I have a weird issue, possible I am missing something. The web app is created as a container with default settings(Quickstart) and I am using Azure Container Registry to push my docker image. I have pipeline which logins to the ACR, build and pushes image, and then deploys the image to the web app. All these tasks are successful. But when I got to the webapp in azure portal, the image source is set to docker hub and not the Azure Container registry.The full inage name and tag are of the ACR. Any suggestion what I am missing?
Update: I have added the pipeline.yml file for reference, if it helps. I am logging in to registry while pushing docker image, I confirm that the image is push in the ACR.
- task: Docker#2
displayName: Login to QA Azure Container Registry
inputs:
command: login
containerRegistry: $(azureSubscriptionContainer) #Docker Registry type Service connection
- task: Docker#2
displayName: Build and Push
inputs:
command: buildAndPush
repository: $(repository) #custom name of repository in ACR
tags: $(Build.BuildId)
- task: AzureRMWebAppDeployment#4
displayName: Azure App Service Deploy
inputs:
appType: webAppContainer
ConnectedServiceName: $(azureSubscription) #ARM service connection
WebAppName: $(webApp)
DockerNamespace: $(dockerNameSpace) #ACR namespace myacr.azurecr.io
DockerRepository: $(repository) #custom name of repository in ACR
DockerImageTag: $(Build.BuildId)
TLDR: You need to either select the repository in the UI; or add the credentials via ARM or AzureCLI.
https://learn.microsoft.com/en-us/azure/devops/pipelines/targets/webapp-on-container-linux?view=azure-devops&tabs=dotnet-core%2Cyaml#configure-registry-credentials-in-web-app
You can use your deployment task like you are doing right now, not all developers need access to the WebApp. However, you need to set up the credentials to the registry at least once. The UI will basically show its "best guess" for how to intepret the underlying configuration.
https://learn.microsoft.com/en-us/azure/app-service/containers/tutorial-custom-docker-image#configure-registry-credentials-in-web-app
You could also do that with every pipeline run, tough I would not recommend that.
Sidenote: You can also have your webapp automatically pull a certain tag whenever it is updated in the container registry if you select "Continuous deployment".
Create App Service with CLI:
az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app-name> --deployment-container-image-name <azure-container-registry-name>.azurecr.io/mydockerimage:v1.0.0
This is for public images, but according the documentation if you want to use private image you must also configure registry credentials to yours Web App and if this is not Docker registry you must provide -docker-registry-server-url:
az webapp config container set --name <app-name> --resource-group myResourceGroup --docker-custom-image-name <azure-container-registry-name>.azurecr.io/mydockerimage:v1.0.0 --docker-registry-server-url https://<azure-container-registry-name>.azurecr.io --docker-registry-server-user <registry-username> --docker-registry-server-password <password>
Related
There are a lot of questions that seem tangentially related to this, but unfortunately, I've not been able to tie these disparate bits of information together to get to a solution.
I'm trying to use a custom docker image with an Azure function and have been following along with this guide.
I've been building up these steps inside a devops pipeline so I can accurately reproduce them, and I've got that working fine as far as provisioning is concerned.
However, I'm struggling when it comes to actually uploading the built image to the ACR.
I've found this yaml snippet in the documentation:
- task: Docker#2
displayName: Build and push an image to container registry
inputs:
command: buildAndPush
repository: "xxx"
dockerfile: "xxx"
containerRegistry: "xxx"
imageRepository: "xxx"
tags: "xxx"
However, when I fill this out with the url for our ACR as the container registry, I get an error about needing to use a service reference.
Now, I've looked through the docs pretty extensively and I can't quite work out how this is all meant to tie together in a devops pipeline...
I've tried to come up with something like this:
resources:
containers:
- container: "xxx" # name of the container (Alias)
type: ACR # type of registry
azureSubscription: arm-connection # name of the ARM service connection
resourceGroup: "$(resourceGroupName)" # Azure resource group with the container
registry: "$(dockerRegistryName)" # Azure container registry name
repository: "xxx" # name of the of container image collection
trigger:
tags:
- "$(dockerTag):$(dockerVersion)" # tag for the container image to use
But that looks like it's creating a pointer to a specific container rather than to the registry...
