Automate container image builds and maintenance with ACR Tasks

Containers provide new levels of virtualization, isolating application and developer dependencies from infrastructure and operational requirements. What remains, however, is the need to address how this application virtualization is managed and patched over the container lifecycle.

What is ACR Tasks?

ACR Tasks is a suite of features within Azure Container Registry. It provides cloud-based container image building for platforms including Linux, Windows, and ARM, and can automate OS and framework patching for your Docker containers. ACR Tasks not only extends your "inner-loop" development cycle to the cloud with on-demand container image builds, but also enables automated builds triggered by source code updates, updates to a container's base image, or timers. For example, with base image update triggers, you can automate your OS and application framework patching workflow, maintaining secure environments while adhering to the principles of immutable containers.

Task scenarios

ACR Tasks supports several scenarios to build and maintain container images and other artifacts. See the following sections in this article for details.

Each ACR Task has an associated source code context - the location of a set of source files used to build a container image or other artifact. Example contexts include a Git repository or a local filesystem.

Tasks can also take advantage of run variables, so you can reuse task definitions and standardize tags for images and artifacts.

Quick task

The inner-loop development cycle, the iterative process of writing code, building, and testing your application before committing to source control, is really the beginning of container lifecycle management.

Before you commit your first line of code, the quick task feature of ACR Tasks can provide an integrated development experience by offloading your container image builds to Azure. With quick tasks, you can verify your automated build definitions and catch potential problems prior to committing your code.

Using the familiar docker build format, the az acr build command in the Azure CLI takes a context (the set of files to build), sends it to ACR Tasks and, by default, pushes the built image to its registry upon completion.

For an introduction, see the quickstart to build and run a container image in Azure Container Registry.

ACR Tasks is designed as a container lifecycle primitive. For example, integrate ACR Tasks into your CI/CD solution. By executing az login with a service principal, your CI/CD solution could then issue az acr build commands to kick off image builds.

Learn how to use quick tasks in the first ACR Tasks tutorial, Build container images in the cloud with Azure Container Registry Tasks.

Tip

If you want to build and push an image directly from source code, without a Dockerfile, Azure Container Registry provides the az acr pack build command (preview). This tool builds and pushes an image from application source code using Cloud Native Buildpacks.

Trigger task on source code update

Trigger a container image build or multi-step task when code is committed, or a pull request is made or updated, to a Git repository in GitHub or Azure DevOps. For example, configure a build task with the Azure CLI command az acr task create by specifying a Git repository and optionally a branch and Dockerfile. When your team updates code in the repository, an ACR Tasks-created webhook triggers a build of the container image defined in the repo.

ACR Tasks supports the following triggers when you set a Git repo as the task's context:

| Trigger | Enabled by default |
|---|---|
| Commit | Yes |
| Pull request | No |

To configure the trigger, you provide the task a personal access token (PAT) to set the webhook in the GitHub or Azure DevOps repo.

Learn how to trigger builds on source code commit in the second ACR Tasks tutorial, Automate container image builds with Azure Container Registry Tasks.

Automate OS and framework patching

The power of ACR Tasks to truly enhance your container build workflow comes from its ability to detect an update to a base image. When the updated base image is pushed to your registry, or a base image is updated in a public repo such as in Docker Hub, ACR Tasks can automatically build any application images based on it.

Container images can be broadly categorized into base images and application images. Your base images typically include the operating system and application frameworks upon which your application is built, along with other customizations. These base images are themselves typically based on public upstream images, for example: Alpine Linux, Windows, .NET, or Node.js. Several of your application images might share a common base image.

When an OS or app framework image is updated by the upstream maintainer, for example with a critical OS security patch, you must also update your base images to include the critical fix. Each application image must then also be rebuilt to include these upstream fixes now included in your base image.

Because ACR Tasks dynamically discovers base image dependencies when it builds a container image, it can detect when an application image's base image is updated. With one preconfigured build task, ACR Tasks then automatically rebuilds every application image for you. With this automatic detection and rebuilding, ACR Tasks saves you the time and effort normally required to manually track and update each and every application image referencing your updated base image.

For image builds from a Dockerfile, an ACR task tracks a base image update when the base image is in one of the following locations:

  • The same Azure container registry where the task runs
  • Another Azure container registry in the same region
  • A public repo in Docker Hub
  • A public repo in Microsoft Container Registry

Note

  • The base image update trigger is enabled by default in an ACR task.
  • Currently, ACR Tasks only tracks base image updates for application (runtime) images. ACR Tasks doesn't track base image updates for intermediate (buildtime) images used in multi-stage Dockerfiles.
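The tracking rules above can be checked against a Dockerfile before you rely on the base image trigger for patching. The following Python is an added example, not part of the original article or of ACR Tasks itself: it lists each FROM line and reports whether its base image falls under the rules stated above. The function names, the hostname rules in location(), and the sample Dockerfile are assumptions made for illustration.

```python
import re

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)

def location(image):
    """Classify an image reference (hostname rules are this example's assumption)."""
    host = image.split("/", 1)[0]
    explicit = "/" in image and ("." in host or ":" in host or host == "localhost")
    if not explicit or host in ("docker.io", "index.docker.io"):
        return "Docker Hub"  # no registry host in the reference means Docker Hub
    if host == "mcr.microsoft.com":
        return "Microsoft Container Registry"
    if host.endswith(".azurecr.io"):
        return "Azure container registry (same registry or region only)"
    return "other"

def audit(dockerfile_text):
    """Return (image, location, status) for every 'FROM image [AS name]' line."""
    stages = [m.groups() for m in map(FROM_RE.match, dockerfile_text.splitlines()) if m]
    names, findings = set(), []
    for index, (image, alias) in enumerate(stages):
        where = location(image)
        if image.lower() in names or image == "scratch":
            where, status = "-", "earlier stage or scratch, no registry base"
        elif "$" in image:
            where, status = "-", "unknown: FROM uses a build ARG"
        elif index < len(stages) - 1:
            status = "NOT tracked: build-time stage"
        elif where == "other":
            status = "NOT tracked: registry not in the listed locations"
        else:
            status = "tracked"
        findings.append((image, where, status))
        if alias:
            names.add(alias.lower())
    return findings

# Constructed sample: SDK image in the build stage, runtime image in the final stage.
SAMPLE = """\
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
COPY . /src
RUN dotnet publish /src -c Release -o /out
FROM mcr.microsoft.com/dotnet/aspnet:8.0
COPY --from=build /out /app
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(" | ".join(finding))
```

A stage reported as not tracked needs another rebuild trigger, such as a timer trigger, if patches to its base image should reach the final image.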

Learn more about OS and framework patching in the third ACR Tasks tutorial, Automate image builds on base image update with Azure Container Registry Tasks.

Schedule a task

Optionally schedule a task by setting up one or more timer triggers when you create or update the task. Scheduling a task is useful for running container workloads on a defined schedule, or running maintenance operations or tests on images pushed regularly to your registry. For details, see Run an ACR task on a defined schedule.

Multi-step tasks

Multi-step tasks provide step-based task definition and execution for building, testing, and patching container images in the cloud. Task steps defined in a YAML file specify individual build and push operations for container images or other artifacts. They can also define the execution of one or more containers, with each step using the container as its execution environment.

For example, you can create a multi-step task that automates the following:

  1. Build a web application image
  2. Run the web application container
  3. Build a web application test image
  4. Run the web application test container, which performs tests against the running application container
  5. If the tests pass, build a Helm chart archive package
  6. Perform a helm upgrade using the new Helm chart archive package

Multi-step tasks enable you to split the building, running, and testing of an image into more composable steps, with inter-step dependency support. With multi-step tasks in ACR Tasks, you have more granular control over image building, testing, and OS and framework patching workflows.

Learn about multi-step tasks in Run multi-step build, test, and patch tasks in ACR Tasks.

Context locations

The following table shows a few examples of supported context locations for ACR Tasks:

| Context location | Description | Example |
|---|---|---|
| Local filesystem | Files within a directory on the local filesystem. | /home/user/projects/myapp |
| GitHub master branch | Files within the master (or other default) branch of a GitHub repository. | https://github.com/gituser/myapp-repo.git |
| GitHub branch | Specific branch of a GitHub repo. | https://github.com/gituser/myapp-repo.git#mybranch |
| GitHub subfolder | Files within a subfolder in a GitHub repo. Example shows combination of a branch and subfolder specification. | https://github.com/gituser/myapp-repo.git#mybranch:myfolder |
| Remote tarball | Files in a compressed archive on a remote webserver. | http://remoteserver/myapp.tar.gz |
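The context formats in the table can be parsed and reviewed before a task definition is accepted. The following Python is an added example, not part of the original article: it splits a context string into repository URL, branch, and subfolder, and flags contexts whose transport or form deserves review. The function names, the rule that a path ending in .git is a Git repository, and the two review flags are assumptions of this example.

```python
from urllib.parse import urlsplit

def parse_context(context):
    """Split a context string into kind, URL, branch and folder, plus review flags.
    Treating a path that ends in .git as a Git repo is this example's assumption."""
    parts = urlsplit(context)
    if parts.scheme not in ("http", "https"):
        return {"kind": "local", "path": context, "flags": []}
    # The fragment carries "branch" or "branch:folder".
    branch, _, folder = parts.fragment.partition(":")
    flags = []
    if parts.scheme == "http":
        flags.append("plain HTTP: build input can be altered in transit")
    if parts.username or parts.password:
        flags.append("credentials embedded in the URL")
    return {
        "kind": "git" if parts.path.endswith(".git") else "tarball",
        "url": context.split("#", 1)[0],
        "branch": branch or None,
        "folder": folder or None,
        "flags": flags,
    }

# The example values from the table above.
CONTEXTS = [
    "/home/user/projects/myapp",
    "https://github.com/gituser/myapp-repo.git",
    "https://github.com/gituser/myapp-repo.git#mybranch",
    "https://github.com/gituser/myapp-repo.git#mybranch:myfolder",
    "http://remoteserver/myapp.tar.gz",
]

def flagged(contexts):
    """Return {context: flags} for every context that needs review."""
    return {c: f for c in contexts if (f := parse_context(c)["flags"])}

if __name__ == "__main__":
    for c in CONTEXTS:
        print(c, "->", parse_context(c))
```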

Image platforms

By default, ACR Tasks builds images for the Linux OS and the amd64 architecture. Specify the --platform tag to build Windows images or Linux images for other architectures. Specify the OS and optionally a supported architecture in OS/architecture format (for example, --platform Linux/arm). For ARM architectures, optionally specify a variant in OS/architecture/variant format (for example, --platform Linux/arm64/v8):

| OS | Architecture |
|---|---|
| Linux | amd64, arm, arm64, 386 |
| Windows | amd64 |

View task logs

Each task run generates log output that you can inspect to determine whether the task steps ran successfully. If you use the az acr build, az acr run, or az acr task run command to trigger the task, log output for the task run is streamed to the console and also stored for later retrieval. When a task is automatically triggered, for example by a source code commit or a base image update, task logs are only stored. View the logs for a task run in the Azure portal, or use the az acr task logs command.

By default, data and logs for task runs in a registry are retained for 30 days and then automatically purged. If you want to archive the data for a task run, enable archiving using the az acr task update-run command. The following example enables archiving for the task run cf11 in registry myregistry.

az acr task update-run --registry myregistry --run-id cf11 --no-archive false

Next steps

When you're ready to automate container image builds and maintenance in the cloud, check out the ACR Tasks tutorial series.

Optionally install the Docker Extension for Visual Studio Code and the Azure Account extension to work with your Azure container registries. Pull and push images to an Azure container registry, or run ACR Tasks, all within Visual Studio Code.