Azure Release Pipeline fails when try to pull image from ACR - azure

I try to use Azure pipelines for ci and cd.
1- My application image is built and pushed to azure container registry.
2- Release pipeline try to pull image from ACR it gets error.
Logs from container settings:
INFO - Pulling image: registryname/repo:latest
ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://registry-1.docker.io/v2/registryname/repo/manifests/latest: unauthorized: incorrect username or password"}
ERROR - Pulling docker image registryname/repo:latest failed:
INFO - Pulling image from Docker hub: registryname/repo:latest
ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for registryname/repo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}
ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
INFO - Stopping site appname because it failed during startup.
Ss from configuration:
Thanks for your help.

When you use the ACR to store the image and want to deploy the images in it to Azure Web App, you need to set the image name as ACRName.azurecr.io/image:tag, not just the image name and tag. And set the environment variables like:
DOCKER_REGISTRY_SERVER_USERNAME - The username for the ACR server.
DOCKER_REGISTRY_SERVER_URL - The full URL to the ACR server. (For
example, https://my-server.azurecr.io.)
DOCKER_REGISTRY_SERVER_PASSWORD - The password for the ACR server.
And the credential should have enough permissions. When all things are OK, the container logs will look like this:

Related

How can I create a Dockerfile FROM an Image in Azure Container Registry?

I've pushed an Image (which is a version of R + some libraries) on my private Azure Container Registry. How can build an Image starting from this Image?
In other words, I want to do "FROM registry/env:version" but I'm pretty sure that I need to use other settings to access my repository.
Thanks for help!
You should login your Docker daemon to your Azure Container Registry using the following command : docker login myregistry.azurecr.io --username $SP_APP_ID --password $SP_PASSWD
Then, using the fully qualified path for your image in the Dockerfile should work automatically, as long as the identity provided in the first step (login) has the rights to pull this image.
Sorry I'm trying to figure out your answer, I'm trying to pull a docker image from my Azure Container Registry and build it and push it back to a new repository. I'm starting my Dockerfile as
FROM xxxxxx.azurecr.io/php-7.4:latest AS compiled
how to configure the docker daemon in azure pipelines world?

Azure App Service cannot access image in registry [duplicate]

This question already has answers here:
How to authenticate with Azure ACR from Azure container app service
(4 answers)
How to configure an Azure app service to pull images from an ACR with terraform?
(2 answers)
Azure Container Registry authorization for Azure Web App
(1 answer)
Closed 1 year ago.
I'm deploying an App Service in Azure that has a related container image. I created both the App Service and the image with the Owner user (the only one I have). Still, when I start the App Service I get an error that the "image is not authorized" (see below). How to fix this problem?
The image is created and stored in the registry with no issues.
2021-07-26T15:03:31.157Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
2021-07-26T15:03:37.000Z INFO - Stopping site sofiana because it failed during startup.
2021-07-26T15:06:32.588Z INFO - Starting container for site
2021-07-26T15:06:32.590Z INFO - docker run -d -p 8081:8081 --name sofiana_1_e0d93acf_msiProxy -e PORT=8081 -e WEBSITE_ROLE_INSTANCE_ID=0 -e WEBSITE_HOSTNAME=sofiana.azurewebsites.net -e WEBSITE_INSTANCE_ID=4c49e5ee1c9d26e3d207f81f51be02bb2c4d67839b9f7b25c24fceef7fd9b44e appsvc/msitokenservice:2007200210
2021-07-26T15:06:32.592Z INFO - Logging is not enabled for this container.
Please use https://aka.ms/linux-diagnostics to enable logging to see container logs here.
2021-07-26T15:06:43.616Z INFO - Pulling image from Docker hub: sofacr.azurecr.io/nginx-visualbank:latest
2021-07-26T15:06:43.697Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://sofacr.azurecr.io/v2/nginx-visualbank/manifests/latest: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}
2021-07-26T15:06:43.700Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
2021-07-26T15:06:49.634Z INFO - Stopping site sofiana because it failed during startup.
You need to auth against the repository
az acr login --name sofacr --subscription AZURE-SUB

Push docker image into azure container registries repository using powershell

I am trying to push docker image into azure container registries repository using power-shell command as follows:-
docker push containerregone.azurecr.io/azure-vote-front:V1
it gives me following error
unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
I have tried to find help related to this using following documentation
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-faq
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication
but it gives Azure CLI commands.
I have also tried to do this using following link
https://stackoverflow.com/questions/50817945/what-is-the-powershell-equivalent-to-az-acr-login#:~:text=There%20is%20no%20single%20powershell,docker%20login%20to%20log%20in.
but they are using docker login. i don't have docker login.
My Question :-
How can we accomplish this using power-shell without docker login?
I'm afraid you cannot accomplish that using PowerShell without the command docker login. Let's take a look at the command for the ACR credential.
When you use the CLI command az acr login with the ACR directly without a docker daemon running, then you will get the error similar with this:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is
the docker daemon running?
It means the CLI command az acr login depends on the docker server. When you run the CLI command az acr login --expose-token as the document shows, it just exposes the access token of the ACR without login for docker. You also need to log in yourself for docker. You can see the details here.
For the PowerShell for ACR, the only one is to get the ACR credential: Get-AzContainerRegistryCredential. But it gets the passwords for you only. It's not the access token, nor will log in for you too.
So, if you want to use PowerShell command to get the ACR credential, then you also need to log in yourself with the docker command.
Before push or pull, to azure, you need to login first by az-cli
az login
az acr login -n your-registry
or by docker
docker login your-registry.azurecr.io

Unable to deploy specific image to App Service from Azure Container Registry

I have a Linux App Service deployed within Azure, using an image from a private Azure Container Registry.
The service was up and running fine, and despite there being no changes to the image (no new pushes), the App Service was redeployed. I understand this to be an expected part of how Azure handles containers, swapping instances in and out with as it sees fit.
However, this image is no longer able to deploy successfully, here are the logs from Kudu (names changed):
2018-04-09 07:28:11.817 INFO - Starting container for site
2018-04-09 07:28:11.818 INFO - docker run -d -p 36165:8080 --name my-service_0 -e WEBSITES_ENABLE_APP_SERVICE_STORAGE=false -e WEBSITES_PORT=8080 -e WEBSITE_SITE_NAME=my-service -e WEBSITE_AUTH_ENABLED=False -e WEBSITE_ROLE_INSTANCE_ID=0 -e WEBSITE_INSTANCE_ID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -e HTTP_LOGGING_ENABLED=1 myacr.azurecr.io/images/my-image:latest
2018-04-09 07:28:14.200 INFO - Issuing docker pull myacr.azurecr.io/images/my-image:latest
2018-04-09 07:28:14.327 ERROR - docker pull returned STDERR>> Error response from daemon: Get https://myacr.azurecr.io/v2/images/my-image/manifests/latest: unauthorized: authentication required
Here are the results of pulling the image locally:
docker pull myacr.azurecr.io/images/my-image:latest
latest: Pulling from images/my-image
53478ce18e19: Already exists
d1c225ed7c34: Already exists
c6724ba0c09a: Already exists
377ae380bb14: Pulling fs layer
ab6e212b3598: Pulling fs layer
377ae380bb14: Downloading
ab6e212b3598: Verifying Checksum
ab6e212b3598: Download complete
unknown blob
I'm fairly sure that the image was successfully deployed 3 days ago and that there has been no pushes to the tag since then.
Is there anything I can do to recover this image?
Is there any way I could have known this deployment had started failing?
It seems your Web App for Containers instance is unable to authenticate with Azure Container Registry.
The Azure Container Registry to Linux Web App connection is a bit problematic at times. Using the "private registry" tab on the container settings page instead of ACR usually solves the problem for me.
Just provide your ACR repo credentials as below instead of selecting your repo on the ACR tab.

How to pull from GitLab's Docker Registry in .gitlab-ci.yml?

I recently switched on GitLab's Docker Registry feature and it works quite well on my desktop. The next step for us is to use the registry when building our software via GitLab CI. Instead of build a docker image, which is described in various ways in the documentation and on several medium.com posts which the official twitter account mentions, I can not find a way to pull our own images from GitLab's registry.
If we specify an image from the registry via the image directive in .gitlab-ci.yml we get an authorization error (I expected that the worker perhaps authorize themselves transparently, but this is not the case):
Running with gitlab-ci-multi-runner 1.4.1 (fae8f18)
Using Docker executor with image registry.host.tld/NAMESPACE/PROJECT:latest ...
Pulling docker image registry.host.tld/NAMESPACE/PROJECT:latest ...
ERROR: Build failed (system failure): API error (500): Get https://registry.host.tld/v2/NAMESPACE/PROJECT/manifests/latest: error parsing HTTP 403 response body: no error details found in HTTP response body: "{\"message\":\"forbidden\",\"status\":\"error\",\"http_status\":403}"
So someone on the worker should call docker login. Two problems with that:
We authenticate our users via LDAP. Should we really create a static user just for the CI server?
We have quite a few worker running here. That's a lot of work to SSH'd into every single one.
Do I have overlooked something very obvious or should I go the route of docker login on every worker node?
We run GitLab 8.10.6.
I had this problem, too.
There is also an issue about that on the gitlab-ci-multi-runner project:
https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/issues/1663
Refering to the docs you should just Login in to the private registry on the machine qhere the gitlab-runner runs:
enter link description here
If you are using the gitlab-runner inside a docker container you have to mount the file with the login credentials into the gitlab runner container.
So the command to run the gitlab container looks like this:
docker run -d --name gitlab-runner --restart always \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /srv/gitlab-runner/config:/etc/gitlab-runner \
-v /root/.docker/config.json:/root/.docker/config.json \
gitlab/gitlab-runner
Refering to this example root musst login to the registry:
docker login https://registry.host.tld:5000
The important part here is the URI for the registration. I got an error similar to your's and overcame it by running:
docker login https://registry.host.tld:5000/v2/
This may be different on other registries, you have to look at the eoor message and use the part before 'namespace/project/ as login path.
E.g. if the Error message looks like this:
ERROR: Build failed (system failure): API error (500):
Get https://registry.host.tld/v1/NAMESPACE/PROJECT/manifests/latest:
error parsing HTTP 403 response body: no error details found in HTTP response body: "
{\"message\":\"forbidden\",\"status\":\"error\",\"http_status\":403}"
The login musst be:
docker login https://registry.host.tld/v1/
Hope this helps.

Resources