So yeah, I'm a bit stuck... Could someone please help by pointing out what I'm misunderstanding here and ideally providing an example of how I can build and push an image to the ACR?
Command called buildAndPush allows for build and push of images to a container registry in a single command, you can find an example in Azure DevOps documentation
You will need to create Service Connection for Azure Container Registry in your Azure DevOps to configure an access, please see doc
The following YAML snippet is an example of building and pushing an image to ACR
steps:
- task: Docker#2
displayName: Build and Push
inputs:
command: buildAndPush
containerRegistry: azureContainerRegistryServiceConnectionName
repository: repositoryName
Dockerfile: '**/Dockerfile'
buildContext: .
addPipelineData: true
tags: |
tag1
I am trying to automate my deployment process by creating a pipeline in Azure DevOps that does the following
Build my project, create a docker image, then pushed the image to a private Azure Registry service.
Deploy the image on a slot called staging in Azure Web Service.
Here is the .yaml file that I am using
trigger:
- master
resources:
- repo: self
variables:
dockerRegistryServiceConnection: 'MyPrivateRegistry'
imageRepository: 'MyPrivateRepositoryName'
containerRegistry: 'MyPrivateRepositoryName.azurecr.io'
dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
tag: '$(Build.BuildId)'
azureSubscription: 'MyPrivateSubscribtionName(5c4b9a4b-private-subscribtion-id-91503531e1a0)'
appName: 'private_appname'
resourceGroupName: 'PrivateResourceGroup'
vmImageName: 'ubuntu-latest'
stages:
- stage: Build
displayName: Push and Build
jobs:
- job: Build
displayName: Build
pool:
vmImage: $(vmImageName)
steps:
- task: Docker#2
displayName: Build and push an image
inputs:
command: buildAndPush
repository: $(imageRepository)
dockerfile: $(dockerfilePath)
containerRegistry: '$(dockerRegistryServiceConnection)'
tags: |
$(tag)
- job: DeployToStaging
displayName: Deploy To staging
dependsOn: Build
condition: succeeded()
pool:
vmImage: $(vmImageName)
steps:
- task: AzureWebAppContainer#1
inputs:
azureSubscription: $(azureSubscription)
appName: $(appName)
deployToSlotOrASE: true
resourceGroupName: $(resourceGroupName)
slotName: 'staging'
containers: '$(containerRegistry)/$(imageRepository):$(tag)'
The projects is built successfully and pushed to the private registry as expected. I can verify that the new image in pushed with a new tagId. However, my container fails to start with the following error
Image pull failed since Inspect image returned null: MyPrivateRepositoryName.azurecr.io/MyPrivateRepositoryName:151
Here is the suggestion I see
Please check the repository name, image name, and container definitions defined by DOCKER_REGISTRY_SERVER_USERNAME, DOCKER_REGISTRY_SERVER_URL, and DOCKER_REGISTRY_SERVER_PASSWORD.
When I go to the staging slot configuration I see the following and the values are all correct. I copied these values from the "Access keys" section in the Container Registry service after enabling the Admin user
What am I missing here? How can I get the slot to correctly pull the docker image from the contain registry?
Updated
Looking more at the logs gives me this error
2022-04-01T20:36:21.409Z ERROR - Pull image threw Exception: Input string was not in a correct format.
2022-04-01T20:36:21.411Z INFO - Pulling image from Docker hub: privateregistry.azurecr.io/privateimage:152
2022-04-01T20:36:21.594Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://privateregistry.azurecr.io/v2/privateimage/manifests/152: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}
It sounds like something does not have permission to pull the docker image from the repository. Question is what object need to have this permission? Would I add permission to the private repository of would I add it to the Web Service?
Few things you can check if Enable Admin Access does not work.
Is your app service in the same subscription as your ACR? If not, try moving it to the same subscription.
In Azure Portal -> App Service -> Deployment Center, see if you have conflicting settings. If it's empty, try set up the container registry information here instead of passing in app settings as env variables.
