dimButTries

Reputation: 878

Pipeline unable to pull an ACR image

When running a DevOps pipeline, I can build and push the Docker image, but the build fails when pulling the image inside an Azure VM, with this error message:

##[error]Error response from daemon: Head "https://<ACR_NAME>.azurecr.io/v2/<IMAGE_NAME>/manifests/latest": unauthorized: {"errors":[{"code":"UNAUTHORIZED","message":"authentication required, visit https://aka.ms/acr/authorization for more information."}]}

I am unsure how to successfully SSH into a Linux VM and pull the image. Any guidance would be appreciated.

Here are the steps I have tried:

Here is my pipeline file:

variables:
  ACR_NAME: '<ACR_NAME>'
  IMAGE_NAME: '<IMAGE_NAME>'
  ACR_USER: '<ACR_USER>'
  VM_USER: '<VM_USER>'
  VM_HOST: '<VM_HOST>'
  SSH_CONN_NAME: '<SSH_CONN_NAME>'
  ACR_CONN_NAME: '<ACR_CONN_NAME>'
  RESOURCE_MANAGER_CONN: '<RESOURCE_MANAGER_CONN>'
  AIRFLOW_UID: '50000'

stages:
- stage: BuildAndDeploy
  displayName: 'Build and Deploy Stage'
  jobs:
  - job: BuildAndPush
    displayName: 'Build and Push Docker Image'
    pool:
      vmImage: 'ubuntu-latest'
    steps:
    - task: DockerInstaller@0
      inputs:
        dockerVersion: '27.0.2'

    - task: Docker@2
      displayName: 'Build the Docker Img'
      inputs:
        command: 'build'
        repository: '$(ACR_NAME).azurecr.io/$(IMAGE_NAME)'
        dockerfile: '$(Build.SourcesDirectory)/Dockerfile'
        tags: 'latest'

    - task: DockerCompose@0
      displayName: 'Push the Docker Img'
      inputs:
        action: 'Push services'
        azureSubscriptionEndpoint: '$(RESOURCE_MANAGER_CONN)'
        azureContainerRegistry: '$(ACR_NAME)'
        dockerComposeFile: 'docker-compose.prod.yaml'
        projectName: '$(Build.Repository.Name)'
        additionalImageTags: |
          $(Build.BuildId)
          prod
        qualifyImageNames: true

  - job: Deploy
    displayName: 'Deploy to Azure VM'
    pool:
      vmImage: 'ubuntu-latest'
    steps:
    - task: AzureCLI@2
      displayName: 'Azure CLI Login'
      inputs:
        azureSubscription: '$(RESOURCE_MANAGER_CONN)'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          az acr login --name $(ACR_NAME)

    - task: SSH@0
      displayName: 'Deploy using docker-compose on Azure VM'
      inputs:
        sshEndpoint: $(SSH_CONN_NAME)
        runOptions: 'inline'
        inline: |
          az acr login --name $(ACR_NAME)
          docker stop $(IMAGE_NAME) || true
          docker rm $(IMAGE_NAME) || true
          docker pull $(ACR_NAME).azurecr.io/$(IMAGE_NAME):latest
          cd $(Build.Repository.LocalPath)
          docker-compose -f docker-compose.p.yaml up -d

Upvotes: 2

Views: 236

Answers (1)

dimButTries

Reputation: 878

I managed to resolve this by:

  1. Going to the Azure VM > Identity > System Assigned > set to True and hit save
  2. Azure role positions button > Added AcrPull and AcrPush roles
  3. Back into the Project Settings > Service Connections > modified the Docker Registry to use the Managed Service Identity
  4. In the azure-pipelines.yml in the job added to the existing inline script:
        runOptions: 'inline'
        inline: |
          # Step 1: Login into Azure
          az login --identity
          
          # Step 2: Authenticate ACR
          az acr login --name $(THE NAME OF YOUR ACR REGISTRY)

Upvotes: 2
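
A stricter form of the VM-side script from step 4, as an added example that is not part of the original answer: it checks the pipeline-supplied names before they reach `az` or `docker`, and stops at the first step that fails. The function names, return codes and the use of `--output none` are choices made here, and it assumes the VM's system-assigned identity already holds a pull role on the registry.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and return codes
# are assumptions made for this illustration.

# ACR registry names are 5-50 alphanumeric characters. Rejecting anything else
# keeps a bad pipeline variable from becoming extra shell words on the VM.
valid_acr_name() {
  case "$1" in
    ""|*[!A-Za-z0-9]*) return 1 ;;
  esac
  [ "${#1}" -ge 5 ] && [ "${#1}" -le 50 ]
}

# Repository paths: lowercase letters, digits and the separators . _ - /
valid_repo_name() {
  case "$1" in
    ""|*[!a-z0-9._/-]*) return 1 ;;
  esac
}

pull_from_acr() {
  acr=$1 repo=$2 tag=${3:-latest}
  valid_acr_name "$acr"   || { echo "invalid registry name" >&2; return 2; }
  valid_repo_name "$repo" || { echo "invalid repository name" >&2; return 2; }
  case "$tag" in ""|*[!A-Za-z0-9_.-]*) echo "invalid tag" >&2; return 2 ;; esac

  # Step 1: sign in as the VM's managed identity; no secret is stored on the VM.
  # --output none keeps the account JSON out of the pipeline log.
  az login --identity --output none || return 3
  # Step 2: obtain a registry token for docker on this host.
  az acr login --name "$acr" || return 4
  # Step 3: pull the image from the registry.
  docker pull "${acr}.azurecr.io/${repo}:${tag}" || return 5
}

# Runs only when arguments are given: sh pull.sh <ACR_NAME> <IMAGE_NAME> latest
if [ "$#" -gt 0 ]; then
  pull_from_acr "$@"
fi
```

The login has to happen inside the SSH step because registry credentials are stored per host: an `az acr login` run on the hosted build agent does nothing for the Docker daemon on the VM.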
