使用 ACR 任务自动执行容器映像的生成和维护Automate container image builds and maintenance with ACR Tasks

容器提供新的虚拟化级别,可将应用程序和开发人员依赖项与基础结构和操作要求隔离开来。Containers provide new levels of virtualization, isolating application and developer dependencies from infrastructure and operational requirements. 但是,另外还需要解决在容器生命周期中这种应用程序虚拟化的管理和修补方式。What remains, however, is the need to address how this application virtualization is managed and patched over the container lifecycle.

什么是 ACR 任务?What is ACR Tasks?

ACR 任务 是 Azure 容器注册表中的一个功能套件。ACR Tasks is a suite of features within Azure Container Registry. 它为 Linux、Windows 和 ARM 等平台提供基于云的容器映像生成,并可以针对 Docker 容器自动执行 OS 和框架修补It provides cloud-based container image building for platforms including Linux, Windows, and ARM, and can automate OS and framework patching for your Docker containers. ACR 任务不仅可以使用按需容器映像生成将“内部循环”开发周期扩展到云,而且还能启用源代码更新、容器基础映像或计时器更新所触发的自动生成。ACR Tasks not only extends your "inner-loop" development cycle to the cloud with on-demand container image builds, but also enables automated builds triggered by source code updates, updates to a container's base image, or timers. 例如,使用基本映像更新触发器,可以自动执行 OS 和应用程序框架修补工作流,在遵守不可变容器原则的前提下维护安全的环境。For example, with base image update triggers, you can automate your OS and application framework patching workflow, maintaining secure environments while adhering to the principles of immutable containers.

任务方案Task scenarios

ACR 任务支持使用多种方案来生成和维护容器映像与其他项目。ACR Tasks supports several scenarios to build and maintain container images and other artifacts. 有关详细信息,请参阅本文中的以下部分。See the following sections in this article for details.

每个 ACR 任务有一个关联的源代码上下文 - 用于生成容器映像或其他项目的一组源文件的位置。Each ACR Task has an associated source code context - the location of a set of source files used to build a container image or other artifact. 示例上下文包括 Git 存储库或本地文件系统。Example contexts include a Git repository or a local filesystem.

任务还可以利用运行变量,使你能够重复使用任务定义,并标准化映像和项目的标记。Tasks can also take advantage of run variables, so you can reuse task definitions and standardize tags for images and artifacts.

快速任务Quick task

内部循环开发周期是指编写代码、生成和测试应用程序,然后提交到源代码管理的迭代过程,它事实上是容器生命周期管理的起点。The inner-loop development cycle, the iterative process of writing code, building, and testing your application before committing to source control, is really the beginning of container lifecycle management.

在你提交第一行代码之前,ACR 任务的快速任务功能可以通过将容器映像生成卸载到 Azure,来提供集成式开发体验。Before you commit your first line of code, ACR Tasks's quick task feature can provide an integrated development experience by offloading your container image builds to Azure. 使用快速生成可以在提交代码之前验证自动化生成定义和捕获潜在的问题。With quick tasks, you can verify your automated build definitions and catch potential problems prior to committing your code.

Azure CLI 中的 az acr build 命令使用我们熟悉的 docker build 格式提取上下文(要生成的文件集),将其发送到 ACR 任务,并在完成后,默认将生成的映像推送到其注册表。Using the familiar docker build format, the az acr build command in the Azure CLI takes a context (the set of files to build), sends it ACR Tasks and, by default, pushes the built image to its registry upon completion.

如需简介,请参阅在 Azure 容器注册表中生成和运行容器映像的快速入门。For an introduction, see the quickstart to build and run a container image in Azure Container Registry.

ACR 任务旨在用作容器生命周期基元。ACR Tasks is designed as a container lifecycle primitive. 例如,将 ACR 任务集成到 CI/CD 解决方案。For example, integrate ACR Tasks into your CI/CD solution. 然后,CI/CD 解决方案可以结合服务主体执行 az login,发出 az acr build 命令来启动映像生成。By executing az login with a service principal, your CI/CD solution could then issue az acr build commands to kick off image builds.

