I'm deploying an App Service in Azure that has a related container image. I created both the App Service and the image with the Owner user (the only one I have). Still, when I start the App Service I get an error that the "image is not authorized" (see below). How to fix this problem?
The image is created and stored in the registry with no issues.
2021-07-26T15:03:31.157Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
2021-07-26T15:03:37.000Z INFO - Stopping site sofiana because it failed during startup.
2021-07-26T15:06:32.588Z INFO - Starting container for site
2021-07-26T15:06:32.590Z INFO - docker run -d -p 8081:8081 --name sofiana_1_e0d93acf_msiProxy -e PORT=8081 -e WEBSITE_ROLE_INSTANCE_ID=0 -e WEBSITE_HOSTNAME=sofiana.azurewebsites.net -e WEBSITE_INSTANCE_ID=4c49e5ee1c9d26e3d207f81f51be02bb2c4d67839b9f7b25c24fceef7fd9b44e appsvc/msitokenservice:2007200210
2021-07-26T15:06:32.592Z INFO - Logging is not enabled for this container.
Please use https://aka.ms/linux-diagnostics to enable logging to see container logs here.
2021-07-26T15:06:43.616Z INFO - Pulling image from Docker hub: sofacr.azurecr.io/nginx-visualbank:latest
2021-07-26T15:06:43.697Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://sofacr.azurecr.io/v2/nginx-visualbank/manifests/latest: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}
2021-07-26T15:06:43.700Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
2021-07-26T15:06:49.634Z INFO - Stopping site sofiana because it failed during startup.
You need to auth against the repository
az acr login --name sofacr --subscription AZURE-SUB
I have a shell script that deploys containers to Azure Container Instances that runs fine locally using the Azure CLI (on Linux) but I'm having trouble performing the login to Azure from a pipeline task.
Locally the following command will open a browser to login:
docker login azure
The docs suggest that to do the same in a pipeline task I can pass in a client id and client secret. I think that it should look like this:
docker login azure --client-id $servicePrincipalId --client-secret $servicePrincipalKey --tenant-id $tenantId
However, when I run this in my pipeline I get this error:
unknown flag: --client-id
docker login azure --help run locally tells me that --client-id is a valid flag, so I'm wondering is there another way to do this in an Azure DevOps pipeline?
At the moment the problem is that there is no docker CLI azure module installed on Microsoft-hosted agents. Installation instructions can be found here:
https://docs.docker.com/cloud/aci-integration/
The workaround I have used to solve the problem:
- script: |
    # Add the compose-cli module;
    curl -L https://raw.githubusercontent.com/docker/compose-cli/main/scripts/install/install_linux.sh | sh
    # Login to Azure using docker CLI, you can use variables here;
    # Note: Docker#2 task with Login Action will not help here;
    docker login azure --client-id xxx --client-secret yyy --tenant-id zzz
    # Check Context list;
    docker context aci list
    # Create ACI Context;
    docker context create aci myaci --location <Azure Location> --resource-group <RG NAME> --subscription-id <subscription ID>
    # Check It again.
    docker context list
The Azure pipeline task for Docker allows you to use a service connection for the 'docker login' style task. To use a username / password combination, you'll start by creating a Service Connection of type 'Docker Registry'. Then specify 'other' for type. Here you can enter your credentials. The password is obfuscated for security as you would expect.
Now you can use this service connection in your azure devops pipeline docker tasks.
Sources cited:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-registry-service-connection
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-hub-or-others
Deployed an Azure App service for Containers with a custom image (from Centos 7 base image).
Based on the following documentation, there is an environment variable that should be set by Azure and used for creating the REST API request to obtain an access token:
IDENTITY_ENDPOINT - the URL to the local token service.
However, when checking inside the container, this variable is not set:
[root#f22dfd74be31 ~]# echo $IDENTITY_ENDPOINT
(empty result here)
I've also tried to invoke az cli, which fails as well:
[root#f22dfd74be31 ~]# az login -i
AzureConnectionError: Failed to connect to MSI. Please make sure MSI is configured correctly
and check the network connection.
Error detail: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with
url: /metadata/identity/oauth2/token?resource=https%3
A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 (Caused by
NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9e0c4
c72e8>: Failed to establish a new connection: [Errno 110] Connection timed out',))
I've successfully used managed identity with both Virtual Machines and App Service (code deployment, not containers). Is it supported with App Service for containers, with custom containers?
When working with App Service for containers, the "platform" environment variables, including managed identity and app settings, are only available when the container is initialized.
In order to make these variables accessible from the container, the following line must be incorporated in the container startup script (called from Dockerfile ENTRYPOINT):
eval $(printenv | sed -n "s/^\([^=]\+\)=\(.*\)$/export \1=\2/p" | sed 's/"/\\\"/g' | sed '/=/s//="/' | sed 's/$/"/' >> /etc/profile)
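The startup line above copies every environment variable, app settings included, into /etc/profile inside double quotes, where $ and backticks in a value are expanded again when the file is sourced. A narrower variant, as an added example that is not part of the answer or of Azure's documentation: it exports only an allowlist and single-quotes each value. The emit_exports name and the allowlist are assumptions.

```shell
#!/bin/sh
# Added example: write only selected platform variables for login shells,
# single-quoted so $, backticks and double quotes in values stay literal.

# Names to pass through. IDENTITY_HEADER is an assumption: it is not named on
# this page, but App Service sets it alongside IDENTITY_ENDPOINT.
ALLOW='IDENTITY_ENDPOINT IDENTITY_HEADER'

# Print one "export NAME='value'" line per allowlisted variable that is set.
emit_exports() {
  for name in $ALLOW; do
    eval "is_set=\${$name+x}"   # "x" if set (even if empty), "" if unset
    [ -n "$is_set" ] || continue
    eval "value=\$$name"
    # Escape embedded single quotes: ' becomes '\''
    escaped=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
    printf "export %s='%s'\n" "$name" "$escaped"
  done
}

# Constructed demo values, set in a subshell so real ones are not overwritten.
(
  IDENTITY_ENDPOINT='http://localhost:8081/msi/token'
  IDENTITY_HEADER='constructed-$value-with-"quotes"'
  emit_exports
)
# In a container entrypoint: emit_exports >> /etc/profile
```
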
It should support MSI. Make sure you enable the MSI like below.
Besides, step 4 in this doc also mentions the CLI command to enable MSI.
az webapp identity assign --resource-group AppSvc-DockerTutorial-rg --name <app-name> --query principalId --output tsv
I'm trying to use Azure Pipelines for CI and CD.
1- My application image is built and pushed to Azure Container Registry.
2- The release pipeline tries to pull the image from ACR and gets an error.
Logs from container settings:
INFO - Pulling image: registryname/repo:latest
ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://registry-1.docker.io/v2/registryname/repo/manifests/latest: unauthorized: incorrect username or password"}
ERROR - Pulling docker image registryname/repo:latest failed:
INFO - Pulling image from Docker hub: registryname/repo:latest
ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for registryname/repo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}
ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
INFO - Stopping site appname because it failed during startup.
Ss from configuration:
Thanks for your help.
When you use the ACR to store the image and want to deploy the images in it to Azure Web App, you need to set the image name as ACRName.azurecr.io/image:tag, not just the image name and tag. And set the environment variables like:
DOCKER_REGISTRY_SERVER_USERNAME - The username for the ACR server.
DOCKER_REGISTRY_SERVER_URL - The full URL to the ACR server. (For
example, https://my-server.azurecr.io.)
DOCKER_REGISTRY_SERVER_PASSWORD - The password for the ACR server.
And the credential should have enough permissions. When all things are OK, the container logs will look like this:
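The two failures quoted on this page (a pull that goes to Docker Hub because the image name has no registry host, and a pull that reaches ACR but is rejected) can be told apart from the log line and the configured values. The following is an added example, not part of the original answer; the function names and diagnosis keywords are assumptions, and the sample log line is constructed from the format quoted in the question.

```shell
#!/bin/sh
# Added example: triage helpers for App Service image-pull failures.

# Print the registry host Docker will contact for an image reference.
# The first path component is a registry only if it contains '.' or ':'
# or is "localhost"; any other reference is resolved on Docker Hub.
registry_of() {
  case "$1" in
    */*) first=${1%%/*} ;;
    *)   echo "docker.io"; return 0 ;;
  esac
  case "$first" in
    localhost|*.*|*:*) echo "$first" ;;
    *)                 echo "docker.io" ;;
  esac
}

# Map one platform log line to a diagnosis keyword.
classify_pull_error() {
  case "$1" in
    *registry-1.docker.io/v2/*|*"pull access denied"*)
      echo "image-name-missing-registry" ;;  # pull went to Docker Hub, not ACR
    *.azurecr.io/v2/*unauthorized*)
      echo "acr-credentials-rejected" ;;     # ACR reached, credentials absent or wrong
    *) echo "unclassified" ;;
  esac
}

# Read app setting names on stdin (one per line); print the registry
# settings listed in the answer that are absent.
missing_registry_settings() {
  names=$(cat)
  for want in DOCKER_REGISTRY_SERVER_URL DOCKER_REGISTRY_SERVER_USERNAME \
              DOCKER_REGISTRY_SERVER_PASSWORD; do
    printf '%s\n' "$names" | grep -qx "$want" || echo "$want"
  done
}

# Succeed only if the image's registry is the host in DOCKER_REGISTRY_SERVER_URL.
registry_matches_url() {
  host=${2#https://}
  host=${host%%/*}
  [ "$(registry_of "$1")" = "$host" ]
}

# Constructed sample, in the log format quoted in the question.
sample='ERROR - DockerApiException: response={"message":"Get https://registry-1.docker.io/v2/registryname/repo/manifests/latest: unauthorized: incorrect username or password"}'
echo "diagnosis: $(classify_pull_error "$sample")"
echo "registryname/repo:latest resolves to: $(registry_of registryname/repo:latest)"
```

The setting names for missing_registry_settings can come from the output of az webapp config appsettings list, one name per line.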
I am trying to push a Docker image into an Azure Container Registry repository using a PowerShell command as follows:
docker push containerregone.azurecr.io/azure-vote-front:V1
It gives me the following error:
unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
I have tried to find help related to this using the following documentation:
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-faq
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication
but it gives Azure CLI commands.
I have also tried to do this using the following link:
https://stackoverflow.com/questions/50817945/what-is-the-powershell-equivalent-to-az-acr-login#:~:text=There%20is%20no%20single%20powershell,docker%20login%20to%20log%20in.
but they are using docker login. I don't have docker login.
My question:
How can we accomplish this using PowerShell without docker login?
I'm afraid you cannot accomplish that using PowerShell without the command docker login. Let's take a look at the command for the ACR credential.
When you use the CLI command az acr login with the ACR directly without a docker daemon running, then you will get an error similar to this:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is
the docker daemon running?
It means the CLI command az acr login depends on the docker server. When you run the CLI command az acr login --expose-token as the document shows, it just exposes the access token of the ACR without login for docker. You also need to log in yourself for docker. You can see the details here.
For the PowerShell for ACR, the only one is to get the ACR credential: Get-AzContainerRegistryCredential. But it gets the passwords for you only. It's not the access token, nor will it log in for you.
So, if you want to use PowerShell command to get the ACR credential, then you also need to log in yourself with the docker command.
Before you push or pull to Azure, you need to log in first, by az-cli
az login
az acr login -n your-registry
or by docker
docker login your-registry.azurecr.io
I have a Linux App Service deployed within Azure, using an image from a private Azure Container Registry.
The service was up and running fine, and despite there being no changes to the image (no new pushes), the App Service was redeployed. I understand this to be an expected part of how Azure handles containers, swapping instances in and out as it sees fit.
However, this image is no longer able to deploy successfully, here are the logs from Kudu (names changed):
2018-04-09 07:28:11.817 INFO - Starting container for site
2018-04-09 07:28:11.818 INFO - docker run -d -p 36165:8080 --name my-service_0 -e WEBSITES_ENABLE_APP_SERVICE_STORAGE=false -e WEBSITES_PORT=8080 -e WEBSITE_SITE_NAME=my-service -e WEBSITE_AUTH_ENABLED=False -e WEBSITE_ROLE_INSTANCE_ID=0 -e WEBSITE_INSTANCE_ID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -e HTTP_LOGGING_ENABLED=1 myacr.azurecr.io/images/my-image:latest
2018-04-09 07:28:14.200 INFO - Issuing docker pull myacr.azurecr.io/images/my-image:latest
2018-04-09 07:28:14.327 ERROR - docker pull returned STDERR>> Error response from daemon: Get https://myacr.azurecr.io/v2/images/my-image/manifests/latest: unauthorized: authentication required
Here are the results of pulling the image locally:
docker pull myacr.azurecr.io/images/my-image:latest
latest: Pulling from images/my-image
53478ce18e19: Already exists
d1c225ed7c34: Already exists
c6724ba0c09a: Already exists
377ae380bb14: Pulling fs layer
ab6e212b3598: Pulling fs layer
377ae380bb14: Downloading
ab6e212b3598: Verifying Checksum
ab6e212b3598: Download complete
unknown blob
I'm fairly sure that the image was successfully deployed 3 days ago and that there have been no pushes to the tag since then.
Is there anything I can do to recover this image?
Is there any way I could have known this deployment had started failing?
It seems your Web App for Containers instance is unable to authenticate with Azure Container Registry.
The Azure Container Registry to Linux Web App connection is a bit problematic at times. Using the "private registry" tab on the container settings page instead of ACR usually solves the problem for me.
Just provide your ACR repo credentials as below instead of selecting your repo on the ACR tab.