Automate OS and framework patching with ACR Tasks

Containers provide new levels of virtualization, isolating application and developer dependencies from infrastructure and operational requirements. What remains, however, is the need to address how this application virtualization is patched.

What is ACR Tasks?

ACR Tasks is a suite of features within Azure Container Registry. It provides cloud-based container image building for Linux, Windows, and ARM, and can automate OS and framework patching for your Docker containers. ACR Tasks not only extends your "inner-loop" development cycle to the cloud with on-demand container image builds, but also enables automated builds on source code commit or when a container's base image is updated. With base image update triggers, you can automate your OS and application framework patching workflow, maintaining secure environments while adhering to the principles of immutable containers.

Build and test container images with ACR Tasks in four ways:

  • Quick task: Build and push container images on-demand, in Azure, without needing a local Docker Engine installation. Think docker build, docker push in the cloud. Build from local source code or a Git repository.
  • Build on source code commit: Trigger a container image build automatically when code is committed to a Git repository.
  • Build on base image update: Trigger a container image build when that image's base image has been updated.
  • Multi-step tasks: Define multi-step tasks that build images, run containers as commands, and push images to a registry. This feature of ACR Tasks supports on-demand task execution and parallel image build, test, and push operations.

Quick task

The inner-loop development cycle, the iterative process of writing code, building, and testing your application before committing to source control, is really the beginning of container lifecycle management.

Before you commit your first line of code, the quick task feature of ACR Tasks can provide an integrated development experience by offloading your container image builds to Azure. With quick tasks, you can verify your automated build definitions and catch potential problems prior to committing your code.

Using the familiar docker build format, the az acr build command in the Azure CLI takes a context (the set of files to build), sends it to ACR Tasks and, by default, pushes the built image to its registry upon completion.

For an introduction, see the quickstart to build and run a container image in Azure Container Registry.

The following table shows a few examples of supported context locations for ACR Tasks:

| Context location | Description | Example |
| --- | --- | --- |
| Local filesystem | Files within a directory on the local filesystem. | /home/user/projects/myapp |
| GitHub master branch | Files within the master (or other default) branch of a GitHub repository. | https://github.com/gituser/myapp-repo.git |
| GitHub branch | Specific branch of a GitHub repo. | https://github.com/gituser/myapp-repo.git#mybranch |
| GitHub PR | Pull request in a GitHub repo. | https://github.com/gituser/myapp-repo.git#pull/23/head |
| GitHub subfolder | Files within a subfolder in a GitHub repo. The example shows a combination of PR and subfolder specification. | https://github.com/gituser/myapp-repo.git#pull/24/head:myfolder |
| Remote tarball | Files in a compressed archive on a remote web server. | http://remoteserver/myapp.tar.gz |

ACR Tasks is designed as a container lifecycle primitive. For example, integrate ACR Tasks into your CI/CD solution. By executing az login with a service principal, your CI/CD solution can then issue az acr build commands to kick off image builds.

Learn how to use quick tasks in the first ACR Tasks tutorial, Build container images in the cloud with Azure Container Registry Tasks.

Automatic build on source code commit

Use ACR Tasks to automatically trigger a container image build when code is committed to a Git repository. Build tasks, configurable with the Azure CLI command az acr task, allow you to specify a Git repository and optionally a branch and Dockerfile. When your team commits code to the repository, an ACR Tasks-created webhook triggers a build of the container image defined in the repo.

Important

If you previously created tasks during the preview with the az acr build-task command, those tasks need to be re-created using the az acr task command.

Learn how to trigger builds on source code commit in the second ACR Tasks tutorial, Automate container image builds with Azure Container Registry Tasks.

Automate OS and framework patching

The power of ACR Tasks to truly enhance your container build workflow comes from its ability to detect an update to a base image. When the updated base image is pushed to your registry, ACR Tasks can automatically build any application images based on it.

Container images can be broadly categorized into base images and application images. Your base images typically include the operating system and application frameworks upon which your application is built, along with other customizations. These base images are themselves typically based on public upstream images, for example: Alpine Linux, Windows, .NET, or Node.js. Several of your application images might share a common base image.

When an OS or app framework image is updated by the upstream maintainer, for example with a critical OS security patch, you must also update your base images to include the critical fix. Each application image must then also be rebuilt to include these upstream fixes now included in your base image.

Because ACR Tasks dynamically discovers base image dependencies when it builds a container image, it can detect when an application image's base image is updated. With one preconfigured build task, ACR Tasks then automatically rebuilds every application image for you. With this automatic detection and rebuilding, ACR Tasks saves you the time and effort normally required to manually track and update each and every application image referencing your updated base image.

Learn about OS and framework patching in the third ACR Tasks tutorial, Automate image builds on base image update with Azure Container Registry Tasks.

Note

Base image updates trigger builds only when both the base and application images reside in the same Azure container registry, or the base resides in a public Docker Hub repository.
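As an added illustration (not ACR Tasks' own code; the page does not show how its dependency discovery is implemented), the following Python models the two mechanisms described above: discovering base image dependencies from the FROM lines of each application image's Dockerfile (including multi-stage builds and ARG substitution), and applying the note's rule so that an updated base only triggers rebuilds of app images in the same registry or when the base is on public Docker Hub. The registry name, Dockerfiles and image names are constructed for the example.

```python
import re

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
ARG_RE = re.compile(r"^\s*ARG\s+(\w+)=(\S+)", re.I)

REGISTRY = "myregistry.azurecr.io"  # constructed: the registry that holds the app images
APP_DOCKERFILES = {                  # constructed Dockerfiles, one per application image
    "web": "ARG BASE=myregistry.azurecr.io/baseimages/node:16\nFROM ${BASE}\nCOPY . /app\n",
    "api": ("FROM myregistry.azurecr.io/baseimages/dotnet-sdk:6.0 AS build\n"
            "COPY . /src\nRUN dotnet publish -o /out\n"
            "FROM myregistry.azurecr.io/baseimages/dotnet-runtime:6.0\n"
            "COPY --from=build /out /app\n"),
    "worker": "FROM python:3.11-alpine\nCOPY worker.py /\n",
    "legacy": "FROM otherregistry.azurecr.io/base/alpine:3.18\nCOPY . /app\n",
}

def base_images(dockerfile: str) -> set:
    """External images named in FROM lines; stage aliases (FROM x AS build) are not bases."""
    args, stages, bases = {}, set(), set()
    for line in dockerfile.splitlines():
        arg = ARG_RE.match(line)
        if arg:
            args[arg.group(1)] = arg.group(2)
            continue
        frm = FROM_RE.match(line)
        if not frm:
            continue
        # Resolve $VAR / ${VAR} from earlier ARG lines; unknown variables become empty.
        ref = re.sub(r"\$\{?(\w+)\}?", lambda m: args.get(m.group(1), ""), frm.group(1))
        if ref.lower() not in stages:  # "FROM build" refers to an earlier stage, not a base
            bases.add(ref)
        if frm.group(2):
            stages.add(frm.group(2).lower())
    return bases

def registry_of(image: str) -> str:
    """Registry host of an image reference; a bare name such as python:3.11 is Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def images_to_rebuild(app_dockerfiles: dict, updated_base: str, registry: str) -> list:
    """Apps referencing updated_base, if the base is in the same registry or on Docker Hub."""
    if registry_of(updated_base) not in (registry, "docker.io"):
        return []  # base lives in a different private registry: no rebuild is triggered
    return sorted(app for app, df in app_dockerfiles.items()
                  if updated_base in base_images(df))
```

Comparison is by the exact reference string written in the Dockerfile, so an image pulled as python:3.11-alpine and one written as docker.io/library/python:3.11-alpine are treated as different bases.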

Multi-step tasks

Multi-step tasks provide step-based task definition and execution for building, testing, and patching container images in the cloud. Task steps define individual container image build and push operations. They can also define the execution of one or more containers, with each step using the container as its execution environment.

For example, you can create a multi-step task that automates the following:

  1. Build a web application image
  2. Run the web application container
  3. Build a web application test image
  4. Run the web application test container, which performs tests against the running application container
  5. If the tests pass, build a Helm chart archive package
  6. Perform a helm upgrade using the new Helm chart archive package

Multi-step tasks enable you to split the building, running, and testing of an image into more composable steps, with inter-step dependency support. With multi-step tasks in ACR Tasks, you have more granular control over image building, testing, and OS and framework patching workflows.

Learn about multi-step tasks in Run multi-step build, test, and patch tasks in ACR Tasks.

Next steps

When you're ready to automate OS and framework patching by building your container images in the cloud, check out the three-part ACR Tasks tutorial series.

Optionally install the Docker Extension for Visual Studio Code and the Azure Account extension to work with your Azure container registries. Pull and push images to an Azure container registry, or run ACR Tasks, all within Visual Studio Code.