将容器推送到Azure容器注册表时拒绝资源访问 [英] Resource access denied when pushing container to Azure Container Registry

问题描述

使用Docker Compose将容器推入私有Azure容器注册表时，Azure DevOps管道返回以下错误:

When pushing containers into a private Azure Container Registry using Docker Compose the Azure DevOps pipeline returns the following error:

按下[容器]([注册表]/[应用]:最新)...

Pushing [container] ([registry]/[app]:latest)...

推送是指存储库[docker.io/[registry]/[container]]

The push refers to repository [docker.io/[registry]/[container]]

拒绝:请求的对资源的访问被拒绝

denied: requested access to the resource is denied

azure-pipeline.yml文件取自Microsoft Microservices eShopOnContainer示例中显示的Docker Compose示例，

The azure-pipeline.yml file is taken from the Docker Compose example shown in the Microsoft Microservices eShopOnContainer example, here:

variables:
azureContainerRegistry: myregistry
azureSubscriptionEndpoint: My Service Principle
...
task: DockerCompose@0
    displayName: Compose push customer API
    inputs:
        containerregistrytype: Azure Container Registry
        azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
        azureContainerRegistry: $(azureContainerRegistry)
        dockerComposeCommand: 'push [container]'
        dockerComposeFile: docker-compose.yml
        qualifyImageNames: true
        projectName: ""
        dockerComposeFileArgs: |
           TAG=$(Build.SourceBranchName)

AcrPush角色.

推荐答案

解决方案应使用容器名称明确.

The solution is to be explicit with the container name. The documentation is misleading as it states firstly that: the containerregistrytype is Azure Container Registry by default. The example goes on to give Contoso as the value for azureContainerRegistry.

这是错误的.您需要将其显式设置为Azure中的登录服务器"值.因此，注册表应为"contoso.azurecr.io".因此，完整的示例应该为:

This is wrong. You need to explicitly set this to the "Login server" value from Azure. Therefore the registry should be "contoso.azurecr.io". So the full example should be:

variables:
azureContainerRegistry: contoso.azurecr.io
azureSubscriptionEndpoint: Contoso
steps:
- task: DockerCompose@0
  displayName: Container registry login
  inputs:
      containerregistrytype: Azure Container Registry
      azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
      azureContainerRegistry: $(azureContainerRegistry)

这就是为什么它所指的推回购实际上是:docker.io(公共docker hub)，因为它实际上必须是默认值，这说明了拒绝访问错误.

This is why the push repo it was referring to was in fact: docker.io (public docker hub) as that must actually be the default whch explains the access denied error.

这篇关于将容器推送到Azure容器注册表时拒绝资源访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！