无法在Azure DevOps(发布管道)中获得Azure容器注册表的服务连接 [英] Unable to get the service connection for Azure Container Registry in Azure DevOps (Release Pipeline)
问题描述
我正在尝试从Azure DevOps服务在Azure App Service上部署docker容器.我已将docker映像推送到Azure容器注册表.当我尝试创建版本定义时,无法找到Azure容器注册表的服务连接.我已经为ACR创建了服务连接,但未在Azure DevOps门户的列表中显示.
I'm trying to deploy the docker container on Azure App Service from Azure DevOps services. I've pushed the docker image to Azure Container Registry. When I try to create the release definition, I could not able to find the service connection for Azure Container Registry. I have created the service connection for ACR but it's not showing up in the list in Azure DevOps portal.
当我选择"Azure容器存储库"作为源类型时,服务连接在下拉框中不可见.我正在使用DockerHub作为另一种选择.它在列表中显示服务连接.
When I selected 'Azure Container Repository' as the source type, the service connection is not visible in the drop down box. I'm using DockerHub as another option. It's displaying the service connection in the list.
为ACR创建服务连接所遵循的步骤:
The steps I followed to create the service connection for ACR:
- 从列表中选择 Docker注册表.
- 选择 Azure Container Registry 作为注册表类型.从ACR提供了订阅ID和注册表.
- 提供了服务连接名称并保存.
- Selected Docker Registry from the list.
- Selected Azure Container Registry as Registry Type. Provided the subscription ID and the registry from ACR.
- Provided the service connection name and saved.
更新
我通过提供订阅ID和租户ID来使用托管身份验证为Azure Resource Manager创建服务连接.我正在尝试在Artifact设置中使用此连接.我收到以下错误.
I have created service connection for Azure Resource Manager using managed identity authentication by providing both subscription id and tenant id. I'm trying to use this connection in Artifact settings. I got the below error.
找不到名称为end.serviceprincipalid的变量,用于给定的服务连接.
无法从ACR中提取docker映像. App服务的日志显示拒绝对存储库的请求访问.
It's failing to pull the docker image from ACR. The logs from App service shows the pull access denied for the repository.
服务连接问题已解决,但面临来自App服务的docker权限问题
Service Connection problem solved but facing docker permission issue from App service
2020-02-10 12:31:11.781 INFO - Pulling image from Docker hub:
kbdockerregis/kbdockerimage:15
2020-02-10 12:31:14.406 ERROR - DockerApiException: Docker API responded with
status code=NotFound, response={"message":"pull access denied for
kbdockerregis/kbdockerimage, repository does not exist or may require 'docker
login': denied: requested access to the resource is denied"}
2020-02-10 12:31:14.408 ERROR - Image pull failed: Verify docker image
configuration and credentials (if using private repository)
2020-02-10 12:31:14.412 INFO - Stoping site kbapp1 because it failed during
startup.
推荐答案
当我选择"Azure容器存储库"作为源类型时, 服务连接在下拉框中不可见.
When I selected 'Azure Container Repository' as the source type, the service connection is not visible in the drop down box.
对于第一个问题,这是因为当您选择ACR作为发布源时,我们的系统使用的api如下所示:
For this first issue, this because the api our system used is shown as below while you choosing ACR as release source:
https://dev.azure.com/{org}/{project}/_apis/serviceendpoint/endpoints?type=azurerm
您可以看到此api附加的参数为type=azurerm.它仅获取类型为Azure Resource Manager的服务连接.但是容器注册表不属于此.
You can see the parameters this api attached is type=azurerm. It only fetched the service connection which type is Azure Resource Manager. But Container Registry does not belong to this.
因此,最好创建和使用类型为Azure Resource Manager type的服务连接.
So, you'd better to create and use a service connection which type is Azure Resource Manager type.
找不到名称为endpoint.serviceprincipalid的变量 给定的服务连接.
Variable with name endpoint.serviceprincipalid could not be found for the given service connection.
对于第二个问题,您没有得到太多信息(例如检查股权跟踪).因此,根据我的了解,我建议您将类型从Managed Identity Authentication更改为Service Principal Authentication.然后按照此 doc 进行配置.
For this second issue, haven't get too much info from you (like checking stake trace). So based on my known, I'd suggest you changed the type from Managed Identity Authentication to Service Principal Authentication. Then follow this doc to config it.
这是更安全的方法,可以首先进行授权.
This is more secure and can authorized firstly.
服务主体客户端ID ,它是您在Azure应用注册中创建应用后的应用ID:
Service Principal Client id, it is the application id after you create the app in Azure app registrations:
服务主体键:
堆栈溢出是一个开放的论坛,并不安全地共享我需要并用于从后端进行调查的一些关键信息(尤其是 Fiddler跟踪).您最好此处,因为您可以选择Microsoft Only那里.如果可能,我可以去那个社区,让那个社区的工程师向我展示.这样我就可以继续研究它了.
Stack overflow is a open forum and not secure to share some key info(especially Fiddler trace) which I need and used to investigate from backend. You'd better go here because you could choose Microsoft Only there. If possible, I can go that community and let that community's engineer show it to me. So that I could continue dig into it.
这篇关于无法在Azure DevOps(发布管道)中获得Azure容器注册表的服务连接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