If still having errors, I recommend you creating another credential to login to ACR instead of using the admin one. (For this, it won't involve system identity or managed identity)
Register a new app in Azure that will read from ACR
In ACR -> Access Control -> give this app ACR PULL permission
Replace your app service app setting with the following
DOCKER_REGISTRY_SERVER_USERNAME = Client Id of the created app
DOCKER_REGISTRY_SERVER_PASSWORD = Client Secret of the created app
Push and image to Azure Container Registry task in Azure DevOps pipeline fails. Previous tasks are executed fine ie. docker image is created and login to ACR is successful. However, push-task fails with the following result:
unauthorized: authentication required
[error]unauthorized: authentication required
[error]/usr/bin/docker failed with return code: 1
[section]Finishing: Push Docker image
docker push to that given acr works fine from local command line.
# Docker image
# Build a Docker image to deploy, run, or push to a container registry.
# Add steps that use Docker Compose, tag images, push to a registry, run an image, and more:
# https://learn.microsoft.com/azure/devops/pipelines/languages/docker
trigger:
- master
pool:
vmImage: 'Ubuntu-16.04'
variables:
imageName: 'renamed:$(build.buildId)'
azureSubscriptionEndpoint: Renamed
azureContainerRegistry: renamed.azurecr.io
steps:
- task: Docker#1
displayName: Build docker image
inputs:
command: Build an image
dockerFile: Dockerfile
imageName: $(imageName)
containerregistrytype: Azure Container Registry
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureContainerRegistry: $(azureContainerRegistry)
- task: Docker#1
displayName: Login to container registry
inputs:
command: login
containerregistrytype: Azure Container Registry
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureContainerRegistry: $(azureContainerRegistry)
dockerFile: Dockerfile
imageName: $(imageName)
- task: Docker#1
displayName: Push Docker image
inputs:
command: Push an image
containerregistrytype: Azure Container Registry
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureContainerRegistry: $(azureContainerRegistry)
imageName: $(imageName)
I had the same issue when I used an Azure Container Registry Service Connection in Azure DevOps.
The work around was to not choose ‘Azure Container Registry’ when creating the Docker Registry Service Connection and to instead choose ‘Others’. Then in the Azure Portal enable admin user on your container registry and use the credentials from that to create the service connection.
remove the docker login step from your build, docker tasks handle auth for you using azure subscription endpoint (if it is properly configured), if not - give your service principal permissions to acrpush).
I had this issue when pushing a docker image to Azure Container Registry.
I get the error
unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
Here's how I fixed it:
My user already had the Owner role to the Container Registry so I had the permission to push and pull images.
The issue was that the admin_user was not enabled in the Azure Container Registry.
All I had to do was to enable the admin user. This generates a username, password, and password2.
Next, you can log in now to Azure Container Registry using the command:
az acr login --name my-container-registry
Tag your docker image
docker tag image-name:image-tag my-container-registry.azurecr.io/image-name:image-tag
And now push image to Azure Container Registry using the command:
docker push my-container-registry.azurecr.io/image-name:image-tag
That's all
Case sensitive issue
I created an ACR name: blaH
I can login: az acr login -n blaH
Uppercase characters are detected in the registry name. When using its server url in docker commands, to avoid authentication errors, use all lowercase.
Login Succeeded
docker build -f Dockerfile -t blaH.azurecr.io/some-app:1.0 ..
unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
switch to lowercase h, i.e. docker build -f Dockerfile -t blah.azurecr.io/some-app:1.0 .. & success 🎉:
1.0: digest: sha256:b1e6749eae625e6a3fca3eea36466530460e8cd544af67e88687139a37522ba6 size: 1495
note: it even tells me/us but I wasn't reading it 🤦♂️, see the warning printed in yellow in the CLI on acr login.
note 2: I stumbled upon this on reviewing the azure portal & notice the login server was all lowercase:
Go to Project Settings --> Service connection --> Edit --> revalidate the permission
should fix the problem
In my case I am tagging my images with 433.
ex: <containerRegistryName>.azurecr.io:443/<imageName>
after removing the 433, and tried to push again, it succeeded!
I had to drop sudo on my final command as nothing was working for me:
docker push acrname.azurecr.io/image:version
I try to build a CI/CD Pipeline with Azure Devops.
