问题
When pushing containers into a private Azure Container Registry using Docker Compose the Azure DevOps pipeline returns the following error:
Pushing [container] ([registry]/[app]:latest)...
The push refers to repository [docker.io/[registry]/[container]]
denied: requested access to the resource is denied
The azure-pipeline.yml file is taken from the Docker Compose example shown in the Microsoft Microservices eShopOnContainer example, here:
variables:
azureContainerRegistry: myregistry
azureSubscriptionEndpoint: My Service Principle
...
task: DockerCompose@0
displayName: Compose push customer API
inputs:
containerregistrytype: Azure Container Registry
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureContainerRegistry: $(azureContainerRegistry)
dockerComposeCommand: 'push [container]'
dockerComposeFile: docker-compose.yml
qualifyImageNames: true
projectName: ""
dockerComposeFileArgs: |
TAG=$(Build.SourceBranchName)
The service principle is in the AcrPush role.
回答1:
The solution is to be explicit with the container name. The documentation is misleading as it states firstly that: the containerregistrytype is Azure Container Registry by default. The example goes on to give Contoso as the value for azureContainerRegistry.
This is wrong. You need to explicitly set this to the "Login server" value from Azure. Therefore the registry should be "contoso.azurecr.io". So the full example should be:
variables:
azureContainerRegistry: contoso.azurecr.io
azureSubscriptionEndpoint: Contoso
steps:
- task: DockerCompose@0
displayName: Container registry login
inputs:
containerregistrytype: Azure Container Registry
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureContainerRegistry: $(azureContainerRegistry)
This is why the push repo it was referring to was in fact: docker.io (public docker hub) as that must actually be the default whch explains the access denied error.
来源:https://stackoverflow.com/questions/55421635/resource-access-denied-when-pushing-container-to-azure-container-registry