第一篇 ACR 任务教程使用 Azure 容器注册表任务在云中生成容器映像中介绍了快速任务的用法。Learn how to use quick tasks in the first ACR Tasks tutorial, Build container images in the cloud with Azure Container Registry Tasks.


Azure 容器注册表提供 az acr pack build 命令(预览版)让你直接从源代码生成和推送映像,而无需使用 Dockerfile。If you want to build and push an image directly from source code, without a Dockerfile, Azure Container Registry provides the az acr pack build command (preview). 此工具使用云原生生成包基于应用程序源代码生成和推送映像。This tool builds and pushes an image from application source code using Cloud Native Buildpacks.

源代码更新时触发任务Trigger task on source code update

向 GitHub 或 Azure DevOps 中的公共或专用 Git 存储库提交代码或者发出或更新拉取请求时,触发容器映像生成或多步骤任务。Trigger a container image build or multi-step task when code is committed, or a pull request is made or updated, to a public or private Git repository in GitHub or Azure DevOps. 例如,使用 Azure CLI 命令 az acr task create 并指定 Git 存储库以及可选的分支和 Dockerfile,来配置生成任务。For example, configure a build task with the Azure CLI command az acr task create by specifying a Git repository and optionally a branch and Dockerfile. 当团队在存储库中更新代码时,ACR 任务创建的 Webhook 会触发存储库中定义的容器映像的生成。When your team updates code in the repository, an ACR Tasks-created webhook triggers a build of the container image defined in the repo.

将 Git 存储库设置为任务的上下文时,ACR 任务支持以下触发器:ACR Tasks supports the following triggers when you set a Git repo as the task's context:

触发器Trigger 默认已启用Enabled by default
提交Commit Yes
拉取请求Pull request No

若要配置源代码更新触发器,你需要为任务提供个人访问令牌 (PAT),以便在公共或专用 GitHub 或 Azure DevOps 存储库中设置 Webhook。To configure a source code update trigger, you need to provide the task a personal access token (PAT) to set the webhook in the public or private GitHub or Azure DevOps repo.


目前,ACR 任务不支持 GitHub Enterprise 存储库中的提交或拉取请求触发器。Currently, ACR Tasks doesn't support commit or pull request triggers in GitHub Enterprise repos.

第二篇 ACR 任务教程使用 Azure 容器注册表任务自动执行容器映像生成中介绍了如何在提交源代码时触发生成。Learn how to trigger builds on source code commit in the second ACR Tasks tutorial, Automate container image builds with Azure Container Registry Tasks.

自动执行 OS 和框架修补Automate OS and framework patching

真正增强容器生成工作流的 ACR 任务的强大之处在于,它能够检测“基础映像” 的更新。The power of ACR Tasks to truly enhance your container build workflow comes from its ability to detect an update to a base image. 基础映像是大多数容器映像的一项功能,它是一个或多个应用程序映像所基于的父映像。A feature of most container images, a base image is a parent image on which one or more application images are based. 基础映像通常包含操作系统,有时候包含应用程序框架。Base images typically contain the operating system, and sometimes application frameworks.

可以设置一个 ACR 任务,在它生成应用程序映像时跟踪对基础映像的依赖关系。You can set up an ACR task to track a dependency on a base image when it builds an application image. 将更新的基础映像将推送到注册表时,或者在公共存储库(例如 Docker Hub)中更新基础映像时,ACR 任务可以基于该映像自动生成任何应用程序映像。When the updated base image is pushed to your registry, or a base image is updated in a public repo such as in Docker Hub, ACR Tasks can automatically build any application images based on it. 通过这种自动检测和重新生成,ACR 任务能够节省在正常情况下手动跟踪和更新引用已更新基础映像的每个应用程序映像所需的时间和精力。With this automatic detection and rebuilding, ACR Tasks saves you the time and effort normally required to manually track and update each and every application image referencing your updated base image.

