Azure DevOps self-hosted agent container private registry
Question
I'm trying to run a container job that uses an image from a private registry (not Docker Hub) which requires authentication. When I run the job on an Azure-hosted agent the "Initialize containers" step performs a `docker login` using the configured Service Connection, but if I switch it to a self-hosted agent, it skips the `docker login` and goes straight to `docker pull`, causing the job to fail.
How can I tell it to authenticate against the registry on my self-hosted agent?
EDIT:
This is the code in the pipeline:
```yaml
jobs:
- job: Deployment
  timeoutInMinutes: 120
  cancelTimeoutInMinutes: 5
  pool:
    name: Azure Pipelines
  container:
    image: ***:latest
    # Service connection for the private registry
    endpoint: <SERVICE CONNECTION NAME>
```
This is the log from the Azure hosted agent:
```
Starting: Initialize containers
DockerActionRetries variable value: True
/usr/bin/docker version --format '{{.Server.APIVersion}}'
'1.41'
Docker daemon API version: '1.41'
/usr/bin/docker version --format '{{.Client.APIVersion}}'
'1.41'
Docker client API version: '1.41'
/usr/bin/docker ps --all --quiet --no-trunc --filter "label=f760b8"
/usr/bin/docker network prune --force --filter "label=f760b8"
DockerActionRetries variable value: True
/usr/bin/docker login --username "***" --password-stdin https://***
WARNING! Your password will be stored unencrypted in /home/vsts/.docker/config.json.
Login Succeeded
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
DockerActionRetries variable value: True
/usr/bin/docker pull ***:latest
latest: Pulling from ***
```
And here's the log from the same pipeline with the agent changed to a self-hosted agent:
```
Starting: Initialize containers
DockerActionRetries variable value: True
/usr/bin/docker version --format '{{.Server.APIVersion}}'
'1.43'
Docker daemon API version: '1.43'
/usr/bin/docker version --format '{{.Client.APIVersion}}'
'1.43'
Docker client API version: '1.43'
/usr/bin/docker ps --all --quiet --no-trunc --filter "label=085311"
/usr/bin/docker network prune --force --filter "label=085311"
DockerActionRetries variable value: True
/usr/bin/docker pull ***/installer-pre-reqs:latest
Error response from daemon: Head "https://***/v2/installer-pre-reqs/manifests/latest": unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
##[warning]Docker pull failed with exit code 1, back off 00:00:10 seconds before retry.
```
In the case of the self-hosted agent it goes straight to doing the `pull` and never does the `login` step.
Answer 1
Score: 1
This is more of a guess than actual knowledge, but the documentation states (concerning login problems with Docker Hub for multiple container jobs) that:
"The container job uses the underlying host agent Docker config.json for image registry authorization"
So in addition to the other requirements (for Linux-based self-hosted agents):
- Ensure Docker is installed
- The agent must have permission to access the Docker daemon
I would guess you might need to have pre-created the login information in config.json.
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops
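An added example, not part of the original answer or of Azure Pipelines: if the container job relies on the host agent's Docker config.json as the quoted documentation says, this check reports whether that file would authenticate a pull from a given registry, and whether the credential sits in the file in recoverable form (the case the `docker login` warning in the hosted-agent log describes). The registry name `registry.example.com`, the account `ci-pull` and the sample file content are constructed placeholders, and the lookup order is a simplified model of how the Docker CLI resolves credentials.

```python
import base64
import json
from pathlib import Path


def _host(key):
    """Reduce an auths key such as 'https://host/v1/' to the bare host."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()


def registry_auth_status(config_text, registry):
    """Return (status, detail) for `registry` in a Docker config.json.

    status is 'helper' (delegated to a credential helper; the secret is not
    in the file), 'plaintext' (base64 credentials stored in the file) or
    'missing' (a pull from this registry would be anonymous).
    """
    cfg = json.loads(config_text)
    want = _host(registry)

    # A per-registry helper takes precedence over the global credsStore.
    for key, helper in cfg.get("credHelpers", {}).items():
        if _host(key) == want and helper:
            return "helper", helper
    if cfg.get("credsStore"):
        return "helper", cfg["credsStore"]

    for key, entry in cfg.get("auths", {}).items():
        if _host(key) != want:
            continue
        if entry.get("auth"):
            # 'auth' is base64("user:password"): encoded, not encrypted.
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            return "plaintext", user
        if entry.get("identitytoken"):
            return "plaintext", None
    return "missing", None


# Constructed sample: what `docker login` writes without a credential helper.
SAMPLE = json.dumps({"auths": {"registry.example.com": {
    "auth": base64.b64encode(b"ci-pull:not-a-real-secret").decode()}}})

if __name__ == "__main__":
    print(registry_auth_status(SAMPLE, "https://registry.example.com"))
    # Run as the agent's service account to inspect the real file:
    path = Path.home() / ".docker" / "config.json"
    if path.exists():
        print(registry_auth_status(path.read_text(), "registry.example.com"))
```

A `plaintext` result on a long-lived self-hosted agent means any job or user that can read that account's home directory can recover the registry password, so a `helper` result is the one to aim for.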
Answer 2
Score: 0
Strangely, creating a new pipeline, using the same YAML, actually resolves this. The docker login now gets called. I can't find anything wrong with the original pipeline, even with the "View Full YAML" option.