Deploy to Azure Container Instances from Azure Container Registry

Azure Container Registry is an Azure-based, managed container registry service used to store private Docker container images. This article describes how to pull container images stored in an Azure container registry when deploying to Azure Container Instances. A recommended way to configure registry access is to create an Azure Active Directory service principal and password, and store the login credentials in an Azure key vault.

Prerequisites

Azure container registry: You need an Azure container registry, with at least one container image in it, to complete the steps in this article. If you need a registry, see Create a container registry using the Azure CLI.

Azure CLI: The command-line examples in this article use the Azure CLI and are formatted for the Bash shell. You can install the Azure CLI locally.

Limitations

  • You can't authenticate to Azure Container Registry to pull images during container group deployment by using a managed identity configured in the same container group.
  • You can't pull images from an Azure Container Registry deployed into an Azure Virtual Network at this time.

Configure registry authentication

In a production scenario where you provide access to "headless" services and applications, it's recommended to configure registry access by using a service principal. A service principal allows you to apply Azure role-based access control (Azure RBAC) to your container images. For example, you can configure a service principal with pull-only access to a registry.

Azure Container Registry provides additional authentication options.

In the following sections, you create an Azure key vault and a service principal, and store the service principal's credentials in the vault.

Create key vault

If you don't already have a vault in Azure Key Vault, create one with the Azure CLI using the following commands.

Update the RES_GROUP variable with the name of an existing resource group in which to create the key vault, and ACR_NAME with the name of your container registry. For brevity, commands in this article assume that your registry, key vault, and container instances are all created in the same resource group.

Specify a name for your new key vault in AKV_NAME. The vault name must be unique within Azure and must be 3-24 alphanumeric characters in length, begin with a letter, end with a letter or digit, and cannot contain consecutive hyphens.

RES_GROUP=myresourcegroup # Resource Group name
ACR_NAME=myregistry       # Azure Container Registry registry name
AKV_NAME=mykeyvault       # Azure Key Vault vault name

az keyvault create -g $RES_GROUP -n $AKV_NAME
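The naming rule above is easy to get wrong, and `az keyvault create` only reports the problem after a round trip to Azure. The following is an added example, not code from the original article: a POSIX shell function that enforces the stated rule locally (3-24 characters, letters, digits and hyphens only, starting with a letter, ending with a letter or digit, no consecutive hyphens) before the vault is created. The variable names RES_GROUP and AKV_NAME are the ones used above; the function name is this example's own.

```shell
# Added example (not part of the original article): check a key vault name against
# the rule stated above before calling `az keyvault create`.
validate_keyvault_name() {
  name=$1
  len=${#name}
  # length must be 3-24 characters
  [ "$len" -ge 3 ] && [ "$len" -le 24 ] || return 1
  # only letters, digits and hyphens; first character a letter; last a letter or digit
  printf '%s\n' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$' || return 1
  # consecutive hyphens are not allowed
  case $name in *--*) return 1 ;; esac
  return 0
}

# Usage (RES_GROUP and AKV_NAME as set above):
# if validate_keyvault_name "$AKV_NAME"; then
#   az keyvault create -g "$RES_GROUP" -n "$AKV_NAME"
# else
#   echo "invalid key vault name: $AKV_NAME" >&2
#   exit 1
# fi
```

The function returns 0 for a valid name and 1 otherwise, so it can be used directly in an `if` or with `||` in a script.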

Create service principal and store credentials

Now create a service principal and store its credentials in your key vault.

The following command uses az ad sp create-for-rbac to create the service principal, and az keyvault secret set to store the service principal's password in the vault.

# Create service principal, store its password in vault (the registry *password*)
az keyvault secret set \
  --vault-name $AKV_NAME \
  --name $ACR_NAME-pull-pwd \
  --value $(az ad sp create-for-rbac \
                --name http://$ACR_NAME-pull \
                --scopes $(az acr show --name $ACR_NAME --query id --output tsv) \
                --role acrpull \
                --query password \
                --output tsv)

The --role argument in the preceding command configures the service principal with the acrpull role, which grants it pull-only access to the registry. To grant both push and pull access, change the --role argument to acrpush.

Next, store the service principal's appId in the vault. This is the username you pass to Azure Container Registry for authentication.

# Store service principal ID in vault (the registry *username*)
az keyvault secret set \
    --vault-name $AKV_NAME \
    --name $ACR_NAME-pull-usr \
    --value $(az ad sp show --id http://$ACR_NAME-pull --query appId --output tsv)

You've created an Azure key vault and stored two secrets in it:

  • $ACR_NAME-pull-usr: The service principal ID, for use as the container registry username.
  • $ACR_NAME-pull-pwd: The service principal password, for use as the container registry password.

You can now reference these secrets by name when you or your applications and services pull images from the registry.

Deploy container with Azure CLI

Now that the service principal credentials are stored in Azure Key Vault secrets, your applications and services can use them to access your private registry.

First, get the registry's login server name by using the az acr show command. The login server name is all lowercase and similar to myregistry.azurecr.cn.

ACR_LOGIN_SERVER=$(az acr show --name $ACR_NAME --resource-group $RES_GROUP --query "loginServer" --output tsv)

Execute the following az container create command to deploy a container instance. The command uses the service principal's credentials stored in Azure Key Vault to authenticate to your container registry, and assumes you've previously pushed the aci-helloworld image to your registry. Update the --image value if you'd like to use a different image from your registry.

az container create \
    --name aci-demo \
    --resource-group $RES_GROUP \
    --image $ACR_LOGIN_SERVER/aci-helloworld:v1 \
    --registry-login-server $ACR_LOGIN_SERVER \
    --registry-username $(az keyvault secret show --vault-name $AKV_NAME -n $ACR_NAME-pull-usr --query value -o tsv) \
    --registry-password $(az keyvault secret show --vault-name $AKV_NAME -n $ACR_NAME-pull-pwd --query value -o tsv) \
    --dns-name-label aci-demo-$RANDOM \
    --query ipAddress.fqdn

The --dns-name-label value must be unique within Azure, so the preceding command appends a random number to the container's DNS name label. The output from the command displays the container's fully qualified domain name (FQDN), for example:

"aci-demo-25007.chinaeast2.azurecontainer.console.azure.cn"

Once the container has started successfully, you can navigate to its FQDN in your browser to verify that the application is running.

Deploy with Azure Resource Manager template

You can specify the properties of your Azure container registry in an Azure Resource Manager template by including the imageRegistryCredentials property in the container group definition. For example, you can specify the registry credentials directly:

[...]
"imageRegistryCredentials": [
  {
    "server": "imageRegistryLoginServer",
    "username": "imageRegistryUsername",
    "password": "imageRegistryPassword"
  }
]
[...]

For details on referencing Azure Key Vault secrets in a Resource Manager template, see Use Azure Key Vault to pass secure parameter value during deployment.
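Writing the credentials into the template as literal strings, as in the fragment above, puts the registry password into source control and deployment history. The following is an added example, not code from the original article: two shell functions that emit a container group template whose username and password are securestring parameters, and a parameters file in which those parameters are Key Vault references, so Resource Manager reads the $ACR_NAME-pull-usr and $ACR_NAME-pull-pwd secrets at deployment time and the values never appear in a file or on the command line. The container group name aci-demo, the aci-helloworld:v1 image, the 2021-09-01 API version and the function names are this example's own choices; the vault must be enabled for template deployment for the references to resolve.

```shell
# Added example (not part of the original article): a Resource Manager template in
# which the registry credentials are securestring parameters.
make_template_json() {
  cat <<'EOF'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "imageRegistryLoginServer": { "type": "string" },
    "imageRegistryUsername": { "type": "securestring" },
    "imageRegistryPassword": { "type": "securestring" },
    "image": { "type": "string" }
  },
  "resources": [ {
    "type": "Microsoft.ContainerInstance/containerGroups",
    "apiVersion": "2021-09-01",
    "name": "aci-demo",
    "location": "[resourceGroup().location]",
    "properties": {
      "osType": "Linux",
      "containers": [ {
        "name": "aci-demo",
        "properties": {
          "image": "[parameters('image')]",
          "ports": [ { "port": 80 } ],
          "resources": { "requests": { "cpu": 1, "memoryInGB": 1.5 } }
        }
      } ],
      "ipAddress": { "type": "Public", "ports": [ { "protocol": "TCP", "port": 80 } ] },
      "imageRegistryCredentials": [ {
        "server": "[parameters('imageRegistryLoginServer')]",
        "username": "[parameters('imageRegistryUsername')]",
        "password": "[parameters('imageRegistryPassword')]"
      } ]
    }
  } ]
}
EOF
}

# Parameters file whose secure values are Key Vault references, resolved by
# Resource Manager at deployment time (the secret values are never in this file).
# $1 = key vault resource ID, $2 = username secret name, $3 = password secret name
make_parameters_json() {
  kv_id=$1
  usr_secret=$2
  pwd_secret=$3
  cat <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "imageRegistryUsername": {
      "reference": { "keyVault": { "id": "$kv_id" }, "secretName": "$usr_secret" }
    },
    "imageRegistryPassword": {
      "reference": { "keyVault": { "id": "$kv_id" }, "secretName": "$pwd_secret" }
    }
  }
}
EOF
}

# Usage (RES_GROUP, AKV_NAME, ACR_NAME and ACR_LOGIN_SERVER as set earlier):
# az keyvault update -n "$AKV_NAME" -g "$RES_GROUP" --enabled-for-template-deployment true
# KV_ID=$(az keyvault show -n "$AKV_NAME" -g "$RES_GROUP" --query id -o tsv)
# make_template_json > aci.json
# make_parameters_json "$KV_ID" "$ACR_NAME-pull-usr" "$ACR_NAME-pull-pwd" > aci.parameters.json
# az deployment group create -g "$RES_GROUP" --template-file aci.json \
#   --parameters @aci.parameters.json \
#   --parameters imageRegistryLoginServer="$ACR_LOGIN_SERVER" \
#                image="$ACR_LOGIN_SERVER/aci-helloworld:v1"
```

Because the username and password are declared as securestring, Resource Manager also omits them from the deployment's recorded inputs, which is the property the literal-string fragment above lacks.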

Deploy with Azure portal

If you maintain container images in an Azure container registry, you can easily create a container in Azure Container Instances using the Azure portal. When using the portal to deploy a container instance from a container registry, you must enable the registry's admin account. The admin account is designed for a single user to access the registry, mainly for testing purposes.

  1. In the Azure portal, navigate to your container registry.

  2. To confirm that the admin account is enabled, select Access keys, and under Admin user select Enable.

  3. Select Repositories, then select the repository that you want to deploy from, right-click the tag for the container image you want to deploy, and select Run instance.

    [Screenshot: Run instance in Azure Container Registry in the Azure portal]

  4. Enter a name for the container and a name for the resource group. You can also change the default values if you wish.

    [Screenshot: Create menu for Azure Container Instances]

  5. Once the deployment completes, you can navigate to the container group from the notifications pane to find its IP address and other properties.

    [Screenshot: Details view for an Azure Container Instances container group]

Next steps

For more information about Azure Container Registry authentication, see Authenticate with an Azure container registry.