Introduction to private Docker container registries in Azure

Azure Container Registry is a managed, private Docker registry service based on the open-source Docker Registry 2.0. Create and maintain Azure container registries to store and manage your private Docker container images and related artifacts.

Use Azure container registries with your existing container development and deployment pipelines, or use Azure Container Registry Tasks to build container images in Azure. Build on demand, or fully automate builds with triggers such as source code commits and base image updates.

For more about Docker and registry concepts, see the Docker overview and About registries, repositories, and images.

Use cases

Pull images from an Azure container registry to various deployment targets:

Developers can also push to a container registry as part of a container development workflow. For example, target a container registry from a continuous integration and delivery tool such as Jenkins.

Configure ACR Tasks to automatically rebuild application images when their base images are updated, or automate image builds when your team commits code to a Git repository. Create multi-step tasks to automate building, testing, and patching multiple container images in parallel in the cloud.

Azure provides tooling including Azure Command-Line Interface, Azure portal, and API support to manage your Azure container registries. Optionally install the Docker Extension for Visual Studio Code and the Azure Account extension to work with your Azure container registries. Pull and push images to an Azure container registry, or run ACR Tasks, all within Visual Studio Code.

Key features

  • Registry service tiers - Create one or more container registries in your Azure subscription. Registries are available in three tiers: Basic, Standard, and Premium, each of which supports webhook integration, registry authentication with Azure Active Directory, and delete functionality. Take advantage of local, network-close storage of your container images by creating a registry in the same Azure location as your deployments. Use the geo-replication feature of Premium registries for advanced replication and container image distribution scenarios.

  • Security and access - You log in to a registry using the Azure CLI or the standard docker login command. Azure Container Registry transfers container images over HTTPS, and supports TLS to secure client connections.

    Important

    Starting January 13, 2020, Azure Container Registry will require all secure connections from servers and applications to use TLS 1.2. Enable TLS 1.2 by using any recent docker client (version 18.03.0 or later). Support for TLS 1.0 and 1.1 will be retired.

    You control access to a container registry using an Azure identity, an Azure Active Directory-backed service principal, or a provided admin account. Use role-based access control (RBAC) to assign users or systems fine-grained permissions to a registry.

    Security features of the Premium service tier include content trust for image tag signing, and firewalls and virtual networks (preview) to restrict access to the registry. Azure Security Center optionally integrates with Azure Container Registry to scan images whenever an image is pushed to a registry.

  • Supported images and artifacts - Grouped in a repository, each image is a read-only snapshot of a Docker-compatible container. Azure container registries can include both Windows and Linux images. You control image names for all your container deployments. Use standard Docker commands to push images into a repository, or pull an image from a repository. In addition to Docker container images, Azure Container Registry stores related content formats such as Helm charts and images built to the Open Container Initiative (OCI) Image Format Specification.

  • Automated image builds - Use Azure Container Registry Tasks (ACR Tasks) to streamline building, testing, pushing, and deploying images in Azure. For example, use ACR Tasks to extend your development inner-loop to the cloud by offloading docker build operations to Azure. Configure build tasks to automate your container OS and framework patching pipeline, and build images automatically when your team commits code to source control.

    Multi-step tasks provide step-based task definition and execution for building, testing, and patching container images in the cloud. Task steps define individual container image build and push operations. They can also define the execution of one or more containers, with each step using the container as its execution environment.
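
The TLS 1.2 note under "Security and access" names Docker client 18.03.0 as the minimum version. The following is an added example, not part of the original page or any Azure tooling: a POSIX shell check that lists build hosts whose Docker client is below that minimum. The function names, host names and inventory format are assumptions made for illustration.

```shell
#!/bin/sh
MIN_DOCKER_VERSION="18.03.0"   # minimum client version stated on the page

# clean_version: drop a leading "v" and any build suffix ("-ce", "+azure", "~3").
clean_version() {
  cv="${1#v}"
  printf '%s\n' "${cv%%[-+~]*}"
}

# to_int: strip leading zeros so fields such as "03" or "09" are read as decimal.
to_int() {
  n="${1#"${1%%[!0]*}"}"
  printf '%s\n' "${n:-0}"
}

# version_ge A B: returns 0 if A >= B, 1 if A < B, 2 if either is not dotted-numeric.
version_ge() {
  va=$(clean_version "$1"); vb=$(clean_version "$2")
  case "$va" in ''|.*|*[!0-9.]*) return 2 ;; esac
  case "$vb" in ''|.*|*[!0-9.]*) return 2 ;; esac
  for i in 1 2 3; do
    # The trailing ".." guarantees three fields, so "18" compares as 18.0.0.
    x=$(to_int "$(printf '%s..\n' "$va" | cut -d. -f"$i")")
    y=$(to_int "$(printf '%s..\n' "$vb" | cut -d. -f"$i")")
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# outdated_clients: read "host version" lines on stdin and print every host
# whose client is below the minimum or whose version cannot be parsed.
outdated_clients() {
  while read -r host ver; do
    [ -n "$host" ] || continue
    version_ge "$ver" "$MIN_DOCKER_VERSION" || printf '%s\n' "$host"
  done
}

# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY='build-01 18.09.1-ce
build-02 17.12.1-ce
build-03 18.03.0
build-04 20.10.7+azure
build-05 unknown'

# Report the hosts that need a client upgrade before they talk to the registry.
printf '%s\n' "$SAMPLE_INVENTORY" | outdated_clients
```

On a real host, the version string for the inventory can be collected with `docker version --format '{{.Client.Version}}'`.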

Next steps