Introduction to private Docker container registries in Azure

Azure Container Registry is a managed, private Docker registry service based on the open-source Docker Registry 2.0. Create and maintain Azure container registries to store and manage your private Docker container images and related artifacts.

Use Azure container registries with your existing container development and deployment pipelines, or use Azure Container Registry Tasks to build container images in Azure. Build on demand, or fully automate builds with triggers such as source code commits and base image updates.

For more about Docker and registry concepts, see the Docker overview and About registries, repositories, and images.

Use cases

Pull images from an Azure container registry to various deployment targets:

Developers can also push to a container registry as part of a container development workflow. For example, target a container registry from a continuous integration and delivery tool such as Azure Pipelines or Jenkins.

Configure ACR Tasks to automatically rebuild application images when their base images are updated, or to automate image builds when your team commits code to a Git repository. Create multi-step tasks to automate building, testing, and patching multiple container images in parallel in the cloud.

Azure provides tooling, including the Azure Command-Line Interface, the Azure portal, and API support, to manage your Azure container registries. Optionally install the Docker Extension for Visual Studio Code and the Azure Account extension to work with your Azure container registries. Pull and push images to an Azure container registry, or run ACR Tasks, all within Visual Studio Code.

Key features

  • Registry service tiers - Create one or more container registries in your Azure subscription. Registries are available in three tiers: Basic, Standard, and Premium, each of which supports webhook integration, registry authentication with Azure Active Directory, and delete functionality. Take advantage of local, network-close storage of your container images by creating a registry in the same Azure location as your deployments. Use the geo-replication feature of Premium registries for advanced replication and container image distribution scenarios.

  • Security and access - You log in to a registry using the Azure CLI or the standard docker login command. Azure Container Registry transfers container images over HTTPS, and supports TLS to secure client connections.


    Starting January 13, 2020, Azure Container Registry will require all secure connections from servers and applications to use TLS 1.2. Enable TLS 1.2 by using any recent docker client (version 18.03.0 or later). Support for TLS 1.0 and 1.1 will be retired.

    You control access to a container registry using an Azure identity, an Azure Active Directory-backed service principal, or a provided admin account. Use role-based access control (RBAC) to assign users or systems fine-grained permissions to a registry.

    Security features of the Premium service tier include content trust for image tag signing, and firewalls and virtual networks (preview) to restrict access to the registry. Azure Security Center optionally integrates with Azure Container Registry to scan images whenever an image is pushed to a registry.

  • Supported images and artifacts - Grouped in a repository, each image is a read-only snapshot of a Docker-compatible container. Azure container registries can include both Windows and Linux images. You control image names for all your container deployments. Use standard Docker commands to push images into a repository, or pull an image from a repository. In addition to Docker container images, Azure Container Registry stores related content formats such as Helm charts and images built to the Open Container Initiative (OCI) Image Format Specification.

  • Automated image builds - Use Azure Container Registry Tasks (ACR Tasks) to streamline building, testing, pushing, and deploying images in Azure. For example, use ACR Tasks to extend your development inner loop to the cloud by offloading docker build operations to Azure. Configure build tasks to automate your container OS and framework patching pipeline, and build images automatically when your team commits code to source control.

    Multi-step tasks provide step-based task definition and execution for building, testing, and patching container images in the cloud. Task steps define individual container image build and push operations. They can also define the execution of one or more containers, with each step using the container as its execution environment.
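An added check, not part of the original page, for the two TLS 1.2 prerequisites given in the security note above: the local docker client must be 18.03.0 or later, and the registry login server must negotiate TLS 1.2 or higher. The `<registry-name>.azurecr.io` host is a placeholder to replace with your own login server.

```python
"""Added example: verify the TLS 1.2 prerequisites stated above for Azure Container Registry."""
import re
import socket
import ssl
import subprocess

# The page states that docker 18.03.0 or later enables TLS 1.2 toward the registry.
MIN_DOCKER_CLIENT = (18, 3, 0)


def parse_docker_version(text: str) -> tuple:
    """Turn a docker client version such as '18.03.0-ce' or '20.10.7' into a comparable tuple."""
    match = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised docker version: {text!r}")
    return tuple(int(part) for part in match.groups())


def docker_client_supports_tls12(version_text: str) -> bool:
    """True when the client meets the 18.03.0 minimum the page gives for TLS 1.2."""
    return parse_docker_version(version_text) >= MIN_DOCKER_CLIENT


def local_docker_client_version() -> str:
    """Ask the installed docker CLI for its client version (requires docker on PATH)."""
    result = subprocess.run(
        ["docker", "version", "--format", "{{.Client.Version}}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def registry_tls_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to the registry login server allowing only TLS 1.2+ and report what was negotiated.

    Raises ssl.SSLError when the peer cannot negotiate TLS 1.2, the condition the note above warns about.
    """
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()  # e.g. 'TLSv1.2' or 'TLSv1.3'


if __name__ == "__main__":
    # Placeholder: replace with your own registry login server.
    registry_host = "<registry-name>.azurecr.io"
    client = local_docker_client_version()
    print(f"docker client {client}: TLS 1.2 capable = {docker_client_supports_tls12(client)}")
    print(f"{registry_host} negotiated {registry_tls_version(registry_host)}")
```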

Next steps