Azure image instance: credential rejected - azure

I have pushed an image to an azure repository correctly, and can see it in the portal. I can also pull with credentialed docker on my local computer after az acr login --name <registry>
I have turned on "admin" in the portal, and can see a username "<username>" and password, "<password>" for the registry
I have installed the az tool (Azure CLI), and have stepped through the tutorials here:
Azure Container Instances
Azure Container Instance Guide
I have run the following command with every combination of user name and password I can think of, from my azure account to the registry admin pass, the second pass, no uid and pass, pre-logging in with az acr login --name <registry name>, etc.
I have performed the same iterations from the Azure portal
In all cases, I receive an error: registry image is inaccessible, please check your credentials.
How do I access the registry and deploy to an instance in Azure?
Here is an anonymized command line example, wherein I use the admin login and password each time.
# image is fully qualified.
# image = server.azurecr.io/tag:version
(base) PS C:\...> az container create --resource-group group --name name \
--image image --cpu 1 --memory 1 \
--registry-login-server server.azurecr.io \
--registry-username server \
--dns-name-label label \
--ports 80
Image registry password: ...
The image 'image' in container group 'group' is not accessible.
Please check the image and registry credential.
# and a success with the same credentials
(base) PS C:\...> docker login server.azurecr.io
Username: server
Password: ...
Login Succeeded

You need to fully qualify the image name with registry name like this
az container create --resource-group demors --name demoaci --image demoacr.azurecr.io/hello-world:v1 --cpu 1 --memory 1 --registry-login-server demoacr.azurecr.io --registry-username demoacr --registry-password ThePassword --dns-name-label demo3 --ports 80

I had similar error while using uppercase characters in the registry name. Since then I'm using lowercase only in my registry names as practice. The below warning message has been shown during the 'az acr login' in my case:
Uppercase characters are detected in the registry name. When using its server url in docker commands, to avoid authentication errors, use all lowercase.

In my case the InaccessibleImage error only occured in the Visual Studio Code terminal. Using the same command in a different terminal worked.

Related

Cannot get Azure container network profile Id

We are actually deploying container to Azure using Azure CLI and the create command as specify the sample documentation below :
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet
In this dosucmentation it is clearly specify from the sample command below that when the container and the Vnet/Subnet gets created, azure create for you a Network Profile Id ( that is need for yaml deplyoement)
az container create --name appcontainer --resource-group myResourceGroup --image mcr.microsoft.com/azuredocs/aci-helloworld --vnet aci-vnet --vnet-address-prefix 10.0.0.0/16 --subnet aci-subnet --subnet-address-prefix 10.0.0.0/24
After the container gets created successfully you are supposed to get Network profile name or ID, which you can obtain using "az network profile list"
Which in fact does not return anything
UPDATE :
I update m Azure CLI to 2.30 in powershell but the result is the same the output of the command return nohing even if container and vnet gets succesfully created
Output result
Thanks for your help
regards
I have tested in my environment.
I deployed a container to a new virtual network using the below command:
az container create --name appcontainer --resource-group myResourceGroup --image mcr.microsoft.com/azuredocs/aci-helloworld --vnet aci-vnet --vnet-address-prefix 10.0.0.0/16 --subnet aci-subnet --subnet-address-prefix 10.0.0.0/24
The container got successfully created.
To get the Network Profile ID, I used the below command:
az network profile list --resource-group myResourceGroup --query [0].id --output tsv
In this way, we can fetch the Network Profile ID
If network profile is not getting created using CLI, try using ARM template
The same happened to me. I solve it using Azure CLI version 2.27.2. Any newer version leaves me with the same problem.
There seems to be a problem with the latest versions of the Azure CLI

Azure Container - can not login to private registry "Error response received from the docker registry"

from Azure we try to create container using the Azure Container Instances with prepared YAML.
From the machine where we execute az container create command we can login successfully to our private registry (e.g private.dev on JFrog Artifactory ) after entering password
docker login private.dev -u svc-faselect
Login succeeded
We have YAML file for deploy, and trying to create container using the az command from the SAME server.
az container create --resource-group FRONT-SELECT-NA2 --registry-login-server="private.dev"
--registry-username=svc-faselect --registry-password="..." --file ads-azure.yaml
An error response is received from the docker registry 'private.dev'. Please retry later.
I have only one image in my YAML file.
I am having real big problem to debug why this error is returned since Error response does not provide any useful information.
Search among the similar network issues but without success:
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-troubleshoot-access
I see few moments that could be the reason of your problem.
There should be no = at az container create options
--registry-login-server --registry-password and --registry-username
https://learn.microsoft.com/en-us/cli/azure/container?view=azure-cli-latest#az_container_create-examples
Command should look like
az container create --resource-group FRONT-SELECT-NA2 --registry-login-server jfrogtraining-docker-dev.jfrog.io --registry-username svc-faselect --registry-password "..." --file ads-azure.yaml

