docker - 将容器推送到 Azure 容器注册表时资源访问被拒绝
问题描述
使用 Docker Compose 将容器推送到私有 Azure 容器注册表时,Azure DevOps 管道返回以下错误:
推送 [container] ([registry]/[app]:latest)...
推送是指存储库 [docker.io/[registry]/[container]]
denied:请求的资源访问被拒绝
该azure-pipeline.yml
文件取自 Microsoft 微服务 eShopOnContainer 示例中显示的 Docker Compose 示例,此处为:
variables:
azureContainerRegistry: myregistry
azureSubscriptionEndpoint: My Service Principle
...
task: DockerCompose@0
displayName: Compose push customer API
inputs:
containerregistrytype: Azure Container Registry
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureContainerRegistry: $(azureContainerRegistry)
dockerComposeCommand: 'push [container]'
dockerComposeFile: docker-compose.yml
qualifyImageNames: true
projectName: ""
dockerComposeFileArgs: |
TAG=$(Build.SourceBranchName)
服务原则在AcrPush 角色中。
解决方案
The solution is to be explicit with the container name. The documentation is misleading as it states firstly that: the containerregistrytype
is Azure Container Registry by default. The example goes on to give Contoso as the value for azureContainerRegistry
.
This is wrong. You need to explicitly set this to the "Login server" value from Azure. Therefore the registry should be "contoso.azurecr.io". So the full example should be:
variables:
azureContainerRegistry: contoso.azurecr.io
azureSubscriptionEndpoint: Contoso
steps:
- task: DockerCompose@0
displayName: Container registry login
inputs:
containerregistrytype: Azure Container Registry
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureContainerRegistry: $(azureContainerRegistry)
This is why the push repo it was referring to was in fact: docker.io (public docker hub) as that must actually be the default whch explains the access denied error.
推荐阅读
- javascript - 文本选择功能的实现无法正常工作
- vb.net - 在运行时定义/声明一个对象 VB.Net
- google-apps-script - Google Web App 多个 Google 帐户错误
- java - JPA 存储库方法相同或不同
- drools - 在 Drool 7.5 中加载多个规则文件
- ckeditor4.x - 使用第三方 API 修改 HTML
- string - 如何在 Cordova 中读取 String.xml
- async-await - 当我从邮递员发送帖子请求时,出现此错误
- c# - 2sxc 自定义 API 返回实体列表
- azure-active-directory - 如何仅授予部署到特定插槽的权限?