Frequently asked questions about Azure Container Registry

This article addresses frequently asked questions and known issues about Azure Container Registry.

Resource management

Can I create an Azure Container Registry using a Resource Manager template?

Yes. Here is a template that you can use to create a registry.


Is there security vulnerability scanning for images in ACR?

Yes. See the documentation from Azure Security Center.

How do I configure Kubernetes with Azure Container Registry?

See the documentation for Kubernetes and steps for Azure Kubernetes Service.

How do I get admin credentials for a container registry?

Important

The admin user account is designed for a single user to access the registry, mainly for testing purposes. We do not recommend sharing the admin account credentials with multiple users. Individual identity is recommended for users and service principals for headless scenarios. See Authentication overview.

Before getting admin credentials, make sure the registry's admin user is enabled.

To get credentials using the Azure CLI:

az acr credential show -n myRegistry

Using Azure PowerShell:

Invoke-AzureRmResourceAction -Action listCredentials -ResourceType Microsoft.ContainerRegistry/registries -ResourceGroupName myResourceGroup -ResourceName myRegistry

How do I get admin credentials in a Resource Manager template?

Important

The admin user account is designed for a single user to access the registry, mainly for testing purposes. We do not recommend sharing the admin account credentials with multiple users. Individual identity is recommended for users and service principals for headless scenarios. See Authentication overview.

Before getting admin credentials, make sure the registry's admin user is enabled.

To get the first password:

{
    "password": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'myRegistry'), '2017-10-01').passwords[0].value]"
}

To get the second password:

{
    "password": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'myRegistry'), '2017-10-01').passwords[1].value]"
}

Delete of replication fails with Forbidden status although the replication gets deleted using the Azure CLI or Azure PowerShell

The error is seen when the user has permissions on a registry but doesn't have Reader-level permissions on the subscription. To resolve this issue, assign Reader permissions on the subscription to the user:

az role assignment create --role "Reader" --assignee user@contoso.com --scope /subscriptions/<subscription_id> 

Firewall rules are updated successfully but they do not take effect

It takes some time to propagate firewall rule changes. After you change firewall settings, wait a few minutes before verifying the change.

Registry operations

How do I access Docker Registry HTTP API V2?

ACR supports Docker Registry HTTP API V2. The APIs can be accessed at https://<your registry login server>/v2/. Example: https://mycontainerregistry.azurecr.cn/v2/

How do I delete all manifests that are not referenced by any tag in a repository?

If you are on bash:

az acr repository show-manifests -n myRegistry --repository myRepository --query "[?tags[0]==null].digest" -o tsv  | xargs -I% az acr repository delete -n myRegistry -t myRepository@%

For PowerShell:

az acr repository show-manifests -n myRegistry --repository myRepository --query "[?tags[0]==null].digest" -o tsv | %{ az acr repository delete -n myRegistry -t myRepository@$_ }

Note: You can add -y in the delete command to skip confirmation.

For more information, see Delete container images in Azure Container Registry.

Why does the registry quota usage not reduce after deleting images?

This situation can happen if the underlying layers are still being referenced by other container images. If you delete an image with no references, the registry usage updates in a few minutes.

How do I validate storage quota changes?

Create an image with a 1GB layer using the following Dockerfile. This ensures that the image has a layer that is not shared by any other image in the registry.

FROM alpine
RUN dd if=/dev/urandom of=1GB.bin  bs=32M  count=32
RUN ls -lh 1GB.bin

Build and push the image to your registry using the docker CLI.

docker build -t myregistry.azurecr.cn/1gb:latest .
docker push myregistry.azurecr.cn/1gb:latest

You should be able to see that the storage usage has increased in the Azure portal, or you can query usage using the CLI.

az acr show-usage -n myregistry

Delete the image using the Azure CLI or portal and check the updated usage in a few minutes.

az acr repository delete -n myregistry --image 1gb

How do I authenticate with my registry when running the CLI in a container?

You need to run the Azure CLI container by mounting the Docker socket (this gives the container control over the host's Docker daemon):

docker run -it -v /var/run/docker.sock:/var/run/docker.sock azuresdk/azure-cli-python:dev

In the container, install docker:

apk --update add docker

Then authenticate with your registry:

az acr login -n MyRegistry

How to enable TLS 1.2?

Enable TLS 1.2 by using any recent docker client (version 18.03.0 and above).

Important

Starting January 13, 2020, Azure Container Registry will require all secure connections from servers and applications to use TLS 1.2. Support for TLS 1.0 and 1.1 will be retired.

Does Azure Container Registry support Content Trust?

Yes, you can use trusted images in Azure Container Registry, since the Docker Notary has been integrated and can be enabled. For details, see Content Trust in Azure Container Registry.

Where is the file for the thumbprint located?

Under ~/.docker/trust/tuf/myregistry.azurecr.cn/myrepository/metadata:

  • Public keys and certificates of all roles (except delegation roles) are stored in the root.json.
  • Public keys and certificates of the delegation role are stored in the JSON file of its parent role (for example targets.json for the targets/releases role).

It is suggested to verify those public keys and certificates after the overall TUF verification done by the Docker and Notary client.
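
One way to do that check on root.json, as an added example that is not part of the original article or of the Docker or Notary tooling: it computes a SHA-256 thumbprint for every key that root.json assigns to a role and reports any that are not in a set recorded out of band. The function names are hypothetical, the sample document is constructed, and the file layout (signed.keys, signed.roles, and a base64 keyval.public that may wrap a PEM certificate) is an assumption about the Notary metadata format; delegation keys in targets.json are not read.

```python
import base64
import hashlib
import json

# Constructed sample, not real key material: one certificate-style root key
# and one plain public key, laid out the way this example assumes root.json is.
FAKE_CERT_DER = b"constructed-bytes-standing-in-for-a-DER-certificate"
FAKE_PUBKEY_DER = b"constructed-bytes-standing-in-for-a-DER-public-key"
_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_CERT_DER)
        + b"\n-----END CERTIFICATE-----\n")
SAMPLE_ROOT = json.dumps({
    "signed": {
        "keys": {
            "rootkey01": {"keytype": "ecdsa-x509",
                          "keyval": {"private": None,
                                     "public": base64.b64encode(_PEM).decode()}},
            "targetskey01": {"keytype": "ecdsa",
                             "keyval": {"private": None,
                                        "public": base64.b64encode(FAKE_PUBKEY_DER).decode()}},
        },
        "roles": {
            "root": {"keyids": ["rootkey01"], "threshold": 1},
            "targets": {"keyids": ["targetskey01"], "threshold": 1},
        },
    },
    "signatures": [],
})


def _der(public_b64):
    """Decode keyval.public; unwrap a PEM envelope if one is present."""
    raw = base64.b64decode(public_b64)
    if raw.lstrip().startswith(b"-----BEGIN"):
        body = [ln for ln in raw.decode("ascii").splitlines()
                if ln and not ln.startswith("-----")]
        raw = base64.b64decode("".join(body))
    return raw


def key_thumbprints(root_json_text):
    """Return {role: {key_id: sha256 hex of the DER key or certificate}}."""
    signed = json.loads(root_json_text)["signed"]
    result = {}
    for role, info in signed["roles"].items():
        result[role] = {}
        for key_id in info["keyids"]:
            if key_id not in signed["keys"]:
                raise ValueError("role %s lists unknown key %s" % (role, key_id))
            result[role][key_id] = hashlib.sha256(
                _der(signed["keys"][key_id]["keyval"]["public"])).hexdigest()
    return result


def unpinned_keys(root_json_text, pinned):
    """List (role, key_id, thumbprint) entries whose thumbprint is not in
    `pinned`, a set of thumbprints recorded out of band."""
    return [(role, key_id, tp)
            for role, keys in key_thumbprints(root_json_text).items()
            for key_id, tp in keys.items() if tp not in pinned]
```

Run unpinned_keys on the text of the real root.json with the thumbprints you recorded when trust was first established; an empty list means every role key matches a pinned value.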

How do I grant access to pull or push images without permission to manage the registry resource?

ACR supports custom roles that provide different levels of permissions. Specifically, AcrPull and AcrPush roles allow users to pull and/or push images without the permission to manage the registry resource in Azure.

  • Azure portal: Your registry -> Access Control (IAM) -> Add (Select AcrPull or AcrPush for the Role).

  • Azure CLI: Find the resource ID of the registry by running the following command:

    az acr show -n myRegistry
    

    Then you can assign the AcrPull or AcrPush role to a user (the following example uses AcrPull):

    az role assignment create --scope resource_id --role AcrPull --assignee user@example.com
    

    Or, assign the role to a service principal identified by its application ID:

    az role assignment create --scope resource_id --role AcrPull --assignee 00000000-0000-0000-0000-000000000000
    

The assignee is then able to authenticate and access images in the registry.

  • To authenticate to a registry:

    az acr login -n myRegistry 
    
  • To list repositories:

    az acr repository list -n myRegistry
    
  • To pull an image:

    docker pull myregistry.azurecr.cn/hello-world
    

With the use of only the AcrPull or AcrPush role, the assignee doesn't have the permission to manage the registry resource in Azure. For example, az acr list or az acr show -n myRegistry won't show the registry.

How do I enable automatic image quarantine for a registry?

Image quarantine is currently a preview feature of ACR. You can enable the quarantine mode of a registry so that only those images which have successfully passed security scan are visible to normal users. For details, see the ACR GitHub repo.

How do I enable anonymous pull access?

Setting up an Azure container registry for anonymous (public) pull access is currently a preview feature. To enable public access, please open a support ticket at https://support.azure.cn/support/support-azure/. For details, see the Azure Feedback Forum.

Diagnostics and health checks

Check health with az acr check-health

To troubleshoot common environment and registry issues, see Check the health of an Azure container registry.

docker pull fails with error: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

  • If this error is a transient issue, then retry will succeed.

  • If docker pull fails continuously, then there could be a problem with the Docker daemon. The problem can generally be mitigated by restarting the Docker daemon.

  • If you continue to see this issue after restarting the Docker daemon, then the problem could be a network connectivity issue with the machine. To check if general network on the machine is healthy, run the following command to test endpoint connectivity. The minimum az acr version that contains this connectivity check command is 2.2.9. Upgrade your Azure CLI if you are using an older version.

    az acr check-health -n myRegistry
    
  • You should always have a retry mechanism on all Docker client operations.

Docker pull is slow

Use this tool to test your machine network download speed. If the machine network is slow, consider using an Azure VM in the same region as your registry. This usually gives you faster network speed.

Docker push is slow

Use this tool to test your machine network upload speed. If the machine network is slow, consider using an Azure VM in the same region as your registry. This usually gives you faster network speed.

Docker push succeeds but docker pull fails with error: unauthorized: authentication required

This error can happen with the Red Hat version of the Docker daemon, where --signature-verification is enabled by default. You can check the Docker daemon options for Red Hat Enterprise Linux (RHEL) or Fedora by running the following command:

grep OPTIONS /etc/sysconfig/docker

For instance, Fedora 28 Server has the following docker daemon options:

OPTIONS='--selinux-enabled --log-driver=journald --live-restore'

With --signature-verification=false missing, docker pull fails with an error similar to:

Trying to pull repository myregistry.azurecr.cn/myimage ...
unauthorized: authentication required

To resolve the error:

  1. Add the option --signature-verification=false to the Docker daemon configuration file /etc/sysconfig/docker. For example:

    OPTIONS='--selinux-enabled --log-driver=journald --live-restore --signature-verification=false'

  2. Restart the Docker daemon service by running the following command:

    sudo systemctl restart docker.service
    

Details of --signature-verification can be found by running man dockerd.

az acr login succeeds but docker fails with error: unauthorized: authentication required

Make sure you use an all lowercase server URL, for example, docker push myregistry.azurecr.cn/myimage:latest, even if the registry resource name is uppercase or mixed case, like myRegistry.

Enable and get the debug logs of the Docker daemon

Start dockerd with the debug option. First, create the Docker daemon configuration file (/etc/docker/daemon.json) if it doesn't exist, and add the debug option:

{   
    "debug": true   
}

Then, restart the daemon. For example, with Ubuntu 14.04:

sudo service docker restart

Details can be found in the Docker documentation.

  • The logs may be generated at different locations, depending on your system. For example, for Ubuntu 14.04, it's /var/log/upstart/docker.log.
    See Docker documentation for details.

  • For Docker for Windows, the logs are generated under %LOCALAPPDATA%/docker/. However, this location may not contain all the debug information.

    In order to access the full daemon log, you may need some extra steps:

    docker run --privileged -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v /usr/local/bin/docker:/usr/local/bin/docker alpine sh
    
    docker run --net=host --ipc=host --uts=host --pid=host -it --security-opt=seccomp=unconfined --privileged --rm -v /:/host alpine /bin/sh
    chroot /host
    

    Now you have access to all the files of the VM running dockerd. The log is at /var/log/docker.log.

New user permissions may not be effective immediately after updating

When you grant new permissions (new roles) to a service principal, the change might not take effect immediately. There are two possible reasons:

  • Azure Active Directory role assignment delay. Normally it's fast, but it could take minutes due to propagation delay.

  • Permission delay on ACR token server. This could take up to 10 minutes. To mitigate, you can docker logout and then authenticate again with the same user after 1 minute:

    docker logout myregistry.azurecr.cn
    docker login myregistry.azurecr.cn
    

Currently ACR doesn't support home replication deletion by the users. The workaround is to include the home replication create in the template but skip its creation by adding "condition": false as shown below:

{
    "name": "[concat(parameters('acrName'), '/', parameters('location'))]",
    "condition": false,
    "type": "Microsoft.ContainerRegistry/registries/replications",
    "apiVersion": "2017-10-01",
    "location": "[parameters('location')]",
    "properties": {},
    "dependsOn": [
        "[concat('Microsoft.ContainerRegistry/registries/', parameters('acrName'))]"
     ]
},

Authentication information is not given in the correct format on direct REST API calls

You may encounter an InvalidAuthenticationInfo error, especially using the curl tool with the option -L, --location (to follow redirects). For example, fetching the blob using curl with -L option and basic authentication:

curl -L -H "Authorization: basic $credential" https://$registry.azurecr.cn/v2/$repository/blobs/$digest

may result in the following response:

<?xml version="1.0" encoding="utf-8"?>
<Error><Code>InvalidAuthenticationInfo</Code><Message>Authentication information is not given in the correct format. Check the value of Authorization header.
RequestId:00000000-0000-0000-0000-000000000000
Time:2019-01-01T00:00:00.0000000Z</Message></Error>

The root cause is that some curl implementations follow redirects with headers from the original request.

To resolve the problem, you need to follow redirects manually without the headers. Print the response headers with the -D - option of curl and then extract the Location header:

redirect_url=$(curl -s -D - -H "Authorization: basic $credential" "https://$registry.azurecr.cn/v2/$repository/blobs/$digest" | grep -i "^Location: " | cut -d " " -f2 | tr -d '\r')
curl "$redirect_url"
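
The same exchange with both sides visible, as an added example that is not from the original article: two local mock servers stand in for the registry and for the storage endpoint it redirects to, and the client fetches the blob once with the Authorization header forwarded and once with it dropped on the redirect. All names, ports, URLs and the credential are constructed, and plain HTTP on loopback replaces HTTPS so it runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

BLOB = b"constructed layer bytes"  # constructed stand-in for a blob
CRED = "Y29uc3RydWN0ZWQ="  # constructed value, base64 of "constructed"


class Mock(BaseHTTPRequestHandler):
    def reply(self, status, body=b"", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class Storage(Mock):
    """Mock blob store: the URL is the grant, so Authorization is rejected."""
    def do_GET(self):
        if self.headers.get("Authorization"):
            self.reply(400, b"InvalidAuthenticationInfo")
        else:
            self.reply(200, BLOB)


class Registry(Mock):
    """Mock registry: checks the caller is authenticated, then redirects."""
    storage_url = ""  # set by demo() once the storage port is known
    def do_GET(self):
        if self.headers.get("Authorization"):
            self.reply(307, location=self.storage_url)
        else:
            self.reply(401, b"unauthorized")


def get(url, headers=None):
    """Send one GET, return (status, Location, body); never follows redirects."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request("GET", u.path + ("?" + u.query if u.query else ""), headers=headers or {})
    resp = conn.getresponse()
    result = resp.status, resp.getheader("Location"), resp.read()
    conn.close()
    return result


def fetch_blob(url, credential, forward_auth):
    auth = {"Authorization": "Basic " + credential}
    status, location, body = get(url, auth)
    if status in (301, 302, 303, 307, 308) and location:
        # forward_auth=True mimics the failing curl -L; False is the manual fix.
        status, _, body = get(location, auth if forward_auth else None)
    return status, body


def demo():
    servers = [HTTPServer(("127.0.0.1", 0), h) for h in (Storage, Registry)]
    for s in servers:
        threading.Thread(target=s.serve_forever, daemon=True).start()
    Registry.storage_url = "http://127.0.0.1:%d/blob?sig=constructed" % servers[0].server_port
    url = "http://127.0.0.1:%d/v2/myrepository/blobs/sha256:constructed" % servers[1].server_port
    try:
        return fetch_blob(url, CRED, True), fetch_blob(url, CRED, False)
    finally:
        for s in servers:
            s.shutdown()
            s.server_close()
```

Dropping the header on the second hop also keeps the registry credential from being sent to a host other than the one it was issued for.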

Why does the Azure portal not list all my repositories or tags?

If you are using the Microsoft Edge/IE browser, you can see at most 100 repositories or tags. If your registry has more than 100 repositories or tags, we recommend that you use either the Firefox or Chrome browser to list them all.

Why does the Azure portal fail to fetch repositories or tags?

The browser might not be able to send the request for fetching repositories or tags to the server. There could be various reasons such as:

  • Lack of network connectivity
  • Firewall
  • Ad blockers
  • DNS errors

Please contact your network administrator or check your network configuration and connectivity. Try running az acr check-health -n yourRegistry using your Azure CLI to check if your environment is able to connect to the Container Registry. In addition, you could also try an incognito or private session in your browser to avoid any stale browser cache or cookies.

Why does my pull or push request fail with disallowed operation?

Here are some scenarios where operations may be disallowed:

  • Classic registries are no longer supported. Please upgrade to a supported service tier using az acr update or the Azure portal.
  • The image or repository may be locked so that it can't be deleted or updated. You can use the az acr repository show command to view current attributes.
  • Some operations are disallowed if the image is in quarantine. Learn more about quarantine.
  • Your registry may have reached its storage limit.

Repository format is invalid or unsupported

If you see an error such as "unsupported repository format", "invalid format", or "the requested data does not exist" when specifying a repository name in repository operations, check the spelling and case of the name. Valid repository names can only include lowercase alphanumeric characters, periods, dashes, underscores, and forward slashes.

For complete repository naming rules, see the Open Container Initiative Distribution Specification.

How do I collect http traces on Windows?

Prerequisites

Windows containers

Configure Docker proxy to 127.0.0.1:8888

Linux containers

Find the IP of the Docker VM virtual switch:

(Get-NetIPAddress -InterfaceAlias "*Docker*" -AddressFamily IPv4).IPAddress

Configure the Docker proxy to the output of the previous command and the port 8888 (for example 10.0.75.1:8888)

Tasks

How do I batch cancel runs?

The following commands cancel all running tasks in the specified registry.

az acr task list-runs -r $myregistry --run-status Running --query '[].runId' -o tsv \
| xargs -I% az acr task cancel-run -r $myregistry --run-id %

How do I include the .git folder in az acr build command?

If you pass a local source folder to the az acr build command, the .git folder is excluded from the uploaded package by default. You can create a .dockerignore file with the following setting. It tells the command to restore all files under .git in the uploaded package.

!.git/**

This setting also applies to the az acr run command.

Does Tasks support GitLab for Source triggers?

We currently do not support GitLab for Source triggers.

What git repository management service does Tasks support?

Git service | Source context | Manual build | Auto build through commit trigger
GitHub | https://github.com/user/myapp-repo.git#mybranch:myfolder | Yes | Yes
Azure Repos | https://dev.azure.com/user/myproject/_git/myapp-repo#mybranch:myfolder | Yes | Yes
GitLab | https://gitlab.com/user/myapp-repo.git#mybranch:myfolder | Yes | No
BitBucket | https://user@bitbucket.org/user/mayapp-repo.git#mybranch:myfolder | Yes | No

Run Error Message Troubleshooting

Error message | Troubleshooting guide
No access was configured for the VM, hence no subscriptions were found | This could happen if you are using az login --identity in your ACR Task. This is a transient error and occurs when the role assignment of your Managed Identity hasn't propagated. Waiting a few seconds before retrying works.

CI/CD integration

Next steps