I was trying to push the docker image build to the Azure Container registry using the Azure YAML pipeline. But while pushing i am getting an error like
"denied: requested access to the resource is denied
##[error]denied: requested access to the resource is denied
##[error]/usr/bin/docker failed with return code: 1"
Below is the azure yaml pipeline code part i used for this. Also tried by removing the includeSourceTags and additionalImageTags
variables:
BuildConfiguration: "Release"
AzureSubscription: "ea158397-eb3f-461a-94df-0eb6bbaada60"
AzureContainerRegistry: "microservicecontainerregistry01.azurecr.io"
KubernetesServiceEndpoint: "AKSServiceConnection"
ResourceGroup: "microservicedelivery"
- task: Docker#1
condition: eq(variables['fullCI'],True)
displayName: 'Push runtime image'
inputs:
azureSubscriptionEndpoint: ${{variables.AzureSubscription}}
azureContainerRegistry: ${{variables.AzureContainerRegistry}}
command: 'Push an image'
imageName: '$(imageName)'
includeSourceTags: false
additionalImageTags: $(Build.BuildId)
Same error is happening in the Microsoft hosted machine as well as with the private machine.
Please refer the documentation here with the sample YAML snippet to help you push the images to ACR.
Related
- task: Docker#2
displayName: Build an image
inputs:
command: build
repository: weather-update-project
dockerfile: '**/Dockerfile'
buildContext: '$(Build.SourcesDirectory)'
tags: 'latest'
- task: ECRPushImage#1
inputs:
awsCredentials: 'weather'
regionName: us-west-2
imageSource: 'imagename'
sourceImageName: 'weather-update-project'
sourceImageTag: 'latest'
pushTag: 'latest'
repositoryName: 'weather-update-project'
I'm building an image and then trying to push that image to ECR. When it gets to the ECR push image task, it tries to push a few times and then gives me the error "The process '/usr/bin/docker' failed with exit code 1" and that's it. There's no other information in my logs in regards to the error like there normally is. What is possibly happening? My ECR is public and all of my credentials are correct. Here's my YAML code for the docker build and ecrpushimage tasks in Azure DevOps
My Repository name that contains my dockerfile is 'weather-update-project' and my ECR repository also has the name 'weather-update-project'
Can you please validate on what agent this is running on & if Docker is there or not?
Is the image being created properly?
While executing the ECRPushImage task at the beginning it should show at least the configuration log like below, if not then it is related to docker on that agent.
Configuring credentials for task
...configuring AWS credentials from service endpoint 'xxxxxxxxxxxx'
...endpoint defines standard access/secret key credentials
Configuring region for task
...configured to use region us-east-1, defined in tas
I've setup a Google Cloud Build pipeline that'll build a docker image from a Dockerfile, test the image and push the image into Google Container Registry.
Upon running the pipeline I noticed that all defined steps passed with SUCCESS status but the build summary itself returned with FAILURE status even though I can see the image being produced into Google Container Registry.
I used following command to build the image
gcloud builds submit --config cloudbuild.yml --gcs-log-dir 'gs://<bucket>' .
and below is the error message returned:
ERROR: (gcloud.builds.submit) build www-xxxx-yyyy-zzzz completed with status "FAILURE"
🚨 Error: The command exited with status 1
Is there any reason for the gcloud builds submit command to exit with code 1 as above if all the steps were marked as SUCCESS?
Below is some filtered log data taken from gcloud builds describe command for that specific build.
steps:
- args:
- build
- -t
- <host>/<project/<image>:<tag>
- .
name: gcr.io/cloud-builders/docker
status: SUCCESS
- args:
- test
- --image
- <host>/<project/<image>:<tag>
- --config
- test_config.yml
- -o
- json
name: gcr.io/gcp-runtimes/container-structure-test
status: SUCCESS
Below is Google Cloud Build setup:
# cloudbuild.yml
steps:
# Build the image
- name: 'gcr.io/cloud-builders/docker'
args: [ 'build', '-t', '<host>/<project/<image>:<tag>', '.' ]
# Test the image
- name: 'gcr.io/gcp-runtimes/container-structure-test'
args: [
'test',
'--image',
'<host>/<project/<image>:<tag>',
'--config',
'test_config.yml',
'-o',
'json'
]
# Push the image
images: [ '<host>/<project/<image>:<tag>' ]
I've finally resolved this issue with the assistance of Google Cloud support team.
They found out a 403 Permission Denied error as the Cloud Build container trying to access Google Cloud Storage to delete a certain log object stored in the bucket, this error message is found at the back system of Cloud Build where users/clients have no access to. The 403 Permission Denied error is the result of the object retention policy applied to the bucket.
In my case, I've replaced retention policy with lifecycle policy to resolve this issue and it worked. We do this as we consider keeping Cloud Build log size under control is our primary objective and, to prevent any accidental deletion/modification to the log file, we ended up with setting read-only access to the resources in the log bucket except for the service account used by Cloud Build.
I am using Azure Pipelines (with YAML format) to build Dockerfile and push the image to Azure Container Registry.
Here is part of the YAML definition:
- task: Docker#2
displayName: Build Dockerfile
inputs:
command: 'build'
containerRegistry: 'containerRegistry'
repository: '$(imageRepository)'
Dockerfile: 'src/Api/Dockerfile'
buildContext: '.'
tags: '$(imageTag)'
- task: Docker#2
displayName: Push image
inputs:
command: push
containerRegistry: 'containerRegistry'
repository: '$(imageRepository)'
tags: '$(imageTag)'
So my question is, is there a way to retrieve the digest value on docker push task, so I can use it in the next tasks?
It seems that in the older versions of the Docker task, that was possible and there was a task parameter imageDigestFile, I am referring to Docker#0.
