Azure Container Registry
Beyond Container Images
https://github.com/rstropek/rust-request-bin
Introduction
Rainer Stropek
- Passionate developer for 25+ years
- Microsoft MVP, Regional Director
- Trainer, Teacher, Mentor
- Community
ACR
Some Basics...
What's ACR and why would you need it?
- Managed Docker registry service
- Based on OSS Docker Registry 2.0
- Supports OCI Image Format Spec, OCI Distribution Spec
- Avoid Docker Hub download rate limits
- Network-close storage of container images to deployments
- Including geo-replication
- Secured by AAD
- Public images are supported, too
- Advanced security features
- Image tag signing
- VNet integration
- Image scanning by Defender for Cloud
- Run CI/CD processes as ACR Tasks
Demo
Time!
Webhooks
Webhooks
Demo
# Create Azure Container Registry
# Assumption: Name of ACR is acrbeyondimages
# Set up webhook to https://acr-beyond-images.azurewebsites.net/bin
docker pull alpine:latest
docker pull rust:alpine
docker tag alpine:latest acrbeyondimages.azurecr.io/alpine:latest
docker tag rust:alpine acrbeyondimages.azurecr.io/rust:alpine
docker push acrbeyondimages.azurecr.io/alpine:latest
docker push acrbeyondimages.azurecr.io/rust:alpine
# Show webhook call
# Show webhook log in portal
# Ping webhook interactively
Demo
Time!
Tasks
Quick Recap
Multi-step Dockerfiles
Quick Tasks
- Replace docker build with az acr build
- Runs your build task in Azure instead of on your computer
- Build context is automatically sent to ACR
- No need to change Dockerfile
- Pushes resulting image automatically to ACR
- Note: Set default registry with az config set defaults.acr=myregistry
# Usual command:
docker build \
--build-arg BASE=acrbeyondimages.azurecr.io/rust:alpine \
-t acrbeyondimages.azurecr.io/request-bin \
.
# ACR Quick Task:
az acr build \
--registry acrbeyondimages \
--build-arg BASE=acrbeyondimages.azurecr.io/rust:alpine \
-t acrbeyondimages.azurecr.io/request-bin \
.
Demo
Time!
Quick Tasks - Why?
Examples:
- Security
- Cloud servers are more trustworthy than dev desktop
- BYOD
- Dev does not have Docker daemon
- Network distance
- Pulling/pushing is fast
- OSs/architectures
- Build for environments that you don't have locally
Agent Pools (Preview)
- Run ACR tasks in dedicated compute environment
- VMs managed by Microsoft
- No updating/patching required
- Currently in preview
- Only Linux
- Limited regional availability
- Why?
- Scale as needed (horizontally, vertically)
- VNet support
Multi-Step
ACR Tasks
Multi-step ACR Tasks
- Automate more complex container update tasks
- Fully cloud-based
- Source code read from Git
- Controlled by YAML file
- Task definition
- build
- cmd
- push
- Secrets, volumes, networks
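A task definition of the kind described above, as an added example (not from the original slides or the rust-request-bin repository): it runs a test step, then builds, and only then pushes. The file name acr-task.yaml, the step ids and the cargo test step are assumptions; the registry name and the rust:alpine image follow the webhook demo.

```yaml
# acr-task.yaml (file name is an assumption; added example, not from the repo)
version: v1.1.0
steps:
  # cmd: run a container as a step. Uses the rust:alpine image that was pushed
  # to the registry in the webhook demo. Assumes the project's tests build on
  # that image without extra packages.
  - id: test
    cmd: $Registry/rust:alpine cargo test

  # build: takes the same arguments as `docker build` / `az acr build`.
  # $Registry and $ID are aliases for {{.Run.Registry}} and {{.Run.ID}}.
  - id: build
    build: -t $Registry/request-bin:$ID --build-arg BASE=$Registry/rust:alpine -f Dockerfile .

  # push: steps run in order and a failed step fails the run, so the image
  # is pushed only when both test and build succeeded.
  - id: push
    push:
      - $Registry/request-bin:$ID

# Run once from a local checkout:
#   az acr run --registry acrbeyondimages --file acr-task.yaml .
# Or register it as a task by passing --file acr-task.yaml to `az acr task create`.
```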
Task Triggers
- Manually triggered ("quick tasks")
- Source code update (GitHub/Azure DevOps webhooks)
- Needs PAT for setting up webhook
- Base image update
- Base images from ACRs, Docker Hub, public MS registries
- Note: No running of tasks on updates of intermediate images (e.g. build steps in multi-stage Dockerfiles)
- Note: Consider importing base images from Docker Hub into ACR (az acr import) and use them as base images
- Schedule
Demo
Time!
Create GH Task
# Run quick task
just build-image-acr-cloud
# Create ACR Task
az acr task create \
--registry acrbeyondimages \
--name request-bin-gh \
--image request-bin-gh:{{.Run.ID}} \
--context https://github.com/rstropek/rust-request-bin.git#main \
--file Dockerfile \
--git-access-token $GIT_PAT
Pricing
Azure ACR Pricing
- Serverless at its best
- https://azure.microsoft.com/en-us/pricing/details/container-registry/
- Quick calculation
- Assumption: 10 minutes build time
- = 600 seconds
- = 0,06€
Summary
- ACR is much more than just a place to store container images
- Can cover many aspects of CI/CD
- Advantages
- Purely based on container technology
- Standardized, no-ops build environment
- Auto-triggered particularly on base image updates
ACR - Beyond Container Images
By Rainer Stropek