I am deploying a docker image from ACR to windows based App Service using Azure DevOps release pipeline (with Azure Web App on Container Deploy task). But getting the error as
"Error: Failed to patch App Service '[App Service Name]' configuration. Error: BadRequest - The parameter DOCKER_REGISTRY_SERVER_URL has an invalid value. Unexpected error when connecting to the registry. Cannot find available registry. https://[ACR Name].azurecr.io (CODE: 400) Error: Failed to update deployment history. Error: Ip Forbidden (CODE: 403)"
Both App Service and ACR are using private endpoint. We are using self hosted agent for our pipeline.
Please let me know how to fix this issue.
Here is a trouble shooting advice:
Please check the value of DOCKER_REGISTRY_SERVER_URL in your ARM template or config file.
What's more, if you are using ARM template, try to add "reserved": true to your properties.
Related
Summary:
I have made many attempts to deploy simple C# Blazor image in public DockerHub repo to Azure App Service web site. All attempts using bicep and the azure portal have failed.
Goal:
Use bicep inside of a Github action (CI/CD pipeline) to deploy from public DockerHub repo to Azure App Service Web Site. (I'm also curious as to how to do it on the portal).
What Works:
This powershell command successfully deploys my DockerHub image to the Azure App Service Web site:
az.cmd webapp create --name DockerhubDeployDemo004 --resource-group rg_ --plan Basic-ASP -s siegfried01 -w topsecretet --deployment-container-image-name siegfried01/demovisualstudiocicdforblazorserver
This bicep for creating an azure container instance also works.
Error Messages from Failed Attempts:
From the log files in the azure portal I get:
2022-05-20T21:50:35.914Z ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for demovisualstudiocicdforblazorserver, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}
2022-05-20T21:50:35.915Z ERROR - Pulling docker image docker.io/demovisualstudiocicdforblazorserver failed:
2022-05-20T21:50:35.916Z WARN - Image pull failed. Defaulting to local copy if present.
2022-05-20T21:50:35.923Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
2022-05-20T21:50:35.928Z INFO - Stopping site dockerdeploydemo003 because it failed during startup.
/home/LogFiles/2022_05_20_lw1sdlwk000FX5_docker.log (https://dockerdeploydemo003.scm.azurewebsites.net/api/vfs/LogFiles/2022_05_20_lw1sdlwk000FX5_docker.log)
2022-05-20T21:35:47.559Z WARN - Image pull failed. Defaulting to local copy if present.
2022-05-20T21:35:47.562Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
Failing Bicep Code:
I tried exporting the ARM code from the successful powershell deployment and the failed portal attempts and converting it to bicep. In both cases the code was very similar. In both cases I had to add/edit the app settings containing the dockerhub URL, account and password. I always received the above error messages. After deploying using bicep code, I could go back into the portal and view the appsettings (dockerhub creds & URL). They looked correct.
References:
Nice DockerHub example but no bicep code.. Says to use index.docker.io for the server and I tried that (did not work). I also tried using https://index.docker.io/v1/ for the server URL and that did not work either.
Nice Bicep Example but uses ACR instead of DockerHub
Another nice Bicep Example that uses ACR instead of DockerHub.
I was surprised I could not find the documentation on the DockerHub site!
Please help me correct my bicep code. I suspect I'm not specifying the correct URL or server for DockerHub.
Thanks
Siegfried
I could not find the web page on Dockerhub that gave the detailed information I was looking for (like the URL). However, the docker Info command as described here was very helpful.
This bicep code did the trick for me (with some help from the bicep support on github):
var appConfigNew = {
DOCKER_ENABLE_CI: 'true'
DOCKER_REGISTRY_SERVER_PASSWORD: dockerhubPassword
DOCKER_REGISTRY_SERVER_URL: 'https://index.docker.io/v1/'
DOCKER_REGISTRY_SERVER_USERNAME: dockerUsername
}
resource appSettings 'Microsoft.Web/sites/config#2021-01-15' = {
name: 'appsettings'
parent: web
properties: appConfigNew
}
And lastly, I discovered this by trial and error:
linuxFxVersion: 'DOCKER|${dockerUsername}/demovisualstudiocicdforblazorserver:${tag}'
Wow! I really worked hard for this one!
We have the following scenario:
Current working setup
Web API project using a single DockerFile
A release pipe line with an 'Azure App Service deploy' task.
Proposed new setup
Web API project using multi container Docker Compose file
A release pipe line with an 'Azure Web App for Containers' task.
Upon deploying the new setup we receive the below error message:
ERROR - multi-container unit was not started successfully
Unhandled exception. System.AggregateException: One or more errors occurred.
(Parameters: Connection String: XXX, Resource: https://vault.azure.net, Authority:
https://login.windows.net/xxxxx. Exception Message:
Tried to get token using Managed Service Identity.
