Best practices for Azure Container Registry

By following these best practices, you can help maximize the performance and cost-effective use of your private Docker registry in Azure.

See also Recommendations for tagging and versioning container images for strategies to tag and version images in your registry.

Network-close deployment

Create your container registry in the same Azure region in which you deploy containers. Placing your registry in a region that is network-close to your container hosts can help lower both latency and cost.

Network-close deployment is one of the primary reasons for using a private container registry. Docker images have an efficient layering construct that allows for incremental deployments. However, new nodes need to pull all layers required for a given image. This initial docker pull can quickly add up to multiple gigabytes. Having a private registry close to your deployment minimizes the network latency. Additionally, all public clouds, Azure included, charge network egress fees. Pulling images from one datacenter to another therefore adds egress fees on top of the latency.

Geo-replicate multi-region deployments

Use Azure Container Registry's geo-replication feature if you're deploying containers to multiple regions. Whether you're serving global customers from local data centers or your development team is in different locations, you can simplify registry management and minimize latency by geo-replicating your registry. Geo-replication is available only with Premium registries.

To learn how to use geo-replication, see the three-part tutorial, Geo-replication in Azure Container Registry.

Repository namespaces

By using repository namespaces, you can share a single registry across multiple groups within your organization. Registries can be shared across deployments and teams. Azure Container Registry supports nested namespaces, enabling group isolation.

For example, consider the following container image tags. Images that are used corporate-wide, like aspnetcore, are placed in the root namespace, while container images owned by the Products and Marketing groups each use their own namespaces.


Dedicated resource group

Because container registries are resources that are used across multiple container hosts, a registry should reside in its own resource group.

Although you might experiment with a specific host type, such as Azure Container Instances, you'll likely want to delete the container instance when you're done. However, you might also want to keep the collection of images you pushed to Azure Container Registry. By placing your registry in its own resource group, you minimize the risk of accidentally deleting the collection of images in the registry when you delete the container instance's resource group.

Authentication

When authenticating with an Azure container registry, there are two primary scenarios: individual authentication, and service (or "headless") authentication. The following table provides a brief overview of these scenarios, and the recommended method of authentication for each.

Type                       Example scenario                                                        Recommended method
Individual identity        A developer pulling images to, or pushing images from, their            az acr login
                           development machine.
Headless/service identity  Build and deployment pipelines where the user isn't directly involved.  Service principal

For in-depth information about Azure Container Registry authentication, see Authenticate with an Azure container registry.

Manage registry size

The storage constraints of each container registry service tier are intended to align with a typical scenario: Basic for getting started, Standard for the majority of production applications, and Premium for hyper-scale performance and geo-replication. Throughout the life of your registry, you should manage its size by periodically deleting unused content.

Use the Azure CLI command az acr show-usage to display the current size of your registry:

az acr show-usage --resource-group myResourceGroup --name myregistry --output table
--------  ------------  ---------------  ------
Size      536870912000  185444288        Bytes
Webhooks  100                            Count

You can also find the current storage used in the Overview of your registry in the Azure portal:

(Screenshot: registry usage information in the Azure portal)

Delete image data

Azure Container Registry supports several methods for deleting image data from your container registry. You can delete images by tag or manifest digest, or delete a whole repository.

For details on deleting image data from your registry, including untagged (sometimes called "dangling" or "orphaned") images, see Delete container images in Azure Container Registry.

Next steps

Azure Container Registry is available in several tiers (also called SKUs) that each provide different capabilities. For details on the available service tiers, see Azure Container Registry service tiers.