Unfortunately now that looks deprecated and I can't find a way to do it using the latest version.
Thanks!
Best regards,
Nikolay
Unfortunately now that looks deprecated and I can't find a way to do it using the latest version.
This is a known issue for the latest version of docker push task:
How to use output of DockerV2 task
That because that product team have tried to limit the number of inputs to the task to simplify it in DockerV2. So they have not provided the support for image digest files. But image digest is written to the output called DockerOutput.
The source code here.
And the product team will work with the people involved in the design of this task and see how to do this work.
To resolve this issue, we could try to use the older versions of the Docker task or parse the output DockerOutput and fetch the image digest
I am new to Azure Devops and am having some difficulty building my first pipeline. So far I have three steps that work just fine:
Maven build from POM, successfully packages my war file
Copy files to $(system.defaultworkingdirectory), copying the files I want from the target folder
Successful Publish of the artifact to a private Azure package repository
My 4th step runs a DevOps Docker Task to build a Docker image to be used to deploy the web app. This has been a challenge because my dockerfile COPY commands are failing. I can't locate the target folder, the one that step 3 just used to build the war file! In an effort to locate the target folder I added this command to my dockerfile:
RUN ls -R -la /
It appears to have dumped the entire file system and the target folder is nowhere to be found in the listing.
Any thoughts regarding where I can find my target files?
I am very close to making this work the way I want. If I comment out the COPY command it builds a fundamentally empty image which my 5th step successfully pushes to my private Docker repository. Of course the image is useless without the web app.
Any help you might offer will be greatly appreciated.
After a lot of trial and error I came up with the following azure-pipelines.yml file:
trigger:
- master
jobs:
- job: build
pool:
vmImage: 'Ubuntu-16.04'
steps:
- script: |
echo Starting the build
env
java -version
./mvnw clean package -Dmaven.test.failure.ignore=true -e -U
ls -la *
displayName: 'Build with Maven'
- task: Docker#0
displayName: 'Build an image'
inputs:
azureSubscription: 'Visual Studio Enterprise (******)'
azureContainerRegistry: '{"loginServer":"testingcontainerregistry******.azurecr.io", "id" : "/subscriptions/******/resourceGroups/******/providers/Microsoft.ContainerRegistry/registries/testingContainerRegistry******"}'
action: 'Build an image'
- task: Docker#0
displayName: 'Push an image'
inputs:
azureSubscription: 'Visual Studio Enterprise (******)'
azureContainerRegistry: '{"loginServer":"testingcontainerregistry******.azurecr.io", "id" : "/subscriptions/******/resourceGroups/******/providers/Microsoft.ContainerRegistry/registries/testingContainerRegistry******"}'
action: 'Push an image'
- job: test
dependsOn: build
condition: succeeded()
pool:
vmImage: 'Ubuntu-16.04'
steps:
- script: |
echo Performing tests
env
ls -la
displayName: 'Running integration tests'
The testing job is not doing anything useful yet, but you can see that the Maven build and the Docker build&push are done by the same job.
Essentially I struggled with the same issue as you did. I created a GitHub ticket to make them aware of the fact that the basic concepts are not easy to understand from the current documentation: https://github.com/MicrosoftDocs/vsts-docs/issues/2851
I am trying to build and push image to docker cloud with Jenkins using the docker-build-step plugin. Added password for docker hub with Jenkins Password Manager plugin.
I am doing this in two steps. First step uses Build/Create Image command. The command builds image and tags it with build ID.
Second step pushes image to docker hub. Here is console trace:
[Docker] INFO: Build image id:5240329f9db6
[Docker] INFO: Pushing image parthmodi/docker_demo:test_push
[Docker] INFO: PushResponseItem[stream=<null>,status=The push refers to a repository [docker.io/parthmodi/docker_demo],progressDetail=<null>,progress=<null>,id=<null>,from=<null>,time=<null>,errorDetail=<null>,error=<null>,aux=<null>]
...
[Docker] INFO: PushResponseItem[stream=<null>,status=<null>,progressDetail=<null>,progress=<null>,id=<null>,from=<null>,time=<null>,errorDetail=ResponseItem.ErrorDetail[code=<null>,message=denied: requested access to the resource is denied],error=denied: requested access to the resource is denied,aux=<null>]
ERROR: Build step failed with exception
com.github.dockerjava.api.exception.DockerClientException: Could not push image: denied: requested access to the resource is denied
at com.github.dockerjava.core.command.PushImageResultCallback.awaitSuccess(PushImageResultCallback.java:49)
at org.jenkinsci.plugins.dockerbuildstep.cmd.PushImageCommand.execute(PushImageCommand.java:81)
at org.jenkinsci.plugins.dockerbuildstep.DockerBuilder.perform(DockerBuilder.java:74)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:736)
at hudson.model.Build$BuildExecution.build(Build.java:206)
at hudson.model.Build$BuildExecution.doRun(Build.java:163)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:496)
at hudson.model.Run.execute(Run.java:1737)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:421)
Build step 'Execute Docker command' marked build as failure
Finished: FAILURE
Here is complete trace:
https://pastebin.com/tFy399D5
Why am I getting Could not push image: denied: requested access to the resource is denied error for pushing image to Docker Registry, and what can I do to resolve it?
Had also similar issues as OP, but with the Ram Kamath's code example. The issue lied with the incorrect registryURL that I passed to the docker.withRegistry. I had it as https://index.docker.io/v2/ but the credentials were for the https://index.docker.io/v1/ API.
Try this
stage('build and publish'){
def dockerImage = docker.build('dockerImageName')
docker.withRegistry(RegistryURL, CredentialID) {
dockerImage.push('latest')
}
}