About registries, repositories, and images

This article introduces the key concepts of container registries, repositories, and container images and related artifacts.

Registry

A container registry is a service that stores and distributes container images. Docker Hub is a public container registry that supports the open source community and serves as a general catalog of images. Azure Container Registry provides users with direct control of their images, with integrated authentication, geo-replication supporting global distribution and reliability for network-close deployments, virtual network and firewall configuration, tag locking, and many other enhanced features.

In addition to Docker container images, Azure Container Registry supports related content artifacts including Open Container Initiative (OCI) image formats.

Content addressable elements of an artifact

The address of an artifact in an Azure container registry includes the following elements.

[loginUrl]/[repository:][tag]

  • loginUrl - The fully qualified name of the registry host. The registry host in an Azure container registry is in the format myregistry.azurecr.cn (all lowercase). You must specify the loginUrl when using Docker or other client tools to pull or push artifacts to an Azure container registry.
  • repository - Name of a logical grouping of one or more related images or artifacts, for example, the images for an application or a base operating system. May include a namespace path.
  • tag - Identifier of a specific version of an image or artifact stored in a repository.

For example, the full name of an image in an Azure container registry might look like:

myregistry.azurecr.cn/marketing/campaign10-18/email-sender:v2

See the following sections for details about these elements.

Repository name

A repository is a collection of container images or other artifacts with the same name, but different tags. For example, the following three images are in the "acr-helloworld" repository:

  • acr-helloworld:latest
  • acr-helloworld:v1
  • acr-helloworld:v2

Repository names can also include namespaces. Namespaces allow you to identify related repositories and artifact ownership in your organization by using forward slash-delimited names. However, the registry manages all repositories independently, not as a hierarchy. For example:

  • marketing/campaign10-18/web:v2
  • marketing/campaign10-18/api:v3
  • marketing/campaign10-18/email-sender:v2
  • product-returns/web-submission:20180604
  • product-returns/legacy-integrator:20180715

Repository names can only include lowercase alphanumeric characters, periods, dashes, underscores, and forward slashes.

For complete repository naming rules, see the Open Container Initiative Distribution Specification.

Image

A container image or other artifact within a registry is associated with one or more tags, has one or more layers, and is identified by a manifest. Understanding how these components relate to each other can help you manage your registry effectively.

Tag

The tag for an image or other artifact specifies its version. A single artifact within a repository can be assigned one or many tags, and may also be "untagged." That is, you can delete all tags from an image, while the image's data (its layers) remain in the registry.

The repository (or repository and namespace) plus a tag defines an image's name. You can push and pull an image by specifying its name in the push or pull operation. The tag latest is used by default if you don't provide one in your Docker commands.

How you tag container images is guided by your scenarios to develop or deploy them. For example, stable tags are recommended for maintaining your base images, and unique tags for deploying images. For more information, see Recommendations for tagging and versioning container images.

For tag naming rules, see the Docker documentation.
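The address elements and naming rules above, as an added example (not code from the original page or from Azure): a Python parser for loginUrl/repository[:tag][@digest] that a deployment check could use to reject malformed or unpinned references. The names ImageRef, parse_reference and is_pinned are hypothetical; the repository check enforces only the character rule stated on this page, and the @sha256: form is the pull-by-digest syntax shown under "Manifest digest".

```python
import re
from typing import NamedTuple, Optional


class ImageRef(NamedTuple):
    login_url: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


# Character rule stated on this page, applied per path segment. The OCI
# Distribution Specification adds separator rules not enforced here.
REPO_SEGMENT = re.compile(r"[a-z0-9._-]+")
# Tag rule from the Docker documentation: letters, digits, '_', '.', '-',
# not starting with '.' or '-', at most 128 characters.
TAG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


def parse_reference(ref: str) -> ImageRef:
    """Split loginUrl/repository[:tag][@digest] and validate each element."""
    login_url, slash, rest = ref.partition("/")
    if not slash or not login_url or login_url != login_url.lower():
        raise ValueError("loginUrl (lowercase registry host) is required")
    rest, at, digest = rest.partition("@")
    if at and not DIGEST.fullmatch(digest):
        raise ValueError("digest must be sha256:<64 hex characters>")
    repository, colon, tag = rest.partition(":")
    # Empty segments ("a//b") fail the match as well as bad characters.
    if not all(REPO_SEGMENT.fullmatch(s) for s in repository.split("/")):
        raise ValueError("invalid repository name: %r" % repository)
    if colon and not TAG.fullmatch(tag):
        raise ValueError("invalid tag: %r" % tag)
    if not colon:
        # 'latest' is implied only when neither tag nor digest is given.
        tag = None if at else "latest"
    return ImageRef(login_url, repository, tag, digest if at else None)


def is_pinned(ref: str) -> bool:
    """True when the reference names one exact manifest by digest."""
    return parse_reference(ref).digest is not None
```
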

Layer

Container images are made up of one or more layers, each corresponding to a line in the Dockerfile that defines the image. Images in a registry share common layers, increasing storage efficiency. For example, several images in different repositories might share the same Alpine Linux base layer, but only one copy of that layer is stored in the registry.

Layer sharing also optimizes layer distribution to nodes with multiple images sharing common layers. For example, if an image already on a node includes the Alpine Linux layer as its base, the subsequent pull of a different image referencing the same layer doesn't transfer the layer to the node. Instead, it references the layer already existing on the node.

To provide secure isolation and protection from potential layer manipulation, layers are not shared across registries.

Manifest

Each container image or artifact pushed to a container registry is associated with a manifest. The manifest, generated by the registry when the image is pushed, uniquely identifies the image and specifies its layers. You can list the manifests for a repository with the Azure CLI command az acr repository show-manifests:

az acr repository show-manifests --name <acrName> --repository <repositoryName>

For example, list the manifests for the "acr-helloworld" repository:

az acr repository show-manifests --name myregistry --repository acr-helloworld
[
  {
    "digest": "sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108",
    "tags": [
      "latest",
      "v3"
    ],
    "timestamp": "2018-07-12T15:52:00.2075864Z"
  },
  {
    "digest": "sha256:3168a21b98836dda7eb7a846b3d735286e09a32b0aa2401773da518e7eba3b57",
    "tags": [
      "v2"
    ],
    "timestamp": "2018-07-12T15:50:53.5372468Z"
  },
  {
    "digest": "sha256:7ca0e0ae50c95155dbb0e380f37d7471e98d2232ed9e31eece9f9fb9078f2728",
    "tags": [
      "v1"
    ],
    "timestamp": "2018-07-11T21:38:35.9170967Z"
  }
]

Manifest digest

Manifests are identified by a unique SHA-256 hash, or manifest digest. Each image or artifact, whether tagged or not, is identified by its digest. The digest value is unique even if the image's layer data is identical to that of another image. This mechanism is what allows you to repeatedly push identically tagged images to a registry. For example, you can repeatedly push myimage:latest to your registry without error because each image is identified by its unique digest.

You can pull an image from a registry by specifying its digest in the pull operation. Some systems may be configured to pull by digest because it guarantees the image version being pulled, even if an identically tagged image is subsequently pushed to the registry.

For example, pull an image from the "acr-helloworld" repository by manifest digest:

docker pull myregistry.azurecr.cn/acr-helloworld@sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108

Important

If you repeatedly push modified images with identical tags, you might create orphaned images: images that are untagged, but still consume space in your registry. Untagged images are not shown in the Azure CLI or in the Azure portal when you list or view images by tag. However, their layers still exist and consume space in your registry. Deleting an untagged image frees registry space when the manifest is the only one, or the last one, pointing to a particular layer. For information about freeing space used by untagged images, see Delete container images in Azure Container Registry.
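Pull-by-digest and the orphaned-image note above, as an added example (not code from the original page or from Azure): Python functions that take two manifest listings of one repository, resolve a tag to a digest-pinned name, report tags that now point at a different digest, and list untagged manifests. The function names and the sample listings are constructed for illustration, and the code assumes an untagged manifest appears in the listing with an empty or missing "tags" list.

```python
def tag_index(manifests):
    """Map each tag to the digest of the manifest it currently points to."""
    return {t: m["digest"] for m in manifests for t in (m.get("tags") or [])}


def pinned_reference(manifests, login_url, repository, tag):
    """Resolve a mutable tag to an immutable loginUrl/repository@digest name."""
    digest = tag_index(manifests)[tag]  # KeyError if the tag does not exist
    return f"{login_url}/{repository}@{digest}"


def moved_tags(before, after):
    """Tags whose digest differs between two listings (tag was re-pushed)."""
    old, new = tag_index(before), tag_index(after)
    return {t: (old[t], new[t]) for t in old if t in new and old[t] != new[t]}


def untagged(manifests):
    """Digests of manifests that no tag points to (candidates for cleanup)."""
    return [m["digest"] for m in manifests if not m.get("tags")]


# Constructed sample data in the shape of the show-manifests output above.
D1, D2, D3 = ("sha256:" + c * 64 for c in "123")
BEFORE = [
    {"digest": D1, "tags": ["latest"], "timestamp": "2018-07-12T15:52:00Z"},
    {"digest": D2, "tags": ["v1"], "timestamp": "2018-07-11T21:38:35Z"},
]
# A modified image was pushed as 'latest': D3 takes the tag, D1 is orphaned.
AFTER = [
    {"digest": D3, "tags": ["latest"], "timestamp": "2018-07-13T09:00:00Z"},
    {"digest": D1, "tags": [], "timestamp": "2018-07-12T15:52:00Z"},
    {"digest": D2, "tags": ["v1"], "timestamp": "2018-07-11T21:38:35Z"},
]

if __name__ == "__main__":
    print(pinned_reference(AFTER, "myregistry.azurecr.cn", "acr-helloworld", "latest"))
    print("moved:", moved_tags(BEFORE, AFTER))
    print("untagged:", untagged(AFTER))
```

A deployment that recorded the pinned name from the first listing keeps pulling the D1 image after the re-push, while a deployment that pulls by the tag latest receives D3.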

Next steps

Learn more about image storage and supported content formats in Azure Container Registry.