Azure DevOps self-hosted agent container private registry

Question

I'm trying to run a container job that uses an image from a private registry (not Docker Hub) which requires authentication. When I run the job on an Azure-hosted agent the "Initialize containers" step performs a docker login using the configured Service Connection, but if I switch it to a self-hosted agent, it skips the docker login and goes straight to docker pull, causing the job to fail.

How can I tell it to authenticate against the registry on my self-hosted agent?

EDIT:

This is code in the pipeline:

jobs:
- job: Deployment
  timeoutInMinutes: 120
  cancelTimeoutInMinutes: 5
  pool:
    name: Azure Pipelines
  # Container job: the image is pulled from the private registry using the service connection
  container:
    image: ***:latest
    endpoint: <SERVICE CONNECTION NAME>

This is the log from the Azure hosted agent:

Starting: Initialize containers
DockerActionRetries variable value: True
/usr/bin/docker version --format '{{.Server.APIVersion}}'
'1.41'
Docker daemon API version: '1.41'
/usr/bin/docker version --format '{{.Client.APIVersion}}'
'1.41'
Docker client API version: '1.41'
/usr/bin/docker ps --all --quiet --no-trunc --filter "label=f760b8"
/usr/bin/docker network prune --force --filter "label=f760b8"
DockerActionRetries variable value: True
/usr/bin/docker login --username "***" --password-stdin https://***
WARNING! Your password will be stored unencrypted in /home/vsts/.docker/config.json.
Login Succeeded
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
DockerActionRetries variable value: True
/usr/bin/docker pull ***:latest
latest: Pulling from ***

And here's the log from the same pipeline with the agent changed to a self-hosted agent:

Starting: Initialize containers
DockerActionRetries variable value: True
/usr/bin/docker version --format '{{.Server.APIVersion}}'
'1.43'
Docker daemon API version: '1.43'
/usr/bin/docker version --format '{{.Client.APIVersion}}'
'1.43'
Docker client API version: '1.43'
/usr/bin/docker ps --all --quiet --no-trunc --filter "label=085311"
/usr/bin/docker network prune --force --filter "label=085311"
DockerActionRetries variable value: True
/usr/bin/docker pull ***/installer-pre-reqs:latest
Error response from daemon: Head "https://***/v2/installer-pre-reqs/manifests/latest": unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
##[warning]Docker pull failed with exit code 1, back off 00:00:10 seconds before retry.

In the case of the self-hosted agent, it goes straight to doing the pull and never does the login step.

Answer 1

Score: 1

This is more of a guess than actual knowledge, but the documentation states (concerning login problems with docker hub for multiple container jobs) that:

"The container job uses the underlying host agent Docker config.json for image registry authorization"

So in addition to the other requirements (for Linux-based self-hosted agents):

  • Ensure Docker is installed
  • The agent must have permission to access the Docker daemon

I would guess you might need to have pre-created the login information in config.json.

https://learn.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops
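
The guess in Answer 1 can be checked on the agent host by inspecting the Docker config.json of the account that runs the agent. The sketch below is an added example, not code from the original posts or from Azure DevOps: `registry_auth_status` is a hypothetical helper, the registry name, user and secret are constructed, and the rule that an empty `auths` entry plus `credsStore` means "held by a helper" is a heuristic.

```python
import base64
import json
from urllib.parse import urlsplit


def _host(value):
    """Reduce 'https://host/v2/' or 'host/repo:tag' to a lowercase host name."""
    if "://" not in value:
        value = "//" + value
    return urlsplit(value).netloc.lower()


def registry_auth_status(config_text, registry):
    """Return (kind, detail) describing how config.json authenticates to registry.

    kind is 'helper' (secret held by a credential helper), 'plaintext'
    (base64 credentials readable from the file) or 'missing' (no entry, so
    a pull that is not preceded by docker login is sent unauthenticated).
    """
    cfg = json.loads(config_text)
    host = _host(registry)
    for key, helper in cfg.get("credHelpers", {}).items():
        if _host(key) == host:
            return ("helper", helper)
    for key, entry in cfg.get("auths", {}).items():
        if _host(key) != host:
            continue
        if entry.get("auth"):
            # "auth" is base64("user:password"): encoded, not encrypted.
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            return ("plaintext", user)
        if cfg.get("credsStore"):
            # With a credsStore, docker login leaves an empty entry here.
            return ("helper", cfg["credsStore"])
    return ("missing", None)


# Constructed sample data: registry, user and secret are not real.
REGISTRY = "registry.example.test"
_AUTH = base64.b64encode(b"svc-agent:constructed-secret").decode()
PLAINTEXT_CFG = json.dumps({"auths": {"https://" + REGISTRY: {"auth": _AUTH}}})
HELPER_CFG = json.dumps({"auths": {REGISTRY: {}}, "credsStore": "pass"})

if __name__ == "__main__":
    for name, text in [("plaintext", PLAINTEXT_CFG), ("helper", HELPER_CFG), ("empty", "{}")]:
        print(name, registry_auth_status(text, REGISTRY + "/installer-pre-reqs"))
```

A `plaintext` result is the situation the `docker login` warning in the hosted-agent log describes; on a long-lived self-hosted agent that file persists between jobs, so restrict its permissions or configure a credential helper.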

Answer 2

Score: 0

Strangely, creating a new pipeline, using the same YAML, actually resolves this. The docker login now gets called. I can't find anything wrong with the original pipeline, even with the "View Full YAML" option.

huangapple
  • Published on June 19, 2023, 21:10:48
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76506967.html