About registries, repositories, and artifacts

This article introduces the key concepts of container registries, repositories, and container images and related artifacts.

Registries, repositories, and artifacts

Registry

A container registry is a service that stores and distributes container images and related artifacts. Docker Hub is an example of a public container registry that serves as a general catalog of Docker container images. Azure Container Registry provides users with direct control of their container content, with integrated authentication, geo-replication supporting global distribution and reliability for network-close deployments, virtual network configuration with Private Link, tag locking, and many other enhanced features.

In addition to Docker-compatible container images, Azure Container Registry supports a range of content artifacts including Helm charts and Open Container Initiative (OCI) image formats.

Repository

A repository is a collection of container images or other artifacts in a registry that have the same name, but different tags. For example, the following three images are in the acr-helloworld repository:

  • acr-helloworld:latest
  • acr-helloworld:v1
  • acr-helloworld:v2

Repository names can also include namespaces. Namespaces allow you to identify related repositories and artifact ownership in your organization by using forward slash-delimited names. However, the registry manages all repositories independently, not as a hierarchy. For example:

  • marketing/campaign10-18/web:v2
  • marketing/campaign10-18/api:v3
  • marketing/campaign10-18/email-sender:v2
  • product-returns/web-submission:20180604
  • product-returns/legacy-integrator:20180715

Repository names can only include lowercase alphanumeric characters, periods, dashes, underscores, and forward slashes.

For complete repository naming rules, see the Open Container Initiative Distribution Specification.

Artifact

A container image or other artifact within a registry is associated with one or more tags, has one or more layers, and is identified by a manifest. Understanding how these components relate to each other can help you manage your registry effectively.

Tag

The tag for an image or other artifact specifies its version. A single artifact within a repository can be assigned one or many tags, and may also be "untagged." That is, you can delete all tags from an image, while the image's data (its layers) remain in the registry.

The repository (or repository and namespace) plus a tag defines an image's name. You can push and pull an image by specifying its name in the push or pull operation. The tag latest is used by default if you don't provide one in your Docker commands.

How you tag container images is guided by your scenarios to develop or deploy them. For example, stable tags are recommended for maintaining your base images, and unique tags for deploying images. For more information, see Recommendations for tagging and versioning container images.

For tag naming rules, see the Docker documentation.

Layer

Container images and artifacts are made up of one or more layers. Different artifact types define layers differently. For example, in a Docker container image, each layer corresponds to a line in the Dockerfile that defines the image:

[Figure: Layers of a container image]

Artifacts in a registry share common layers, increasing storage efficiency. For example, several images in different repositories might have a common ASP.NET Core base layer, but only one copy of that layer is stored in the registry. Layer sharing also optimizes layer distribution to nodes, with multiple artifacts sharing common layers. If an image already on a node includes the ASP.NET Core layer as its base, the subsequent pull of a different image referencing the same layer doesn't transfer the layer to the node. Instead, it references the layer already existing on the node.

To provide secure isolation and protection from potential layer manipulation, layers are not shared across registries.

Manifest

Each container image or artifact pushed to a container registry is associated with a manifest. The manifest, generated by the registry when the content is pushed, uniquely identifies the artifacts and specifies the layers. You can list the manifests for a repository with the Azure CLI command az acr repository show-manifests.

A basic manifest for a Linux hello-world image looks similar to the following:

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1510,
    "digest": "sha256:fbf289e99eb9bca977dae136fbe2a82b6b7d4c372474c9235adc1741675f587e"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 977,
      "digest": "sha256:2c930d010525941c1d56ec53b97bd057a67ae1865eebf042686d2a2d18271ced"
    }
  ]
}

You can list the manifests for a repository with the Azure CLI command az acr repository show-manifests:

az acr repository show-manifests --name <acrName> --repository <repositoryName>

For example, list the manifests for the "acr-helloworld" repository:

az acr repository show-manifests --name myregistry --repository acr-helloworld
[
  {
    "digest": "sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108",
    "tags": [
      "latest",
      "v3"
    ],
    "timestamp": "2018-07-12T15:52:00.2075864Z"
  },
  {
    "digest": "sha256:3168a21b98836dda7eb7a846b3d735286e09a32b0aa2401773da518e7eba3b57",
    "tags": [
      "v2"
    ],
    "timestamp": "2018-07-12T15:50:53.5372468Z"
  },
  {
    "digest": "sha256:7ca0e0ae50c95155dbb0e380f37d7471e98d2232ed9e31eece9f9fb9078f2728",
    "tags": [
      "v1"
    ],
    "timestamp": "2018-07-11T21:38:35.9170967Z"
  }
]

Manifest digest

Manifests are identified by a unique SHA-256 hash, or manifest digest. Each image or artifact--whether tagged or not--is identified by its digest. The digest value is unique even if the artifact's layer data is identical to that of another artifact. This mechanism is what allows you to repeatedly push identically tagged images to a registry. For example, you can repeatedly push myimage:latest to your registry without error because each image is identified by its unique digest.

You can pull an artifact from a registry by specifying its digest in the pull operation. Some systems may be configured to pull by digest because it guarantees the image version being pulled, even if an identically tagged image is pushed later to the registry.

Important

If you repeatedly push modified artifacts with identical tags, you might create "orphans"--artifacts that are untagged, but still consume space in your registry. Untagged images are not shown in the Azure CLI or in the Azure portal when you list or view images by tag. However, their layers still exist and consume space in your registry. Deleting an untagged image frees registry space when the manifest is the only one, or the last one, pointing to a particular layer. For information about freeing space used by untagged images, see Delete container images in Azure Container Registry.
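The tag-versus-digest behavior described above can be checked by comparing two listings of the same repository. The following Python sketch is an added example, not part of the original article or of Azure tooling. The listings are constructed in the shape of the az acr repository show-manifests output shown earlier, the digests are placeholders, the function names are hypothetical, and it assumes an untagged manifest appears with an empty, null, or missing tags field.

```python
import json

# Constructed listings shaped like `az acr repository show-manifests` output,
# taken before and after acr-helloworld:latest and :v2 are re-pushed.
# Digests are placeholders, not real images.
D1, D2, D3 = ("sha256:" + c * 64 for c in "abc")
BEFORE = json.dumps([
    {"digest": D1, "tags": ["latest", "v3"], "timestamp": "2018-07-12T15:52:00Z"},
    {"digest": D2, "tags": ["v2"], "timestamp": "2018-07-12T15:50:53Z"},
])
AFTER = json.dumps([
    {"digest": D1, "tags": ["v3"], "timestamp": "2018-07-12T15:52:00Z"},
    {"digest": D2, "tags": [], "timestamp": "2018-07-12T15:50:53Z"},
    {"digest": D3, "tags": ["latest", "v2"], "timestamp": "2018-07-13T09:00:00Z"},
])

def index_manifests(cli_json):
    """Return ({tag: digest}, [untagged digests]) for one repository listing."""
    by_tag, untagged = {}, []
    for manifest in json.loads(cli_json):
        tags = manifest.get("tags") or []  # assumption: empty/null/missing = untagged
        if not tags:
            untagged.append(manifest["digest"])
        for tag in tags:
            by_tag[tag] = manifest["digest"]
    return by_tag, untagged

def moved_tags(before_json, after_json):
    """Tags that now resolve to a different manifest: {tag: (old, new)}."""
    old, _ = index_manifests(before_json)
    new, _ = index_manifests(after_json)
    return {t: (old[t], new[t]) for t in old if t in new and old[t] != new[t]}

def pinned_reference(login_server, repository, digest):
    """Address-by-digest form, which keeps resolving to the same manifest."""
    return f"{login_server}/{repository}@{digest}"

if __name__ == "__main__":
    _, orphans = index_manifests(AFTER)
    print("untagged manifests still consuming space:", orphans)
    for tag, (was, now) in moved_tags(BEFORE, AFTER).items():
        print(f"tag {tag} moved: {was[:15]}... -> {now[:15]}...")
```

A deployment that recorded pinned_reference(...) for the old digest keeps pulling the same image after the re-push, while one that references the tag silently receives the new manifest.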

Addressing an artifact

To address a registry artifact for push and pull operations with Docker or other client tools, combine the fully qualified registry name, repository name (including namespace path if applicable), and an artifact tag or manifest digest. See previous sections for explanations of these terms.

Address by tag: [loginServerUrl]/[repository][:tag]

Address by digest: [loginServerUrl]/[repository@sha256][:digest]

When using Docker or other client tools to pull or push artifacts to an Azure container registry, use the registry's fully qualified URL, also called the login server name. In the Azure cloud, the fully qualified URL of an Azure container registry is in the format myregistry.azurecr.cn (all lowercase).

Note

  • You can't specify a port number in the registry login server URL, such as myregistry.azurecr.cn:443.
  • The tag latest is used by default if you don't provide a tag in your command.
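As an added illustration (not code from the original article), the following Python function splits a reference into its parts and applies the rules stated on this page: no port in the login server name, an all-lowercase login server, the repository character set, and latest as the default tag. The tag pattern follows the Docker tag naming rule the article refers to; the function names are hypothetical, and the repository check covers only the character set given here, not the full OCI naming rules.

```python
import re

# Repository character set as stated in this article (not the full OCI grammar).
REPO_RE = re.compile(r"[a-z0-9._/-]+")
# Docker tag rule: letters, digits, '_', '.', '-'; no leading '.' or '-'; max 128.
TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def parse_reference(ref):
    """Split <loginServer>/<repository>[:tag] or <loginServer>/<repository>@<digest>."""
    server, slash, rest = ref.partition("/")
    if not slash or not rest:
        raise ValueError("expected <loginServer>/<repository>")
    if ":" in server:
        raise ValueError("port number not allowed in login server name")
    if server != server.lower():
        raise ValueError("login server name must be lowercase")
    tag = digest = None
    if "@" in rest:
        repo, digest = rest.split("@", 1)
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError("digest must be sha256:<64 lowercase hex chars>")
    else:
        repo, colon, tag = rest.partition(":")
        tag = tag if colon else "latest"  # default when no tag is given
        if not TAG_RE.fullmatch(tag):
            raise ValueError("invalid tag")
    if not REPO_RE.fullmatch(repo):
        raise ValueError("invalid repository name")
    # A digest reference always names one manifest; a tag can be re-pointed.
    return {"server": server, "repository": repo, "tag": tag,
            "digest": digest, "immutable": digest is not None}

def rejection_reason(ref):
    """Return None when the reference is acceptable, else the reason it is not."""
    try:
        parse_reference(ref)
        return None
    except ValueError as exc:
        return str(exc)
```

The immutable flag lets a deployment gate or admission check distinguish references pinned by digest from references that rely on a movable tag.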

Push by tag

Examples:

docker push myregistry.azurecr.cn/samples/myimage:20210106

docker push myregistry.azurecr.cn/marketing/email-sender

Pull by tag

Example:

docker pull myregistry.azurecr.cn/marketing/campaign10-18/email-sender:v2

Pull by manifest digest

Example:

docker pull myregistry.azurecr.cn/acr-helloworld@sha256:0a2e01852872580b2c2fea9380ff8d7b637d3928783c55beb3f21a6e58d5d108

Next steps

Learn more about registry storage and supported content formats in Azure Container Registry.

Learn how to push and pull images from Azure Container Registry.