Context: We are managing a central Azure Container Registry which holds around 350 repositories. Each repository has a good number of images. Now, because of the Log4J issue, we are trying to inform all image owners to take care of their repositories. Because there is no owner name associated with the images/repos, we are not able to find out who they are and are not able to communicate with them.
I am trying to find a way to set an owner name on an image in Azure Container Registry so that I can extract it and send communication to them.
I tested in my environment, where multiple images have been built by many users in an ACR.
But it doesn’t record who created the images in ACR.
As a workaround, there are two ways you can track who has created an image in ACR:
You can look at the activity log to see which user last pushed the image to a particular repository. Please keep in mind that the activity logs are kept for 90 days by default.
Another way is to introduce a process in your team to create the images with a tag containing their name or a specific ID, if any.
For more information you can refer to this: https://azure.microsoft.com/en-in/blog/azure-container-registry-preview-of-diagnostics-and-audit-logs/
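One way to turn the log-based approach above into a contact list, as an added example that is not part of the original answer: it takes exported push events plus the registry's repository inventory, picks the most recent pusher per repository, and lists repositories with no push in the retained logs. The record field names, sample events, repository names and identities are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample export, one JSON record per line. The field names are an
# assumption modelled on ACR repository-event audit logs; adjust to your export.
SAMPLE_EVENTS = """
{"TimeGenerated": "2021-12-01T09:15:00Z", "OperationName": "Push", "Repository": "billing/api", "Identity": "alice@example.com"}
{"TimeGenerated": "2021-12-10T17:02:00Z", "OperationName": "Push", "Repository": "billing/api", "Identity": "bob@example.com"}
{"TimeGenerated": "2021-12-11T08:00:00Z", "OperationName": "Pull", "Repository": "billing/api", "Identity": "cluster-pull-identity"}
{"TimeGenerated": "2021-11-20T12:30:00Z", "OperationName": "Push", "Repository": "web/frontend", "Identity": "carol@example.com"}
"""

# Constructed inventory of every repository in the registry.
ALL_REPOSITORIES = ["billing/api", "web/frontend", "legacy/batch-job"]

def parse_events(text):
    """Parse JSON-lines audit records and attach a datetime for ordering."""
    events = []
    for line in text.splitlines():
        if line.strip():
            record = json.loads(line)
            record["_ts"] = datetime.strptime(record["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(record)
    return events

def last_pushers(events):
    """Map each repository to the identity of its most recent push."""
    latest = {}
    for ev in events:
        if ev.get("OperationName") != "Push" or not ev.get("Identity"):
            continue  # pulls and anonymous records say nothing about ownership
        repo = ev["Repository"]
        if repo not in latest or ev["_ts"] > latest[repo]["_ts"]:
            latest[repo] = ev
    return {repo: ev["Identity"] for repo, ev in latest.items()}

def build_contact_list(all_repos, events):
    """Return (repo -> contact, repos with no push inside the retained logs)."""
    owners = last_pushers(events)
    contacts = {r: owners[r] for r in all_repos if r in owners}
    unowned = sorted(r for r in all_repos if r not in owners)
    return contacts, unowned

if __name__ == "__main__":
    contacts, unowned = build_contact_list(ALL_REPOSITORIES, parse_events(SAMPLE_EVENTS))
    for repo, who in sorted(contacts.items()):
        print(f"{repo}: notify {who}")
    print("no push in retained logs, needs an owner tag:", ", ".join(unowned))
```

When the identity is a CI service principal rather than a person, the contact is whoever owns that pipeline.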
Related
Scenario:
There is an Azure Container Registry (ACR) with many repositories (around 20)
Each repository has different tags like image:dev0.1, dev0.2, prod0.1, prod0.2
There are more than 100 images which include all available tags within each repository
I know about the ACR task, which can be used to update an image automatically when we update its base image.
In my scenario, I need to create more than 100 ACR tasks for each tag and also maintain a backup of old images for recovery in case of production failures.
I would like to know: is there any standard and/or simple way to deal with this case?
I have a container that is needed per customer (about 5000 customers). For each customer that signs up on my website, one container goes up (with a different port) and the customer sends his/her logs to it, then logs are processed and ingested to the data storage container (one for all customers). In Kubernetes (in terms of security and other conditions), is it better to separate each customer container in a specific namespace or not?
It doesn't matter; you can create as many namespaces as you want in Kubernetes. However, if you have any requirement to give K8s access to customers, it would be better to separate them out by namespaces.
Keeping different containers itself creates one layer of separation; however, if you still want to create a virtual env, you can do it and use the namespace.
I am experiencing a sporadic issue running containers on ACI that seems to cause Azure to "lose track" of my container instance and result in an orphaned container. My containers always run successfully, but every now and then I get this weird issue. Some peculiarities:
the container instance will still succeed internally (the code in it runs successfully), and the parent container group even says "Succeeded", but Azure never tells me the container instance itself has been created. It just says "Started". Typically the events you see are Pulling-->Pulled-->Created-->Started. Why is "Created" missing?
I can't view logs of the container without hooking up Azure Log Analytics. The "Logs" tab on the container blade in the Azure portal just says No logs available. Normally you can see the logs of a successful container
in cases of this issue occurring, it tries to pull the image twice (and appears to succeed twice - see image below).
sometimes there will be a 4th event displayed in the portal, "Killed"
I am creating a single-container container group via Logic Apps' Azure Container Instance connector - I do this reliably for many automated workflows. The logic app monitors the container group's state, and pulls the instance's logs and then deletes the group when done. All of my images are hosted on Azure Container Registry. The Python code inside the container pulls data from SQL, generates a PDF report, and posts it on an Azure Blob. I know the code is running/succeeding because I can see the report being posted! I have also hooked up Log Analytics to the container, so I can see my internal python logging. There are NO other errors I see reported by Log Analytics. I get a failure in the logic app though when I try to pull container logs and it can't find them (see bullet point 2 above).
Here's output from log analytics on container events (a more detailed version of above screenshot) - so bizarre that the container REPULLS 10 seconds after the first one successfully pulled. You can then see my first container actually runs successfully and exits with 0, and we then have this orphan container left over that is killed.
I have noticed one thing VERY consistent when this issue occurs. Typically when I look at a successful container creation event in Azure, the event message specifies that it is pulling my image via its tag: myregistry.azurecr.io/riptuskimage:1.2.5. When this issue occurs, the event message specifies that the image is being pulled by its digest instead: myregistry.azurecr.io/riptuskimage#shah256:d98fja.... EVERY time the issue has occurred, I've noticed this. I have no idea why Azure is doing this. I most certainly specify the tag in my creation request.
I have viewed this post and this post and neither really helps.
I've been scratching my head for a while on this one. The fact that it's sporadic (doesn't always happen), and when it does the images pull twice gives me the suspicion it has something to do with my container registry. The image I'm pulling is large - about 1.6GB. I checked the container registry's throttle limits and I don't think a single pull of a 1.6GB image should end up throttling - but the ACI container creation doesn't really give me a way to see if the registry is returning a 429 HTTP error. I'm not pulling anything else at that time.
Anyone have any ideas? Thanks!
Edit: This is a recent phenomenon! I have logic apps in place that have been creating containers for over a year, and this issue only started occurring in the last few weeks (as of this posting 9/24/2021)
When your container is not working properly in Azure Container Instances, start by viewing its logs with az container logs, and stream its standard out and standard error with az container attach.
The az container attach command provides diagnostic information during container startup.
Also view the diagnostic information provided by the Azure Container Instances resource provider. To view the events for your container, run the az container show command.
With this your first problem will be solved. Check this document for more information.
Azure is pulling the container image twice from the Azure Container Registry because the container is taking a long time to start. Because Azure Container Instances pulls your container image on demand, the startup time you see is directly related to its size. One factor that contributes to container startup time in Azure Container Instances is Image Size.
Check this document for more information.
You can solve this problem by adding a delay after pulling your image from the registry in your logic app.
I created a scale set with managed disks and a custom image (something like /subscriptions/<SUB-ID>/resourceGroups/my-rg/providers/Microsoft.Compute/images/my-base-image) and also an ARM template to deploy a new scale set with this custom image.
The template deployment works fine if I deploy to the same subscription where my custom image is located. But it fails when I try to deploy it to another subscription - even if these two subscriptions are part of the same tenant/directory and the user has access to both subscriptions.
So am I right that it's not possible to use a custom image from a different subscription?
If yes: it would be ok (not the best solution, but ok) if I could copy the custom image from subscription A to subscription B - but I can't see a way to copy this resource. I think the only way is to recreate everything and use unmanaged disks, because here I can download and upload the .vhd file from/to the storage account.
Any other ideas?
For now, Azure doesn't support moving a managed image to another subscription. But this function will come soon. Also, I can supply a workaround for this issue.
Create a temporary VM in subscription A using your image.
Move this temporary VM to subscription B.
Capture a new Image and delete the temporary VM.
Then, you can use this image to do what you want to do.
NOTE: Moving a VM to another subscription is very easy. You just need to click the Move button on the VM's overview in the portal.
Also, this link supplies another solution and it may be helpful in your case.
I have some Selenium test code that I need to run in parallel. In order for Selenium to run effectively, certain configurations have to be done on the machine (i.e. zone settings, Chrome and Firefox installs, etc.) and these settings are hard (if not impossible) to apply via an automated approach. I've manually created a VM, done all the setup and created an image following the directions in Microsoft's documentation.
Now I need to set up my code so that I can specify a VM image to use when creating the nodes. I've searched as much as I can and not found any documentation that explains how I can go about doing this. The example in the DotNetTutorial sample doesn't seem to have any way to specify an image.
There is a feedback item here on this same topic, which shows the request as started on Jun 1st 2015. I'm hoping this means that it's done now and that it just hasn't been documented well.
Q: How can I specify a custom VM image as the source for my Azure Batch nodes?
https://github.com/Azure/azure-sdk-for-net/blob/AutoRest/src/Batch/Client/changelog.md
• Added support for deploying nodes using custom VHDs, via the OSDisk property of VirtualMachineConfiguration. Note that the Batch account being used must have been created with PoolAllocationMode = UserSubscription to allow this.
Updated Answer on 2017-12-05:
Custom images are now supported through normal Batch accounts (i.e., Batch service pool allocation mode accounts). You will need to specify a valid ARM Image Id and use Azure Active Directory authentication to create custom images (shared key auth does not support custom images).
Updated Answer on 2017-03-17:
Custom images are now supported through "User Subscription" Batch accounts. You can create these types of accounts in Azure Portal or through the newest management SDKs for supported languages.
Previous Answer:
Currently, custom VM images are not supported. As you noted, this is a feature that is being worked on. In addition to uservoice, you can periodically check for product updates at this site.