Import container images to a container registry

You can easily import (copy) container images to an Azure container registry, without using Docker commands. For example, import images from a development registry to a production registry, or copy base images from a public registry.

Azure Container Registry handles a number of common scenarios to copy images from an existing registry:

  • Import from a public registry

  • Import from another Azure container registry, in the same or a different Azure subscription

  • Import from a non-Azure private container registry

Image import into an Azure container registry has the following benefits over using Docker CLI commands:

  • Because your client environment doesn't need a local Docker installation, import any container image, regardless of the supported OS type.

  • When you import multi-architecture images (such as official Docker images), images for all architectures and platforms specified in the manifest list get copied.

To import container images, this article requires that you run the Azure CLI in a local shell (version 2.0.55 or later recommended). Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Prerequisites

If you don't already have an Azure container registry, create a registry. For steps, see Quickstart: Create a private container registry using the Azure CLI.

To import an image to an Azure container registry, your identity must have write permissions to the target registry (at least Contributor role). See Azure Container Registry roles and permissions.

Import from a public registry

Import from Docker Hub

For example, use the az acr import command to import the multi-architecture hello-world:latest image from Docker Hub to a registry named myregistry. Because hello-world is an official image from Docker Hub, this image is in the default library repository. Include the repository name and optionally a tag in the value of the --source image parameter. (You can optionally identify an image by its manifest digest instead of by tag, which guarantees a particular version of an image.)

az acr import --name myregistry --source dockerhub.azk8s.cn/library/hello-world:latest --image hello-world:latest

You can verify that multiple manifests are associated with this image by running the az acr repository show-manifests command:

az acr repository show-manifests --name myregistry --repository hello-world

The following example imports a public image from the tensorflow repository in Docker Hub:

az acr import --name myregistry --source dockerhub.azk8s.cn/tensorflow/tensorflow:latest-gpu --image tensorflow:latest-gpu

Import from Azure Container Registry

For example, import the latest Windows Server Core image from the windows repository in Azure Container Registry.

az acr import --name myregistry --source mcr.microsoft.com/windows/servercore:latest --image servercore:latest

Import from another Azure container registry

You can import an image from another Azure container registry using integrated Azure Active Directory permissions.

  • Your identity must have Azure Active Directory permissions to read from the source registry (Reader role) and to write to the target registry (Contributor role).

  • The registry can be in the same or a different Azure subscription in the same Active Directory tenant.

Import from a registry in the same subscription

For example, import the aci-helloworld:latest image from a source registry mysourceregistry to myregistry in the same Azure subscription.

az acr import --name myregistry --source mysourceregistry.azurecr.cn/aci-helloworld:latest --image hello-world:latest

The following example imports an image by manifest digest (SHA-256 hash, represented as sha256:...) instead of by tag:

az acr import --name myregistry --source mysourceregistry.azurecr.cn/aci-helloworld@sha256:123456abcdefg 
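Because a digest guarantees a particular version while a tag can be repointed, an unattended import can be gated on the --source reference being digest-pinned. The following is an added example, not part of the original article: is_digest_pinned, ref_kind, import_pinned and the AZ override are hypothetical names, and the 64-zero digest is constructed. The shortened placeholder digest shown above (sha256:123456abcdefg) would be reported as malformed-digest.

```sh
# Added example (not from the original article): allow `az acr import`
# only when --source is pinned to a full sha256 manifest digest.

# True when the reference ends in @sha256:<64 lowercase hex characters>.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Print how a reference selects its image:
# digest, malformed-digest, tag:<name>, or untagged.
ref_kind() {
  if is_digest_pinned "$1"; then echo digest; return 0; fi
  case "$1" in
    *@*) echo malformed-digest ;;
    *)
      _last=${1##*/}   # a ':' before the last '/' is a registry port
      case "$_last" in
        *:*) echo "tag:${_last##*:}" ;;
        *)   echo untagged ;;
      esac ;;
  esac
}

# $1 = target registry, $2 = source reference, $3 = target repo:tag.
# AZ is a hypothetical override (default: az); AZ=echo gives a dry run.
import_pinned() {
  if ! is_digest_pinned "$2"; then
    echo "refusing mutable source ($(ref_kind "$2")): $2" >&2
    return 1
  fi
  "${AZ:-az}" acr import --name "$1" --source "$2" --image "$3"
}

# Dry run with a constructed digest (64 zeros, not a real image).
SAMPLE="mysourceregistry.azurecr.cn/aci-helloworld@sha256:$(printf '%064d' 0)"
( AZ=echo; import_pinned myregistry "$SAMPLE" aci-helloworld:pinned )
# A tag is refused before any call to az is made.
( AZ=echo; import_pinned myregistry \
    dockerhub.azk8s.cn/library/hello-world:latest hello-world:latest ) || true
```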

Import from a registry in a different subscription

In the following example, mysourceregistry is in a different subscription from myregistry in the same Active Directory tenant. Supply the resource ID of the source registry with the --registry parameter. Notice that the --source parameter specifies only the source repository and image name, not the registry login server name.

az acr import --name myregistry --source sourcerepo/aci-helloworld:latest --image aci-hello-world:latest --registry /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sourceResourceGroup/providers/Microsoft.ContainerRegistry/registries/mysourceregistry

Import from a registry using service principal credentials

To import from a registry that you can't access using Active Directory permissions, you can use service principal credentials (if available). Supply the appID and password of an Active Directory service principal that has ACRPull access to the source registry. Using a service principal is useful for build systems and other unattended systems that need to import images to your registry.

az acr import --name myregistry --source sourceregistry.azurecr.cn/sourcerepo/sourceimage:tag --image targetimage:tag --username <SP_App_ID> --password <SP_Passwd>

Import from a non-Azure private container registry

Import an image from a private registry by specifying credentials that enable pull access to the registry. For example, pull an image from a private Docker registry:

az acr import --name myregistry --source dockerhub.azk8s.cn/sourcerepo/sourceimage:tag --image sourceimage:tag --username <username> --password <password>

Next steps

In this article, you learned about importing container images to an Azure container registry from a public registry or another private registry. For additional image import options, see the az acr import command reference.