
I am trying to automate my deployment process by creating a pipeline in Azure DevOps that does the following

  1. Build my project, create a docker image, then push the image to a private Azure Registry service.
  2. Deploy the image on a slot called staging in Azure Web Service.

Here is the .yaml file that I am using

trigger:
- master

resources:
- repo: self

variables:
  dockerRegistryServiceConnection: 'MyPrivateRegistry'
  imageRepository: 'MyPrivateRepositoryName'
  containerRegistry: 'MyPrivateRepositoryName.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
  tag: '$(Build.BuildId)'
  azureSubscription: 'MyPrivateSubscribtionName(5c4b9a4b-private-subscribtion-id-91503531e1a0)'
  appName: 'private_appname'
  resourceGroupName: 'PrivateResourceGroup'
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Push and Build
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: '$(dockerRegistryServiceConnection)'
        tags: |
          $(tag)
  - job: DeployToStaging
    displayName: Deploy To staging
    dependsOn: Build
    condition: succeeded()
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: AzureWebAppContainer@1
      inputs:
        azureSubscription: $(azureSubscription)
        appName: $(appName)
        deployToSlotOrASE: true
        resourceGroupName: $(resourceGroupName)
        slotName: 'staging'
        containers: '$(containerRegistry)/$(imageRepository):$(tag)'

The project is built successfully and pushed to the private registry as expected. I can verify that the new image is pushed with a new tagId. However, my container fails to start with the following error

Image pull failed since Inspect image returned null: MyPrivateRepositoryName.azurecr.io/MyPrivateRepositoryName:151

Here is the suggestion I see

Please check the repository name, image name, and container definitions defined by DOCKER_REGISTRY_SERVER_USERNAME, DOCKER_REGISTRY_SERVER_URL, and DOCKER_REGISTRY_SERVER_PASSWORD.

When I go to the staging slot configuration I see the following and the values are all correct. I copied these values from the "Access keys" section in the Container Registry service after enabling the Admin user

What am I missing here? How can I get the slot to correctly pull the docker image from the container registry?


Updated

Looking more at the logs gives me this error

2022-04-01T20:36:21.409Z ERROR - Pull image threw Exception: Input string was not in a correct format.
2022-04-01T20:36:21.411Z INFO  - Pulling image from Docker hub: privateregistry.azurecr.io/privateimage:152
2022-04-01T20:36:21.594Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://privateregistry.azurecr.io/v2/privateimage/manifests/152: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}

It sounds like something does not have permission to pull the docker image from the repository. The question is, what object needs to have this permission? Would I add permission to the private repository or would I add it to the Web Service?

Jay
  • Please consider reading [this SO question](https://stackoverflow.com/questions/60163440/docker-fails-to-pull-the-image-from-within-azure-app-service), I think it could be of help. – jccampanero Apr 01 '22 at 21:40
  • @jccampanero I did the 5 steps in the answer, except using managed identity instead of the system identity, and it did not work. – Jay Apr 01 '22 at 21:56

1 Answer


A few things you can check if Enable Admin Access does not work.

  • Is your app service in the same subscription as your ACR? If not, try moving it to the same subscription.
  • In Azure Portal -> App Service -> Deployment Center, see if you have conflicting settings. If it's empty, try setting up the container registry information here instead of passing in app settings as env variables.

If you are still having errors, I recommend creating another credential to log in to ACR instead of using the admin one. (For this, it won't involve system identity or managed identity.)

  1. Register a new app in Azure that will read from ACR
  2. In ACR -> Access Control -> give this app ACR PULL permission
  3. Replace your app service app setting with the following
  • DOCKER_REGISTRY_SERVER_USERNAME = Client Id of the created app
  • DOCKER_REGISTRY_SERVER_PASSWORD = Client Secret of the created app
curtispy
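
The checks discussed above can be run offline against a slot's container log and its app settings; the following is an added example, not code from the question, the answer, or any Azure tooling. The function name `triage` and the `SAMPLE_SETTINGS` values are assumptions constructed for illustration; the log lines are the ones quoted in the question.

```python
import re
from urllib.parse import urlparse

# Log lines copied from the question.
SAMPLE_LOG = """\
2022-04-01T20:36:21.411Z INFO  - Pulling image from Docker hub: privateregistry.azurecr.io/privateimage:152
2022-04-01T20:36:21.594Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://privateregistry.azurecr.io/v2/privateimage/manifests/152: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}
"""
# Constructed slot settings with two deliberate mistakes (wrong host, empty secret).
SAMPLE_SETTINGS = {
    "DOCKER_REGISTRY_SERVER_URL": "https://otherregistry.azurecr.io",
    "DOCKER_REGISTRY_SERVER_USERNAME": "00000000-0000-0000-0000-000000000000",
    "DOCKER_REGISTRY_SERVER_PASSWORD": "",
}

PULL_RE = re.compile(r"Pulling image(?: from Docker hub)?: (\S+)")
DENIED_RE = re.compile(r"Get https://([^/\s]+)/v2/(\S+?)/manifests/([^\s:]+): ([a-z ]+):")


def triage(log_text, settings):
    """Return (image, findings) for a failed App Service container pull."""
    image, findings = None, []
    for line in log_text.splitlines():
        if m := PULL_RE.search(line):
            image = m.group(1)
        if m := DENIED_RE.search(line):
            host, repo, tag, reason = m.groups()
            findings.append(f"{host} refused {repo}:{tag} ({reason})")
    if image is None:
        return None, findings
    registry = image.split("/", 1)[0].lower()
    url = settings.get("DOCKER_REGISTRY_SERVER_URL", "")
    # Accept a value with or without a scheme; only the host is compared.
    host = urlparse(url if "://" in url else "https://" + url).hostname
    if host != registry:
        findings.append(f"DOCKER_REGISTRY_SERVER_URL host {host!r} != image registry {registry!r}")
    for key in ("DOCKER_REGISTRY_SERVER_USERNAME", "DOCKER_REGISTRY_SERVER_PASSWORD"):
        # Report only the key name, never the credential value.
        if not settings.get(key, "").strip():
            findings.append(f"{key} is empty on this slot")
    return image, findings


if __name__ == "__main__":
    image, findings = triage(SAMPLE_LOG, SAMPLE_SETTINGS)
    print("image:", image)
    for finding in findings:
        print(" -", finding)
```

When the settings pass all three checks and the log still shows `unauthorized`, the remaining suspect is the identity behind the credential, which is where the answer's pull-permission step applies.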