详细了解 ACR 任务的基础映像更新触发器Learn more about base image update triggers for ACR Tasks. 参阅在 Azure 容器注册表中更新基础映像时自动生成容器映像教程,了解在将基础映像推送到容器注册表时如何触发映像生成。And learn how to trigger an image build when a base image is pushed to a container registry in the tutorial Automate container image builds when a base image is updated in a Azure container registry

计划任务Schedule a task

(可选)创建或更新任务时,通过设置一个或多个计时器触发器来计划任务。 Optionally schedule a task by setting up one or more timer triggers when you create or update the task. 计划任务有助于按定义的计划运行容器工作负荷,或者对定期推送到注册表的映像运行维护操作或测试。Scheduling a task is useful for running container workloads on a defined schedule, or running maintenance operations or tests on images pushed regularly to your registry. 有关详细信息,请参阅按定义的计划运行 ACR 任务For details, see Run an ACR task on a defined schedule.

多步骤任务Multi-step tasks

多步骤任务提供用于在云中构建、测试和修补容器映像的基于步骤的任务定义和执行。Multi-step tasks provide step-based task definition and execution for building, testing, and patching container images in the cloud. YAML 文件中定义的任务步骤将指定针对容器映像或其他项目执行的各项生成和推送操作。Task steps defined in a YAML file specify individual build and push operations for container images or other artifacts. 它们还可以定义一个或多个容器的执行,每个步骤都使用容器作为其执行环境。They can also define the execution of one or more containers, with each step using the container as its execution environment.

例如,可以创建一个多步骤任务来自动完成以下操作:For example, you can create a multi-step task that automates the following:

  1. 生成 Web 应用程序映像Build a web application image
  2. 运行 Web 应用程序容器Run the web application container
  3. 生成 Web 应用程序测试映像Build a web application test image
  4. 运行针对正在运行的应用程序容器执行测试的 Web 应用程序测试容器Run the web application test container, which performs tests against the running application container
  5. 如果测试通过,则生成 Helm 图表存档包If the tests pass, build a Helm chart archive package
  6. 使用新的 Helm 图表存档包执行 helm upgradePerform a helm upgrade using the new Helm chart archive package

使用多步骤任务可将映像的生成、运行和测试操作拆分成组合性更强的步骤,并支持步骤间的依赖关系。Multi-step tasks enable you to split the building, running, and testing of an image into more composable steps, with inter-step dependency support. 使用 ACR 任务中的多步骤任务,可以更精细地控制映像生成、测试,以及 OS 和框架修补工作流。With multi-step tasks in ACR Tasks, you have more granular control over image building, testing, and OS and framework patching workflows.

若要了解多步骤任务,请参阅在 ACR 任务中运行多步骤生成、测试和修补任务Learn about multi-step tasks in Run multi-step build, test, and patch tasks in ACR Tasks.

上下文位置Context locations

下表显示了 ACR 任务支持的上下文位置的示例:The following table shows examples of supported context locations for ACR Tasks:

