'InvalidContainerGroupUpdate' when using 'create group container' in logic apps azure - azure

I have been looking into the "logic apps designer' of Microsoft azure for a couple of days. Thank you for your help! I am stuck on the following:
Context
I wanted to perform some actions interacting between multiple files in a Dropbox. The logic app was not proposing an off-the-self solution, hence I created a python script that did exactly what I wanted.
I then decided to create an image of this script in order to be able to use it from the azure platform within the Logic Apps.
The containers registry contains the image I pushed to Azure and I created the container instance that includes only one image which is the python script.
Everything works.
Current structure
From what I read, it seems that we can run the container instance by using the action called create group container then adding a until action (run until state is equal to Succeeded) and finally using delete the container group.
I have a trigger that has been tested and that works.
Issue
When running the Logic App, the action create group container is failing:
"code": "InaccessibleImage",
"message": "The image '<name_of_the_image>' in container group '<name_of_the_group>' is not accessible. Please check the image and registry credential."
Question
How can I correct what seems to be a basic error on my part?
Where can this registry credential be appropriately corrected?
Update
I have tried removing everything, assigning myself "owner" role in the container registry, then adding the container instance, assigning myself "owner" role in the container instance, then rebuilt the logic app. I ran it again and I get the same error.

I figured the issue.
Since in my case, it is a private container registry, I needed to add the following the the action 'create group container': properties.imageRegistryCredentials.
In this, you will be required to enter the following information that are available in the Access keys of the container registry:
[
{
"password": "<yourpassword>",
"server": "<yourloginserver>",
"username": "<yourusername>"
}
]
So glad and I hope it helps others!

To set the credentials of ACI inside Create or update container group task in logic app you need to add a parameter (See the picture).
add parameter for ACI credentials

Related

trying update azure container instances with azure cli

I have an Azure Container Instance. Now I want to update this Container. I try to integrate the Log Analytics workspace and I have a WORKSPACE_ID and WORKSPACE_KEY.
I'm following this Azure Documentation but it has only created Container Example. But I need an Update example.
Can anyone help me to update the Azure Container Instance? Or any example or any documentation.
Restart Policy of the Container Instance Group should be 'Always' if it is 'On Failure' I think it may not work ...

Azure Container Registry in Azure Web App for Containers across subscriptions

I'm currently trying to set up an Azure Web App for Containers, linking it to a Azure Container Registry that lives inside a different subscription. That's why my initial thought was to use the Private Registrytab inside the Web apps Container Settings to enter the credentials of said Registry.
However when I save and reload the page the settings of the Azure Container Registry tab are now populated and the Private Registry tab is empty. The issue is, that I get now get following error:
2020-01-21 21:51:12.951 ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for cliswebapi, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}
I assume because no password was stored. How do I configure this properly?
While you use the private registry, the Azure Container Registry is also a private registry, and deploy to Web App for Containers, you need to set the environment variables here:
DOCKER_REGISTRY_SERVER_USERNAME - The username for the ACR server.
DOCKER_REGISTRY_SERVER_URL - The full URL to the ACR server. (For example, https://my-server.azurecr.io.)
DOCKER_REGISTRY_SERVER_PASSWORD - The password for the ACR server.
See more details in If you're using Azure Container Registry, you need to set some app settings.
And if you create multiple containers, all the images must be in the same registry. All in Docker Hub or Azure Container Registry. See more details in All images must use the same registry.
Update:
With the message that you deploy the Web App using the image in the ACR in a different subscription. It seems it's a bug in Web App and you can see the issue in the Github. And the suggestion is that maybe you can use the service principal for the ACR to authenticate and the steps here.
I have spend some time on this issue and figured it out. Here is my solution:
Assuming we are having two subscriptions, let's call them SUB-A and SUB-B, where we are having an Azure Container Registry in SUB-A (called azurebluedev in my example).
Now we'd like to create an App Service in SUB-B that pulls its image of our container registry by using the admin username.
It's critical that you use the correct format under Image and tag in the docker blade when creating the app service. It must follow the format url/image:tag (without https) otherwise you will run into the described problem. I was using image:tag format beforehand which didn't work.
This worked for me!

Update environment variables of provisioned Container Instance

Has anyone ever tried to update the existing environment variable values after the container instance is provisioned in azure using Azure ACI?
Currently, it seems that there is no way to update them either using portal or using Azure CLI.
Thanks in advance.
This is covered in the following GitHub issue:
https://github.com/MicrosoftDocs/azure-docs/issues/31168
In that issue, we point to the following document:
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-environment-variables
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-update
All in all, you can update the variables however it still means recreating the container or "Redeploying" it with the update variables which in turns terminates the container and deploys a new one. So a bit of a yes and no answer and scenario.

Docker task : How to set the Azure container registry name or id from build/release variable?

I have a problem on my build/release pipeline with Azure Container Reigstry.
I use a Azure Resource Group Deployment task to deploy Azure Container Registry (and other stuff) and it works perfectly.
I have the loginServer, username and password in output variables to reuse it.
Then I want to build and push image to ACR but I can't set the name of the registry (that I get from output variable) with a variable. I have to choose the registry when I setup the definition, but it is not created at this moment.
Is there a way to do this ?
As a workaround, I use the Azure Resource Group Deployment the create the registry and then I send output variables to a powershell script which build, tag and push my images to the registry.
If nobody has a better way, I think I will post a uservoice to change that.
When you say you use an Azure Resource Group Deployment task, are you referring to VSTS?
If you could provide more specific repro steps, I might be more helpful.
I'd also suggest you might take a look at https://aka.ms/acr/build as easy way to natively docker build images with your registry. ACR Build is now available in all regions and simplifies may of the experiences you may be hitting.
Daniel just made this post that helps with the VSTS integration: https://www.danielstechblog.io/building-arm-based-container-images-with-vsts-and-azure-container-registry-build/
Steve
Sorry for the delay, I was off the office.
I just retry to fix my problem and it seems that I can now enter a free text (and so, a release variable) to the VSTS docker task to specify the ACR I just created before with a Azure Resource Group Deployment task.
So no problem anymore.
Thank you for your response, I will take a look to ACR build :)
Bastien

In Azure Container Instances, is it ok to reuse container groups or should each deployment use its own?

When working with Azure Container Instances, is it ok to reuse an existing container group or should we be creating a new container group each time we deploy a container?
You don't have this choice when using the portal, the CLI or PowerShell, but when using the REST API, you can add a container to an existing container group. As long as the container name is unique, it will get provisioned in the existing container group and run. The question is, just because this works, is it meant to be used this way or is the designed way to create a new container group for each container deployment and once the container finished running, delete the container group.
The question is, just because this works, is it meant to be used this
way or is the designed way to create a new container group for each
container deployment and once the container finished running, delete
the container group.
For your issue, I think you are right. The container group cannot be updated. To change an existing group, you need to delete and recreate it.
There are some other limitations with the container group, you can get more details about the container in Azure from this link, also about the container group.
If you're deploying a new image for an existing application/task, then using an existing container group is fine. However, if this is a new set of functionality, then you should probably create a new container grouip.

Resources