Run ACR Tasks using Resource Manager templates

ACR Tasks is a suite of features within Azure Container Registry to help you manage and modify container images across the container lifecycle.

This article shows Azure Resource Manager template examples to queue a quick task run, similar to one you can create manually using the az acr build command.

A Resource Manager template to queue a task run is useful in automation scenarios and extends the functionality of az acr build. For example:

  • Use a template to create a container registry and immediately queue a task run to build and push a container image
  • Create or enable additional resources you can use in a quick task run, such as a managed identity for Azure resources

Limitations

  • You must specify a remote context such as a GitHub repo as the source location for your task run. You can't use a local source context.
  • For task runs using a managed identity, only a user-assigned managed identity is permitted.

Prerequisites

Example: Create registry and queue task run

This example uses a sample template to create a container registry and queue a task run that builds and pushes an image.

Template parameters

For this example, provide values for the following template parameters:

| Parameter | Value |
|-----------|-------|
| registryName | Unique name of registry that's created |
| repository | Target repository for build task |
| taskRunName | Name of task run, which specifies image tag |
| sourceLocation | Remote context for the build task, for example, https://github.com/Azure-Samples/acr-build-helloworld-node. The Dockerfile in the repo root builds a container image for a small Node.js web app. If desired, use your fork of the repo as the build context. |

Deploy the template

Deploy the template with the az deployment group create command. This example builds and pushes the helloworld-node:testrun image to a registry named mycontainerregistry.

az deployment group create \
  --resource-group myResourceGroup \
  --template-uri https://raw.githubusercontent.com/Azure/acr/main/docs/tasks/run-as-deployment/quickdockerbuild/azuredeploy.json \
  --parameters \
    registryName=mycontainerregistry \
    repository=helloworld-node \
    taskRunName=testrun \
    sourceLocation=https://github.com/Azure-Samples/acr-build-helloworld-node.git

The previous command passes the parameters on the command line. If desired, pass them in a parameters file.

Verify deployment

After the deployment completes successfully, verify the image is built by running az acr repository show-tags:

az acr repository show-tags \
  --name mycontainerregistry \
  --repository helloworld-node --output table

Output:

Result
--------
testrun

View run log

To view details about the task run, view the run log.

First, get the run ID with az acr task list-runs:

az acr task list-runs \
  --registry mycontainerregistry --output table

Output is similar to:

RUN ID    TASK    PLATFORM    STATUS     TRIGGER    STARTED               DURATION
--------  ------  ----------  ---------  ---------  --------------------  ----------
ca1               linux       Succeeded  Manual     2020-03-23T17:54:28Z  00:00:48

Run az acr task logs to view task run logs for the run ID, in this case ca1:

az acr task logs \
  --registry mycontainerregistry \
  --run-id ca1

The output shows the task run log.

You can also view the task run log in the Azure portal.

  1. Navigate to your container registry.
  2. Under Services, select Tasks > Runs.
  3. Select the run ID, in this case ca1.

The portal shows the task run log.

Example: Task run with managed identity

Use a sample template to queue a task run that enables a user-assigned managed identity. During the task run, the identity authenticates to pull an image from another Azure container registry.

This scenario is similar to Cross-registry authentication in an ACR task using an Azure-managed identity. For example, an organization might maintain a centralized registry with base images accessed by multiple development teams.

Prepare base registry

For demonstration purposes, create a separate container registry as your base registry, and push a Node.js base image pulled from Docker Hub.

  1. Create a second container registry, for example mybaseregistry, to store base images.

  2. Pull the node:9-alpine image from Docker Hub, tag it for your base registry, and push it to the base registry:

    docker pull node:9-alpine
    docker tag node:9-alpine mybaseregistry.azurecr.cn/baseimages/node:9-alpine
    az acr login -n mybaseregistry
    docker push mybaseregistry.azurecr.cn/baseimages/node:9-alpine
    

Create new Dockerfile

Create a Dockerfile that pulls the base image from your base registry. Perform the following steps in your local fork of the GitHub repo, for example, https://github.com/myGitHubID/acr-build-helloworld-node.git.

  1. In the GitHub UI, select Create new file.
  2. Name your file Dockerfile-test and paste the following contents. Substitute your registry name for mybaseregistry.
    FROM mybaseregistry.azurecr.cn/baseimages/node:9-alpine
    COPY . /src
    RUN cd /src && npm install
    EXPOSE 80
    CMD ["node", "/src/server.js"]
    
  3. Select Commit new file.

Create a user-assigned identity

Create an identity named myACRTasksId in your subscription using the az identity create command. You can use the same resource group you used previously to create a container registry, or a different one.

az identity create \
  --resource-group myResourceGroup \
  --name myACRTasksId

To configure the user-assigned identity in the following steps, use the az identity show command to store the identity's resource ID, principal ID, and client ID in variables.

# Get resource ID of the user-assigned identity
resourceID=$(az identity show \
  --resource-group myResourceGroup \
  --name myACRTasksId \
  --query id --output tsv)

# Get principal ID of the task's user-assigned identity
principalID=$(az identity show \
  --resource-group myResourceGroup \
  --name myACRTasksId \
  --query principalId --output tsv)

# Get client ID of the user-assigned identity
clientID=$(az identity show \
  --resource-group myResourceGroup \
  --name myACRTasksId \
  --query clientId --output tsv)

Give identity pull permissions to the base registry

Give the managed identity permissions to pull from the base registry, mybaseregistry.

Use the az acr show command to get the resource ID of the base registry and store it in a variable:

baseregID=$(az acr show \
  --name mybaseregistry \
  --query id --output tsv)

Use the az role assignment create command to assign the identity the AcrPull role on the base registry. This role has permissions only to pull images from the registry.

az role assignment create \
  --assignee $principalID \
  --scope $baseregID \
  --role acrpull
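
A least-privilege check to run after the role assignment, as an added example that is not part of the original article: it reads role and scope pairs in the form az role assignment list emits them and fails unless the identity's only assignment is AcrPull on the base registry. The function name audit_pull_identity and the sample resource ID are constructed for illustration.

```shell
# Added example: least-privilege check for the task identity.
# Input on stdin: "role<TAB>scope" lines, for example from
#   az role assignment list --assignee "$principalID" --all \
#     --query '[].[roleDefinitionName, scope]' --output tsv
# $1 is the base registry's resource ID ($baseregID on this page).
# Returns 0 only when the sole assignment is AcrPull on that registry.
audit_pull_identity() {
  local want role scope role_lc scope_lc tab findings seen
  tab=$(printf '\t'); findings=0; seen=0
  # Azure resource IDs and role names compare case-insensitively.
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while IFS="$tab" read -r role scope; do
    if [ -z "$role" ]; then continue; fi
    role_lc=$(printf '%s' "$role" | tr '[:upper:]' '[:lower:]')
    scope_lc=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    if [ "$role_lc" = acrpull ] && [ "$scope_lc" = "$want" ]; then
      seen=1
      continue
    fi
    # A scope that is a parent of the registry (resource group,
    # subscription) applies to every registry beneath it.
    case "$want" in
      "$scope_lc"/*) echo "BROAD: $role at parent scope $scope" ;;
      *)             echo "EXTRA: $role at $scope" ;;
    esac
    findings=$((findings + 1))
  done
  if [ "$seen" -eq 0 ]; then
    echo "MISSING: no AcrPull on $1"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample data (placeholder subscription ID), not real output:
# the identity also holds Contributor on the resource group.
sample_base="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/mybaseregistry"
printf 'AcrPull\t%s\nContributor\t%s\n' "$sample_base" "${sample_base%/providers/*}" |
  audit_pull_identity "$sample_base" || echo "identity needs review before deployment"
```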

Template parameters

For this example, provide values for the following template parameters:

| Parameter | Value |
|-----------|-------|
| registryName | Name of registry where image is built |
| repository | Target repository for build task |
| taskRunName | Name of task run, which specifies image tag |
| userAssignedIdentity | Resource ID of user-assigned identity enabled in the task |
| customRegistryIdentity | Client ID of user-assigned identity enabled in the task, used to authenticate with custom registry |
| customRegistry | Login server name of the custom registry accessed in the task, for example, mybaseregistry.azurecr.cn |
| sourceLocation | Remote context for the build task, for example, https://github.com/<your-GitHub-ID>/acr-build-helloworld-node. |
| dockerFilePath | Path to the Dockerfile at the remote context, used to build the image. |
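
Because customRegistryIdentity authenticates to the registry named in customRegistry, a pre-deployment check can confirm that the Dockerfile at dockerFilePath pulls its base images from that registry alone. The script below is an added example, not part of the original article; the function name check_base_images and the sample Dockerfile are constructed for illustration.

```shell
# Added example: check that every base image in a Dockerfile comes from
# the registry passed as customRegistry.
# $1 = Dockerfile path, $2 = login server (e.g. mybaseregistry.azurecr.cn).
# Prints each image reference outside that registry; returns 0 if none.
# A FROM that uses an ARG variable cannot be resolved here and is reported.
check_base_images() {
  local file registry kw a b c d img stages bad
  file=$1; registry=$2; stages=" scratch "; bad=0
  # "|| [ -n "$kw" ]" keeps a final line that has no trailing newline.
  while read -r kw a b c d || [ -n "$kw" ]; do
    case "$kw" in [Ff][Rr][Oo][Mm]) ;; *) continue ;; esac
    # Skip an optional "--platform=..." flag before the image reference.
    case "$a" in --*) img=$b; b=$c; c=$d ;; *) img=$a ;; esac
    # An earlier build stage (or "scratch") is not pulled from a registry.
    case "$stages" in
      *" $img "*) ;;
      *) case "$img" in
           "$registry"/*) ;;
           *) echo "base image outside $registry: $img"; bad=$((bad + 1)) ;;
         esac ;;
    esac
    # Remember "AS <name>" so later stages may reference it.
    case "$b" in [Aa][Ss]) stages="$stages$c " ;; esac
  done < "$file"
  [ "$bad" -eq 0 ]
}

# Constructed sample: the page's Dockerfile-test as a build stage, followed
# by a second stage that pulls directly from Docker Hub.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
FROM mybaseregistry.azurecr.cn/baseimages/node:9-alpine AS build
COPY . /src
RUN cd /src && npm install
FROM node:9-alpine
COPY --from=build /src /src
EOF
check_base_images "$tmp" mybaseregistry.azurecr.cn ||
  echo "fix the Dockerfile before queuing the task run"
rm -f "$tmp"
```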

Deploy the template

Deploy the template with the az deployment group create command. This example builds and pushes the helloworld-node:testrun image to a registry named mycontainerregistry. The base image is pulled from mybaseregistry.azurecr.cn.

az deployment group create \
  --resource-group myResourceGroup \
  --template-uri https://raw.githubusercontent.com/Azure/acr/main/docs/tasks/run-as-deployment/quickdockerbuildwithidentity/azuredeploy.json \
  --parameters \
    registryName=mycontainerregistry \
    repository=helloworld-node \
    taskRunName=basetask \
    userAssignedIdentity=$resourceID \
    customRegistryIdentity=$clientID \
    sourceLocation=https://github.com/<your-GitHub-ID>/acr-build-helloworld-node.git \
    dockerFilePath=Dockerfile-test \
    customRegistry=mybaseregistry.azurecr.cn

The previous command passes the parameters on the command line. If desired, pass them in a parameters file.

Verify deployment

After the deployment completes successfully, verify the image is built by running az acr repository show-tags:

az acr repository show-tags \
  --name mycontainerregistry \
  --repository helloworld-node --output table

Output:

Result
--------
basetask

View run log

To view the run log, see steps in the preceding section.

Next steps