Azure Container Registry - Frequently Asked Questions
Can I create Azure Container Registry using ARM Template?
Yes. Here is the template that you can use to create a registry - https://github.com/Azure/azure-cli/blob/master/src/command_modules/azure-cli-acr/azure/cli/command_modules/acr/template.json
Is there security vulnerability scanning for images in ACR?
Yes. Please check the following links
Twistlock - https://www.twistlock.com/2016/11/07/twistlock-supports-azure-container-registry/
Aqua - http://blog.aquasec.com/image-vulnerability-scanning-in-azure-container-registry
How to configure Kubernetes with Azure Container Registry?
http://kubernetes.io/docs/user-guide/images/#using-azure-container-registry-acr
How to access Docker Registry HTTP API V2?
ACR supports Docker Registry HTTP API V2. The APIs can be accessed at https://<your registry login server>/v2/
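To show what actually happens behind that /v2/ endpoint, here is an added Python example (not code from this FAQ or from the ACR project). It assumes the standard Docker Registry token flow, which ACR follows: an unauthenticated request to /v2/ returns 401 with a WWW-Authenticate Bearer challenge whose realm is the registry's /oauth2/token endpoint; the client fetches a token from that realm using Basic credentials (for example the admin user from `az acr credential show`) and presents it as a Bearer token. The challenge header and registry name below are constructed for illustration.

```python
"""Access an ACR registry through the Docker Registry HTTP API V2.

Added example, not code from the ACR FAQ. The token flow (401 challenge ->
token from the realm -> Bearer token on the /v2/ request) is the standard
Docker Registry bearer scheme that ACR implements.
"""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of the challenge header an ACR returns for an
# unauthenticated request to /v2/_catalog (values are illustrative).
SAMPLE_CHALLENGE = (
    'Bearer realm="https://myregistry.azurecr.io/oauth2/token",'
    'service="myregistry.azurecr.io",scope="registry:catalog:*"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Return the realm/service/scope parameters of a Bearer challenge."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(_PARAM_RE.findall(params))


def token_url(challenge):
    """Build the URL that exchanges registry credentials for a token."""
    query = {"service": challenge["service"]}
    if "scope" in challenge:
        query["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urllib.parse.urlencode(query)


def basic_auth_header(username, password):
    """HTTP Basic credentials; only ever sent to the token realm over TLS."""
    raw = ("%s:%s" % (username, password)).encode()
    return "Basic " + base64.b64encode(raw).decode()


def registry_get(url, headers=None):
    """GET a URL; return (status, headers, body) without raising on 4xx."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def list_repositories(login_server, username, password):
    """Walk the token flow and return the repository names in the registry."""
    catalog = "https://%s/v2/_catalog" % login_server
    status, headers, _ = registry_get(catalog)
    challenge_header = headers.get("WWW-Authenticate")
    if status != 401 or not challenge_header:
        raise RuntimeError("expected a 401 Bearer challenge, got HTTP %s" % status)
    challenge = parse_bearer_challenge(challenge_header)
    status, _, body = registry_get(
        token_url(challenge),
        {"Authorization": basic_auth_header(username, password)})
    if status != 200:
        raise RuntimeError("token request failed with HTTP %s" % status)
    tok = json.loads(body)
    token = tok.get("access_token") or tok.get("token")
    status, _, body = registry_get(catalog, {"Authorization": "Bearer " + token})
    if status != 200:
        raise RuntimeError("catalog request failed with HTTP %s" % status)
    return json.loads(body)["repositories"]
```

Run `list_repositories("myregistry.azurecr.io", "myRegistry", "<admin password>")` against a real registry; the parsing helpers work offline. The registry credentials only go to the token realm, and every /v2/ request carries a short-lived Bearer token instead, which is why a captured registry request does not leak the password.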
Is Azure Premium Storage account supported?
Azure Premium Storage account is not supported.
How to get login credentials for a container registry?
Please make sure the admin user is enabled. Note that the admin user is a single shared credential with full push and pull access to the registry; for automation, prefer a service principal with a scoped role such as AcrPull or AcrPush (see the section on granting pull or push access below).
Using az cli
az acr credential show -n myRegistry
Using Azure Powershell
Invoke-AzureRmResourceAction -Action listCredentials -ResourceType Microsoft.ContainerRegistry/registries -ResourceGroupName myResourceGroup -ResourceName myRegistry
How to get login credentials in an ARM deployment template?
Please make sure the admin user is enabled.
{
"password": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'myRegistry'), '2017-10-01').passwords[0].value]"
}
To get the second password
{
"password": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'myRegistry'), '2017-10-01').passwords[1].value]"
}
How to update my registry to use the regenerated storage account access key?
Using az cli, update the storage account for your registry with
az acr update -n myRegistry --storage-account-name myStorageAccount
You can find the storage account attached to your registry with the following command
az acr show -n myRegistry --query storageAccount
How to delete all manifests that are not referenced by any tag in a repository?
If you are on bash
az acr repository show-manifests -n myRegistry --repository myRepository --query "[?tags[0]==null].digest" -o tsv | xargs -I% az acr repository delete -n myRegistry -t myRepository@%
For Powershell
az acr repository show-manifests -n myRegistry --repository myRepository --query "[?tags[0]==null].digest" -o tsv | %{ az acr repository delete -n myRegistry -t myRepository@$_ }
Note: You can add -y to the delete command to skip the confirmation prompt.
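The JMESPath filter above selects every manifest whose tag list is empty. The following added Python example (not code from this FAQ) applies the same selection to the JSON output of `az acr repository show-manifests` and adds two guards a practitioner usually wants: an age threshold, and a keep-list for untagged manifests that must survive, such as the per-platform manifests referenced by a multi-arch manifest list, which carry no tag of their own. The manifest records and the "current time" are constructed; the record fields (digest, tags, timestamp) follow the CLI's output.

```python
"""Pick untagged manifests to delete from `az acr repository show-manifests` output.

Added example, not code from the ACR FAQ. Records are constructed; their
shape (digest, tags, timestamp) follows the CLI's JSON output.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `az acr repository show-manifests -n myRegistry
# --repository myRepository -o json`. Untagged manifests have a null or
# empty tag list.
SAMPLE_MANIFESTS = json.dumps([
    {"digest": "sha256:1111", "tags": ["latest", "v2"],
     "timestamp": "2018-06-20T10:00:00.000000Z"},
    {"digest": "sha256:2222", "tags": None,
     "timestamp": "2018-05-01T10:00:00.000000Z"},
    {"digest": "sha256:3333", "tags": [],
     "timestamp": "2018-06-19T10:00:00.000000Z"},
    {"digest": "sha256:4444", "tags": [],
     "timestamp": "2018-04-15T10:00:00.000000Z"},
])

# Constructed "now" so the age filter is reproducible.
SAMPLE_NOW = datetime(2018, 6, 21, tzinfo=timezone.utc)
THIRTY_DAYS = timedelta(days=30)


def parse_timestamp(value):
    """Parse the CLI timestamp; the fractional seconds and 'Z' are dropped."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def untagged_digests(manifests_json, older_than=None, keep=(), now=None):
    """Return digests with no tag, optionally only those older than a timedelta.

    `keep` holds digests that must survive even though untagged, e.g. the
    platform-specific manifests referenced by a multi-arch manifest list.
    """
    now = now or datetime.now(timezone.utc)
    selected = []
    for entry in json.loads(manifests_json):
        if entry.get("tags"):  # same test as JMESPath tags[0]==null, inverted
            continue
        if entry["digest"] in keep:
            continue
        if older_than is not None and now - parse_timestamp(entry["timestamp"]) < older_than:
            continue
        selected.append(entry["digest"])
    return selected


def delete_commands(registry, repository, digests, assume_yes=False):
    """Build the `az acr repository delete` argv for each digest (dry run)."""
    cmds = []
    for digest in digests:
        cmd = ["az", "acr", "repository", "delete", "-n", registry,
               "--image", "%s@%s" % (repository, digest)]
        if assume_yes:
            cmd.append("-y")
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    for cmd in delete_commands("myRegistry", "myRepository",
                               untagged_digests(SAMPLE_MANIFESTS, THIRTY_DAYS, now=SAMPLE_NOW)):
        print(" ".join(cmd))
```

Review the dry-run output before running it with `subprocess.run`; deleting a manifest by digest removes it regardless of what else references it, so populate `keep` with the digests listed in any manifest list you rely on.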
I deleted some images to free up registry quota usage but the available quota doesn't get updated.
This can happen if the underlying layers are still being referenced by other container images. If you delete an image with no references, the registry usage will be updated in a few minutes.
How do I validate storage quota changes?
Create an image with a 1GB layer using the following Dockerfile. This ensures that the image has a layer that is not shared by any other image in the registry.
FROM alpine
RUN dd if=/dev/urandom of=1GB.bin bs=32M count=32
RUN ls -lh 1GB.bin
Build and push the image to your registry using the docker CLI.
docker build -t myregistry.azurecr.io/1gb:latest .
docker push myregistry.azurecr.io/1gb:latest
You should be able to see that the storage used has increased in the portal, or you can query usage using the CLI.
az acr show-usage -n myregistry
Delete the image using the Azure CLI or portal and check the updated usage in a few minutes.
az acr repository delete -n myregistry --image 1gb
How to log into my registry when running the CLI in a container?
You need to run the CLI container by mounting the Docker socket
docker run -it -v /var/run/docker.sock:/var/run/docker.sock azuresdk/azure-cli-python:dev
In the container, you can install the docker client by
apk --update add docker
Then you can log into your registry by
az acr login -n MyRegistry
How to enable and get the debug logs of docker daemon?
- You need to start dockerd with the debug option. First, create the docker daemon configuration file (/etc/docker/daemon.json) if it doesn't exist, and add the debug option:
{ "debug": true }
Then, restart the daemon. For Ubuntu 14.04 users, you can do
sudo service docker restart
Details can be found in the Docker daemon documentation.
- The logs may be generated at different locations, depending on your system. For example, for Ubuntu 14.04, it's
/var/log/upstart/docker.log
For Docker for Windows, the logs are generated under %LOCALAPPDATA%/docker/. However, they may not contain all the debug information yet. To access the full daemon log, get a shell on the VM that runs dockerd: run the first command on the host, the second inside the shell it opens, and the chroot inside the second container.
docker run --privileged -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v /usr/local/bin/docker:/usr/local/bin/docker alpine sh
docker run --net=host --ipc=host --uts=host --pid=host -it --security-opt=seccomp=unconfined --privileged --rm -v /:/host alpine /bin/sh
chroot /host
Now you have access to all the files of the VM running dockerd. The log is at
/var/log/docker.log
Note that the second container is privileged, shares the host namespaces and runs without seccomp, so this is equivalent to root on the VM; use it only for troubleshooting on a machine you control.
Does Azure Container Registry offer TLS v1.2 only configuration and how to enable TLS v1.2?
Yes. Use a recent Docker client (version 18.03.0 and above), which connects to the registry with TLS v1.2.
Does Azure Container Registry support Content Trust?
Yes, you can use trusted images in Azure Container Registry, as Docker Notary has been integrated into ACR and can be enabled.
- To push trusted images, you need to grant yourself or the related service principals the AcrImageSigner role scoped to your registry, in addition to the Contributor (or Owner) role, for signing. Role assignment can be done by the following methods.
  - Azure Portal: Your registry -> Access Control (IAM) -> Add (Select AcrImageSigner for the Role).
  - Azure CLI: Find the resource id (id) of the registry by running
    az acr show -n myRegistry
    Then you can assign the AcrImageSigner role to a user or a service principal identified by its application ID
    az role assignment create --scope resource_id --role AcrImageSigner --assignee user@example.com
    az role assignment create --scope resource_id --role AcrImageSigner --assignee 00000000-0000-0000-0000-000000000000
- To pull trusted images, a Reader role is enough for normal users. No additional roles like an AcrImageSigner role are required.
You can use the Docker client and the Notary client to interact with trusted images in ACR. Detailed documentation can be found at Content trust in Docker.
Which is the file to check the thumbprint?
Under ~/.docker/trust/tuf/myregistry.azurecr.io/myrepository/metadata,
- Public keys / certificates of all roles (except delegation roles) are stored in root.json.
- Public keys / certificates of a delegation role are stored in the json file of its parent role (for example targets.json for the targets/releases role).
It is suggested to verify those public keys / certificates after the overall TUF verification done by the Docker / Notary client.
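The following added Python example (not code from this FAQ or from Notary) shows what that out-of-band check looks like: it walks the roles in a root.json, recomputes each key's ID and prints a SHA-256 thumbprint of the pinned key or certificate bytes for comparison against a value obtained separately (for example from the signer). It assumes Notary's key-ID derivation, the hex SHA-256 of the canonical JSON of the public key object ({"keytype": ..., "keyval": {"private": null, "public": <base64>}}); the root.json it audits is constructed with dummy key material rather than read from ~/.docker/trust. It complements, and does not replace, the signature, threshold and expiry checks the Docker/Notary client performs.

```python
"""Audit the keys pinned in a Notary/TUF root.json and print their thumbprints.

Added example, not code from the ACR FAQ or Notary. Assumption: Notary key
IDs are sha256(canonical JSON of {"keytype", "keyval": {"private": null,
"public": <base64>}}). Key material below is constructed, not real.
"""
import base64
import hashlib
import json


def canonical(obj):
    """Canonical JSON: sorted keys, no whitespace (matches Go's canonical JSON)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def key_id(keytype, public_b64):
    """Recompute the TUF key ID for a public key (assumed Notary derivation)."""
    key = {"keytype": keytype, "keyval": {"private": None, "public": public_b64}}
    return hashlib.sha256(canonical(key)).hexdigest()


def thumbprint(public_b64):
    """SHA-256 over the raw key/certificate bytes, colon-separated, upper-case."""
    digest = hashlib.sha256(base64.b64decode(public_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def make_root(role_keys):
    """Build a minimal root.json body from {role: [(keytype, public_b64), ...]}."""
    keys, roles = {}, {}
    for role, pubs in role_keys.items():
        ids = []
        for keytype, pub in pubs:
            kid = key_id(keytype, pub)
            keys[kid] = {"keytype": keytype, "keyval": {"private": None, "public": pub}}
            ids.append(kid)
        roles[role] = {"keyids": ids, "threshold": 1}
    return {"signed": {"_type": "Root", "keys": keys, "roles": roles}, "signatures": []}


def audit_root(root):
    """One record per (role, key): presence, recomputed-ID match and thumbprint."""
    signed = root["signed"]
    report = []
    for role, spec in signed["roles"].items():
        for kid in spec["keyids"]:
            key = signed["keys"].get(kid)
            if key is None:
                report.append({"role": role, "keyid": kid, "present": False})
                continue
            pub = key["keyval"]["public"]
            report.append({
                "role": role, "keyid": kid, "present": True,
                "keytype": key["keytype"],
                "id_matches": key_id(key["keytype"], pub) == kid,
                "thumbprint": thumbprint(pub),
            })
    return report


def _dummy(name):
    # Constructed stand-in for PEM/DER key bytes; a real root.json carries
    # an ECDSA certificate (ecdsa-x509) or public key (ecdsa) here.
    return base64.b64encode(("constructed-%s-key-bytes" % name).encode()).decode()


SAMPLE_ROOT = make_root({
    "root": [("ecdsa-x509", _dummy("root"))],
    "targets": [("ecdsa", _dummy("targets"))],
    "snapshot": [("ecdsa", _dummy("snapshot"))],
    "timestamp": [("ecdsa", _dummy("timestamp"))],
})


def tampered_root():
    """Copy of SAMPLE_ROOT whose root key bytes were swapped but the ID kept."""
    root = json.loads(json.dumps(SAMPLE_ROOT))
    kid = root["signed"]["roles"]["root"]["keyids"][0]
    root["signed"]["keys"][kid]["keyval"]["public"] = _dummy("attacker")
    return root


if __name__ == "__main__":
    # To audit a real file: json.load(open(".../metadata/root.json"))
    for rec in audit_root(SAMPLE_ROOT):
        print(rec["role"], rec["keyid"][:12], rec["id_matches"], rec["thumbprint"])
```

A record whose `id_matches` is false means the pinned key bytes do not belong to the key ID the role references, which is exactly the substitution the thumbprint comparison is meant to catch.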
docker pull fails with error: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
- If this error is a transient issue, then retry will succeed.
- If it is failing continuously then there could be a problem with the docker daemon, which can be mitigated by restarting the docker daemon. We have seen such issues before and restarting daemon generally works.
- If you continue to see this issue after restarting docker daemon, then the problem could be some network connectivity issues with the machine. To check if general network on the machine is healthy, try pinging www.bing.com and see if it works.
- You should always have a retry mechanism on all docker client operations.
docker push succeeds but docker pull fails with error: unauthorized: authentication required
This error usually happens with the Red Hat version of the docker daemon, where --signature-verification is enabled by default. You can check the docker daemon options for Red Hat Enterprise Linux (RHEL) or Fedora by running
grep OPTIONS /etc/sysconfig/docker
For instance, Fedora 28 Server has the docker daemon options
OPTIONS='--selinux-enabled --log-driver=journald --live-restore'
With --signature-verification=false missing, you will experience docker pull failures like
Trying to pull repository myregistry.azurecr.io/myimage ...
unauthorized: authentication required
To resolve the error,
- Add the option --signature-verification=false to the docker daemon configuration file /etc/sysconfig/docker. For example,
OPTIONS='--selinux-enabled --log-driver=journald --live-restore --signature-verification=false'
- Restart the docker daemon service by running
sudo systemctl restart docker.service
Details of --signature-verification can be found by running man dockerd. Note that this turns off the Red Hat daemon's own image signature check; if you need signed images, use Content Trust as described above.
Delete of replication fails with Forbidden status, although the replication gets deleted using the CLI or Remove-AzureRmContainerRegistryReplication.
The error is usually seen when the user has permissions on a registry but doesn't have Reader level permission on the subscription. To resolve this issue, assign the user the Reader role on the subscription.
az role assignment create --role "Reader" --assignee user@contoso.com --scope /subscriptions/<subscription_id>
How to grant access to pull or push images without the permission to manage the registry resource
ACR supports custom roles that provide different levels of permissions. Specifically, the AcrPull and AcrPush roles allow users to pull and/or push images without the permission to manage the registry resource in Azure.
- Azure Portal: Your registry -> Access Control (IAM) -> Add (Select AcrPull or AcrPush for the Role).
- Azure CLI: Find the resource id (id) of the registry by running
  az acr show -n myRegistry
  Then you can assign the AcrPull or AcrPush role to a user or a service principal identified by its application ID (the following example uses AcrPull)
  az role assignment create --scope resource_id --role AcrPull --assignee user@example.com
  az role assignment create --scope resource_id --role AcrPull --assignee 00000000-0000-0000-0000-000000000000
The assignee is then able to login and access images in the registry.
- To login to a registry:
az acr login -n myRegistry
- To list repositories:
az acr repository list -n myRegistry
- To pull an image:
docker pull myregistry.azurecr.io/hello-world
Note that with only the AcrPull or AcrPush roles, the assignee doesn't have the permission to manage the registry resource in Azure. For example, az acr list or az acr show -n myRegistry won't show the registry.
New user permissions may not be effective immediately after updating
When you grant new permissions (new roles) to a service principal, you may find that the change is not effective immediately. There are two possible reasons:
- AAD role assignment delay. Normally it's fast, but it could take minutes due to propagation delay.
- Permission delay on the ACR token server. This could take up to 10 minutes. To mitigate, log out and then log in again with the same user after 1 minute:
docker logout myregistry.azurecr.io
docker login myregistry.azurecr.io
How to enable automatic image quarantine for a registry
Image quarantine is currently a preview feature of ACR. You can enable the Quarantine mode of a registry so that only those images which have successfully passed a security scan are visible to normal users. More details are in the ACR image quarantine documentation.
ACR Geo replication create using an ARM deployment template with Complete mode hangs with repeated HomeReplicationCannotBeDeleted errors
Currently ACR doesn't support home replication deletion by users. The workaround is to include the home replication create in the template but skip its creation by using "condition": false, as shown below
{
"name": "[concat(parameters('acrName'), '/', parameters('location'))]",
"condition": false,
"type": "Microsoft.ContainerRegistry/registries/replications",
"apiVersion": "2017-10-01",
"location": "[parameters('location')]",
"properties": {},
"dependsOn": [
"[concat('Microsoft.ContainerRegistry/registries/', parameters('acrName'))]"
]
},