上下文位置Context location 说明Description 示例Example
本地文件系统Local filesystem 本地文件系统上某个目录中的文件。Files within a directory on the local filesystem. /home/user/projects/myapp
GitHub 主分支GitHub main branch 公共或专用 GitHub 存储库的主分支(或其他默认分支)中的文件。Files within the main (or other default) branch of a public or private GitHub repository. https://github.com/gituser/myapp-repo.git
GitHub 分支GitHub branch 公共或专用 GitHub 存储库的特定分支。Specific branch of a public or private GitHub repo. https://github.com/gituser/myapp-repo.git#mybranch
GitHub 子文件夹GitHub subfolder 公共或专用 GitHub 存储库中某个子文件夹内的文件。Files within a subfolder in a public or private GitHub repo. 示例显示了分支和子文件夹规范的组合。Example shows combination of a branch and subfolder specification. https://github.com/gituser/myapp-repo.git#mybranch:myfolder
GitHub 提交GitHub commit 公共或专用 GitHub 存储库中的特定提交。Specific commit in a public or private GitHub repo. 示例显示了提交哈希 (SHA) 和子文件夹规范的组合。Example shows combination of a commit hash (SHA) and subfolder specification. https://github.com/gituser/myapp-repo.git#git-commit-hash:myfolder
Azure DevOps 子文件夹Azure DevOps subfolder 公共或专用 Azure 存储库中某个子文件夹内的文件。Files within a subfolder in a public or private Azure repo. 示例显示了分支和子文件夹规范的组合。Example shows combination of branch and subfolder specification. https://dev.azure.com/user/myproject/_git/myapp-repo#mybranch:myfolder
远程 tarballRemote tarball 远程 Web 服务器上某个压缩存档中的文件。Files in a compressed archive on a remote webserver. http://remoteserver/myapp.tar.gz
容器注册表中的项目Artifact in container registry 容器注册表存储库中的 OCI 项目文件。OCI artifact files in a container registry repository. oci://myregistry.azurecr.cn/myartifact:mytag


使用专用 Git 存储库作为任务的上下文时,需要提供个人访问令牌 (PAT)。When using a private Git repo as a context for a task, you need to provide a personal access token (PAT).

映像平台Image platforms

默认情况下,ACR 任务为 Linux OS 和 amd64 体系结构生成映像。By default, ACR Tasks builds images for the Linux OS and the amd64 architecture. 指定 --platform 标记可为其他体系结构生成 Windows 映像或 Linux 映像。Specify the --platform tag to build Windows images or Linux images for other architectures. 请以“OS/体系结构”格式(例如 --platform Linux/arm)指定 OS 和(可选)支持的体系结构。Specify the OS and optionally a supported architecture in OS/architecture format (for example, --platform Linux/arm). 对于 ARM 体系结构,可以选择性地以“OS/体系结构/变体”格式(例如 --platform Linux/arm64/v8)指定变体:For ARM architectures, optionally specify a variant in OS/architecture/variant format (for example, --platform Linux/arm64/v8):

操作系统OS 体系结构Architecture
LinuxLinux amd64amd64
WindowsWindows amd64amd64

查看任务输出View task output

每个任务运行都会生成日志输出,检查该输出即可确定任务步骤是否已成功运行。Each task run generates log output that you can inspect to determine whether the task steps ran successfully. 手动触发某个任务时,会将任务运行的日志输出流式传输到控制台,并将其存储起来供以后检索。When you trigger a task manually, log output for the task run is streamed to the console and also stored for later retrieval. 自动触发某个任务后(例如,提交源代码或更新基础映像后触发),只会存储任务日志。When a task is automatically triggered, for example by a source code commit or a base image update, task logs are only stored. 在 Azure 门户中查看运行日志,或者使用 az acr task logs 命令。View the run logs in the Azure portal, or use the az acr task logs command.

请参阅有关查看和管理任务日志的详细信息。See more about viewing and managing task logs.

后续步骤Next steps

如果你已准备好在云中自动执行容器映像的生成和维护,请查看 ACR 任务教程系列When you're ready to automate container image builds and maintenance in the cloud, check out the ACR Tasks tutorial series.

可以选择安装适用于 Visual Studio Code 的 Docker 扩展以及适用于 Azure 容器注册表的 Azure 帐户扩展。Optionally install the Docker Extension for Visual Studio Code and the Azure Account extension to work with your Azure container registries. 通过 Azure 容器注册表拉取和推送映像,或者运行 ACR 任务,这一切都可以在 Visual Studio Code 中进行。Pull and push images to an Azure container registry, or run ACR Tasks, all within Visual Studio Code.