How can I find owner of Azure Container Registry Image - azure

I am managing an Azure Container Registry which has a good number of repositories and images inside. From time to time I see security issues with a few images, for which I need to reach out to the image owner to get them fixed, but I don't know how to find the owner of an image. Is there any way I can find the owner of an ACR image, or of an ACR repo at least?
Also, is there a way we can set the image owner while pushing an image from a pipeline?
Cheers
Den

ACR does not record who owns an image.
The activity log records who pushed the image to the repository. Activity logs are kept for 90 days by default.
A strategy is to add labels to images when they are pushed.
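
One way to apply the labelling strategy from a pipeline, as an added example that is not part of the original answer: the build step stamps the standard OCI image labels and refuses to build when no owner is supplied. The function names and the DOCKER override variable are hypothetical, and the owner, source URL and revision are assumed to come from the pipeline's own variables.

```shell
#!/bin/sh
# Added example: record ownership metadata on the image itself at build time.
# build_with_owner, image_owner and the DOCKER override are hypothetical names.
DOCKER=${DOCKER:-docker}   # set DOCKER=echo for a dry run that prints the command

# build_with_owner IMAGE OWNER SOURCE_URL REVISION
# Fails closed: an image without a usable owner is never built.
build_with_owner() {
    image=$1 owner=$2 source_url=$3 revision=$4
    case $owner in
        ''|*[!A-Za-z0-9@._+-]*)
            echo "owner must be a team alias or e-mail address, got: '$owner'" >&2
            return 1 ;;
    esac
    "$DOCKER" build \
        --label "org.opencontainers.image.authors=$owner" \
        --label "org.opencontainers.image.source=$source_url" \
        --label "org.opencontainers.image.revision=$revision" \
        --tag "$image" .
}

# image_owner IMAGE
# Read the owner back from a local or pulled image (empty line if unlabelled).
image_owner() {
    "$DOCKER" inspect --format \
        '{{ index .Config.Labels "org.opencontainers.image.authors" }}' "$1"
}

# Typical pipeline use (values are constructed placeholders):
#   build_with_owner myacr.azurecr.io/app:v_1_0 team-a@example.com \
#       https://example.invalid/team-a/app "$(git rev-parse HEAD)"
#   docker push myacr.azurecr.io/app:v_1_0
```

Labels are part of the image configuration, so they travel with the image through push and pull and can be read long after any push log has expired.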

Related

Azure App service Keeps pulling docker image from docker hub

I have an Azure App Service to host a Docker image from our Azure Container Registry.
The full process is as follows:
Run Pipeline
Run Release pipeline
Azure app pulls the latest release from Azure Container Registry
But what happens is that after each release, for some reason, the app service tries to pull the image from Docker Hub instead of pulling from Azure Container Registry.
Can somebody help me understand where the issue is here?

For your issue, I can guess the problem you have: you must have set the image with the tag as, for example, nginx:latest. But if you push the image to the ACR and need to pull it from the ACR, you must set the image with the tag as myacr.azurecr.io/nginx:latest. In addition, you also need to configure the credentials for your ACR.
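
The naming rule behind that answer, as an added example that is not part of the original post: a reference whose first path component is not a hostname is resolved against Docker Hub, so a release step can check the reference before deploying. The function names are hypothetical, and the rule implemented is the common Docker convention (first component contains a dot or a colon, or is localhost).

```shell
#!/bin/sh
# Added example: work out which registry an image reference will be pulled from.
# registry_of and require_registry are hypothetical helper names.

# registry_of IMAGE_REF -> prints the registry host the runtime will contact
registry_of() {
    ref=$1
    case $ref in
        */*) first=${ref%%/*} ;;   # text before the first slash
        *)   first= ;;             # bare name such as nginx:latest
    esac
    case $first in
        # A hostname has a dot, a port, or is literally "localhost".
        localhost|*.*|*:*) printf '%s\n' "$first" ;;
        # Anything else (empty, "library", a user name) means Docker Hub.
        *) printf 'docker.io\n' ;;
    esac
}

# require_registry EXPECTED_HOST IMAGE_REF
# Fail the release if the image would not come from the expected registry.
require_registry() {
    expected=$1 ref=$2
    actual=$(registry_of "$ref")
    if [ "$actual" != "$expected" ]; then
        echo "image '$ref' resolves to $actual, expected $expected" >&2
        return 1
    fi
}

# Constructed sample references:
#   registry_of nginx:latest                    # docker.io
#   registry_of myacr.azurecr.io/nginx:latest   # myacr.azurecr.io
#   require_registry myacr.azurecr.io nginx:latest   # fails the step
```

Running the check in the release pipeline stops an unqualified name from silently pulling a same-named public image instead of the one built and scanned in the private registry.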

Pull images from an Azure container registry to a Kubernetes cluster

I have followed this tutorial microsoft_website to pull images from an Azure container. My YAML successfully creates a pod job, which can pull the image, BUT only when it runs on the agentpool node in my cluster.
For example, adding nodeName: aks-agentpool-33515997-vmss000000 to the YAML works fine, but when specifying a different node name, e.g. nodeName: aks-cpu1-33515997-vmss000000, the pod fails. The error message I get with describe pods is Failed to pull image and then kubelet Error: ErrImagePull.
What am I missing?

Create secret:
kubectl create secret docker-registry <secret-name> \
--docker-server=<container-registry-name>.azurecr.io \
--docker-username=<service-principal-ID> \
--docker-password=<service-principal-password>

As #user1571823 said, the solution to the problem is deleting the old image from the ACR and creating/pushing a new one.
The problem was related to some sort of corruption in the image saved in the Azure Container Registry (ACR). The reason why one agent pool could pull the image was actually because the image already existed in the VM.
Henceforth, as #andov said, it is a good option to open an incident case with Azure support for AKS from your subscription, where AKS is deployed. The support team has full access to the AKS service backend and they can tell exactly what was causing your problem.

Four things to check:
Is it a subscription issue? Are the nodes in different subscriptions?
Is it a rights issue? Does the service principal of the node have rights to pull the image?
Is it a network issue? Are the nodes on different subnets?
Is there something with the image size or configuration that means that it cannot run on the other cluster?
Edit
New-AzAksNodePool has a parameter -DefaultProfile
It can be AzContext, AzureRmContext, AzureCredential
If this is different between your nodes it would explain the error

How can I update all images in azure container registry when base image is updated

I have a bunch of repositories in an Azure container registry. Each repository can have several versions of an image, tagged like this: imagename:v_1_0 or imagename:v_1_2. Almost all of these images use the base image mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim.
My question is, how do I create an ACR task that updates all of my images when that base image is updated by Microsoft? I have seen tutorials on creating an ACR task, but almost all of them assume that the source code is pushed from GitHub and that I am only updating a single image. I would like to avoid creating a task for n number of images in each repository, but I suppose I could create a job that automatically creates a task whenever I publish from Visual Studio.
Has anyone else solved this problem?

So, if you are building your images via ACR tasks, they do that automatically for the following base images:
The same Azure container registry where the task runs
Another private Azure container registry in the same or a different region
A public repo in Docker Hub
A public repo in Microsoft Container Registry
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tasks-base-images#base-image-notifications
If you are building them outside of ACR and pushing to ACR, you probably need to handle that in the same place you are building them. ACR can't do that for images it's not building (seems fair).

Docker images version change do not trigger terraform container update

I'm using Terraform to create a container on Azure using azure_container_group. My container is based on a Docker image stored in a private registry. When I update this image by pushing a new version with the latest tag, my Docker image has a new SHA256 ... but Terraform does not seem able to trigger this update.
Am I missing something?
Thanks,
Dan

First of all, Azure Container Instance does not have the feature that automatically updates the images. So you need to update the images yourself manually. And Terraform is just a tool to create the Azure Container Instance, you can use it to create a trigger to update the images, but you cannot use Terraform itself to do it.
To automatically update the images, I recommend you use the Azure Container Registry, it provides the trigger on the commit to update the images. Take a look at Automate container image builds in the cloud when you commit source code.

Know number of images in Azure Container Registry

I'm new to Azure Container Registry. How can I know the number of images per repository? Is it possible in the Portal? I also want to know how to do it from the command line.

Well, I will show you something to help you understand the difference between the image tag and the repository.
When you create an image, it must have a tag; then you push the image with the tag to Azure Container Registry. At this point, there will be a repository with the name of your image to store the image manifest and tag.
There will be two conditions:
If you update the image with a new tag and do not change the image name, then you push it to Azure Container Registry. The image will still be stored in the old repository with the new tag. Now your Azure Container Registry has one repository with two tags for the image.
If you update the image with a new tag or still the old one and change the image name, then you push it to Azure Container Registry. It will create a new repository to store the image with the new name. Now you have two repositories, and each one has a tag for the image.
Now, come back to your question:
How can I know the number of images per repository?
If you want to know the number of the images in the same repository, you just need to calculate the number of the tags.
If you want to know the number of the image with different names, you need to calculate the number of repositories.
There is no Azure command to get the number of the images directly; you need to do it yourself. For example, use Azure CLI in bash:
az acr repository list -n yourACR | wc -l
This command will show you a number, but it's not the real number of the repositories. You need to subtract 2. Hope it helps :-)