Access token could not be acquired. Connection refused)
The exception thrown is because it can't connect to Azure MSI (Managed Service Identity). It does this to obtain a token before connecting to key vault.
I have tried the following based upon some research and solutions others have found:
Connecting with "RunAs=App" (this seems to be the default parameter-less constructor anyway)
Building up the connection string myself manually by pulling the "MSI_SECRET" environment variable from the machine. This is always blank.
Restarting MSI.
Upgrading and downgrading AppAuthentication package
MSI appears to be configured correctly as it works perfectly with our current working setup so we can rule that out.
It's worth noting that this is System assigned identity not a user assigned one.
The documentation that states which services support managed identites only mentions 'Azure Container Instances' not 'Azure Managed Container Instances' and that is for Linux/Preview too so that it could be not supported.
Services that support managed identities for Azure resources
We've spent a considerable amount of time getting to this point with the configuration and deployment and it would be great if we could resolve this last issue.
Any help appreciated.
Unfortunately, there currently is no multi-container support for managed identities. The multi-container feature is in preview and so does not have all its functionality working yet.
However, the documentation you linked to is also not as clear about the supported scenarios, so I am working on getting this documentation updated to better clarify this. I can update this answer once that's done.
I am having a visual studio subscription. From that I am having a benefit of accessing azure devops. I have used docker container registry for image build and push, and it is successful. Now I have changed to Azure container registry, this time image build is successful, but push failed saying unauthorized access. See below error
The push refers to repository [(registryname).azurecr.io/(myname)/myfirstproject]. unauthorized: authentication required
I have tried to select Service Principal Authentication option, but saying
**Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation.**
So, I have used Managed Identity Authentication option, but the push image failed.
Is it like I have to use Service Principal Authentication option only to push the image in ACS or am I missing anything.
I can provide more information if required.
Thanks in advance.
Trying to deploy VM and web app using Azure Resource Group Deployment and Azure app service tasks in VSTS CI/CDP with Azure Stack.
The task is failing with following errors:
Error: unable to get local
issuer certificate
Any suggestion on this issue?
To ignore SSL error set a Variable of name VSTS_ARM_REST_IGNORE_SSL_ERRORS with value: true in the release definition
Reference: Azure App Service Task Documentation
I'm building a docker image via jenkins and want to deploy it to google cloud registry using the jenkins plugin (docker-build-step, Google Container Registry Auth Plugin, Google OAuth Credentials plugin), using the following instructions: https://wiki.jenkins-ci.org/display/JENKINS/Google+Container+Registry+Auth+Plugin
I have a VM instance on GCE where I have both jenkins and docker installed.
The build works OK, but it fails when I'm trying to push it to the Registry:
Successfully built c2ddc81c66d1
[Docker] INFO: Sucessfully created image eu.gcr.io/$project-id/base
[Docker] INFO: Pushing image eu.gcr.io/$project-id/base
ERROR: Build step failed with exception
javax.ws.rs.ProcessingException: org.apache.http.NoHttpResponseException: 127.0.0.1:2375 failed to respond
at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:513)
at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:246)
at org.glassfish.jersey.client.JerseyInvocation$1.call(JerseyInvocation.java:667)
at org.glassfish.jersey.client.JerseyInvocation$1.call(JerseyInvocation.java:664)
at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
--
But when I try to push it via SSH, it works:
bash-4.2$ whoami
jenkins
bash-4.2$ gcloud docker push eu.gcr.io/$project-id/base
The push refers to a repository [eu.gcr.io/$project-id/base]
41772e41ab05: Layer already exists
a03f60753e4e: Pushing [=========> ] 9.223 MB/47.44 MB
I believe that if it was some kind of scope from the google VM, I shouldn't be able to do it via ssh either. Could it be the jenkins user environment variables?
Anyone has a working configuration for a similar scenario? Anyone that knows Jenkins well knows what kind of config could be causing this?
Also, before using http://127.0.0.1:2375 as the docker url, I had unix:///var/run/docker.sock, and with that configuration, instead of "127.0.0.1:2375 no HttpResponseExpcetion" I had "localhost:80 no HttpResponseExpcetion" on the log, so using the socket isn't the solution either.
Regards,
JS
The error is related with failed a connection between Jenkins and Google Registry. I'm assuming there's no problem with the network connection, since it's calling the localhost.
[Docker] INFO: Sucessfully created image eu.gcr.io/$project-id/base
[Docker] INFO: Pushing image eu.gcr.io/$project-id/base
ERROR: Build step failed with exception
javax.ws.rs.ProcessingException: org.apache.http.NoHttpResponseException: 127.0.0.1:2375 failed to respond
So, that leaves us with an applicational problem. Check your Google oAuth credentials, it can be an unauthorized access exception being throwed, in which you'll have to create the credentials.
In any case, check your logs and elevate the log level to see if there's any important info that went unnoticed.