docker - 将容器推送到 Azure 容器注册表时资源访问被拒绝

问题描述

使用 Docker Compose 将容器推送到私有 Azure 容器注册表时，Azure DevOps 管道返回以下错误：

推送 [container] ([registry]/[app]:latest)...

推送是指存储库 [docker.io/[registry]/[container]]

denied：请求的资源访问被拒绝

该azure-pipeline.yml文件取自 Microsoft 微服务 eShopOnContainer 示例中显示的 Docker Compose 示例，此处为：

variables:
azureContainerRegistry: myregistry
azureSubscriptionEndpoint: My Service Principle
...
task: DockerCompose@0
    displayName: Compose push customer API
    inputs:
        containerregistrytype: Azure Container Registry
        azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
        azureContainerRegistry: $(azureContainerRegistry)
        dockerComposeCommand: 'push [container]'
        dockerComposeFile: docker-compose.yml
        qualifyImageNames: true
        projectName: ""
        dockerComposeFileArgs: |
           TAG=$(Build.SourceBranchName)

服务原则在AcrPush 角色中。

标签： dockerdocker-composeazure-devopsdevopsazure-container-registry

The solution is to be explicit with the container name. The documentation is misleading as it states firstly that: the containerregistrytype is Azure Container Registry by default. The example goes on to give Contoso as the value for azureContainerRegistry.

This is wrong. You need to explicitly set this to the "Login server" value from Azure. Therefore the registry should be "contoso.azurecr.io". So the full example should be:

variables:
azureContainerRegistry: contoso.azurecr.io
azureSubscriptionEndpoint: Contoso
steps:
- task: DockerCompose@0
  displayName: Container registry login
  inputs:
      containerregistrytype: Azure Container Registry
      azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
      azureContainerRegistry: $(azureContainerRegistry)

This is why the push repo it was referring to was in fact: docker.io (public docker hub) as that must actually be the default whch explains the access denied error.

docker - 将容器推送到 Azure 容器注册表时资源访问被拒绝

问题描述

解决方案

推荐阅读