7

Pushing and pulling images to Azure Container Registry from a task in an Azure DevOps pipeline fails. When I try to pull or push from my local system, there's no problem, but when I try to do it using the Azure DevOps pipeline it fails. Docker login was successful, but it fails when I want to pull the image from the ACR with the following result:

```
Error response from daemon: Head "***/a2/abcd/manifest/latest": unauthorized: Invalid clientid or client secret.

##[error]Bash exited with code '1'.
##[debug]Processed: ##vso[task.issue type=error;]Bash exited with code '1'.
```

I checked all the service connections in Az DevOps, and they all look correctly configured. I also checked whether the associated service principals have AcrPull and AcrPush permissions; all of them are in place. I just couldn't understand what's going wrong.

My YAML looks like this:

```yaml
trigger: none
schedules:
- cron: "0 0 0 * *"
  displayName: ****  *
  branches:
    include:
    - abcd
  always: true

pool:
  vmImage: 'ubuntu-latest'

variables:
- name: acrname
  value: *****.azurecr.io

stages:
- stage: abcd
  displayName: "pull images from acr"
  jobs:
  - job: abcdef
    displayName: "abcdef"
    pool:
      vmImage: ubuntu-latest
    steps:
      - task: Docker@2
        displayName: Login to ACR
        inputs:
          command: login
          containerRegistry: '*****.azurecr.io'

      - bash: |
            docker pull $(acrname)/abc-def:latest
            docker pull $(acrname)/igh-jkl:latest
        name: pull
        displayName: 'pull acr images'
```

Can anyone help?

tuomastik
Neoneuron
  • If you do it this way you must use a service connection https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/build/docker?view=azure-devops#login – The Fool Dec 10 '21 at 17:42
  • The client ID and secret were given to the service connection in Az DevOps in the docker registry @The Fool – Neoneuron Dec 10 '21 at 18:18
  • But you use the name of the ACR and not the service connection name, from the way it looks. Or did you name your service connection the same way your ACR is named? – The Fool Dec 10 '21 at 18:22
  • Yeah I used the name of the acr server as the service connection name – Neoneuron Dec 10 '21 at 18:30
  • I'm guessing that the bash task where you are running the docker pull isn't going to inherit the authentication credentials from previous docker login task. You may need to run `docker login` within the bash task. What's the reason for pulling the image onto the hosted agent? I don't think you will be able to run the container on a hosted agent, you would need your own private agents for that. – Marky Dec 10 '21 at 19:51
  • @Marky, afaik you can run containers on hosted agents. I have pipelines where I am using the docker compose task to run tests. https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/build/docker-compose?view=azure-devops#run-service-images – The Fool Dec 12 '21 at 02:12
  • The issue is resolved guys, I reconfigured the service connection and it seems to work! Thanks for all the help! – Neoneuron Dec 13 '21 at 13:56

3 Answers

9
  1. I had the same issue; the ACR service connection had expired. So I had to create a new service connection by using these steps.

  2. Docker ID and Docker Password can be obtained from ACR --> Settings --> Access keys.

  3. Update your pipeline with this new service connection and you are good to go. Please rate if this solution helps you.
iamattiq1991
1

In my case, when I ran into this issue, the simple and clean resolution was to use the docker login. In your situation, it looks like this would be a good solution:

```
docker login $(acrname)
```

prior to your calls to get your images:

```
docker pull $(acrname)/abc-def:latest
```
Kim Gentes
  • 1
    Had the same problem with the Docker push command in Azure DevOps. After adding a dedicated pipeline job with the login step, the problem was solved. During the months before it was not required. – KEMBL May 23 '22 at 10:01
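As an added example (not code from any of the posters), the bash step could do its own login like this, with the password passed on stdin instead of on the command line and the registry's error text turned into a hint about what to check. `ACR_SP_ID` and `ACR_SP_SECRET` are assumed names for secret pipeline variables mapped into the step with `env:`, and both function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. ACR_SP_ID and ACR_SP_SECRET are
# assumed names: secret pipeline variables mapped into the bash step via `env:`.

# Turn docker's error text into a hint about what to check first.
classify_registry_error() {
  case "$1" in
    *"Invalid clientid or client secret"*) echo "bad-or-expired-secret" ;;
    *"authentication required"*)           echo "not-logged-in" ;;
    *unauthorized*)                        echo "unauthorized-other" ;;
    *)                                     echo "unknown" ;;
  esac
}

# Log in with the secret on stdin (not in argv, where it would be visible in
# the process list), pull each image, then log out again.
pull_from_acr() {
  local registry="$1"
  local image out
  shift
  if [ -z "${ACR_SP_ID:-}" ] || [ -z "${ACR_SP_SECRET:-}" ]; then
    echo "ACR_SP_ID / ACR_SP_SECRET are not mapped into this step" >&2
    return 2
  fi
  if ! out=$(printf '%s' "$ACR_SP_SECRET" |
      docker login "$registry" --username "$ACR_SP_ID" --password-stdin 2>&1); then
    echo "login failed: $(classify_registry_error "$out")" >&2
    return 1
  fi
  for image in "$@"; do
    if ! out=$(docker pull "$registry/$image" 2>&1); then
      echo "pull of $image failed: $(classify_registry_error "$out")" >&2
      docker logout "$registry" >/dev/null 2>&1 || true
      return 1
    fi
  done
  docker logout "$registry" >/dev/null 2>&1 || true  # leave no cached credentials
  return 0
}

# In the pipeline step (Azure DevOps expands $(acrname) before bash runs):
#   pull_from_acr "$(acrname)" abc-def:latest igh-jkl:latest
```

A `bad-or-expired-secret` result points at the service principal secret behind the service connection, which is what the asker and the first answer ended up recreating.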
0

In my case, the docker login password expired. So I have to do the following:

  1. Go to Azure and generate a new password for the docker app authentication.

  2. Copy the newly generated password.

  3. Go to your virtual machine where docker is running.

  4. Try the below command

    docker login blah.azurecr.io --username your-user-name-here --password yourhaspasswordhere~5Crf9b

  5. Now you are good to go.

Mukesh Salaria