16.04'
container:
image: ABC/XYZ:$(Build.SourceVersion)
For this issue , it could be the lack of endpoint parameter.
Containers can be hosted on registries other than Docker Hub. To host an image on Azure Container Registry or another private container registry, add a service connection to the private registry. Then you can reference it in a container spec:
container:
image: myprivate/registry:xxx
endpoint: private_dockerhub_connection
Here is a document you can refer to .

Resources