Lock a container image in an Azure container registry

In an Azure container registry, you can lock an image version or a repository so that it can't be deleted or updated. To lock an image or a repository, update its attributes using the Azure CLI command az acr repository update.

This article requires that you run the Azure CLI in Azure local Shell or locally (version 2.0.55 or later recommended). Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Scenarios

By default, a tagged image in Azure Container Registry is mutable, so with appropriate permissions you can repeatedly update and push an image with the same tag to a registry. Container images can also be deleted as needed. This behavior is useful when you develop images and need to maintain a size for your registry.

However, when you deploy a container image to production, you might need an immutable container image. An immutable image is one that you can't accidentally delete or overwrite. Use the az acr repository update command to set repository attributes so you can:

  • Lock an image version, or an entire repository

  • Protect an image version or repository from deletion, but allow updates

  • Prevent read (pull) operations on an image version, or an entire repository

See the following sections for examples.

Lock an image or repository

Show the current repository attributes

To see the current attributes of a repository, run the following az acr repository show command:

az acr repository show \
    --name myregistry --repository myrepo \
    --output jsonc

Show the current image attributes

To see the current attributes of a tag, run the following az acr repository show command:

az acr repository show \
    --name myregistry --image image:tag \
    --output jsonc

Lock an image by tag

To lock the myrepo/myimage:tag image in myregistry, run the following az acr repository update command:

az acr repository update \
    --name myregistry --image myrepo/myimage:tag \
    --write-enabled false

Lock an image by manifest digest

To lock a myrepo/myimage image identified by manifest digest (SHA-256 hash, represented as sha256:...), run the following command. (To find the manifest digest associated with one or more image tags, run the az acr repository show-manifests command.)

az acr repository update \
    --name myregistry --image myrepo/myimage@sha256:123456abcdefg \
    --write-enabled false

Lock a repository

To lock the myrepo/myimage repository and all images in it, run the following command:

az acr repository update \
    --name myregistry --repository myrepo/myimage \
    --write-enabled false

Protect an image or repository from deletion

Protect an image from deletion

To allow the myrepo/myimage:tag image to be updated but not deleted, run the following command:

az acr repository update \
    --name myregistry --image myrepo/myimage:tag \
    --delete-enabled false --write-enabled true

Protect a repository from deletion

The following command sets the myrepo/myimage repository so it can't be deleted. Individual images can still be updated or deleted.

az acr repository update \
    --name myregistry --repository myrepo/myimage \
    --delete-enabled false --write-enabled true

Prevent read operations on an image or repository

To prevent read (pull) operations on the myrepo/myimage:tag image, run the following command:

az acr repository update \
    --name myregistry --image myrepo/myimage:tag \
    --read-enabled false

To prevent read operations on all images in the myrepo/myimage repository, run the following command:

az acr repository update \
    --name myregistry --repository myrepo/myimage \
    --read-enabled false

Unlock an image or repository

To restore the default behavior of the myrepo/myimage:tag image so that it can be deleted and updated, run the following command:

az acr repository update \
    --name myregistry --image myrepo/myimage:tag \
    --delete-enabled true --write-enabled true

To restore the default behavior of the myrepo/myimage repository and all images so that they can be deleted and updated, run the following command:

az acr repository update \
    --name myregistry --repository myrepo/myimage \
    --delete-enabled true --write-enabled true
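
To confirm that the attributes set above are actually in effect before a deployment, the following script reports the state of each image and fails if any is not locked. It is an added example, not part of the original article: the function names are hypothetical, and it assumes the changeableAttributes object (writeEnabled, deleteEnabled, readEnabled) in the JSON that az acr repository show returns.

```shell
#!/bin/sh
# Added example (not from the original article): audit image lock state.

# classify "WRITE,DELETE,READ" -> state name matching the article's scenarios.
classify() {
    case "$1" in
        true,true,true)                     echo "default" ;;          # mutable and deletable
        true,false,true)                    echo "delete-protected" ;; # --delete-enabled false
        false,true,true | false,false,true) echo "locked" ;;           # --write-enabled false
        true,?*,false | false,?*,false)     echo "pull-blocked" ;;     # --read-enabled false
        *)                                  echo "unknown" ;;          # lookup failed or odd output
    esac
}

# get_attrs REGISTRY IMAGE -> "write,delete,read" as reported by the registry.
# IMAGE may be repo:tag or repo@sha256:... as in the commands above.
get_attrs() {
    az acr repository show --name "$1" --image "$2" \
        --query 'changeableAttributes.[writeEnabled,deleteEnabled,readEnabled]' \
        --output json | tr -d ' \n[]'
}

# audit_image REGISTRY IMAGE -> prints "IMAGE STATE"; succeeds only if locked.
audit_image() {
    state=$(classify "$(get_attrs "$1" "$2")")
    echo "$2 $state"
    [ "$state" = "locked" ]
}

# audit_all REGISTRY IMAGE... -> exit status is the number of images not locked.
audit_all() {
    registry=$1; shift; unlocked=0
    for image in "$@"; do
        audit_image "$registry" "$image" || unlocked=$((unlocked + 1))
    done
    return "$unlocked"
}

# Run only when called with arguments, for example:
#   sh audit.sh myregistry myrepo/myimage:tag
if [ "$#" -ge 2 ]; then audit_all "$@"; fi
```

An image whose attributes cannot be read is reported as unknown and counted as not locked, so a failed lookup cannot pass the check.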

Next steps

In this article, you learned about using the az acr repository update command to prevent deletion or updating of image versions in a repository. To set additional attributes, see the az acr repository update command reference.

To see the attributes set for an image version or repository, use the az acr repository show command.

For details about delete operations, see Delete container images in Azure Container Registry.