使用 Az CLI 创建新的 Azure 容器实例时,无法从私有 Azure 容器注册表中提取映像
[英]Can't pull image from private Azure Container Registry when using Az CLI to create a new Azure Container Instance
问题描述
I've created a service principal with push and pull access to/from my private Azure Container Registry.
我已经创建了一个服务主体,具有对我的私有 Azure 容器注册表的推送和拉取访问权限。 Pushing to ACR works perfectly fine with the following command:使用以下命令推送到 ACR 工作得很好:
az login --service-principal -u "someSpID" -p "someSpSecret" --tenant "someTenantID"
az acr login --name "someRegistry"
docker push "someRegistry.azurecr.io/my-image:0.0.1"
And I am also able to pull the image directly with the following command:我还可以使用以下命令直接拉取图像:
docker pull "someRegistry.azurecr.io/my-image:0.0.1"
I want to deploy a container instance into a private subnet and I've configured the network security to allow access for my said subnet.我想将容器实例部署到私有子网中,并且我已经配置了网络安全性以允许访问我的所述子网。
However, when I attempt to deploy a container instance with the following command into my private subnet, where I specified the same service principal which I had previously logged in with, I get an error response.但是,当我尝试使用以下命令将容器实例部署到我的私有子网中时,我在其中指定了我之前登录时使用的相同服务主体,我收到了错误响应。
az container create \
--name myContainerGroup \
--resource-group myResourceGroup \
--image "someRegistry.azurecr.io/my-image:0.0.1" \
--os-type Linux \
--protocol TCP \
--registry-login-server someRegistry.azurecr.io \
--registry-password someSpSecret \
--registry-username someSpID \
--vnet someVNET \
--subnet someSubnet \
--location someLocation \
--ip-address Private
Error:错误:
urllib3.connectionpool : Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool : https://management.azure.com:443 "PUT /subscriptions/mySubscription/resourceGroups/myResourceGroup/providers/Microsoft.ContainerInstance/containerGroups/myContainerGroup?api-version=2018-10-01 HTTP/1.1" 400
msrest.http_logger : Response status: 400
The image 'someRegistry.azurecr.io/my-image:0.0.1' in container group 'myContainerGroup' is not accessible. Please check the image and registry credential.
The same error ensues when I try and deploy the container instance through Azure Portal.当我尝试通过 Azure 门户部署容器实例时,会发生同样的错误。
When I tried deploying a public image into the same subnet, it succeeds fine so it isn't a deployment permission issue, neither does it seem to be wrong service principal credentials as the docker pull "someRegistry.azurecr.io/my-image:0.0.1" works just fine.当我尝试将公共映像部署到同一个子网时,它成功了,所以它不是部署权限问题,它似乎也不是错误的服务主体凭据,因为docker pull "someRegistry.azurecr.io/my-image:0.0.1"工作得很好。 I can't quite wrap my head around this inconsistent behavior.我无法完全理解这种不一致的行为。 Ideas anyone?任何人的想法?
1 个解决方案
解决方案1
0 2020-01-31 07:17:48
For your issue, here is a possible reason to explain the error you got.对于您的问题,这里有一个可能的原因来解释您遇到的错误。 Let's look at the limitation describe here :让我们看看这里描述的限制:
Only an Azure Kubernetes Service cluster or Azure virtual machine can be used as a host to access a container registry in a virtual network.
This limitation shows the firewall of the Azure Container Registry does not support the Azure Container Instance currently.此限制表明 Azure 容器注册表的防火墙当前不支持 Azure 容器实例。 It only supports that pull/push the image in the Azure VM or AKS cluster.它仅支持在 Azure VM 或 AKS 群集中拉/推映像。
So the solution for you is that change the rules to allow all network and then try again.因此,您的解决方案是更改规则以允许所有网络,然后重试。 Or use the AKS cluster, but it will also cost more.或者使用 AKS 集群,但也会花费更多。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.