My goal is to
Build a docker Image an upload this to a private docker Respository in Dockerhub within the CI Pipeline
Deploy this image to an Azure Kubernetes Cluster within the CD Pipeline
The CI Pipeline works well:
The image is pushed successfully to dockerhub
The pipeline docker push task:
steps:
- task: Docker#1
displayName: 'Push an image'
inputs:
containerregistrytype: 'Container Registry'
dockerRegistryEndpoint: DockerHubConnection
command: 'Push an image'
imageName: 'jastechgmbh/microservice-demo:$(Build.BuildId)'
After that I trigger my release pipeline manually an it shows success as well
The apply pipeline task:
steps:
- task: Kubernetes#0
displayName: 'kubectl apply'
inputs:
kubernetesServiceConnection: MicroserviceTestClusterConnection
command: apply
useConfigurationFile: true
configuration: '$(System.DefaultWorkingDirectory)/_MicroservicePlayground-MavenCI/drop/deployment.azure.yaml'
containerRegistryType: 'Container Registry'
dockerRegistryConnection: DockerHubConnection
But when I check the deployment on my kubernetes dashboard an error message pops up:
Failed to pull image "jastechgmbh/microservice-demo:38": rpc error: code = Unknown desc = Error response from daemon: pull access denied for jastechgmbh/microservice-demo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
I use the same dockerhub service connection in the CI & CD Pipeline.
I would be very happy about your help.
I believe this error indicates your kubernetes cluster doesnt have access to docker registry. You'd need to create docker secret for that. like so:
kubectl create secret generic regcred \
--from-file=.dockerconfigjson=<path/to/.docker/config.json> \
--type=kubernetes.io/dockerconfigjson
or from command line:
kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
Configure ACR integration for existing AKS clusters
az aks update -n myAKSClusterName -g myAKSResourceGroupName --attach-acr acr-name
https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration
Solved the issue for me
The answer above is correct, just need to add that you have to put imagePullsecrets on your deployment. Read the link provided on the other answer, it explain it in detail:
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
I am deploying containers from Azure Container Registry using Azure Release and the Azure App Service Deploy task. I have a Subscription Level Service connection defined. Container Registry Settings are set as:
Registry or Namespace: <registry>.azurecr.io
Image: rrez/vnext/dev/booking
Tag: latest
Startup command: "dotnet", "Booking.API.dll"
The task completes successfully, but when reviewing in Container Log on the App Service I see:
2019_02_25_RD00155D9B2488_docker.log:
2019-02-25 22:27:07.101 INFO - Issuing docker pull: imagename =<registry>.azurecr.io/rrez/vnext/dev/booking:latest
2019-02-25 22:27:07.260 INFO - Issuing docker pull: imagename =<registry>.azurecr.io/rrez/vnext/dev/booking:latest
2019-02-25 22:27:07.410 INFO - Issuing docker pull <registry>.azurecr.io/rrez/vnext/dev/booking:latest
2019-02-25 22:27:07.487 ERROR - docker pull returned STDERR>> Error response from daemon: Get https://<registry>.azurecr.io/v2/rrez/vnext/dev/booking/manifests/latest: unauthorized: authentication required
This seems to be an ACR access issue, but I would expect the Subscription Level Service Connection to be authority enough.
Since this is Azure Release there is no YAML configuration available to add additional authentication details.
I pasted the YAML from the Release Task into the successfully completing Build and received the same error.
The YAML is:
- task: AzureRmWebAppDeployment#4
displayName: 'Azure App Service Deploy: P-RREZ-BOOKING-PREPROD'
inputs:
ConnectionType: AzureRM
azureSubscription: 'RightRez.Services SubscriptionSC'
appType: webAppContainer
WebAppName: 'P-RREZ-BOOKING-PREPROD'
deployToSlotOrASE: true
ResourceGroupName: '<ResourceGroup>-RG'
DockerNamespace: <registry>.azurecr.io
DockerRepository: rrez/vnext/dev/booking
DockerImageTag: latest
StartupCommand: '"dotnet", "Booking.API.dll"'
Not sure where the problem lies.
Have you set the Access level in the ACR? If not please try setting up one from here. I had similar issue and I tried setting up the role assignment and it worked.