Azure CLI cannot conect to the Docker Daemon

I'm new with Kubernetes and Azure. I want to Deply my application and I am floowing the microsoft tutorial about kubernetes. At first I have created the resouce group and ACR instance. When I try to login in ACR console show this error:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
I'm using azure cli localy and I have docker running.
You can try below options to connect ACR :
run az acr login first with the --expose-token parameter. This option exposes an access token instead of logging in through the Docker CLI.
az acr login --name <acrName> --expose-token
Output displays the access token, abbreviated here:
{
"accessToken": "eyJhbGciOiJSUzI1NiIs[...]24V7wA",
"loginServer": "myregistry.azurecr.io"
}
For registry authentication, we recommend that you store the token credential in a safe location and follow recommended practices to manage docker login credentials. For example, store the token value in an environment variable:
TOKEN=$(az acr login --name <acrName> --expose-token --output tsv --query accessToken)
Then, run docker login, passing 00000000-0000-0000-0000-000000000000 as the username and using the access token as password:
docker login myregistry.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password $TOKEN
you will get the below promt if you follow the above method :
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
Seems your Docker Desktop is not running. Make sure you installed the Docker for Desktop on your machine and start it if not. You should be good once you start.

Can't pull image from private Azure Container Registry when using Az CLI to create a new Azure Container Instance

I've created a service principal with push and pull access to/from my private Azure Container Registry. Pushing to ACR works perfectly fine with the following command:
az login --service-principal -u "someSpID" -p "someSpSecret" --tenant "someTenantID"
az acr login --name "someRegistry"
docker push "someRegistry.azurecr.io/my-image:0.0.1"
And I am also able to pull the image directly with the following command:
docker pull "someRegistry.azurecr.io/my-image:0.0.1"
I want to deploy a container instance into a private subnet and I've configured the network security to allow access for my said subnet.
However, when I attempt to deploy a container instance with the following command into my private subnet, where I specified the same service principal which I had previously logged in with, I get an error response.
az container create \
--name myContainerGroup \
--resource-group myResourceGroup \
--image "someRegistry.azurecr.io/my-image:0.0.1" \
--os-type Linux \
--protocol TCP \
--registry-login-server someRegistry.azurecr.io \
--registry-password someSpSecret \
--registry-username someSpID \
--vnet someVNET \
--subnet someSubnet \
--location someLocation \
--ip-address Private
Error:
urllib3.connectionpool : Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool : https://management.azure.com:443 "PUT /subscriptions/mySubscription/resourceGroups/myResourceGroup/providers/Microsoft.ContainerInstance/containerGroups/myContainerGroup?api-version=2018-10-01 HTTP/1.1" 400
msrest.http_logger : Response status: 400
The image 'someRegistry.azurecr.io/my-image:0.0.1' in container group 'myContainerGroup' is not accessible. Please check the image and registry credential.
The same error ensues when I try and deploy the container instance through Azure Portal.
When I tried deploying a public image into the same subnet, it succeeds fine so it isn't a deployment permission issue, neither does it seem to be wrong service principal credentials as the docker pull "someRegistry.azurecr.io/my-image:0.0.1" works just fine. I can't quite wrap my head around this inconsistent behavior. Ideas anyone?
For your issue, here is a possible reason to explain the error you got. Let's look at the limitation describe here:
Only an Azure Kubernetes Service cluster or Azure virtual machine can
be used as a host to access a container registry in a virtual network.
Other Azure services including Azure Container Instances aren't
currently supported.
This limitation shows the firewall of the Azure Container Registry does not support the Azure Container Instance currently. It only supports that pull/push the image in the Azure VM or AKS cluster.
So the solution for you is that change the rules to allow all network and then try again. Or use the AKS cluster, but it will also cost more.

Azure Container Group Instance

I am working with Azure Container Instance group.. and one of my containers is constantly restarting.. it goes to a terminated state and restarts. Everything looks good in logs.. The container is running a spring framework + React application. When I run the containers locally.. it works perfectly.
Am not sure what is happening behind the scenes?
You could use Azure CLI to set a restart policy of OnFailure or Never.
az container create \
--resource-group myResourceGroup \
--name mycontainer \
--image mycontainerimage \
--restart-policy OnFailure
If you specify the restart policy and the issue still exists,there might be some problems with the application or script executed in your container. You could use az container show command to check the restartCount property.
az container show --name
--resource-group
For more details, refer to this article.

Resources