Manage public content with Azure Container Registry

This article is an overview of practices and workflows to use a local registry such as an Azure container registry to maintain copies of public content, such as container images in Docker Hub.

Risks with public content

Your environment may have dependencies on public content such as public container images, Helm charts, Open Policy Agent (OPA) policies, or other artifacts. For example, you might run nginx for service routing or docker build FROM alpine by pulling images directly from Docker Hub or another public registry.

Without proper controls, having dependencies on public registry content can introduce risks to your image development and deployment workflows. To mitigate the risks, keep local copies of public content when possible. For details, see the Open Container Initiative blog.

Authenticate with Docker Hub

As a first step, if you currently pull public images from Docker Hub as part of a build or deployment workflow, we recommend that you authenticate using a Docker Hub account instead of making an anonymous pull request.

When making frequent anonymous pull requests you might see Docker errors similar to ERROR: toomanyrequests: Too Many Requests. or You have reached your pull rate limit. Authenticate to Docker Hub to prevent these errors.

Note

Effective November 2, 2020, download rate limits apply to anonymous and authenticated requests to Docker Hub from Docker Free Plan accounts and are enforced by IP address and Docker ID, respectively.

When estimating your number of pull requests, take into account that when using cloud provider services or working behind a corporate NAT, multiple users will be presented to Docker Hub in aggregate as a subset of IP addresses. Adding Docker paid account authentication to requests made to Docker Hub will avoid potential service disruptions due to rate-limit throttling.

For details, see Docker pricing and subscriptions and the Docker Terms of Service.

Docker Hub access token

Docker Hub supports personal access tokens as alternatives to a Docker password when authenticating to Docker Hub. Tokens are recommended for automated services that pull images from Docker Hub. You can generate multiple tokens for different users or services, and revoke tokens when no longer needed.

To authenticate with docker login using a token, omit the password on the command line. When prompted for a password, enter the token instead. If you enabled two-factor authentication for your Docker Hub account, you must use a personal access token when logging in from the Docker CLI.
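The following is an added example, not code from this article or from Azure, of the token-based login described above as an automated service would script it. It pipes the Docker Hub personal access token into docker login --password-stdin so the token never appears on the command line (and so never lands in shell history or in process listings), and wraps docker pull so that a missing token fails the job instead of silently falling back to an anonymous, rate-limited pull. The environment variable names DOCKER_HUB_TOKEN and DOCKER_HUB_USER are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the Azure documentation): authenticate to Docker Hub
# with a personal access token read from the environment, never from argv.
# Assumed variables: DOCKER_HUB_TOKEN (the token), DOCKER_HUB_USER (the account).

# login_dockerhub USERNAME
#   Feeds $DOCKER_HUB_TOKEN to `docker login --password-stdin`.
#   Returns 1 without calling docker at all if the token is not set, so a
#   misconfigured pipeline fails loudly rather than pulling anonymously.
login_dockerhub() {
    user="$1"
    if [ -z "$user" ]; then
        echo "usage: login_dockerhub <Docker Hub username>" >&2
        return 2
    fi
    if [ -z "${DOCKER_HUB_TOKEN:-}" ]; then
        echo "DOCKER_HUB_TOKEN is not set; refusing to fall back to an anonymous pull" >&2
        return 1
    fi
    # printf rather than echo: echo may mangle a token that starts with '-'
    # or contains backslashes, and some shells append options to echo output.
    printf '%s' "$DOCKER_HUB_TOKEN" | docker login --username "$user" --password-stdin
}

# pull_authenticated IMAGE
#   Logs in first, then pulls IMAGE, so the pull is counted against the
#   Docker ID instead of the shared egress IP address of a NAT or cloud host.
pull_authenticated() {
    login_dockerhub "${DOCKER_HUB_USER:-}" && docker pull "$1"
}

# Usage (token exported by the CI system, not written into the script):
#   export DOCKER_HUB_USER=myaccount DOCKER_HUB_TOKEN="$(cat /run/secrets/dockerhub)"
#   pull_authenticated library/alpine:3
```

Store the token in the CI system's secret store and export it only into the job that needs it; rotate or revoke it from Docker Hub when the service that used it is retired.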

Authenticate from Azure services

Several Azure services including App Service and Azure Container Instances support pulling images from public registries such as Docker Hub for container deployments. If you need to deploy an image from Docker Hub, we recommend that you configure settings to authenticate using a Docker Hub account. Examples:

App Service

  • Image source: Docker Hub
  • Repository access: Private
  • Login: <Docker Hub username>
  • Password: <Docker Hub token>

For details, see Docker Hub authenticated pulls on App Service.

Azure Container Instances

  • Image source: Docker Hub or other registry
  • Image type: Private
  • Image registry login server: dockerhub.azk8s.cn
  • Image registry user name: <Docker Hub username>
  • Image registry password: <Docker Hub token>
  • Image: dockerhub.azk8s.cn/<repo name>:<tag>

Import images to an Azure container registry

To begin managing copies of public images, you can create an Azure container registry if you don't already have one. Create a registry using the Azure CLI, Azure portal, Azure PowerShell, or other tools.

As a recommended one-time step, import base images and other public content to your Azure container registry. The az acr import command in the Azure CLI supports image import from public registries such as Docker Hub and Azure Container Registry and from other private container registries.

az acr import doesn't require a local Docker installation. You can run it with a local installation of the Azure CLI or directly in Azure Cloud Shell. It supports images of any OS type, multi-architecture images, or OCI artifacts such as Helm charts.

Example:

az acr import \
  --name myregistry \
  --source dockerhub.azk8s.cn/library/hello-world:latest \
  --image hello-world:latest \
  --username <Docker Hub username> \
  --password <Docker Hub token>

Depending on your organization's needs, you can import to a dedicated registry or a repository in a shared registry.

Automate application image updates

Developers of application images should ensure that their code references local content under their control. For example, a Docker FROM statement in a Dockerfile should reference an image in a private base image registry instead of a public registry.
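One way to enforce the rule above in a build pipeline, as an added example that is not part of this article: a POSIX shell function that scans a Dockerfile and fails if any FROM instruction pulls from outside an allowed private registry. The registry name myregistry.azurecr.io and the sample Dockerfile contents are constructed for illustration. FROM lines that reference an earlier build stage or scratch are accepted; FROM lines whose image is built from an ARG variable are not resolved and are reported, which is the conservative outcome for a gate like this.

```shell
#!/bin/sh
# Added example (not from the Azure documentation): fail the build when a
# Dockerfile's FROM instructions do not all point at the private base-image
# registry. Assumed registry name for the examples: myregistry.azurecr.io.

# check_dockerfile_from DOCKERFILE REGISTRY
#   Returns 0 if every FROM in DOCKERFILE uses REGISTRY, an earlier build
#   stage of the same file, or scratch; otherwise prints each offending
#   line to stderr and returns 1.
check_dockerfile_from() {
    file="$1"
    registry="$2"
    bad=0
    stages=" "                          # space-delimited list of stage aliases seen so far
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                          # no pathname expansion while word-splitting the line
        set -- $line
        set +f
        if [ "$#" -lt 2 ]; then continue; fi
        instr=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
        if [ "$instr" != "FROM" ]; then continue; fi
        shift
        # skip flags such as --platform=linux/amd64 that precede the image name
        while [ "$#" -gt 0 ] && [ "${1#--}" != "$1" ]; do shift; done
        image="${1:-}"
        # remember `FROM x AS name` so later `FROM name` is recognised as a stage
        if [ "$#" -ge 3 ]; then
            kw=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
            if [ "$kw" = "AS" ]; then stages="$stages$3 "; fi
        fi
        case "$image" in
            scratch) continue ;;
            "$registry"/*) continue ;;  # base image comes from the private registry
        esac
        case "$stages" in
            *" $image "*) continue ;;   # references an earlier build stage
        esac
        echo "$file: FROM $image does not come from $registry" >&2
        bad=1
    done < "$file"
    return "$bad"
}

# Usage in CI (fails the job on the first Dockerfile that pulls from a public registry):
#   for f in $(git ls-files '*Dockerfile*'); do
#       check_dockerfile_from "$f" myregistry.azurecr.io || exit 1
#   done
```

Run the check before docker build so an image that still says FROM alpine is caught in review rather than after it has been pushed; the same function works for any registry name, so it can gate a shared registry's repository as well as a dedicated one.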

Expanding on image import, set up an Azure Container Registry task to automate application image builds when base images are updated. An automated build task can track both base image updates and source code updates.

Note

A single preconfigured task can automatically rebuild every application image that references a dependent base image.

Next steps

  • Learn more about ACR Tasks to build, run, push, and patch container images in Azure.