Tutorial: Automate container image builds when a base image is updated in an Azure container registry

ACR Tasks supports automated build execution when a container's base image is updated, such as when you patch the OS or application framework in one of your base images. In this tutorial, you learn how to create a task in ACR Tasks that triggers a build in the cloud when a container's base image has been pushed to your registry.

In this tutorial, the last in the series:

  • Build the base image
  • Create an application image build task
  • Update the base image to trigger an application image task
  • Display the triggered task
  • Verify updated application image

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. Cloud Shell lets you use either bash or PowerShell to work with Azure services. You can use the Cloud Shell pre-installed commands to run the code in this article without having to install anything on your local environment.

To launch Azure Cloud Shell:

  • Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.
  • Go to https://shell.azure.com or select the Launch Cloud Shell button to open Cloud Shell in your browser.
  • Select the Cloud Shell button on the top-right menu bar in the Azure portal.

To run the code in this article in Azure Cloud Shell:

  1. Open Cloud Shell.
  2. Select the Copy button on a code block to copy the code.
  3. Paste the code into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS.
  4. Press Enter to run the code.

If you'd like to use the Azure CLI locally, you must have the Azure CLI version 2.0.46 or later installed. Run az --version to find the version. If you need to install or upgrade the CLI, see Install Azure CLI.

Prerequisites

Complete the previous tutorials

This tutorial assumes you've already completed the steps in the first two tutorials in the series, in which you:

  • Create Azure container registry
  • Fork sample repository
  • Clone sample repository
  • Create GitHub personal access token

If you haven't already done so, complete the first two tutorials before proceeding:

Build container images in the cloud with Azure Container Registry Tasks

Automate container image builds with Azure Container Registry Tasks

Configure the environment

Populate these shell environment variables with values appropriate for your environment. This step isn't strictly required, but makes executing the multiline Azure CLI commands in this tutorial a bit easier. If you don't populate these environment variables, you must manually replace each value wherever it appears in the example commands.

ACR_NAME=<registry-name>        # The name of your Azure container registry
GIT_USER=<github-username>      # Your GitHub user account name
GIT_PAT=<personal-access-token> # The PAT you generated in the second tutorial

Base images

Dockerfiles defining most container images specify a parent image on which the image is based, often referred to as its base image. Base images typically contain the operating system, for example Alpine Linux or Windows Nano Server, on which the rest of the container's layers are applied. They might also include application frameworks such as Node.js or .NET Core.

Base image updates

A base image is often updated by the image maintainer to include new features or improvements to the OS or framework in the image. Security patches are another common cause for a base image update.

When a base image is updated, you need to rebuild any container images in your registry that are based on it to include the new features and fixes. ACR Tasks includes the ability to automatically build images for you when a container's base image is updated.

Tasks triggered by a base image update

  • Currently, for image builds from a Dockerfile, an ACR task detects dependencies on base images in the same Azure container registry, a public Docker Hub repo, or a public repo in Microsoft Container Registry. If the base image specified in the FROM statement resides in one of these locations, the ACR task adds a hook to ensure the image is rebuilt any time its base is updated.

  • When you create an ACR task with the az acr task create command, by default the task is enabled to be triggered by a base image update. That is, the base-image-trigger-enabled property is set to True. If you want to disable this behavior in a task, update the property to False. For example, run the following az acr task update command:

    az acr task update --registry myregistry --name mytask --base-image-trigger-enabled False
    
  • To enable an ACR task to determine and track a container image's dependencies, which include its base image, you must first trigger the task at least once. For example, trigger the task manually using the az acr task run command.

  • To trigger a task on base image update, the base image must have a stable tag, such as node:9-alpine. This tagging is typical for a base image that is updated with OS and framework patches to a latest stable release. If the base image is updated with a new version tag, it does not trigger a task. For more information about image tagging, see the best practices guidance.

Base image update scenario

This tutorial walks you through a base image update scenario. The code sample includes two Dockerfiles: an application image, and an image it specifies as its base. In the following sections, you create an ACR task that automatically triggers a build of the application image when a new version of the base image is pushed to the same container registry.

Dockerfile-app: A small Node.js web application that renders a static web page displaying the Node.js version on which it's based. The version string is simulated: it displays the contents of an environment variable, NODE_VERSION, that's defined in the base image.

Dockerfile-base: The image that Dockerfile-app specifies as its base. It is itself based on a Node image, and includes the NODE_VERSION environment variable.

In the following sections, you create a task, update the NODE_VERSION value in the base image Dockerfile, then use ACR Tasks to build the base image. When the ACR task pushes the new base image to your registry, it automatically triggers a build of the application image. Optionally, you run the application container image locally to see the different version strings in the built images.

In this tutorial, your ACR task builds and pushes an application container image specified in a Dockerfile. ACR Tasks can also run multi-step tasks, using a YAML file to define steps to build, push, and optionally test multiple containers.

Build the base image

Start by building the base image with an ACR Tasks quick task. As discussed in the first tutorial in the series, this process not only builds the image, but pushes it to your container registry if the build is successful.

az acr build --registry $ACR_NAME --image baseimages/node:9-alpine --file Dockerfile-base .

Create a task

Next, create a task with az acr task create:

az acr task create \
    --registry $ACR_NAME \
    --name taskhelloworld \
    --image helloworld:{{.Run.ID}} \
    --arg REGISTRY_NAME=$ACR_NAME.azurecr.io \
    --context https://github.com/$GIT_USER/acr-build-helloworld-node.git \
    --file Dockerfile-app \
    --branch master \
    --git-access-token $GIT_PAT

Important

If you previously created tasks during the preview with the az acr build-task command, those tasks need to be re-created using the az acr task command.

This task is similar to the quick task created in the previous tutorial. It instructs ACR Tasks to trigger an image build when commits are pushed to the repository specified by --context. While the Dockerfile used to build the image in the previous tutorial specifies a public base image (FROM node:9-alpine), the Dockerfile in this task, Dockerfile-app, specifies a base image in the same registry:

FROM ${REGISTRY_NAME}/baseimages/node:9-alpine

This configuration makes it easy to simulate a framework patch in the base image later in this tutorial.

Build the application container

Use az acr task run to manually trigger the task and build the application image. This step ensures that the task tracks the application image's dependency on the base image.

az acr task run --registry $ACR_NAME --name taskhelloworld

Once the task has completed, take note of the Run ID (for example, "da6") if you wish to complete the following optional step.

Optional: Run application container locally

If you're working locally (not in the Cloud Shell), and you have Docker installed, run the container to see the application rendered in a web browser before you rebuild its base image. If you're using the Cloud Shell, skip this section (Cloud Shell does not support az acr login or docker run).

First, authenticate to your container registry with az acr login:

az acr login --name $ACR_NAME

Now, run the container locally with docker run. Replace <run-id> with the Run ID found in the output from the previous step (for example, "da6"). This example names the container myapp and includes the --rm parameter to remove the container when you stop it.

docker run -d -p 8080:80 --name myapp --rm $ACR_NAME.azurecr.io/helloworld:<run-id>

Navigate to http://localhost:8080 in your browser, and you should see the Node.js version number rendered in the web page, similar to the following. In a later step, you bump the version by adding an "a" to the version string.

Screenshot of the sample application rendered in the browser

To stop and remove the container, run the following command:

docker stop myapp

List the builds

Next, list the task runs that ACR Tasks has completed for your registry using the az acr task list-runs command:

az acr task list-runs --registry $ACR_NAME --output table

If you completed the previous tutorial (and didn't delete the registry), you should see output similar to the following. Take note of the number of task runs, and the latest RUN ID, so you can compare the output after you update the base image in the next section.

$ az acr task list-runs --registry $ACR_NAME --output table

RUN ID    TASK            PLATFORM    STATUS     TRIGGER     STARTED               DURATION
--------  --------------  ----------  ---------  ----------  --------------------  ----------
da6       taskhelloworld  Linux       Succeeded  Manual      2018-09-17T23:07:22Z  00:00:38
da5                       Linux       Succeeded  Manual      2018-09-17T23:06:33Z  00:00:31
da4       taskhelloworld  Linux       Succeeded  Git Commit  2018-09-17T23:03:45Z  00:00:44
da3       taskhelloworld  Linux       Succeeded  Manual      2018-09-17T22:55:35Z  00:00:35
da2       taskhelloworld  Linux       Succeeded  Manual      2018-09-17T22:50:59Z  00:00:32
da1                       Linux       Succeeded  Manual      2018-09-17T22:29:59Z  00:00:57

Update the base image

Here you simulate a framework patch in the base image. Edit Dockerfile-base, and add an "a" after the version number defined in NODE_VERSION:

ENV NODE_VERSION 9.11.2a

Run a quick task to build the modified base image. Take note of the Run ID in the output.

az acr build --registry $ACR_NAME --image baseimages/node:9-alpine --file Dockerfile-base .

Once the build is complete and the ACR task has pushed the new base image to your registry, it triggers a build of the application image. It may take a few moments for the task you created earlier to trigger the application image build, as it must detect the newly built and pushed base image.

List updated build

Now that you've updated the base image, list your task runs again to compare to the earlier list. If at first the output doesn't differ, periodically run the command to see the new task run appear in the list.

az acr task list-runs --registry $ACR_NAME --output table

Output is similar to the following. The TRIGGER for the last-executed build should be "Image Update", indicating that the task was kicked off by your quick task of the base image.

$ az acr task list-runs --registry $ACR_NAME --output table

Run ID    TASK            PLATFORM    STATUS     TRIGGER       STARTED               DURATION
--------  --------------  ----------  ---------  ------------  --------------------  ----------
da8       taskhelloworld  Linux       Succeeded  Image Update  2018-09-17T23:11:50Z  00:00:33
da7                       Linux       Succeeded  Manual        2018-09-17T23:11:27Z  00:00:35
da6       taskhelloworld  Linux       Succeeded  Manual        2018-09-17T23:07:22Z  00:00:38
da5                       Linux       Succeeded  Manual        2018-09-17T23:06:33Z  00:00:31
da4       taskhelloworld  Linux       Succeeded  Git Commit    2018-09-17T23:03:45Z  00:00:44
da3       taskhelloworld  Linux       Succeeded  Manual        2018-09-17T22:55:35Z  00:00:35
da2       taskhelloworld  Linux       Succeeded  Manual        2018-09-17T22:50:59Z  00:00:32
da1                       Linux       Succeeded  Manual        2018-09-17T22:29:59Z  00:00:57

If you'd like to perform the following optional step of running the newly built container to see the updated version number, take note of the RUN ID value for the Image Update-triggered build (in the preceding output, it's "da8").
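
Instead of rerunning the command by hand and reading the table, a script can watch for the rebuild. The following is an added example, not part of the original tutorial: it parses the list-runs table by column offset and reports the run that the base image update triggered. The function names sample_runs and image_update_run, and the baseline run ID argument, are assumptions of this example.

```bash
# Added example (not from the original tutorial): detect the rebuild that a
# base image update triggered, from `az acr task list-runs --output table`.

# Constructed sample input: the table shown in this tutorial, newest run first.
sample_runs() {
cat <<'EOF'
Run ID    TASK            PLATFORM    STATUS     TRIGGER       STARTED               DURATION
--------  --------------  ----------  ---------  ------------  --------------------  ----------
da8       taskhelloworld  Linux       Succeeded  Image Update  2018-09-17T23:11:50Z  00:00:33
da7                       Linux       Succeeded  Manual        2018-09-17T23:11:27Z  00:00:35
da6       taskhelloworld  Linux       Succeeded  Manual        2018-09-17T23:07:22Z  00:00:38
da5                       Linux       Succeeded  Manual        2018-09-17T23:06:33Z  00:00:31
da4       taskhelloworld  Linux       Succeeded  Git Commit    2018-09-17T23:03:45Z  00:00:44
da3       taskhelloworld  Linux       Succeeded  Manual        2018-09-17T22:55:35Z  00:00:35
da2       taskhelloworld  Linux       Succeeded  Manual        2018-09-17T22:50:59Z  00:00:32
da1                       Linux       Succeeded  Manual        2018-09-17T22:29:59Z  00:00:57
EOF
}

# image_update_run TASK [SINCE_RUN_ID]  (hypothetical helper)
# Prints the run ID of the newest succeeded run of TASK whose TRIGGER is
# "Image Update". Scanning stops at SINCE_RUN_ID, the newest run noted before
# the base image was rebuilt. Returns 1 when no such run is listed yet.
image_update_run() {
  awk -v task="$1" -v since="${2:-}" '
    function trim(s) { gsub(/^ +| +$/, "", s); return s }
    function cell(line, i) {
      return trim(substr(line, start[i], (i < n) ? start[i+1] - start[i] : length(line)))
    }
    # The dashed ruler gives each column its start offset. Cells are cut by
    # offset because TASK is blank for quick tasks and "Image Update" contains
    # a space, so splitting on whitespace would shift the columns.
    !n && /^-+( +-+)+ *$/ {
      line = $0; pos = 0
      while (match(line, /-+/)) {
        start[++n] = pos + RSTART
        pos += RSTART + RLENGTH - 1
        line = substr(line, RSTART + RLENGTH)
      }
      for (i = 1; i <= n; i++) col[toupper(cell(header, i))] = i
      next
    }
    !n { header = $0; next }          # last line before the ruler is the header
    NF {
      id = cell($0, col["RUN ID"])
      if (id == since) exit           # reached the baseline: nothing newer
      if (cell($0, col["TASK"]) == task &&
          cell($0, col["TRIGGER"]) == "Image Update" &&
          cell($0, col["STATUS"]) == "Succeeded") { print id; found = 1; exit }
    }
    END { exit !found }
  '
}

# Poll until the triggered build shows up (uses only commands from this page):
#   until run=$(az acr task list-runs --registry "$ACR_NAME" --output table |
#               image_update_run taskhelloworld da6); do sleep 10; done
sample_runs | image_update_run taskhelloworld da6   # prints da8
```
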

Optional: Run newly built image

If you're working locally (not in the Cloud Shell), and you have Docker installed, run the new application image once its build has completed. Replace <run-id> with the RUN ID you obtained in the previous step. If you're using the Cloud Shell, skip this section (Cloud Shell does not support docker run).

docker run -d -p 8081:80 --name updatedapp --rm $ACR_NAME.azurecr.io/helloworld:<run-id>

Navigate to http://localhost:8081 in your browser, and you should see the updated Node.js version number (with the "a") in the web page:

Screenshot of the sample application rendered in the browser

What's important to note is that you updated your base image with a new version number, but the last-built application image displays the new version. ACR Tasks picked up your change to the base image, and rebuilt your application image automatically.

To stop and remove the container, run the following command:

docker stop updatedapp

Clean up resources

To remove all resources you've created in this tutorial series, including the container registry, container instance, key vault, and service principal, issue the following commands:

az group delete --resource-group $RES_GROUP
az ad sp delete --id http://$ACR_NAME-pull

Next steps

In this tutorial, you learned how to use a task to automatically trigger container image builds when the image's base image has been updated. Now, move on to learning about authentication for your container registry.