
About base image updates for ACR Tasks

This article provides background information about updates to an application's base image and how these updates can trigger an Azure Container Registry task.

What are base images?

Dockerfiles defining most container images specify a parent image on which the image is based, often referred to as its base image. Base images typically contain the operating system, for example Alpine Linux or Windows Nano Server, on which the rest of the container's layers are applied. They might also include application frameworks such as Node.js or .NET Core. These base images are themselves typically based on public upstream images. Several of your application images might share a common base image.

A base image is often updated by the image maintainer to include new features or improvements to the OS or framework in the image. Security patches are another common cause for a base image update. When these upstream updates occur, you must also update your base images to include the critical fix. Each application image must then also be rebuilt to include the upstream fixes that are now in your base image.

In some cases, such as a private development team, a base image might specify more than an OS or framework. For example, a base image could be a shared service component image that needs to be tracked. Members of a team might need to track this base image for testing, or need to regularly update the image when developing application images.

Track base image updates

ACR Tasks includes the ability to automatically build images for you when a container's base image is updated.

ACR Tasks dynamically discovers base image dependencies when it builds a container image. As a result, it can detect when an application image's base image is updated. With one preconfigured build task, ACR Tasks can automatically rebuild every application image that references the base image. With this automatic detection and rebuilding, ACR Tasks saves you the time and effort normally required to manually track and update every application image that references your updated base image.

Base image locations

For image builds from a Dockerfile, an ACR task detects dependencies on base images in the following locations:

  • The same Azure container registry where the task runs
  • Another private Azure container registry in the same or a different region
  • A public repo in Docker Hub
  • A public repo in Microsoft Container Registry

If the base image specified in the FROM statement resides in one of these locations, the ACR task adds a hook to ensure the image is rebuilt anytime its base is updated.

Base image notifications

The time between when a base image is updated and when the dependent task is triggered depends on the base image location:

  • Base images from a public repo in Docker Hub or MCR - For base images in public repositories, an ACR task checks for image updates at a random interval of between 10 and 60 minutes. Dependent tasks are run accordingly.
  • Base images from an Azure container registry - For base images in Azure container registries, an ACR task immediately triggers a run when its base image is updated. The base image may be in the same ACR where the task runs or in a different ACR in any region.

Additional considerations

  • Base images for application images - Currently, an ACR task only tracks base image updates for application (runtime) images. It doesn't track base image updates for intermediate (buildtime) images used in multi-stage Dockerfiles.

  • Enabled by default - When you create an ACR task with the az acr task create command, the task is by default enabled to be triggered by a base image update. That is, the base-image-trigger-enabled property is set to True. If you want to disable this behavior in a task, update the property to False. For example, run the following az acr task update command:

    az acr task update --registry myregistry --name mytask --base-image-trigger-enabled False
    
  • Trigger to track dependencies - To enable an ACR task to determine and track a container image's dependencies -- which include its base image -- you must first trigger the task to build the image at least once. For example, trigger the task manually using the az acr task run command.

  • Stable tag for base image - To trigger a task on base image update, the base image must have a stable tag, such as node:9-alpine. This tagging is typical for a base image that is updated with OS and framework patches to a latest stable release. If the base image is updated with a new version tag, the update does not trigger a task. For more information about image tagging, see the best practices guidance.

  • Other task triggers - In a task triggered by base image updates, you can also enable triggers based on source code commit or a schedule. A base image update can also trigger a multi-step task.
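The location, notification, and multi-stage rules above can be checked against a Dockerfile before relying on a base image trigger for patch rollout. The following Python is an added example, not part of the original article or of ACR Tasks itself; the function names, the sample Dockerfile, the registry names, and the .azurecr.io host suffix test are assumptions made for illustration.

```python
import re

# Constructed sample: multi-stage Dockerfile; registry and repo names are placeholders.
SAMPLE = """\
ARG REGISTRY=myregistry.azurecr.io
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
FROM ${REGISTRY}/baseimages/aspnet:8.0
COPY --from=build /out /app
"""

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
ARG_RE = re.compile(r"^ARG\s+(\w+)=(\S+)\s*$", re.I)

def stages(dockerfile):
    """Return the image named by each FROM, in order, with global ARGs expanded."""
    args, images, names = {}, [], set()
    for line in (l.strip() for l in dockerfile.splitlines()):
        if (m := ARG_RE.match(line)) and not images:  # only ARGs before the first FROM apply
            args[m.group(1)] = m.group(2)
        elif m := FROM_RE.match(line):
            image = re.sub(r"\$\{?(\w+)\}?", lambda v: args.get(v.group(1), ""), m.group(1))
            images.append("stage:" + image if image in names else image)
            names.add(m.group(2))
    return images

def location(image, task_registry):
    """Classify an image by the base image locations the article lists."""
    if image.startswith("stage:") or image == "scratch":
        return "no registry image", "none"
    host = image.split("/", 1)[0] if "/" in image else ""
    if "." not in host and ":" not in host and host != "localhost":
        host = "docker.io"                         # no registry host means Docker Hub
    if host == task_registry:
        return "same ACR", "immediate"
    if host.endswith(".azurecr.io"):               # assumption: public-cloud ACR suffix
        return "other ACR", "immediate"
    if host in ("docker.io", "index.docker.io", "mcr.microsoft.com"):
        return "public repo", "checked every 10-60 minutes"
    return "not a listed location", "none"

def tracked_base(dockerfile, task_registry):
    """Final stage = runtime image (tracked); earlier stages are build-time (not tracked)."""
    images = stages(dockerfile)
    if not images:
        raise ValueError("no FROM instruction found")
    return {"tracked": (images[-1], *location(images[-1], task_registry)),
            "untracked_build_stages": images[:-1]}

if __name__ == "__main__":
    print(tracked_base(SAMPLE, "myregistry.azurecr.io"))
```

Images reported under untracked_build_stages need another rebuild trigger, such as a schedule or source commit, if patches to them must reach the application image.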

Next steps

See the following tutorials for scenarios to automate application image builds after a base image is updated: