Repository: Azure/acr
Branch: main
Commit: 4477d3db980c
Files: 166
Total size: 607.4 KB
Directory structure:
gitextract_umt5drn5/
├── .github/
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug_report.md
│ │ ├── feature_request.md
│ │ └── roadmap-template.yml
│ └── workflows/
│ ├── nodejs.yml
│ └── stale.yml
├── .gitignore
├── LICENSE.txt
├── README.md
├── SECURITY.md
├── docs/
│ ├── .gitignore
│ ├── .vuepress/
│ │ └── config.js
│ ├── AAD-OAuth.md
│ ├── FAQ.md
│ ├── README.md
│ ├── Token-BasicAuth.md
│ ├── Troubleshooting Guide.md
│ ├── acr-roadmap.md
│ ├── aks-acr-across-tenants.md
│ ├── artifact-media-types.json
│ ├── blog/
│ │ ├── abac-repo-permissions.md
│ │ ├── connected-registry.md
│ │ └── teleport.md
│ ├── container-registry-consuming-public-content.md
│ ├── container-registry-oras-artifacts.md
│ ├── contributing-to-pages.md
│ ├── custom-domain/
│ │ ├── README.md
│ │ └── deprecated/
│ │ ├── docker-vm-deploy/
│ │ │ ├── azuredeploy.json
│ │ │ ├── azuredeploy.parameters.json
│ │ │ ├── deploy-nginx-docker.sh
│ │ │ ├── deploy.ps1
│ │ │ ├── docker-compose.yml.template
│ │ │ ├── nginx.conf.template
│ │ │ └── setup-certs.sh
│ │ ├── key-vault-setup/
│ │ │ ├── ensure-vault.ps1
│ │ │ └── upload-cert.ps1
│ │ └── registry-setup-deprecated.md
│ ├── deploy.sh
│ ├── http-headers.md
│ ├── image-signing.md
│ ├── image-transfer/
│ │ ├── ExportPipelines/
│ │ │ ├── azuredeploy.json
│ │ │ └── azuredeploy.parameters.json
│ │ ├── ImportPipelines/
│ │ │ ├── azuredeploy.json
│ │ │ └── azuredeploy.parameters.json
│ │ ├── PipelineRun/
│ │ │ ├── PipelineRun-Export/
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ └── PipelineRun-Import/
│ │ │ ├── azuredeploy.json
│ │ │ └── azuredeploy.parameters.json
│ │ └── README.md
│ ├── integration/
│ │ ├── CircleCI.md
│ │ ├── change-analysis/
│ │ │ └── README.md
│ │ └── github-actions/
│ │ ├── Dockerfile
│ │ ├── github-actions.md
│ │ └── main.workflow
│ ├── move-repositories-to-new-registry/
│ │ └── README.md
│ ├── package.json
│ ├── preview/
│ │ ├── abac-repo-permissions/
│ │ │ └── README.md
│ │ ├── artifact-streaming/
│ │ │ └── README.md
│ │ ├── connected-registry/
│ │ │ ├── README.md
│ │ │ ├── connected-registry-error-codes.md
│ │ │ ├── intro-connected-registry.md
│ │ │ ├── overview-connected-registry-access.md
│ │ │ ├── overview-connected-registry-and-iot-edge.md
│ │ │ ├── quickstart-connected-registry-cli.md
│ │ │ ├── quickstart-deploy-connected-registry-iot-edge-cli.md
│ │ │ ├── quickstart-deploy-connected-registry-kubernetes-v2.md
│ │ │ ├── quickstart-deploy-connected-registry-kubernetes.md
│ │ │ ├── quickstart-deploy-connected-registry-nested-iot-edge-cli.md
│ │ │ ├── quickstart-pull-images-from-connected-registry.md
│ │ │ ├── quickstart-send-connected-registry-events-to-event-grid.md
│ │ │ ├── quickstart-view-connected-registry-repos-and-tags.md
│ │ │ ├── release-notes.md
│ │ │ └── troubleshooting.md
│ │ ├── continuous-patching/
│ │ │ └── README.md
│ │ ├── quarantine/
│ │ │ ├── quarantine-details/
│ │ │ │ ├── example.json
│ │ │ │ └── schema.json
│ │ │ └── readme.md
│ │ └── regional-endpoints/
│ │ └── regional-endpoints.md
│ ├── roles-and-permissions.md
│ ├── tasks/
│ │ ├── agentpool/
│ │ │ └── README.md
│ │ ├── buildx/
│ │ │ ├── README.md
│ │ │ ├── bootstrap.yaml
│ │ │ ├── build.yaml
│ │ │ ├── build_with_cache.yaml
│ │ │ └── build_with_cache_2.yaml
│ │ ├── container-registry-tasks-overview.md
│ │ ├── container-registry-tasks-walkthrough.md
│ │ ├── run-as-deployment/
│ │ │ ├── README.md
│ │ │ ├── quickdockerbuild/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ ├── quickdockerbuild-on-existing-registry/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ ├── quickdockerbuildusingidentitykeyvault/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ ├── quickdockerbuildwithidentity/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ ├── quickrun/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ └── taskrun/
│ │ │ ├── README.md
│ │ │ ├── azuredeploy.json
│ │ │ └── azuredeploy.parameters.json
│ │ └── triggers/
│ │ └── private-base-image-update.md
│ └── teleport/
│ ├── README.md
│ ├── aks-getting-started.md
│ ├── aks-teleport-comparison.md
│ ├── check-expansion.sh
│ ├── collecting-teleportd-logs-aks.md
│ ├── edit-teleport-attribute.sh
│ ├── find-teleport-enabled-repositories.sh
│ ├── samples/
│ │ ├── azure-vote-shuttle.yaml
│ │ └── azure-vote-teleport.yaml
│ └── teleport-repository-management.md
├── notifications/
│ ├── README.md
│ └── helm-repo-failure-20200918-.md
└── samples/
├── dotnetcore/
│ ├── image-transfer/
│ │ ├── ContainerRegistryTransfer/
│ │ │ ├── Clients/
│ │ │ │ ├── ExportClient.cs
│ │ │ │ └── ImportClient.cs
│ │ │ ├── ContainerRegistryTransfer.csproj
│ │ │ ├── Helpers/
│ │ │ │ ├── AzureHelper.cs
│ │ │ │ ├── IdentityHelper.cs
│ │ │ │ └── KeyVaultHelper.cs
│ │ │ ├── Models/
│ │ │ │ ├── Options.cs
│ │ │ │ ├── PipelineConfig.cs
│ │ │ │ └── PipelineRunConfig.cs
│ │ │ ├── Program.cs
│ │ │ └── appsettings.json
│ │ ├── ContainerRegistryTransfer.sln
│ │ └── README.md
│ └── registry-artifact-transfer/
│ ├── README.md
│ └── src/
│ ├── Configurations/
│ │ ├── AzureEnvironmentConfiguration.cs
│ │ ├── ExportConfiguration.cs
│ │ ├── IdentityConfiguration.cs
│ │ ├── ImportConfiguration.cs
│ │ ├── RegistryConfiguration.cs
│ │ ├── SourceRegistryConfiguration.cs
│ │ └── TransferDefinition.cs
│ ├── Program.cs
│ ├── Registry.cs
│ ├── RegistryArtifactTransfer.csproj
│ ├── RepositoryProvider/
│ │ ├── CatalogApiResponse.cs
│ │ ├── HttpMessageExtensions.cs
│ │ ├── RepositoryProviderV2.cs
│ │ └── TagListApiResponse.cs
│ ├── ResourceId.cs
│ ├── TaskExtensions.cs
│ ├── Transfer/
│ │ ├── ArtifactProvider.cs
│ │ ├── BlobCopier.cs
│ │ ├── ExportJob.cs
│ │ ├── ExportWorker.cs
│ │ ├── ImportJob.cs
│ │ ├── ImportWorker.cs
│ │ ├── TransferClient.cs
│ │ └── TransferJobStatus.cs
│ ├── TransferReport.cs
│ ├── TransferResult.cs
│ └── transferdefinition.json
└── java/
└── task/
├── .factorypath
├── .gitignore
├── Dockerfile
├── README.md
├── acb.yaml
├── pom.xml
└── src/
└── main/
└── java/
└── com/
└── microsoft/
└── azure/
└── management/
└── containerregistry/
└── samples/
└── ManageTask.java
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.md
================================================
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: bug
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1.
2.
3.
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Any relevant environment information**
- OS: [e.g. Ubuntu, Windows]
- Azure CLI/PowerShell/SDK version
- Docker version
- Datetime (UTC) when the issue occurred
- Registry and image names
**Additional context**
Add any other context about the problem here.
If you are not comfortable posting any of this information publicly, you can instead create a [support ticket](https://azure.microsoft.com/en-us/support/create-ticket/) or send an email to acrsup@microsoft.com.
================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.md
================================================
---
name: Feature request
about: Suggest an idea for the Azure Container Registry
title: ''
labels: feature-request
assignees: ''
---
**What is the problem you're trying to solve**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Additional context**
Add any other context or screenshots about the feature request here.
================================================
FILE: .github/ISSUE_TEMPLATE/roadmap-template.yml
================================================
# GitHub issue form (lives under .github/ISSUE_TEMPLATE) for roadmap feature requests.
# Issues created from it are labelled with both `feature-request` and `roadmap`.
name: Roadmap Feature Request
description: This template is primarily used by the product group to manage roadmap features in the areas of cloud-native security, registries such as Azure Container Registry (ACR) and Microsoft Artifact Registry (MAR/MCR), open-source integration, and more.
labels: [feature-request, roadmap]
body:
  # Static introductory text shown at the top of the form; it collects no input.
  - type: markdown
    attributes:
      value: |
        A roadmap feature could include areas such as cloud-native security, registries like Azure Container Registry (ACR) and Microsoft Artifact Registry (MAR/MCR), open-source integration, and more.
  # Required free-text field: why the feature matters.
  - type: textarea
    id: problem
    validations:
      required: true
    attributes:
      label: "Motivation"
      description: "A clear and concise description of the motivation behind this feature request. Why is this feature important? What problem does it solve or what opportunity does it create?"
  # Required free-text field: what the feature is.
  - type: textarea
    id: solution
    validations:
      required: true
    attributes:
      label: "Description"
      description: "A clear and concise description of the feature request. What is the feature about? Include any relevant details, success criteria or specifications."
  # Optional free-text field for anything else.
  - type: textarea
    id: context
    validations:
      required: false
    attributes:
      label: "Additional context"
      description: "Add any additional context about the roadmap feature."
================================================
FILE: .github/workflows/nodejs.yml
================================================
# On every push to `main` or `test-pages`, runs docs/deploy.sh with the DEPLOY_KEY
# secret loaded into an ssh-agent. deploy.sh itself is not shown in this listing.
#
# NOTE(review): there is no top-level `permissions:` key, so GITHUB_TOKEN gets the
# repository's default scopes. The visible steps authenticate with DEPLOY_KEY rather
# than GITHUB_TOKEN, so a read-only declaration (`permissions: contents: read`)
# looks sufficient; confirm against deploy.sh before adding it.
name: GH-Page Publish
on:
  push:
    # Both branches run the deploy step with DEPLOY_KEY available.
    branches:
      - main
      - test-pages
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # NOTE(review): Node.js 10.x is an end-of-life release line that no longer
        # receives security fixes; the build toolchain runs on it.
        node-version: [10.x]
    steps:
      # NOTE(review): `@v1` is a mutable tag on an old major version. Pinning each
      # action to the full commit SHA of a reviewed release keeps a retagged or
      # compromised action from running in a job that handles DEPLOY_KEY.
      - uses: actions/checkout@v1
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      # Starts an ssh-agent, feeds it the deploy key on stdin (so the key never
      # appears as a command-line argument), then runs the deploy script in docs/.
      # `ssh-agent -s` is started without `-a`, so the `eval` exports the agent's own
      # socket path and overrides the SSH_AUTH_SOCK value set in `env` below.
      - name: Deploy Pages
        run: |
          eval "$(ssh-agent -s)"
          ssh-add - <<< "${DEPLOY_KEY}"
          cd docs
          ./deploy.sh
        env:
          GH_REPOSITORY : ${{ github.repository }}
          # NOTE(review): StrictHostKeyChecking=no turns off SSH host key
          # verification, so the remote that git talks to with DEPLOY_KEY is not
          # checked against a known host key. Prefer StrictHostKeyChecking=yes with
          # a known_hosts entry pinned to the Git host's published key.
          GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no"
          # Private SSH deploy key, injected from the repository secret store.
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
          CI: true
================================================
FILE: .github/workflows/stale.yml
================================================
# Scheduled housekeeping workflow: uses actions/stale to mark inactive issues and
# pull requests as stale and to close them after a further period of inactivity.
name: "Close stale issues and PRs"
on:
  schedule:
    # Once a day at 01:30; GitHub evaluates schedule cron expressions in UTC.
    - cron: "30 1 * * *"
# Explicit least-privilege token: only these two scopes are granted to GITHUB_TOKEN;
# scopes that are not listed are set to none.
permissions:
  issues: write
  pull-requests: write
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v8` is a mutable tag; pinning to the full commit SHA of a
      # reviewed release protects this write-scoped job from a retagged action.
      - uses: actions/stale@v8
        with:
          stale-issue-message: "This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days."
          stale-pr-message: "This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 30 days."
          close-issue-message: "This issue was closed because it has been stalled for 30 days with no activity."
          close-pr-message: "This PR was closed because it has been stalled for 30 days with no activity."
          # Inactivity thresholds in days; they match the numbers quoted in the messages above.
          days-before-issue-stale: 60
          days-before-pr-stale: 45
          days-before-issue-close: 30
          days-before-pr-close: 30
          # Items assigned to any milestone, and issues labelled `feature-request`,
          # are never marked stale.
          exempt-all-milestones: true
          exempt-issue-labels: 'feature-request'
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Mono auto generated files
mono_crash.*
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Ww][Ii][Nn]32/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
[Ll]ogs/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# ASP.NET Scaffolding
ScaffoldingReadMe.txt
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Coverlet is a free, cross platform Code Coverage Tool
coverage*.json
coverage*.xml
coverage*.info
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/
# Ionide (cross platform F# VS Code tools) working folder
.ionide/
# Fody - auto-generated XML schema
FodyWeavers.xsd
.vscode/
.DS_Store
================================================
FILE: LICENSE.txt
================================================
Azure Container Registry Samples and Support
Copyright (c) Microsoft Corporation
All rights reserved.
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ""Software""), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
================================================
FILE: README.md
================================================
# Azure Container Registry
This repo contains [issues](https://github.com/Azure/acr/issues), [samples](./docs), [troubleshooting tips](./docs/Troubleshooting%20Guide.md), and a collection of links for Azure Container Registry.
## Blog posts
* [Choosing a Docker Container Registry](https://stevelasker.blog/2018/11/14/choosing-a-docker-container-registry/)
* [Key Differences between VM and Container Vulnerability Scanning](https://stevelasker.blog/2018/06/27/key-differences-between-vm-and-container-vulnerability-scanning/)
* [Working with Geo-replication notifications](https://stevelasker.blog/2018/01/29/working-with-acr-geo-replication-notifications/)
* [User Accounts](https://stevelasker.blog/2016/11/17/azure-container-registry-user-accounts/)
* [Docker Tagging Best Practices](https://stevelasker.blog/2018/03/01/docker-tagging-best-practices-for-tagging-and-versioning-docker-images/)
* [Deploying Docker Images to Azure Container Instances](https://stevelasker.blog/2017/07/28/deploying-docker-images-from-the-azure-container-registry-to-azure-container-instances/)
## Links
A set of short links for presentations & social media.
### General ACR Links
| Title | Link |
| - | - |
| [ACR service](https://aka.ms/acr) | https://aka.ms/acr |
| [Tiers](https://aka.ms/acr/tiers) | https://aka.ms/acr/tiers |
| [Pricing](https://aka.ms/acr/pricing) | https://aka.ms/acr/pricing |
| [Docs](https://aka.ms/acr/docs) | https://aka.ms/acr/docs |
| [CLI docs](https://aka.ms/acr/docs/cli) | https://aka.ms/acr/docs/cli |
| [REST docs](https://aka.ms/acr/docs/rest) | https://aka.ms/acr/docs/rest |
| [Roadmap](https://aka.ms/acr/roadmap) | https://aka.ms/acr/roadmap |
### General ACR Capabilities
| Title | Link |
| - | - |
| [Cross region replication](https://aka.ms/acr/geo-replication) | https://aka.ms/acr/geo-replication |
| [In-zone redundancy](https://aka.ms/acr/az) | https://aka.ms/acr/az |
| [Helm support](https://aka.ms/acr/helm) | https://aka.ms/acr/helm |
| [Supply chain artifact support](https://aka.ms/acr/acr/supply-chain-artifacts) | https://aka.ms/acr/acr/supply-chain-artifacts |
| [Importing artifacts](https://aka.ms/acr/import) | https://aka.ms/acr/import |
| [Tag locking](https://aka.ms/acr/tag-locking) | https://aka.ms/acr/tag-locking |
| [Webhook notifications](https://aka.ms/acr/webhooks) | https://aka.ms/acr/webhooks |
| [Auto-purge](https://aka.ms/acr/auto-purge) | https://aka.ms/acr/auto-purge |
| [OCI artifacts](https://aka.ms/acr/artifacts) | https://aka.ms/acr/artifacts |
| [Artifact streaming](https://aka.ms/acr/artifact-streaming) | [https://aka.ms/acr/artifact-streaming](https://aka.ms/acr/artifact-streaming) |
### Diagnostic & Troubleshooting Links
| Title | Link |
| - | - |
| [Audit logs](https://aka.ms/acr/audit-logs) | https://aka.ms/acr/audit-logs |
| [Health check CLI](https://aka.ms/acr/health-check) | https://aka.ms/acr/health-check |
### Security Links
| Title | Link |
| - | - |
| [Authentication](https://aka.ms/acr/authentication) | https://aka.ms/acr/authentication |
| [OAuth Authentication](https://aka.ms/acr/auth/oauth) | https://aka.ms/acr/auth/oauth |
| [Authorization](https://aka.ms/acr/authorization) | https://aka.ms/acr/authorization |
| [Authorization roles and role assignments](https://aka.ms/acr/authentication/roles) | https://aka.ms/acr/authentication/roles |
| [Microsoft Entra-based repository permissions](https://aka.ms/acr/auth/abac) | https://aka.ms/acr/auth/abac |
| [Azure policies](https://aka.ms/acr/azurepolicy) | https://aka.ms/acr/azurepolicy |
| [VNet & firewall rules](https://aka.ms/acr/vnet) | https://aka.ms/acr/vnet |
| [Azure private link](https://aka.ms/acr/privatelink) | https://aka.ms/acr/privatelink |
| [Dedicated data endpoints](https://aka.ms/acr/dedicated-data-endpoints) | https://aka.ms/acr/dedicated-data-endpoints |
| [Customer-managed keys](https://aka.ms/acr/cmk) | https://aka.ms/acr/cmk |
| [Content trust / signing](https://aka.ms/acr/content-trust) | https://aka.ms/acr/content-trust |
| [Docker content trust Deprecation](https://aka.ms/acr/dctdeprecation) | https://aka.ms/acr/dctdeprecation |
| [Quarantine pattern](https://aka.ms/acr/quarantine) | https://aka.ms/acr/quarantine |
| [Custom domains (Preview)](https://aka.ms/acr/custom-domains) | https://aka.ms/acr/custom-domains |
| [Continuous patching (Preview)](https://aka.ms/acr/patching) | https://aka.ms/acr/patching |
### ACR Tasks
| Title | Link |
| - | - |
| [Tasks](https://aka.ms/acr/tasks) | https://aka.ms/acr/tasks |
| [Tasks - Gated Import of Public Content](https://aka.ms/acr/tasks/gated-import) | https://aka.ms/acr/tasks/gated-import |
| [Task Scheduling](https://aka.ms/acr/tasks/scheduling) | https://aka.ms/acr/tasks/scheduling |
| [Task Timer Cron Expressions](https://aka.ms/acr/tasks/cron) | https://aka.ms/acr/tasks/cron |
| [Task Dedicated Agent Pool](https://aka.ms/acr/tasks/agentpool) | https://aka.ms/acr/tasks/agentpool |
## Social Media, Content & ACR Jobs at Microsoft
| Title | Link |
|-|-|
| [Links](https://aka.ms/acr/links) | https://aka.ms/acr/links |
| [FAQ](https://aka.ms/acr/faq) | https://aka.ms/acr/faq |
| [Presentations](https://aka.ms/acr/presentations) | https://aka.ms/acr/presentations |
| [Jobs](https://aka.ms/acr/jobs) | https://aka.ms/acr/jobs |
| X #AzureContainerRegistry | https://twitter.com/search?q=%23AzureContainerRegistry |
## Providing feedback
| Title | Link |
|-|-|
| [**Stack Overflow** for community support](https://aka.ms/acr/stack-overflow) | https://aka.ms/acr/stack-overflow |
| [**Azure Feedback** for feature requests](https://aka.ms/acr/uservoice) | https://aka.ms/acr/uservoice |
| [**GitHub** for logging issues](https://aka.ms/acr/issues) | https://aka.ms/acr/issues |
| [**Create a ticket** for general support](https://aka.ms/acr/support/create-ticket) | https://aka.ms/acr/support/create-ticket |
## API and SDK reference
* [REST API Reference](https://docs.microsoft.com/rest/api/containerregistry/)
* [Swagger Specification](https://github.com/Azure/azure-rest-api-specs/blob/master/specification/containerregistry/resource-manager/Microsoft.ContainerRegistry/stable/2017-10-01/containerregistry.json)
* [SDK for Python](https://pypi.python.org/pypi/azure-mgmt-containerregistry)
* [SDK for Python-Source](https://github.com/Azure/azure-sdk-for-python/tree/master/azure-mgmt-containerregistry)
* [SDK for .NET](https://www.nuget.org/packages/Microsoft.Azure.Management.ContainerRegistry)
* [SDK for .NET-Source](https://github.com/Azure/azure-sdk-for-net/tree/master/src/SDKs/ContainerRegistry)
================================================
FILE: SECURITY.md
================================================
<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
## Security
Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
## Reporting Security Issues
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
## Preferred Languages
We prefer all communications to be in English.
## Policy
Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
<!-- END MICROSOFT SECURITY.MD BLOCK -->
================================================
FILE: docs/.gitignore
================================================
gh-pages/
.vuepress/dist/
node_modules
================================================
FILE: docs/.vuepress/config.js
================================================
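// Timestamp taken when the config is loaded; nothing in this file reads it.
const currentDateUTC = new Date().toUTCString()

/**
 * VuePress configuration for the Azure Container Registry documentation site.
 *
 * The site is built into ./gh-pages and served under the /acr/ base path.
 */
module.exports = {
  title: 'Azure Container Registry',
  dest: './gh-pages',
  base: '/acr/',
  markdown: {
    lineNumbers: true
  },
  themeConfig: {
    // NOTE(review): plain-http URL; confirm what consumes `domain` and
    // whether it can be switched to https.
    domain: 'http://azure.github.com',
    displayAllHeaders: true,
    docsDir: 'docs',
    searchMaxSuggestions: 10,
    repo: 'azure/acr',
    repoLabel: 'Star this Repo',
    editLinks: true,
    editLinkText: 'Edit this page on GitHub',
    logo: '/files/acr.svg',
    // Single `sidebar` definition. The object used to declare `sidebar: 'auto'`
    // as well; the array always won because the later duplicate key overrides
    // the earlier one, so dropping the first entry keeps the effective value.
    sidebar: [
      '/',
      {
        title: 'Teleport',
        collapsable: true,
        children: ['/blog/teleport']
      },
      {
        title: 'Tasks',
        // Spelled `collapsable` like the other groups (was `collapsible`).
        collapsable: true,
        children: [
          '/tasks/container-registry-tasks-overview',
          '/tasks/run-as-deployment/',
          '/tasks/agentpool/'
        ]
      },
      {
        title: 'Authentication',
        collapsable: true,
        sidebarDepth: 1,
        children: ['AAD-OAuth', 'Token-BasicAuth']
      },
      {
        title: 'Integration',
        collapsable: true,
        sidebarDepth: 1,
        children: ['/integration/change-analysis/']
      }
    ]
  }
}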
================================================
FILE: docs/AAD-OAuth.md
================================================
---
type: post
title: "AAD Integration"
---
# Azure Container Registry integration with Azure Active Directory
<!-- TOC depthFrom:2 orderedList:false -->
- [Azure Container Registry integration with Azure Active Directory](#azure-container-registry-integration-with-azure-active-directory)
- [Overview](#overview)
- [Authenticating to a registry with Azure CLI](#authenticating-to-a-registry-with-azure-cli)
- [Listing a repository with Azure CLI](#listing-a-repository-with-azure-cli)
- [Azure Container Registry token claim sets](#azure-container-registry-token-claim-sets)
- [Getting credentials programmatically](#getting-credentials-programmatically)
- [Calling `POST /oauth2/exchange` to get an ACR refresh token](#calling-post-oauth2exchange-to-get-an-acr-refresh-token)
- [Authenticating docker with an ACR refresh token](#authenticating-docker-with-an-acr-refresh-token)
- [Calling `POST /oauth2/token` to get an ACR access token](#calling-post-oauth2token-to-get-an-acr-access-token)
- [Calling `POST /oauth2/token` to get an ACR access token for Helm repository](#calling-post-oauth2token-to-get-an-acr-access-token-for-helm-repository)
- [Calling an Azure Container Registry API](#calling-an-azure-container-registry-api)
- [Catalog Listing](#catalog-listing)
- [Pagination](#pagination)
- [Tag Listing](#tag-listing)
- [Pagination](#pagination-1)
- [Samples API Call scripts](#samples-api-call-scripts)
- [Catalog Listing with AAD refresh token](#catalog-listing-with-aad-refresh-token)
- [Catalog listing using SP/Admin with Basic Auth](#catalog-listing-using-spadmin-with-basic-auth)
- [Catalog listing using Admin Keys with Bearer Auth](#catalog-listing-using-admin-keys-with-bearer-auth)
- [Docker login with ACR Access Token - Single repository scope](#docker-login-with-acr-access-token---single-repository-scope)
- [Fetch helm index.yaml with Admin Keys or SP with Basic Auth](#fetch-helm-indexyaml-with-admin-keys-or-sp-with-basic-auth)
<!-- /TOC -->
## Overview
The Azure Container Registry allows users to manage a private Docker registry on the cloud. Our service enables customers to store and manage container images across all types of Azure deployments, keep container images near deployments to reduce latency and costs, maintain Windows and Linux container images in a single Docker registry, use familiar, open-source Docker command line interface (CLI) tools, and simplify registry access management with Azure Active Directory.
The integration of Azure Container Registry with Azure Active Directory is crucial in order to enable transparent authentication and authorization of users and headless services using AAD credentials. In this scenario, a user will only have to use their AAD credentials to log-in to their private registry, and the Azure Container Service will take care of the authorization validation of each operation using the provided credentials.
Under the hood Azure Container Service utilizes the [oauth2](https://oauth.net/2/) authorization protocol, as described by the [Docker Registry v2 authentication via central service documentation](https://docs.docker.com/registry/spec/auth/token/) as well as the [Docker Registry v2 Bearer token specification](https://docs.docker.com/registry/spec/auth/jwt/). The JWT tokens generated by the Azure Container Registry are easy to observe in [jwt.ms](https://jwt.ms/).
## Authenticating to a registry with Azure CLI
The process to log in to the registry, from the user's perspective, is simple. The user will use the Microsoft Azure CLI 2.0:
```bash
az acr login -n contosoregistry
```
Internally, the CLI will follow these steps:
1. Calls to Azure Resource Manager to resolve the login server for the specified registry.
2. Obtains refresh credentials from the profile in use. For a headless call, this will give you the registered SPN, for a regular user this will give you a refresh token.
3. Makes an HTTPS GET call to the registry server's `/v2` endpoint, without credentials. A bearer token authentication challenge is expected, specifying realm and service values. The realm contains the authentication server's URL.
4. Makes an HTTPS POST call to the authentication server's `POST /oauth2/exchange` endpoint, with a body indicating the grant type, the service, the tenant, and the credentials.
5. From the server's response, we extract an Azure Container Registry refresh token.
6. Pass the refresh token as the password to the Docker CLI, using a null GUID as the username and calling `docker login`. From here on, the docker CLI takes care of the authorization cycle using oauth2.
At the end Docker will store the refresh token and go through the oauth2 flow on each operation it does against the Azure Container Registry.
## Listing a repository with Azure CLI
The Microsoft Azure CLI 2.0 also allows users to list the repositories in a registry, and list tags for a repository in a registry. Here's how users can achieve listing the repositories in a registry:
```
az acr repository list -n contosoregistry
```
Internally, the CLI will follow these steps:
1. Calls to Azure Resource Manager to resolve the login server for the specified registry.
2. Obtains refresh credentials from the profile in use. For a headless call, this will give you the registered SPN, for a regular user this will give you a refresh token.
3. Makes an HTTPS GET call to the registry server's `/v2` endpoint, without credentials. A bearer token authentication challenge is expected, specifying realm and service values. The realm contains the authentication server's URL.
4. Makes an HTTPS POST call to the authentication server's `POST /oauth2/exchange` endpoint, with a body indicating the grant type, the service, the tenant, and the credentials.
5. From the server's response we extract an Azure Container Registry refresh token.
6. Makes an HTTPS POST call to the authentication server's `POST /oauth2/token` endpoint, with a body indicating the grant type, the service, the scope, and the Azure Container Registry refresh token.
7. From the server's response we extract an Azure Container Registry access token.
8. Makes an HTTPS GET call to the registry server's `GET /v2/_catalog` endpoint using the access token as the bearer token.
9. Obtains the data from the service and displays it.
When listing the tags of a repository, every step above is the same except for the call to the endpoint that gives the tags which is `GET /v2/contosoregistry/tags/list` instead of `GET /v2/_catalog`.
# Azure Container Registry token claim sets
Following the command of repository list in the previous section:
```bash
az acr repository list -n contosoregistry
```
A JWT refresh token extracted at step 5 has the following claim set:
```json
{
"jti": "365e3b5b-844e-4a21-a38c-4d8aebdd6a06",
"sub": "user@contoso.com",
"nbf": 1497988712,
"exp": 1497990801,
"iat": 1497988712,
"iss": "Azure Container Registry",
"aud": "contosoregistry.azurecr.io",
"version": "1.0",
"grant_type": "refresh_token",
"tenant": "409520d4-8100-4d1d-ad47-72432ddcc120",
"permissions": {
"actions": [
"*"
],
"notActions": []
},
"roles": []
}
```
Followed by an access token at step 7 with the following claim set:
```json
{
"jti": "ec425c1e-7eda-4f70-adb5-19f927e34a41",
"sub": "user@contoso.com",
"nbf": 1497988907,
"exp": 1497993407,
"iat": 1497988907,
"iss": "Azure Container Registry",
"aud": "contosoregistry.azurecr.io",
"version": "1.0",
"access": [
{
"type": "registry",
"name": "catalog",
"actions": [
"*"
]
}
],
"roles": [],
"grant_type": "access_token"
}
```
# Getting credentials programmatically
In order to sign in to a container registry you'll need to exchange AAD credentials for ACR credentials. The accepted forms of credential exchange are:
- AAD access token.
- [Deprecated] AAD refresh token.
- [Deprecated] AAD access token and refresh token.
The AAD access token is used to talk to the Azure Resource Manager and query for the set of permissions that the user has for the container registry resource.
[Deprecated] The AAD refresh token is used in two ways:
1. If no AAD access token was presented, the AAD refresh token is used to obtain an AAD access token.
2. The AAD refresh token is sent back to the user so they can initiate a token refresh cycle against AAD. If no AAD refresh token is sent, then the client won't have this credential at hand to initiate a credential refresh.
The cycle to get credentials looks as follows:
1. Call `POST /oauth2/exchange` presenting the AAD access token or the AAD refresh token [Deprecated]. The service will return you an ACR refresh token.
2. Call `POST /oauth2/token` presenting the ACR refresh token. The service will return you an ACR access token which you can use to call the Azure Container Registry's APIs.
## Calling `POST /oauth2/exchange` to get an ACR refresh token
In this example, we'll try to obtain an ACR refresh token from existing AAD tokens. Assume you have the following:
1. A valid container registry, which here we'll call `contosoregistry.azurecr.io`.
2. The AAD tenant identifier associated to the credentials, which here we'll take to be `409520d4-8100-4d1d-ad47-72432ddcc120`.
3. Valid AAD access token credential with access to the aforementioned container registry.
The AAD access token can be obtained from the Azure CLI. After running `az login` check file `$HOME/.azure/msal_token_cache.json` (`%HOMEDRIVE%%HOMEPATH%\.azure\msal_token_cache.json` in Windows) for the token values. Alternatively, run `az account get-access-token --subscription "<your_subscription_name>"` to find the AAD access token. By default, the returned access token is for Azure Resource Manager (ARM). To obtain an AAD access token for Azure Container Registry (ACR), run `az account get-access-token --resource=https://containerregistry.azure.net`.
We'll now call `POST /oauth2/exchange` to exchange the AAD tokens for an ACR refresh token. Here's how such a call looks when done via `curl`:
```bash
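registry="contosoregistry.azurecr.io"
tenant="409520d4-8100-4d1d-ad47-72432ddcc120"
# The AAD access token is a bearer credential; keep the real value out of
# shared logs and shell history.
aad_access_token="eyJ...H-g"
# Exchange the AAD access token for an ACR refresh token. The URL is quoted so
# the expanded value is passed to curl as a single argument.
curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded" -d \
  "grant_type=access_token&service=$registry&tenant=$tenant&access_token=$aad_access_token" \
  "https://$registry/oauth2/exchange"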
```
The body of the POST message is a querystring-like text that specifies the following values:
- `grant_type`, which can take a value of `access_token`, or `access_token_refresh_token` [Deprecated], or `refresh_token` [Deprecated].
- `service`, which must indicate the name of your Azure container registry.
- `tenant`, which is the AAD tenant associated to the AAD credentials.
- `access_token`, the AAD access token, mandatory when `grant_type` is `access_token` or `access_token_refresh_token` [Deprecated].
- [Deprecated] `refresh_token`, the AAD refresh token, mandatory when `grant_type` is `access_token_refresh_token` or `refresh_token`.
The outcome of this operation will be a response with status 200 OK and a body with the following JSON payload:
```json
{"refresh_token":"eyJ...L7a"}
```
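This response is the ACR refresh token which you can inspect with [jwt.ms](https://jwt.ms/). You can now use it to obtain an ACR access token programmatically or simply send it to the `docker login` command to get docker talking to the Azure Container Registry. Treat the refresh token as a secret: as the `POST /oauth2/token` call below shows, presenting it is all that is needed to obtain ACR access tokens until it expires.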
## Authenticating docker with an ACR refresh token
Once you have obtained an ACR refresh token, you can use the docker CLI to sign in to your registry like this:
```bash
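registry="contosoregistry.azurecr.io"
# The null GUID as user name marks the password as an ACR refresh token.
acr_username="00000000-0000-0000-0000-000000000000"
acr_refresh_token="eyJ...L7a"
# Pass the token on stdin: a -p argument is visible in the process list and
# ends up in shell history.
printf '%s' "$acr_refresh_token" | docker login -u "$acr_username" --password-stdin "$registry"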
```
The null GUID tells the container registry that this is an ACR refresh token during the login flow. Once the authentication succeeds you can talk to the Azure Container Registry with commands like `docker pull` and `docker push`. For example:
```bash
docker pull contosoregistry.azurecr.io/contoso-marketing
```
Notice that the ACR refresh token will be saved by the docker CLI in its credential store, and will be used by the docker CLI to obtain an ACR access token on each operation it performs against the Azure Container Registry. The ACR refresh token is made so it stops working after a period of time, but if you obtained it using either `grant_type=access_token_refresh_token` or `grant_type=refresh_token` then it can be refreshed automatically by installing the [ACR docker credential helper](https://github.com/azure/acr-docker-credential-helper).
## Calling `POST /oauth2/token` to get an ACR access token
In this example, we'll try to obtain an ACR access token from existing ACR refresh token, and this access token will only work for the operation we're trying to perform, which is a call to the `GET /v2/_catalog` API. Assume you have the following:
1. A valid container registry, which here we'll call `contosoregistry.azurecr.io`.
2. A valid ACR refresh token.
The first thing you want is to obtain an authentication challenge for the operation you want to perform on the Azure Container Registry. That can be done by targeting the API you want to call without any authentication. Here's how to do that via `curl`:
```bash
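registry="contosoregistry.azurecr.io"
# Unauthenticated request: the 401 response carries the Www-Authenticate
# challenge. The URL is quoted so it reaches curl as one argument.
curl -v "https://$registry/v2/_catalog"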
```
Note that `curl` by default does the request as a `GET` unless you specify a different verb with the `-X` modifier.
This will output the following payload, with `...` used to shorten it for illustrative purposes:
```html
< HTTP/1.1 401 Unauthorized
...
< Www-Authenticate: Bearer realm="https://contosoregistry.azurecr.io/oauth2/token",service="contosoregistry.azurecr.io",scope="registry:catalog:*"
...
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Name":"catalog","Action":"*"}]}]}
```
Notice the response payload has a header called `Www-Authenticate` that gives us the following information:
- The type of challenge: `Bearer`.
- The realm of the challenge: `https://contosoregistry.azurecr.io/oauth2/token`.
- The service of the challenge: `contosoregistry.azurecr.io`.
- The scope of the challenge: `registry:catalog:*`.
The body of the payload might provide additional details, but all the information you need is contained in the `Www-Authenticate` header.
With this information we're now ready to call `POST /oauth2/token` to obtain an ACR access token that will allow us to use the `GET /v2/_catalog` API. Here's how such a call looks when done via `curl`:
```bash
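registry="contosoregistry.azurecr.io"
# The ACR refresh token is a bearer credential; do not paste a real value into
# shared scripts or logs.
acr_refresh_token="eyJ...L7a"
# Scope taken from the Www-Authenticate challenge for GET /v2/_catalog.
scope="registry:catalog:*"
# Trade the refresh token for an access token limited to $scope. The URL is
# quoted so the expanded value is passed to curl as a single argument.
curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded" -d \
  "grant_type=refresh_token&service=$registry&scope=$scope&refresh_token=$acr_refresh_token" \
  "https://$registry/oauth2/token"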
```
The body of the POST message is a querystring-like text that specifies the following values:
- `grant_type` which is expected to be `refresh_token`.
- `service`, which must indicate the name of your Azure container registry. You obtained this from the `Www-Authenticate` response header from the challenge.
- `scope`, which is expected to be a valid [scope](https://docs.docker.com/registry/spec/auth/scope/), and can be specified more than once for multiple scope requests. You obtained this from the `Www-Authenticate` response header from the challenge.
- `refresh_token`, which must be a valid ACR refresh token, as obtained by calling `POST /oauth2/exchange`.
The outcome of this operation will be a response with status 200 OK and a body with the following JSON payload:
```json
{"access_token":"eyJ...xcg"}
```
This response is the ACR access token which you can inspect with [jwt.ms](https://jwt.ms/). You can now use it to call APIs exposed by the Azure Container Registry.
## Calling `POST /oauth2/token` to get an ACR access token for Helm repository
In this example, we'll try to obtain an ACR access token from existing ACR refresh token to access Helm repository, and this access token will only work for the operation we're trying to perform, which is a call to the `GET /helm/v1/repo/index.yaml` API. Assume you have the following:
1. A valid container registry, which here we'll call `contosoregistry.azurecr.io`.
2. A valid ACR refresh token.
The first thing you want is to obtain an authentication challenge for the operation you want to perform on the Azure Container Registry. That can be done by targeting the API you want to call without any authentication. Here's how to do that via `curl`:
```bash
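registry="contosoregistry.azurecr.io"
# Unauthenticated request: the 401 response carries the Www-Authenticate
# challenge for the Helm index. The URL is quoted so it reaches curl as one
# argument.
curl -v "https://$registry/helm/v1/repo/index.yaml"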
```
Note that `curl` by default does the request as a `GET` unless you specify a different verb with the `-X` modifier.
This will output the following payload, with `...` used to shorten it for illustrative purposes:
```bash
< HTTP/1.1 401 Unauthorized
...
< Www-Authenticate: Bearer realm="https://contosoregistry.azurecr.io/oauth2/token",service="contosoregistry.azurecr.io",scope="artifact-repository:repo:pull"
...
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"artifact-repository","Name":"repo","Action":"pull"}]}]}
```
Notice the response payload has a header called `Www-Authenticate` that gives us the following information:
- The type of challenge: `Bearer`.
- The realm of the challenge: `https://contosoregistry.azurecr.io/oauth2/token`.
- The service of the challenge: `contosoregistry.azurecr.io`.
- The scope of the challenge: `artifact-repository:repo:pull`.
The body of the payload might provide additional details, but all the information you need is contained in the `Www-Authenticate` header.
With this information we're now ready to call `POST /oauth2/token` to obtain an ACR access token that will allow us to use the `GET /helm/v1/repo/index.yaml` API. Here's how such a call looks when done via `curl`:
```bash
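registry="contosoregistry.azurecr.io"
# The ACR refresh token is a bearer credential; do not paste a real value into
# shared scripts or logs.
acr_refresh_token="eyJ...L7a"
# Scope taken from the Www-Authenticate challenge for the Helm index.
scope="artifact-repository:repo:pull"
# Trade the refresh token for an access token limited to $scope. The URL is
# quoted so the expanded value is passed to curl as a single argument.
curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded" -d \
  "grant_type=refresh_token&service=$registry&scope=$scope&refresh_token=$acr_refresh_token" \
  "https://$registry/oauth2/token"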
```
The body of the POST message is a querystring-like text that specifies the following values:
- `grant_type` which is expected to be `refresh_token`.
- `service`, which must indicate the name of your Azure container registry. You obtained this from the `Www-Authenticate` response header from the challenge.
- `scope`, which is expected to be `artifact-repository:repo:pull` for read operations and `artifact-repository:repo:*` for write operations, and can be specified more than once for multiple scope requests. You obtained this from the `Www-Authenticate` response header from the challenge.
- `refresh_token`, which must be a valid ACR refresh token, as obtained by calling `POST /oauth2/exchange`.
The outcome of this operation will be a response with status 200 OK and a body with the following JSON payload:
```json
{"access_token":"eyJ...xcg"}
```
This response is the ACR access token which you can inspect with [jwt.ms](https://jwt.ms/). You can now use it to call APIs exposed by the Azure Container Registry. For a full script, refer to [Fetch helm index.yaml with Admin Keys or SP with Basic Auth](#fetch-helm-indexyaml-with-admin-keys-or-sp-with-basic-auth).
## Calling an Azure Container Registry API
In this example we'll call catalog listing and tag listing APIs on an Azure Container Registry.
### Catalog Listing
Assume you have the following:
1. A valid container registry, which here we'll call `contosoregistry.azurecr.io`.
2. A valid ACR access token, created with the correct scope for the API we're going to call.
Here's how a call to the `GET /v2/_catalog` API of the given registry would look like when done via `curl`:
```bash
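registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
# List the repositories using the access token as bearer credential. The URL is
# quoted so it reaches curl as one argument.
# NOTE(review): -v may echo the request headers, Authorization included, to
# stderr; confirm before capturing this output in logs.
curl -v -H "Authorization: Bearer $acr_access_token" "https://$registry/v2/_catalog"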
```
Note that `curl` by default does the request as a `GET` unless you specify a different verb with the `-X` modifier.
This should result in a status 200 OK, and a body with a JSON payload listing the repositories held in this registry:
```json
{"repositories":["alpine","contoso-marketing","hello-world","node"]}
```
#### Pagination
To retrieve paginated catalog results, add an `n` parameter to limit the number of results. We take `n=2` as example:
```bash
# Page size: at most this many repositories are returned per request.
limit=2
registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
# Request the first page of the catalog with the access token as bearer credential.
curl --verbose \
  --header "Authorization: Bearer $acr_access_token" \
  "https://$registry/v2/_catalog?n=$limit"
```
This should result in a status 200 OK, and a body with a JSON payload listing the first `n` repositories held in this registry. If there are more results, a `Link` header containing the request URL for the next result block is also returned. If the entire result set has been received, the `Link` header will not be returned.
In this case, the first 2 repositories are returned, and there are more entries in the result set. The response would look like:
```http
< HTTP/1.1 200 OK
...
Content-Type: application/json
Link: </v2/_catalog?last=contoso-marketing&n=2&orderby=>; rel="next"
{"repositories": ["alpine","contoso-marketing"]}
```
To get the next result block, issue the request using the `/v2/_catalog?last=contoso-marketing&n=2&orderby=` URL encoded in the `Link` header. Here is how the call would look like:
```bash
curl -v -H "Authorization: Bearer $acr_access_token" "https://$registry/v2/_catalog?last=contoso-marketing&n=2&orderby="
```
You can query the paginated results in a loop, as the following shows:
```bash
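registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
limit=2
# Path and query of the next request; quoted so the `?` is never treated as a glob.
operation="/v2/_catalog?n=$limit"
# Response headers of each page are written here so the Link header can be read back.
headers=$(mktemp -t headers.XXXXX)
while [ -n "$operation" ]
do
  echo "Operation"
  echo "$operation"
  catalog=$(curl -H "Authorization: Bearer $acr_access_token" "https://$registry$operation" -D "$headers")
  echo "Catalog"
  echo "$catalog"
  # Next page path from the Link header; empty when the header is absent, which
  # ends the loop. The header name is matched case-insensitively because HTTP/2
  # responses carry lower-case header names.
  operation=$(grep -i '^link:' "$headers" | sed -n 's/^[^<]*<\(.*\)>.*/\1/p')
done
rm -f -- "$headers"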
```
For more information, visit [Docker V2 API Reference - Listing Repositories](https://docs.docker.com/registry/spec/api/#listing-repositories).
### Tag Listing
Assume you have the following:
1. A valid container registry, which here we'll call `contosoregistry.azurecr.io`.
2. A valid ACR access token, created with the correct scope for the API we're going to call.
3. A valid image in the registry, for example `hello-world`.
Here's how a call to the `GET /v2/<name>/tags/list` API of the given image would look like when done via `curl`:
```bash
# Repository whose tags are listed.
image="hello-world"
registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
# Request the tag list with the access token as bearer credential.
curl --verbose \
  --header "Authorization: Bearer $acr_access_token" \
  "https://$registry/v2/$image/tags/list"
```
Note that `curl` by default does the request as a `GET` unless you specify a different verb with the `-X` modifier.
This should result in a status 200 OK, and a body with a JSON payload listing the tags of this image:
```json
{"name": "hello-world","tags": ["latest","v1","v2","v3"]}
```
#### Pagination
To retrieve paginated tag results, add an `n` parameter to limit the number of results. We take `n=2` as example:
```bash
# Repository whose tags are listed, and the page size for each request.
image="hello-world"
limit=2
registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
# Request the first page of tags with the access token as bearer credential.
curl --verbose \
  --header "Authorization: Bearer $acr_access_token" \
  "https://$registry/v2/$image/tags/list?n=$limit"
```
This should result in a status 200 OK, and a body with a JSON payload listing the first `n` tags of this image. If there are more results, a `Link` header containing the request URL for the next result block is also returned. If the entire result set has been received, the `Link` header will not be returned.
In this case, the first 2 tags are returned, and there are more entries in the result set. The response would look like:
```http
< HTTP/1.1 200 OK
...
Content-Type: application/json
Link: </v2/hello-world/tags/list?last=v1&n=2&orderby=>; rel="next"
{"name":"hello-world","tags":["latest","v1"]}
```
To get the next result block, issue the request using the `/v2/hello-world/tags/list?last=v1&n=2&orderby=` URL encoded in the `Link` header. Here is how the call would look like:
```bash
curl -v -H "Authorization: Bearer $acr_access_token" "https://$registry/v2/$image/tags/list?last=v1&n=2&orderby="
```
You can query the paginated results in a loop, as the following shows:
```bash
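registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
image="hello-world"
limit=2
# Path and query of the next request; quoted so the `?` is never treated as a glob.
operation="/v2/$image/tags/list?n=$limit"
# Response headers of each page are written here so the Link header can be read back.
headers=$(mktemp -t headers.XXXXX)
while [ -n "$operation" ]
do
  echo "Operation"
  echo "$operation"
  tags=$(curl -H "Authorization: Bearer $acr_access_token" "https://$registry$operation" -D "$headers")
  echo "Tags"
  echo "$tags"
  # Next page path from the Link header; empty when the header is absent, which
  # ends the loop. The header name is matched case-insensitively because HTTP/2
  # responses carry lower-case header names.
  operation=$(grep -i '^link:' "$headers" | sed -n 's/^[^<]*<\(.*\)>.*/\1/p')
done
rm -f -- "$headers"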
```
For more information, visit [Docker V2 API Reference - Listing Image Tags](https://docs.docker.com/registry/spec/api/#listing-image-tags).
## Samples API Call scripts
This is a summary script of the points discussed above. The first three variables have to be filled out.
- Variable `registry` can be something like `"contosoregistry.azurecr.io"`.
- The AAD access token and AAD refresh token values can be obtained from the Azure CLI, after running `az login` check file `$HOME/.azure/accessTokens.json` (`%HOMEDRIVE%%HOMEPATH%\.azure\accessTokens.json` in Windows) for the token values.
Note that stale AAD tokens will result in this script failing to obtain an ACR refresh token, and therefore it won't succeed in obtaining an ACR access token or in executing the operation against the registry.
### Catalog Listing with AAD refresh token
```bash
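#!/bin/bash
# Lists the registry catalog: AAD tokens -> ACR refresh token -> ACR access
# token -> GET /v2/_catalog.
registry=" --- you have to fill this out --- "
aad_refresh_token=" --- you have to fill this out --- "
aad_access_token=" --- you have to fill this out --- "
operation="/v2/_catalog"

# Exchange the AAD tokens for an ACR refresh token. jq -r prints the raw string,
# so no quote stripping is needed.
acr_refresh_token=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=access_token_refresh_token&service=$registry&refresh_token=$aad_refresh_token&access_token=$aad_access_token" \
  "https://$registry/oauth2/exchange" | jq -r '.refresh_token')
# jq prints "null" when the response has no refresh_token, e.g. with stale AAD tokens.
if [ -z "$acr_refresh_token" ] || [ "$acr_refresh_token" = "null" ]; then
  echo "Failed to obtain an ACR refresh token" >&2
  exit 1
fi
# Tokens are bearer credentials: report success instead of printing the value.
echo "ACR Refresh Token obtained."

# Unauthenticated request to read the bearer challenge. The header name is
# matched case-insensitively because HTTP/2 responses carry lower-case names.
challenge=$(curl -vs "https://$registry$operation" 2>&1 | grep -i "www-authenticate:")
echo "Challenge"
echo "$challenge"

# Pull the scope="..." value out of the challenge.
scope=$(printf '%s\n' "$challenge" | sed -n 's/.*scope="\([^"]*\)".*/\1/p')
echo "Scope"
echo "$scope"

# Trade the ACR refresh token for an access token limited to $scope.
acr_access_token=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&service=$registry&scope=$scope&refresh_token=$acr_refresh_token" \
  "https://$registry/oauth2/token" | jq -r '.access_token')
if [ -z "$acr_access_token" ] || [ "$acr_access_token" = "null" ]; then
  echo "Failed to obtain an ACR access token" >&2
  exit 1
fi
echo "ACR Access Token obtained."

catalog=$(curl -s -H "Authorization: Bearer $acr_access_token" "https://$registry$operation")
echo "Catalog"
echo "$catalog"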
```
### Catalog listing using SP/Admin with Basic Auth
Here's an equivalent set of scripts that will allow you to execute an operation against an Azure Container Registry, but this time using only the admin credentials, and not AAD.
If you'd like to use basic auth, you can do a direct call to the registry like this:
```bash
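#!/bin/bash
# Lists the registry catalog with HTTP Basic authentication.
registry=" --- you have to fill this out --- "
user=" --- you have to fill this out --- "
password=" --- you have to fill this out --- "
operation="/v2/_catalog"

# Basic credentials are only base64-encoded, not encrypted, so handle the value
# like the password itself. printf avoids echo's option parsing, and tr removes
# line wraps without relying on the GNU-only `base64 -w 0`.
credentials=$(printf '%s' "$user:$password" | base64 | tr -d '\n')
# The URL is quoted so the expanded value is passed to curl as a single argument.
catalog=$(curl -s -H "Authorization: Basic $credentials" "https://$registry$operation")
echo "Catalog"
echo "$catalog"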
```
### Catalog listing using Admin Keys with Bearer Auth
If you'd like to use bearer auth, you have to first convert your admin credentials to an ACR access token like this:
```bash
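#!/bin/bash
# Lists the registry catalog: admin credentials -> ACR access token (Basic auth
# against /oauth2/token) -> GET /v2/_catalog with bearer auth.
registry=" --- you have to fill this out --- "
user=" --- you have to fill this out --- "
password=" --- you have to fill this out --- "
operation="/v2/_catalog"

# Unauthenticated request to read the bearer challenge. The header name is
# matched case-insensitively because HTTP/2 responses carry lower-case names.
challenge=$(curl -vs "https://$registry$operation" 2>&1 | grep -i "www-authenticate:")
echo "Challenge"
echo "$challenge"

# Pull the scope="..." value out of the challenge.
scope=$(printf '%s\n' "$challenge" | sed -n 's/.*scope="\([^"]*\)".*/\1/p')
echo "Scope"
echo "$scope"

# Basic credentials are only base64-encoded, not encrypted, so handle the value
# like the password itself. tr removes line wraps without relying on the
# GNU-only `base64 -w 0`.
credentials=$(printf '%s' "$user:$password" | base64 | tr -d '\n')
# jq -r prints the raw token string, so no quote stripping is needed.
acr_access_token=$(curl -s -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic $credentials" \
  "https://$registry/oauth2/token?service=$registry&scope=$scope" | jq -r '.access_token')
# jq prints "null" when the response has no access_token.
if [ -z "$acr_access_token" ] || [ "$acr_access_token" = "null" ]; then
  echo "Failed to obtain an ACR access token" >&2
  exit 1
fi
# Tokens are bearer credentials: report success instead of printing the value.
echo "ACR Access Token obtained."

catalog=$(curl -s -H "Authorization: Bearer $acr_access_token" "https://$registry$operation")
echo "Catalog"
echo "$catalog"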
```
### Docker login with ACR Access Token - Single repository scope
The following script uses an AAD token to request an `ACR access token` which can be used as a docker login credential.
```bash
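#!/bin/sh
# Logs docker in with an ACR access token scoped to a single repository, then
# pulls from that repository.
set -e
REGISTRY=" --- you have to fill this out --- "
REPOSITORY=" --- you have to fill this out --- "

AAD_ACCESS_TOKEN=$(az account get-access-token --query accessToken -o tsv)

# Exchange the AAD access token for an ACR refresh token. jq -r prints the raw
# string, so no quote stripping is needed.
ACR_REFRESH_TOKEN=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=access_token&service=$REGISTRY&access_token=$AAD_ACCESS_TOKEN" \
  "https://$REGISTRY/oauth2/exchange" \
  | jq -r '.refresh_token')
# jq prints "null" when the response has no refresh_token.
if [ -z "$ACR_REFRESH_TOKEN" ] || [ "$ACR_REFRESH_TOKEN" = "null" ]; then
  echo "Failed to obtain an ACR refresh token" >&2
  exit 1
fi
echo "ACR Refresh Token obtained."

# Repository-level scope: pull access to a single repository.
SCOPE="repository:$REPOSITORY:pull"
# The scope parameter can be repeated in the request body to ask for more than
# one scope, for example:
#&scope="repository:repo:pull,push"

ACR_ACCESS_TOKEN=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&service=$REGISTRY&scope=$SCOPE&refresh_token=$ACR_REFRESH_TOKEN" \
  "https://$REGISTRY/oauth2/token" \
  | jq -r '.access_token')
if [ -z "$ACR_ACCESS_TOKEN" ] || [ "$ACR_ACCESS_TOKEN" = "null" ]; then
  echo "Failed to obtain an ACR access token" >&2
  exit 1
fi
echo "ACR Access Token obtained."

# Docker login using the ACR access token. The token goes in on stdin because a
# -p argument is visible in the process list and ends up in shell history.
echo "docker login into $REGISTRY"
printf '%s' "$ACR_ACCESS_TOKEN" | docker login -u 00000000-0000-0000-0000-000000000000 --password-stdin "$REGISTRY"
docker pull "$REGISTRY/$REPOSITORY"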
```
### Fetch helm index.yaml with Admin Keys or SP with Basic Auth
```bash
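#!/bin/bash
# Fetches the Helm repository index: admin/SP credentials -> ACR access token ->
# GET /helm/v1/repo/index.yaml -> follow the returned Location.
registry=" --- you have to fill this out --- "
user=" --- you have to fill this out --- "
password=" --- you have to fill this out --- "
operation="/helm/v1/repo/index.yaml"

# Unauthenticated request to read the bearer challenge. The header name is
# matched case-insensitively because HTTP/2 responses carry lower-case names.
challenge=$(curl -vs "https://$registry$operation" 2>&1 | grep -i "www-authenticate:")
echo "Challenge"
echo "$challenge"

# Pull the scope="..." value out of the challenge.
scope=$(printf '%s\n' "$challenge" | sed -n 's/.*scope="\([^"]*\)".*/\1/p')
echo "Scope"
echo "$scope"

# Basic credentials are only base64-encoded, not encrypted, so handle the value
# like the password itself. tr removes line wraps without relying on the
# GNU-only `base64 -w 0`.
credentials=$(printf '%s' "$user:$password" | base64 | tr -d '\n')
# jq -r prints the raw token string, so no quote stripping is needed.
acr_access_token=$(curl -s -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic $credentials" \
  "https://$registry/oauth2/token?service=$registry&scope=$scope" | jq -r '.access_token')
# jq prints "null" when the response has no access_token.
if [ -z "$acr_access_token" ] || [ "$acr_access_token" = "null" ]; then
  echo "Failed to obtain an ACR access token" >&2
  exit 1
fi
# Tokens are bearer credentials: report success instead of printing the value.
echo "ACR Access Token obtained."

# Retrieve the Location header and strip the trailing \r for curl. Only lines
# that start with the header name are considered.
URL=$(curl -sD - -H "Authorization: Bearer $acr_access_token" "https://$registry$operation" | grep -i '^location:' | awk '{print $2}' | tr -d '\r')
if [ -z "$URL" ]; then
  echo "No Location header returned" >&2
  exit 1
fi
echo "Location=$URL"
echo index.yaml
echo ----------
# The Location target is fetched without the Authorization header.
curl "$URL"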
```
================================================
FILE: docs/FAQ.md
================================================
# Azure Container Registry - Frequently Asked Questions
This article has moved to [Microsoft Docs](https://docs.microsoft.com/azure/container-registry/container-registry-faq).
================================================
FILE: docs/README.md
================================================
---
title: Overview
type: post
---
## Overview
This repo contains [issues](https://github.com/Azure/acr/issues), [samples](./docs), [troubleshooting tips](./docs/Troubleshooting%20Guide.md), and a collection of links for Azure Container Registry.
## Blog posts
* [Choosing a Docker Container Registry](https://stevelasker.blog/2018/11/14/choosing-a-docker-container-registry/)
* [Key Differences between VM and Container Vulnerability Scanning](https://stevelasker.blog/2018/06/27/key-differences-between-vm-and-container-vulnerability-scanning/)
* [Working with Geo-replication notifications](https://stevelasker.blog/2018/01/29/working-with-acr-geo-replication-notifications/)
* [User Accounts](https://stevelasker.blog/2016/11/17/azure-container-registry-user-accounts/)
* [Docker Tagging Best Practices](https://stevelasker.blog/2018/03/01/docker-tagging-best-practices-for-tagging-and-versioning-docker-images/)
* [Deploying Docker Images to Azure Container Instances](https://stevelasker.blog/2017/07/28/deploying-docker-images-from-the-azure-container-registry-to-azure-container-instances/)
## Links
See [ACR Links](../README.md/#links)
================================================
FILE: docs/Token-BasicAuth.md
================================================
---
type: post
title: "Token with Basic Auth"
---
# Azure Container Registry's support of getting Bearer token using Basic Authentication
The Azure Container Registry supports both Basic Authentication and OAuth2 for getting a registry Bearer token. This document describes how to get a Bearer token using Basic Authentication. To get the token using OAuth2, please refer to the [AAD-OAuth doc](https://github.com/Azure/acr/blob/master/docs/AAD-OAuth.md).
## Using the token API
ACR implements the GET method on the token endpoint so that users can retrieve a Bearer token using Basic Authentication:
GET /oauth2/token
### Get the scope of the token to be requested
The first step is to obtain an authentication challenge for the operation you want to perform on the Azure Container Registry. You can do that by calling the target API without any authentication. Here's how to do that via `curl`:
```bash
export registry="contosoregistry.azurecr.io"
curl -v https://$registry/v2/hello-world/manifests/latest
```
Note that `curl` by default does the request as a `GET` unless you specify a different verb with the `-X` modifier.
This will output the following payload, with `...` used to shorten it for illustrative purposes:
```bash
< HTTP/1.1 401 Unauthorized
...
< Www-Authenticate: Bearer realm="https://contosoregistry.azurecr.io/oauth2/token",service="contosoregistry.azurecr.io",scope="repository:hello-world:pull"
...
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"hello-world","Action":"pull"}]}]}
```
Notice the response payload has a header called `Www-Authenticate` that gives us the following information:
- The type of challenge: `Bearer`.
- The realm of the challenge: `https://contosoregistry.azurecr.io/oauth2/token`.
- The service of the challenge: `contosoregistry.azurecr.io`.
- The scope of the challenge: `repository:hello-world:pull`.
The body of the payload might provide additional details, but all the information you need is contained in the `Www-Authenticate` header.
With this information we're now ready to call `GET /oauth2/token` to obtain an ACR access token that will allow us to use the `GET /v2/hello-world/manifests/latest` API.
### Encode the username and password
- You can use Windows Powershell or `base64` command line utility in Linux/Mac
- Encode using the following format: **[username]**:**[password]**
- Powershell:
- `[convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('[username]:[password]'))`
- Linux/Mac Terminal:
- `echo -n '[username]:[password]' | base64`
- Copy the encoded value and set it as an environment variable. Base64 is an encoding, not encryption, so treat this value as you would the password itself.
```bash
export acr_credential="xxxxxxx"
```
### Get a Pull access token for the user
**REST format:** `https://`**[login-url]**`/oauth2/token?service=`**[login-url]**`&scope=repository:`**[image]**`:pull,push`
Set the `Authorization` header to the word `Basic`, followed by a space and the Base64-encoded usr:pwd value:
|Header | Value |
|-------|-------|
| Authorization | Basic [base64 encoded usr:pwd] |
| Host | [login-url] |
Here's how such a call looks when done via `curl`:
```bash
export registry="contosoregistry.azurecr.io"
export scope="repository:hello-world:pull"
curl -v -H "Authorization: Basic $acr_credential" \
"https://$registry/oauth2/token?service=$registry&scope=$scope"
```
The outcome of this operation will be a response with status 200 OK and a body with the following JSON payload:
```json
{"access_token":"eyJ...xcg"}
```
This response is the ACR access token which you can inspect with [jwt.ms](https://jwt.ms/). You can now use it to call APIs exposed by the Azure Container Registry.
### Calling an Azure Container Registry API
In this example we'll call the `GET /v2/{repository}/manifests/{tag}` API on an Azure Container Registry. Assume you have the following:
1. A valid container registry, which here we'll call `contosoregistry.azurecr.io`.
2. A valid ACR access token, created with the correct scope for the API we're going to call.
Here's what a call to the `GET /v2/hello-world/manifests/latest` API of the given registry looks like when done via `curl`:
```bash
export registry="contosoregistry.azurecr.io"
export acr_access_token="eyJ...xcg"
curl -v -H "Authorization: Bearer $acr_access_token" -H "Accept:application/vnd.oci.image.manifest.v1+json" https://$registry/v2/hello-world/manifests/latest
```
This should result in a status 200 OK.
================================================
FILE: docs/Troubleshooting Guide.md
================================================
# Azure Container Registry - Troubleshooting guide
## I get an error while creating a registry - "Unregistered Subscription specified"
<a name="registersub"></a>
You need to register the subscription using
Powershell:
```
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.ContainerRegistry
```
Az CLI:
```
az provider register -n Microsoft.ContainerRegistry
```
## I'm able to create registry in one region but not in another region
As we add more regions, the service in each new region needs to know about your subscription. Please register your subscription again so that the ACR service in newer regions knows about your subscription.
See [here](#registersub)
## Azure CLI - I get this error - No resource with type Microsoft.ContainerRegistry/registries can be found with name
<a name="setcorrectsub"></a>
Please run this command and check if you have set the right subscription
```
az account show
```
Please run this command to set the correct subscription
```
az account set --subscription <correct-subscription>
```
## Azure CLI - Not able to use az cli to query/view my registries
See [this](#registersub) and [this](#setcorrectsub)
## Image exists in my ACR but, docker pull returns "image not found"
Please make sure you log in before you pull or push repositories
```
docker login <yourregistry>.azurecr.io
```
## Configuring a custom domain for azure container registry
Azure container registries have a typical login url of the format `*.azurecr.io`. A customer might like to use a custom domain for the registry. Follow [this guide](custom-domain/README.md) to achieve that.
## Moving repositories to a new registry
To move your repositories to a newly created registry, follow [this guide](move-repositories-to-new-registry/README.md).
## Failed to add a virtual network from a different Azure subscription
If you want to restrict registry access using a virtual network in a different Azure subscription, you will see the following error if the subscription hasn't registered the `Microsoft.ContainerRegistry` resource provider:
```
Failed to save firewall and virtual network settings for container registry 'MyRegistry'. Error: Could not validate network rule - The client '00000000-0000-0000-0000-000000000000' with object id '00000000-0000-0000-0000-000000000000' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/taggedTrafficConsumers/validate/action' over scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG/providers/Microsoft.Network/virtualNetworks/MyRegistry/taggedTrafficConsumers/Microsoft.ContainerRegistry' or the scope is invalid. If access was recently granted, please refresh your credentials.
```
You need to register the resource provider for Azure Container Registry in that subscription. For example:
Azure CLI
```
az account set --subscription <Name or ID of subscription of virtual network>
az provider register --namespace Microsoft.ContainerRegistry
```
## Check role assignments on a registry
```
az role assignment list --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<registryName>
```
See [here](https://docs.microsoft.com/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-list) for reference
================================================
FILE: docs/acr-roadmap.md
================================================
# Azure Container Registry Roadmap
Visit [ACR Public Roadmap](https://github.com/orgs/Azure/projects/259) to see what we are building next. Please note, that we do not communicate specific dates for delivery. We also do not commit to delivery items outside of our rolling 6-12 month window.
## Helping with Prioritization
Have a request, or wish we were doing something? Please provide your feedback and ranking through [UserVoice][uservoice] to help us understand your needs and priorities.
[uservoice]: https://aka.ms/acr/uservoice
================================================
FILE: docs/aks-acr-across-tenants.md
================================================
# Set up AKS to pull from ACR in a different AD tenant
## Introduction
There are several ways to set up the auth credential in Kubernetes to pull image from ACR. For example, you can use [admin user or repository scoped access token](https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal) to configure pod [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
While `imagePullSecrets` is commonly used, it brings the challenge and overhead of managing the corresponding secret. On Azure, you can set up an [AKS cluster with a service principal credential](https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal), which allows you to securely pull images from ACR without an additional `imagePullSecrets` setting on each pod.
Sometimes, you may have your AKS and ACR in different Azure Active Directories (Tenants). This document will walk you through the steps to enable cross-tenant authentication using a service principal credential.
## Instruction
In this example, the AKS cluster is in `Tenant A` and the ACR is in `Tenant B`.
`Tenant A` is also the service principal home tenant.
You will need the contributor role on the AKS subscription and the owner role on the ACR subscription.
### Step 1: Enable multi-tenant AAD Application
- Log in to the [Azure portal](https://portal.azure.com/) in `Tenant A` and go to the Azure Active Directory `App registrations` blade to find the service principal application object.
- Remember the `Application (client) ID` (it will be used in `step 2` and `step 4`)

- Choose multitenant account type as the following screenshot and also remember the `redirect url` (it will be used in step 2).

- Create a client secret if one does not exist (It is __IMPORTANT__ to make sure you use this client secret to update AKS in `step 4`).

### Step 2: Provision the service principal in ACR Tenant
- Open the following link with the Tenant B admin account and accept the permission request.
```
https://login.microsoftonline.com/<ACR Tenant ID (Tenant B)>/oauth2/authorize?client_id=<Application (client) ID>&response_type=code&redirect_uri=<redirect url>
```

### Step 3: Grant service principal ACR image pull permission
- Assign AcrPull role to the service principal

### Step 4: Update AKS with the AAD Application secret
- Use the `Application (client) ID` and `client secret` collected in `step 1` to [update AKS service principal credential](https://docs.microsoft.com/en-us/azure/aks/update-credentials#update-aks-cluster-with-new-service-principal-credentials).
## Reference
- [Application and service principal objects in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals)
================================================
FILE: docs/artifact-media-types.json
================================================
{
"application/vnd.docker.distribution.manifest.v2+json": "Docker images",
"application/vnd.cncf.helm.chart.config.v1+json": "Helm charts",
"application/vnd.oci.image.config.v1+json": "OCI images",
"application/vnd.cncf.openpolicyagent.config.v1+json": "Open Policy Agent bundles",
"application/vnd.sylabs.sif.config.v1+json": "Singularity images"
}
================================================
FILE: docs/blog/abac-repo-permissions.md
================================================
---
title: Introducing Azure Container Registry Repository Permissions through Attribute-Based Access Control (Private Preview)
description: Learn about the new Repository Permissions feature for Azure Container Registry during the private preview. The feature ensures secure and efficient repository permissions management for Azure Container Registry.
ms.topic: whats-new #Don't change.
ms.date: 08/12/2024
ms.author: johsh
author: johnsonshi
ms.service: container-registry
---
# What's New: Manage Repository Permissions for Azure Container Registry through Attribute-Based Access Control (ABAC)
> [!NOTE]
> The Repository Permissions feature for Azure Container Registry is currently in private preview. For details on enrolling in the Private Preview and to ensure a smooth experience, please follow the provided instructions.
If you're looking to stay updated with the latest enhancements in Azure Container Registry (ACR), particularly in managing repository permissions, this article is for you. We are excited to announce the private preview of managing repository permissions in ACR in Azure role assignments, a feature that transforms how you manage access to your repositories.
Azure Attribute-Based Access Control (ABAC) allows for more granular repository-level permissions during Azure role assignments with Entra identities. During Azure Entra role assignments, role permissions can be scoped to specific repositories within a registry rather than granting permissions to the entire registry. This feature improves the security footprint by ensuring permissions are precisely assigned according to your needs.
Understanding the new ACR ABAC Repository Permissions will help you optimize your workflow and enhance your security measures. So, let's dive in and explore what's new!
## Azure Attribute-Based Access Control (ABAC) capabilities
Azure Attribute-Based Access Control (ABAC) builds on top of Azure RBAC by allowing repository conditions during Azure Entra role assignments for ACR.
- **Condition-based Role Assignments**: Azure ABAC lets you [specify repository conditions for Azure Entra role assignments](https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-overview), scoping role permissions to specific repositories based on repository name conditions.
- **Repository Name Conditions**: You can grant access to repositories matching certain prefixes or exact names, tailoring permissions to your organizational needs.
- **Compatibility with Roles**: ABAC conditions work with both [built-in ACR roles](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles) and custom role assignments, providing flexibility in repository permission management during Azure Entra role assignments.
- **Identity Support**: ABAC Repository Permissions support various Microsoft Entra ID identities, including users, groups, service principals, and managed identities, ensuring comprehensive access control for all role assignment scenarios.
- **SKU Support**: All ACR SKUs support ABAC, making it available across different service levels.
This feature is a significant step towards more secure and precise access management within Azure Container Registry.
## Related content
For private preview onboarding and documentation, please visit [Attribute-Based Access Control for Azure Container Registry Repository Permissions (Private Preview)](../preview/abac-repo-permissions/README.md).
================================================
FILE: docs/blog/connected-registry.md
================================================
---
title: Connected Registry Private Preview
description: Private preview for ACR connected registry feature.
ms.topic: post
ms.date: 01/05/2021
ms.author: memladen
author: toddysm
ms.custom:
---
## Private Preview - ACR Connected Registry Feature
We are announcing the private preview of the Azure Container Registry (ACR) connected registry feature.
The connected registry feature of ACR allows you to deploy a registry on your premises and synchronize images between the ACR and your premises. It brings the container images and OCI artifacts closer to your container workloads on premises and increases their acquisition performance.
ACR connected registry can be used in conjunction with [Azure IoT Edge](https://azure.microsoft.com/services/iot-edge/), [Azure Arc](https://azure.microsoft.com/en-us/services/azure-arc/), [Azure Stack](https://azure.microsoft.com/overview/azure-stack/) as well as other edge container workloads.
Connected registry is currently in limited preview. To request preview access, submit your contact details using this [form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR1OsLxas9SdIhfyFenqqkolUMkFKMTdDSU45SFQzU0o0WUNROVAySkRINy4u).
For private preview documentation, please visit [Connected Registry Private Preview Details](../preview/connected-registry/README.md).
---
Toddy Mladenov
================================================
FILE: docs/blog/teleport.md
================================================
> [!NOTE]
> Please visit [aka.ms/acr/artifact-streaming](https://aka.ms/acr/artifact-streaming).
---
type: post
title: "Overview"
excerpt: "project teleport"
tags: [developers, teleport]
date: 2019-11-01 17:00:00
author: Steve Lasker
---
# Azure Container Registry Adds Teleportation

Instancing a custom environment within seconds is one of the many wonders of running containers. Having to wait for the image and its layers to download & decompress the first time is the _current_ price of admission.
> Project Teleport removes the cost of download and decompression by SMB mounting pre-expanded layers from the Azure Container Registry to Teleport enabled Azure container hosts.
## Teleportation Performance
The following table represents initial performance metrics across different image sizes. The amount of time to teleport an image has less to do with the size of the image, but rather the number of layers that must be mounted. This is an area of performance we’ll continue to focus upon.

> Our opportunistic goal for Project Teleport is 90% of locally cached images. We’re not considering teleportation of organic material, as 90% would not be _quite_ good enough. Being able to pull any custom image, to any serverless host, at 90% of the startup time, seems pretty good. Especially considering it’s a 100% unattainable goal of having every custom image on every serverless host.
>
> <cite>Steve Lasker – Program Manager – Azure Container Registries</cite>
## How Project Teleport Optimizes Registry Operations
While Docker didn’t invent containers, they did provide a highly productive end to end experience for building, pushing, discovering, pulling and instancing containers. Container registries are one of the innovations that provide content addressable objects through a collection of layers.

The underlying container flow today involves:
1. pulling an image, which calls a REST endpoint, returning a collection of layer IDs
2. comparing the local cache, determining the delta of layers that must be retrieved
3. requesting secured URLs for each layer ID
4. pulling each layer
5. decompressing each layer
6. instancing the container when all the layers are available
This flow works well for internet protocols where the network is comparatively unreliable and slower than an intra-datacenter network. For a reasonably sized image, it’s faster to serve compressed blobs, decompressing on the client, than waiting for larger payloads to fight with YouTube, Netflix and a million other packets traveling across the wild internet.
When running within a controlled datacenter, the network is reliable and fast, while CPU, disk speed and memory become the bottleneck for pulling complete layers and decompressing them before usage.
When using dedicated hosts, such as VMs provisioned for Kubernetes, pulling the first image is painful, but subsequent image pulls benefit from the pre-cached layers. As clouds move to “serverless” environments, where the hosts are dynamically allocated, each container run is a new environment. Cloud providers pre-cache the most common base layers, but the hit ratio varies across each service and time, as newer versions are continually released. This creates an inconsistent experience, detracting from the value of serverless.
## Highly Factored Registry Protocol
The designers of the [distribution-spec](https://github.com/opencontainers/distribution-spec/) and [image-spec](https://github.com/opencontainers/image-spec) created a highly factored protocol that enables cloud providers to adhere to a public spec, with the flexibility to implement cloud specific storage and authentication solutions. Project Teleport takes advantage of this factoring by adhering to the public API that container developers are accustomed to, while providing cloud specific optimizations.
[](https://stevelaskerblog.files.wordpress.com/2019/10/telportimagepull.png?w=1024)
Project Teleport assumes the image pull runs within an optimized environment. The underlying Teleport flow is slightly, but very impactfully different, involving:
1. pulling an image, which involves a REST endpoint that returns the collection of layer IDs
2. comparing the local cache, determining the delta of layers that must be retrieved
3. **_requesting [Azure Premium File](https://azure.microsoft.com/en-us/blog/announcing-the-general-availability-of-azure-premium-files/) mount points for each layer ID_**
4. **_[SMB](https://en.wikipedia.org/wiki/Server_Message_Block) mounting each layer as pre-expanded content_**
5. instancing the container when all the layers are available
The benefits of Project Teleport include:
* when using the SMB protocol, only the content read by the container is pulled across the network, speeding container start time
* no decompression in the run flow, removing the additional CPU, local disk speed and memory bottlenecks
* overall reduced network traffic, as only the subset of an image that’s utilized is pulled across the network
* the ability to leverage local image cache information as the teleported mounts intermix with the local cache
## Orca, a Teleport Client for Azure
Project Teleport is a registry transport protocol, enabling container layers to be teleported from the registry directly to a container host. Normally, you would issue docker run commands to pull and run an image. However, we need a means to plugin the teleport protocol to the container host. Project Teleport takes advantage of the [containerd snapshot plugin](https://github.com/containerd/containerd#snapshot-plugins). As containerd and the docker client evolve, we’ll simply plugin Project Teleport to a new docker client. Until that time, we provide an orca client, for a subset of docker functionality, focusing on the running of container images. For instance, container building is not yet supported.
| | |
|-----------------|-----------------------|
| |  |
| Orca represents the amazing Orca species of whales, roaming the Seattle Puget Sound.| Our own Brendan Burns also has a sailboat, appropriately named Orca.|
## Previewing Teleportation with ACR Tasks
While our goal is to enable Project Teleport on all Azure Services, today we are previewing Teleport with [ACR Tasks](https://aka.ms/acr/tasks). ACR Tasks provides the ability to build and run container images in a highly optimized and securely isolated environment. The initial Project Teleport preview focuses on running Linux images.
Because ACR Tasks is a focused environment, we can preview teleportation with customer provided images without having to support a large surface area. Based on your feedback and the evolution of containerd, we’ll know when we can expand usage to other Azure services
## Running Containers With the Orca Client, Using the Teleport Transport
The following two commands demonstrate running ACR Tasks with and without Project Teleport.
**ACR Run:**
`az acr run -r demo42 --cmd "demo42.azurecr.io/batchprocessor:1" /dev/null`
The above command executes an [ACR Task](https://aka.ms/acr/task), on the `demo42` registry. The `--cmd` parameter runs the `batchprocessor` image. Like `docker run`, `acr task run` takes a positional argument that represents the context. Since we’re not passing a context, we just pass `/dev/null`
**Teleporting the batchprocessor image:**
`az acr run -r demo42 --cmd "orca run demo42.azurecr.io/batchprocessor:1" /dev/null`
The above command instructs [ACR Tasks](https://aka.ms/acr/task) to use the orca client to run the `batchprocessor` image. Over time, the `--cmd` parameter will directly support Teleport enabled images, removing the need to specify `orca run`.
## Under the Hood of an Image Teleporter
[](https://stevelaskerblog.files.wordpress.com/2019/10/dockerorca.png?w=1024)
Within ACR, we’ve expanded support from compressed blobs, using [Azure Blob Storage](https://azure.microsoft.com/services/storage/blobs/), to [Azure Premium Files](https://azure.microsoft.com/en-us/blog/announcing-the-general-availability-of-azure-premium-files/), storing expanded layers. Each expanded layer is persisted as a [virtual hard disk (.vhd)](https://en.wikipedia.org/wiki/VHD_(file_format)) which are supported by Linux and Windows clients.
To support standard docker clients, or any client capable of pushing a container image, ACR accepts the incoming image and checks to see if the target repository supports teleportation. If the repository is teleport enabled, an **ACR expansion service** creates a decompressed .vhd for each layer. By storing each layer as a .vhd, ACR can continue to maintain de-duping of common layers across multiple images, while maintaining repository based RBAC.
When a request is made to pull an image, the orca client provides header information stating the region and whether it’s teleport enabled. If the registry is in the same region, teleport SMB mount points are returned. If the client is in a different region, compressed blob URLs are returned as a fallback.
> The SMB Teleporter depends on intra-datacenter networks, limiting short range teleportation. To enable a [best practice of having images network-close to the container host](https://stevelasker.blog/2018/11/14/choosing-a-docker-container-registry/), future releases will support multi-region Teleportation through an [ACR Geo-replication](https://aka.ms/acr/geo-replication) translocator.
[](https://stevelaskerblog.files.wordpress.com/2019/10/orcadocker.png?w=1024)
In future releases we plan to enable ACR Task build support, teleporting base images and writing new image layers directly to the registry. As the image build completes, ACR will compress the layers into traditional blobs, enabling standard docker clients.

When paired with [ACR Task buildx caching](https://github.com/Azure/acr/blob/master/docs/Tasks/buildx/README.md), dramatic improvements from code-commit to deploy performance can be realized.
## The Future of Container Teleportation
The future of Project Teleport is broken into the following categories:
* Incorporating user feedback
* Improved mounting performance
* Supporting all Azure services using containers
* Windows containers
* Building images, teleporting the base layers and writing expanded layers directly to the registry
* Geo-replication translocation
Thankfully, the teleport project is split across multiple teams, enabling parallelization.
## Teleporting Images Across All Azure Container Hosts
Project Teleport is designed to support all container hosts, including Linux & Windows, and all Azure services. This includes AKS, ACI, Virtual Kubelet, Machine Learning, ACR Tasks and the golden serverless scenario, Azure Functions.
## Teleporting Serverless Functions
When we think about serverless functions, the ability to instantly run some custom set of code becomes the holy grail. The service must scale from 0 to infinity (_and beyond_), while only charging for the actual usage. The reference to **_instant_** and **_custom code_** is the challenge. Today, serverless platforms utilize containers to host known environments for specific language runtimes. To achieve specific language runtimes, services mount user code into a pre-allocated pool of container instances. Pulling custom images is just too slow. With Project Teleport, we can now expand the environments and the languages you prefer, bringing whatever custom images you desire in near instant time.
## How Can You Teleport Your Containers?
The customer feedback we get with ACR Tasks will help us improve teleportation across all Azure service hosts. We’ve been working on Teleportation since early 2018, so we’re obviously excited to hear what you think, and learn how we need to complete the scenarios. After the first round of a private preview feedback, we’ll open a public preview.
* To Help us test teleportation of your images – [sign up here](https://aka.ms/teleport/signup) for the private preview
* Are you just as excited with container scenarios, building teleporters and other [ACR roadmap capabilities](https://aka.ms/acr/roadmap)? Apply here for [ACR Jobs](https://aka.ms/acr/jobs)
---
Steve Lasker
================================================
FILE: docs/container-registry-consuming-public-content.md
================================================
---
title: How to manage public content in private registry
description: ....
ms.service: container-registry
ms.topic: article
ms.date: 10/27/2020
author: stevelas
---
# How to consume & maintain public content with Azure Container Registry Tasks
An Azure container registry hosts your container images and other [OCI artifacts][oci-artifacts] in a private, authenticated environment. However, your environment may have dependencies on public content such as public container images, [helm charts][helm-charts], [Open Policy Agent (OPA)][opa] policies or other artifacts. For example, you might run [nginx] for service routing or `docker build FROM` [alpine][alpine-public-image] by pulling images directly from Docker Hub or another public registry. As upstream changes occur, this article will explain how to import and maintain these public artifacts.
For more information about the risks introduced by dependencies on public content and best practices see the [OCI Consuming Public Content Blog post][oci-consuming-public-content].
This article covers features and workflows in Azure Container Registry to help you manage consuming and maintaining public content:
* Import local copies of dependent public images.
* Validate public images through security scanning and functional testing.
* Promoting to private registries for internal usage.
* Triggering base image updates for applications dependent upon public content.
* Using [ACR Tasks](container-registry-tasks-overview.md) to automate this workflow.

This article refers mainly to container images, but the concepts apply to other supported [registry artifacts](container-registry-image-formats.md).
The gated import workflow refers to decoupling your organization's dependencies on externally managed artifacts, for instance images sourced from public registries such as [docker hub][docker-hub], [gcr][gcr], [quay][quay], [github container registry][ghcr], [Microsoft Container Registry][mcr] or even other public [Azure Container Registries][acr].
Consider balancing these two, possibly conflicting goals:
1. Do you really want an unexpected upstream change to possibly take out your production system?
2. Do you want upstream security fixes, for the versions you depend upon, to be automatically deployed?
## Prerequisites
* Create three registries to represent the workflow
* A simulated copy of docker hub for public images.
* This allows us to simulate a base image update, which would normally be initiated on [Docker Hub][docker-hub] or other public registries.
* A development team registry, that will host one or more teams that build and manage images.
* **Note:** [repository based RBAC (preview)][acr-repo-permissions] is now available, enabling multiple teams to share a single registry, with unique permission sets
* A registry to host imported base artifacts.
* An Azure KeyVault for storing access keys to the registries
* An [Azure Container Instance][aci] to host the `hello-world` image.
The following steps will:
1. Configure unique values for your environment
1. Simulate a Public Registry
1. Automate building a hello-world image
1. Automate deploying to an [Azure Container Instance][aci]
1. Simulate upstream changes directly to your environment
1. Create a gated import, that validates upstream changes are appropriate for your environment

This walk through will:
1. Configure three registries representing:
* Simulated Docker Hub (`publicregistry`) to support changing the base image
* Team registry (`contoso`) for private images
* Company/team shared registry (`baseartifacts`) for imported public content
2. Configure ACR Tasks to:
* build the simulated public node image
* import and validate the public node image to the company/team shared registry
* build and deploy the hello-world image
3. ACR Task definitions, including configurations for:
4. Collection of registry credentials which can be pointers to KeyVault
5. Collection of secrets, available within an `acr-task.yaml`, which are pointers to KeyVault
6. Collection of configured values used within an `acr-task.yaml`.
7. An Azure KeyVault, securing all secrets
8. An Azure Container Instance, hosting the hello-world build application
### Set environment variables
Configure variables unique to your environment. We follow best practices for placing resources with durable content in their own resource group to minimize accidental deletion, however you can place these in a single resource group if desired.
```azurecli
# Set the three registry names, unique to your environment:
REGISTRY_PUBLIC=publicregistry
REGISTRY_BASE_ARTIFACTS=contosobaseartifacts
REGISTRY=contoso
# set the location all resources will be created in:
RESOURCE_GROUP_LOCATION=eastus
# default resource groups
REGISTRY_PUBLIC_RG=${REGISTRY_PUBLIC}-rg
REGISTRY_BASE_ARTIFACTS_RG=${REGISTRY_BASE_ARTIFACTS}-rg
REGISTRY_RG=${REGISTRY}-rg
# fully qualified registry urls
REGISTRY_DOCKERHUB_URL=docker.io
REGISTRY_PUBLIC_URL=${REGISTRY_PUBLIC}.azurecr.io
REGISTRY_BASE_ARTIFACTS_URL=${REGISTRY_BASE_ARTIFACTS}.azurecr.io
REGISTRY_URL=${REGISTRY}.azurecr.io
# Azure KeyVault for storing secrets
AKV=acr-task-credentials
AKV_RG=${AKV}-rg
# ACI for hosting the deployed application
ACI=hello-world-aci
ACI_RG=${ACI}-rg
```
### GIT repositories and tokens
To simulate your environment, fork each of these into repositories you can manage. Then, update the variables for your forked repositories.
Notice `#main` appended to the end of the git URLs, representing the default repository branch.
```azurecli
GIT_BASE_IMAGE_NODE=https://github.com/importing-public-content/base-image-node.git#main
GIT_NODE_IMPORT=https://github.com/importing-public-content/import-baseimage-node.git#main
GIT_HELLO_WORLD=https://github.com/importing-public-content/hello-world.git#main
```
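Establish a [Git Token][git-token] for ACR Tasks to clone and establish git webhooks.
TODO: add a reference for the permissions the token requires. Until then, grant the token only the permissions needed to clone the repositories and manage their webhooks.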
```azurecli
GIT_TOKEN=<set-git-token-here>
```
Docker Hub Credentials
To avoid throttling and identify requests, [create a Docker Hub token][docker-hub-tokens]
```azurecli
REGISTRY_DOCKERHUB_USER=<yourusername>
REGISTRY_DOCKERHUB_PASSWORD=<yourtoken>
```
### Create Resources
Create the three registries:
```azurecli
az group create --name $REGISTRY_PUBLIC_RG --location $RESOURCE_GROUP_LOCATION
az acr create --resource-group $REGISTRY_PUBLIC_RG --name $REGISTRY_PUBLIC --sku Premium
az group create --name $REGISTRY_BASE_ARTIFACTS_RG --location $RESOURCE_GROUP_LOCATION
az acr create --resource-group $REGISTRY_BASE_ARTIFACTS_RG --name $REGISTRY_BASE_ARTIFACTS --sku Premium
az group create --name $REGISTRY_RG --location $RESOURCE_GROUP_LOCATION
az acr create --resource-group $REGISTRY_RG --name $REGISTRY --sku Premium
```
Create a KeyVault for secrets
```azurecli
az group create --name $AKV_RG --location $RESOURCE_GROUP_LOCATION
az keyvault create --resource-group $AKV_RG --name $AKV
```
Store the Docker Hub credentials in KeyVault
Save the user name and [Docker Hub token][docker-hub-tokens] set earlier as KeyVault secrets, so the tasks can reference them without embedding the values.
```azurecli
az keyvault secret set \
--vault-name $AKV \
--name registry-dockerhub-user \
--value $REGISTRY_DOCKERHUB_USER
az keyvault secret set \
--vault-name $AKV \
--name registry-dockerhub-password \
--value $REGISTRY_DOCKERHUB_PASSWORD
```
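Set and verify a Git token within KeyVault. The `secret show` command prints the token value to the terminal, so run it only where the output is not logged or shared.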
```azurecli
az keyvault secret set --vault-name $AKV --name github-token --value $GIT_TOKEN
az keyvault secret show --vault-name $AKV --name github-token --query value -o tsv
```
Create a Resource Group for an Azure Container Instance
```azurecli
az group create --name $ACI_RG --location $RESOURCE_GROUP_LOCATION
```
### Create public node base image
To simulate the node image on Docker Hub, create an [ACR Task][acr-task] to build and maintain the public image. This allows simulating changes by the node image maintainers.
```azurecli
az acr task create \
--name node-public \
-r $REGISTRY_PUBLIC \
-f acr-task.yaml \
--context $GIT_BASE_IMAGE_NODE \
--git-access-token $(az keyvault secret show \
--vault-name $AKV \
--name github-token \
--query value -o tsv) \
--set REGISTRY_FROM_URL=${REGISTRY_DOCKERHUB_URL}/ \
--assign-identity
```
To avoid Docker throttling, add [Docker Hub credentials][docker-hub-tokens]:
```azurecli
az acr task credential add \
-n node-public \
-r $REGISTRY_PUBLIC \
--login-server $REGISTRY_DOCKERHUB_URL \
-u https://${AKV}.vault.azure.net/secrets/registry-dockerhub-user \
-p https://${AKV}.vault.azure.net/secrets/registry-dockerhub-password \
--use-identity [system]
```
Grant access to ACR for reading values from KeyVault
```azurecli
az keyvault set-policy \
--name $AKV \
--resource-group $AKV_RG \
--object-id $(az acr task show \
--name node-public \
--registry $REGISTRY_PUBLIC \
--query identity.principalId --output tsv) \
--secret-permissions get
```
[Tasks can be triggered][acr-task-triggers] by git commits, base image updates, scheduled runs or manually executed.
Run the task to generate the `node` image
```azurecli
az acr task run -r $REGISTRY_PUBLIC -n node-public
```
List the image in the simulated public registry
```azurecli
az acr repository show-tags -n $REGISTRY_PUBLIC --repository node
```
## Create the hello-world image
Based on the simulated public node image, build a hello-world image.
### Create a Token for access to the "public" registry
Using [ACR Tokens][acr-tokens], create access tokens, scoped to `pull`
```azurecli
az keyvault secret set \
--vault-name $AKV \
--name "registry-${REGISTRY_PUBLIC}-user" \
--value "registry-${REGISTRY_PUBLIC}-user"
az keyvault secret set \
--vault-name $AKV \
--name "registry-${REGISTRY_PUBLIC}-password" \
--value $(az acr token create \
--name "registry-${REGISTRY_PUBLIC}-user" \
--registry $REGISTRY_PUBLIC \
--scope-map _repositories_pull \
-o tsv \
--query credentials.passwords[0].value)
```
### Create an ACR Token for access by ACI to pull the image
A token to the registry with `hello-world` is created. Permissions are scoped to read (pull)
```azurecli
az keyvault secret set \
--vault-name $AKV \
--name "registry-${REGISTRY}-user" \
--value "registry-${REGISTRY}-user"
az keyvault secret set \
--vault-name $AKV \
--name "registry-${REGISTRY}-password" \
--value $(az acr token create \
--name "registry-${REGISTRY}-user" \
--registry $REGISTRY \
--repository hello-world content/read \
-o tsv \
--query credentials.passwords[0].value)
```
### Create and maintain a `hello-world` image using ACR Tasks
Simulating a public registry, which could be docker hub, provide credentials using [acr task credentials][acr-task-credentials]. Since the registry is an ACR, use the token created above. The [acr task credentials][acr-task-credentials] may be used to pass docker credentials to any registry, including Docker Hub.
Within the `acr-task.yaml`, we deploy the newly built image to ACI. The resource group was created above. By calling `az container create` with only a difference in the `image:tag`, the same instance is used.
```azurecli
az acr task create \
-n hello-world \
-r $REGISTRY \
-f acr-task.yaml \
--context $GIT_HELLO_WORLD \
--git-access-token $(az keyvault secret show \
--vault-name $AKV \
--name github-token \
--query value -o tsv) \
--set REGISTRY_FROM_URL=${REGISTRY_PUBLIC_URL}/ \
--set KEYVAULT=$AKV \
--set ACI=$ACI \
--set ACI_RG=$ACI_RG \
--assign-identity
```
Add credentials for our Public Registry
```azurecli
az acr task credential add \
-n hello-world \
-r $REGISTRY \
--login-server $REGISTRY_PUBLIC_URL \
-u https://${AKV}.vault.azure.net/secrets/registry-${REGISTRY_PUBLIC}-user \
-p https://${AKV}.vault.azure.net/secrets/registry-${REGISTRY_PUBLIC}-password \
--use-identity [system]
```
Grant access to read values from the KeyVault
```azurecli
az keyvault set-policy \
--name $AKV \
--resource-group $AKV_RG \
--object-id $(az acr task show \
--name hello-world \
--registry $REGISTRY \
--query identity.principalId --output tsv) \
--secret-permissions get
```
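Grant the task access to create and manage ACI by granting access to the resource group. The command below assigns `owner`, which also lets the task identity change role assignments on that resource group; a narrower role such as `Contributor` is normally enough to create and update container instances: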
```azurecli
az role assignment create \
--assignee $(az acr task show \
--name hello-world \
--registry $REGISTRY \
--query identity.principalId --output tsv) \
--scope $(az group show -n $ACI_RG --query id -o tsv) \
--role owner
```
With the task created, run the task to build/deploy the hello-world image:
```azurecli
az acr task run -r $REGISTRY -n hello-world
```
Once created, browse the site hosting the `hello-world` image.
```bash
explorer.exe "http://"$(az container show \
--resource-group $ACI_RG \
--name ${ACI} \
--query ipAddress.ip \
--out tsv)
```
## Update the base image with a "bad" change
Open the `Dockerfile` in base-image-node repo
Change the `BACKGROUND_COLOR` to `Red` to simulate a change that would break our environment.
```Dockerfile
ARG REGISTRY_NAME=
FROM ${REGISTRY_NAME}node:15-alpine
ENV NODE_VERSION 15-alpine
ENV BACKGROUND_COLOR Red
```
Commit the change and watch for ACR Tasks to automatically start building.
Watch for the task to start executing:
```azurecli
watch -n1 az acr task list-runs -r $REGISTRY_PUBLIC
```
You should eventually see STATUS `Succeeded` based on a TRIGGER of `Commit`:
```azurecli
RUN ID TASK PLATFORM STATUS TRIGGER STARTED DURATION
-------- -------- ---------- --------- --------- -------------------- ----------
ca4 hub-node linux Succeeded Commit 2020-10-24T05:02:29Z 00:00:22
```
Type `CTRL-C` to exit the watch command, then view the logs for the most recent run:
```azurecli
az acr task logs -r $REGISTRY_PUBLIC
```
Once the node image is completed, `watch` for ACR Tasks to automatically start the hello-world image:
```azurecli
watch -n1 az acr task list-runs -r $REGISTRY
```
You should eventually see STATUS `Succeeded` based on a TRIGGER of `Image Update`
```azurecli
RUN ID TASK PLATFORM STATUS TRIGGER STARTED DURATION
-------- ----------- ---------- --------- ------------ -------------------- ----------
dau hello-world linux Succeeded Image Update 2020-10-24T05:08:45Z 00:00:31
```
Type `CTRL-C` to exit the watch command, then view the logs for the most recent run:
```azurecli
az acr task logs -r $REGISTRY
```
Once completed, browse the site hosting the updated `hello-world` image, which should have a red (broken) background.
```bash
explorer.exe "http://"$(az container show \
--resource-group $ACI_RG \
--name ${ACI} \
--query ipAddress.ip \
--out tsv)
```
## Checking in
At this point, you've created a `hello-world` image that is automatically built on git commits, and changes to the base `node` image. While we've built against a base image in ACR, this could be any supported registry.
The ACR Task base image update trigger automatically re-executes as the node image is updated. As seen here, not all updates are wanted.
## Gated imports of public content
To prevent upstream changes from breaking critical workloads, security scanning and functional tests may be added.
This section covers:
* Build a test image
* Run a functional test script `./test.sh` against the test image
* If the image tests successfully, import the public image to the **baseimages** registry
### Write automation testing
To gate any upstream content, automated testing is implemented. In this example, a `test.sh` is provided which checks the `$BACKGROUND_COLOR`. If the test fails, an `EXIT_CODE` of `1` is returned which causes the ACR Task step to fail, ending the task run. The tests can be expanded in any form of tools, including logging results. The gate is managed by a pass/fail response.
```bash
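# Gate check for an imported base image: fail the run when the image sets a
# BACKGROUND_COLOR value that this environment is known not to accept.
# Exit status: 0 when no known error is found, 1 when the color is rejected.
# Only the single value "red" (any letter case) is rejected; every other
# value, including an empty one, passes.

# Start from an explicit success code so the final exit never depends on an
# unset variable.
EXIT_CODE=0

# Normalise before comparing: drop whitespace so a padded value is still
# recognised, then upper-case so the match is case-insensitive. The expansion
# is quoted and fed through printf so an empty value, or one containing glob
# characters or a leading dash, is handled as plain text.
COLOR_NORMALISED=$(printf '%s' "${BACKGROUND_COLOR}" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')

if [ "${COLOR_NORMALISED}" = 'RED' ]; then
  echo -e "\e[31mERROR: Invalid Color:\e[0m" "${BACKGROUND_COLOR}"
  EXIT_CODE=1
else
  echo -e "\e[32mValidation Complete - No Known Errors\e[0m"
fi

# A non-zero status fails the task step that runs this script.
exit "${EXIT_CODE}"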
```
The `acr-task.yaml` performs the following steps:
* Build the test base image using the following dockerfile:
```dockerfile
ARG REGISTRY_FROM_URL=
FROM ${REGISTRY_FROM_URL}node:15-alpine
WORKDIR /test
COPY ./test.sh .
CMD ./test.sh
```
* When completed, validate the image by running the container, which runs `./test.sh`
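* Only if successfully completed, run the import steps, which are gated with `when: ['validate-base-image']`. The import steps pull `node:15-alpine` by tag again, so the imported image is the one that was tested only if the tag has not moved in between; pulling by digest would tie the import to the tested image.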
```yaml
version: v1.1.0
steps:
- id: build-test-base-image
# Build off the base image we'll track
# Add a test script to do unit test validations
# Note: the test validation image isn't saved to the registry
# but the task logs captures log validation results
build: >
--build-arg REGISTRY_FROM_URL={{.Values.REGISTRY_FROM_URL}}
-f ./Dockerfile
-t {{.Run.Registry}}/node-import:test
.
- id: validate-base-image
# Runs the test image built by build-test-base-image; its command is ./test.sh.
# The import steps are gated on this step, so they run only when the
# container exits with code 0. A non-zero exit fails the step and ends the run.
when: ['build-test-base-image']
cmd: "{{.Run.Registry}}/node-import:test"
- id: pull-base-image
# import the public image to base-artifacts
# Override the stable tag,
# and create a unique tag to enable rollback
# to a previously working image
when: ['validate-base-image']
cmd: >
docker pull {{.Values.REGISTRY_FROM_URL}}node:15-alpine
- id: retag-base-image
when: ['pull-base-image']
cmd: docker tag {{.Values.REGISTRY_FROM_URL}}node:15-alpine {{.Run.Registry}}/node:15-alpine
- id: retag-base-image-unique-tag
when: ['pull-base-image']
cmd: docker tag {{.Values.REGISTRY_FROM_URL}}node:15-alpine {{.Run.Registry}}/node:15-alpine-{{.Run.ID}}
- id: push-base-image
when: ['retag-base-image', 'retag-base-image-unique-tag']
push:
- "{{.Run.Registry}}/node:15-alpine"
- "{{.Run.Registry}}/node:15-alpine-{{.Run.ID}}"
```
Create an ACR Task to import and test the node base image
```azurecli
az acr task create \
--name base-import-node \
-f acr-task.yaml \
-r $REGISTRY_BASE_ARTIFACTS \
--context $GIT_NODE_IMPORT \
--git-access-token $(az keyvault secret show \
--vault-name $AKV \
--name github-token \
--query value -o tsv) \
--set REGISTRY_FROM_URL=${REGISTRY_PUBLIC_URL}/ \
--assign-identity
```
Add credentials for our public registry
```azurecli
az acr task credential add \
-n base-import-node \
-r $REGISTRY_BASE_ARTIFACTS \
--login-server $REGISTRY_PUBLIC_URL \
-u https://${AKV}.vault.azure.net/secrets/registry-${REGISTRY_PUBLIC}-user \
-p https://${AKV}.vault.azure.net/secrets/registry-${REGISTRY_PUBLIC}-password \
--use-identity [system]
```
Grant access to read values from the KeyVault
```azurecli
az keyvault set-policy \
--name $AKV \
--resource-group $AKV_RG \
--object-id $(az acr task show \
--name base-import-node \
--registry $REGISTRY_BASE_ARTIFACTS \
--query identity.principalId --output tsv) \
--secret-permissions get
```
Run the import task:
```azurecli
az acr task run -n base-import-node -r $REGISTRY_BASE_ARTIFACTS
```
If the task fails due to `./test.sh: Permission denied`, ensure the script has execution permissions and commit back to the git repo:
```bash
chmod +x ./test.sh
```
## Update the hello-world image to build from the gated node image
Add a pull-only token, scoped to `content/read` on the `node` repository, to access the base-artifacts registry
```azurecli
az keyvault secret set \
--vault-name $AKV \
--name "registry-${REGISTRY_BASE_ARTIFACTS}-user" \
--value "registry-${REGISTRY_BASE_ARTIFACTS}-user"
az keyvault secret set \
--vault-name $AKV \
--name "registry-${REGISTRY_BASE_ARTIFACTS}-password" \
--value $(az acr token create \
--name "registry-${REGISTRY_BASE_ARTIFACTS}-user" \
--registry $REGISTRY_BASE_ARTIFACTS \
--repository node content/read \
-o tsv \
--query credentials.passwords[0].value)
```
Add credentials for the base artifacts registry
```azurecli
az acr task credential add \
-n hello-world \
-r $REGISTRY \
--login-server $REGISTRY_BASE_ARTIFACTS_URL \
-u https://${AKV}.vault.azure.net/secrets/registry-${REGISTRY_BASE_ARTIFACTS}-user \
-p https://${AKV}.vault.azure.net/secrets/registry-${REGISTRY_BASE_ARTIFACTS}-password \
--use-identity [system]
```
Change the REGISTRY_FROM_URL to use the BASE_ARTIFACTS registry
```azurecli
az acr task update \
-n hello-world \
-r $REGISTRY \
--set KEYVAULT=$AKV \
--set REGISTRY_FROM_URL=${REGISTRY_BASE_ARTIFACTS_URL}/ \
--set ACI=$ACI \
--set ACI_RG=$ACI_RG
```
Run the hello-world task to change its base image dependency
```azurecli
az acr task run -r $REGISTRY -n hello-world
```
## Update the base image with a "valid" change
Open the `Dockerfile` in base-image-node repo
Change the `BACKGROUND_COLOR` to `Green` to simulate a valid change.
```Dockerfile
ARG REGISTRY_NAME=
FROM ${REGISTRY_NAME}node:15-alpine
ENV NODE_VERSION 15-alpine
ENV BACKGROUND_COLOR Green
```
Commit the change and monitor the sequence of updates
```azurecli
watch -n1 az acr task list-runs -r $REGISTRY_PUBLIC
```
Once running, `ctrl+C` and monitor the logs
```azurecli
az acr task logs -r $REGISTRY_PUBLIC
```
Once complete, monitor the base-image-import task
```azurecli
watch -n1 az acr task list-runs -r $REGISTRY_BASE_ARTIFACTS
```
Once running, `ctrl+C` and monitor the logs
```azurecli
az acr task logs -r $REGISTRY_BASE_ARTIFACTS
```
Once complete, monitor the hello-world task
```azurecli
watch -n1 az acr task list-runs -r $REGISTRY
```
Once running, `ctrl+C` and monitor the logs
```azurecli
az acr task logs -r $REGISTRY
```
Once complete, view the ACI hello-world image.
```bash
explorer.exe "http://"$(az container show \
--resource-group $ACI_RG \
--name ${ACI} \
--query ipAddress.ip \
--out tsv)
```
### View the gated workflow
Perform the above steps again, with a background color of red
Open the `Dockerfile` in base-image-node repo
Change the `BACKGROUND_COLOR` to `Red` to simulate an invalid change.
```Dockerfile
ARG REGISTRY_NAME=
FROM ${REGISTRY_NAME}node:15-alpine
ENV NODE_VERSION 15-alpine
ENV BACKGROUND_COLOR Red
```
Commit the change and monitor the sequence of updates
```azurecli
watch -n1 az acr task list-runs -r $REGISTRY_PUBLIC
```
Once running, `ctrl+C` and monitor the logs
```azurecli
az acr task logs -r $REGISTRY_PUBLIC
```
Once complete, monitor the base-image-import task
```azurecli
watch -n1 az acr task list-runs -r $REGISTRY_BASE_ARTIFACTS
```
Once running, `ctrl+C` and monitor the logs
```azurecli
az acr task logs -r $REGISTRY_BASE_ARTIFACTS
```
At this point, you should see base-import-node fail validation and stop the sequence to publish a hello-world update.
### Publish an update to hello-world
Changes to the hello-world image will continue using the last validated node image.
Any additional changes to the base-node image that pass the gated validations will trigger base-updates to the hello-world image.
## Cleaning up
```azurecli
az group delete -n $REGISTRY_RG --no-wait -y
az group delete -n $REGISTRY_PUBLIC_RG --no-wait -y
az group delete -n $REGISTRY_BASE_ARTIFACTS_RG --no-wait -y
az group delete -n $AKV_RG --no-wait -y
az group delete -n $ACI_RG --no-wait -y
```
## Next steps
* [Adopt tagging scheme for base image updates](container-registry-image-tag-version.md)
* [Build images from stable service tags - can continue to receive security patches and framework updates.](container-registry-image-tag-version.md)
* [Protect images using Image/tag locking](container-registry-image-lock.md)
[acr]: https://aka.ms/acr
[acr-repo-permissions]: https://aka.ms/acr/repo-permissions
[acr-task]: https://aka.ms/acr/tasks
[acr-task-triggers]: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tasks-overview#task-scenarios
[acr-task-credentials]: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tasks-authentication-managed-identity#4-optional-add-credentials-to-the-task
[acr-tokens]: https://aka.ms/acr/tokens
[aci]: https://aka.ms/aci
[alpine-public-image]: https://hub.docker.com/_/alpine
[docker-hub]: https://hub.docker.com
[docker-hub-tokens]: https://hub.docker.com/settings/security
[git-token]: https://github.com/settings/tokens
[gcr]: https://cloud.google.com/container-registry
[ghcr]: https://docs.github.com/en/free-pro-team@latest/packages/getting-started-with-github-container-registry/about-github-container-registry
[helm-charts]: https://helm.sh
[mcr]: https://aka.ms/mcr
[nginx-public-image]: https://hub.docker.com/_/nginx
[oci-artifacts]: https://aka.ms/acr/artifacts
[oci-consuming-public-content]: https://docs.google.com/document/d/1fxayMznIkszBI9Y2S3KGSyi2hFMwUIwDfn3D2wQcye4/edit?usp=sharing
[opa]: https://www.openpolicyagent.org/
[quay]: https://quay.io
================================================
FILE: docs/container-registry-oras-artifacts.md
================================================
---
title: Push and pull Supply Chain Artifacts
description: Push and pull supply chain artifacts, using a private container registry in Azure
author: SteveLasker
manager: gwallace
ms.topic: article
ms.date: 11/11/2021
ms.author: stevelas
---
# Push and pull supply chain artifacts, using a private container registry in Azure (Preview)
Use an Azure container registry to store and manage a graph of artifacts, including signatures, software bill of materials, security scan results or other types.

To demonstrate this capability, this article shows how to use the [OCI Registry as Storage (ORAS)](https://oras.land) tool to push and pull a graph of artifacts to an Azure container registry.
## Prerequisites
* **Azure container registry** - Create a container registry in your Azure subscription. During the preview of ORAS Artifacts support, the registry must be created in specific regions.
* **ORAS CLI** - The ORAS CLI enables push, discover, pull of artifacts to an ORAS Artifacts enabled registry.
* **Azure CLI** - To create an identity, list and delete repositories, you need a local installation of the Azure CLI. Version 2.29.1 or later is recommended. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
* **Docker (optional)** - To complete the walkthrough, a container image is referenced. You can use Docker installed locally to build and push a container image, or reference an existing container image. Docker provides packages that easily configure Docker on any [macOS][docker-mac], [Windows][docker-windows], or [Linux][docker-linux] system.
## Preview limitations
ORAS Artifacts support is limited to the South Central US region, with Availability Zone support.
* Geo-replicated registries will not replicate referenced artifacts to other regions. As additional regions support ORAS Artifacts, the referenced artifacts will be replicated.
## ORAS installation
Download and install a preview ORAS release for your operating system. See [ORAS Install instructions][oras-install-docs] for how to extract and install the file for your operating system, referencing an Alpha.1 preview build from the [ORAS GitHub repo][oras-preview-install]
## Configure a private registry
Configure environment variables to easily copy/paste commands into your shell. The commands can be run in the [Azure Cloud Shell](https://shell.azure.com/)
```console
ACR_NAME=myregistry
REGISTRY=$ACR_NAME.azurecr.io
REPO=net-monitor
TAG=v1
IMAGE=$REGISTRY/${REPO}:$TAG
```
### Create a resource group
If needed, run the [az group create](/cli/azure/group#az_group_create) command to create a resource group for the registry.
```azurecli
az group create --name $ACR_NAME --location southcentralus
```
### Create ORAS Artifact enabled registry
Preview support for ORAS Artifacts requires Zone Redundancy, which requires a Premium service tier, in the South Central US region. Run the [az acr create](/cli/azure/acr#az_acr_create) command to create an ORAS Artifacts enabled registry. See the `az acr create` command help for more registry options.
```azurecli
az acr create \
--resource-group $ACR_NAME \
--name $ACR_NAME \
--zone-redundancy enabled \
--sku Premium \
--output jsonc
```
In the command output, note the `zoneRedundancy` property for the registry. When enabled, the registry is zone redundant, and ORAS Artifact enabled:
```JSON
{
[...]
"zoneRedundancy": "Enabled",
}
```
### Sign in with Azure CLI
[Sign in](/cli/azure/authenticate-azure-cli) to the Azure CLI with your identity to push and pull artifacts from the container registry.
Then, use the Azure CLI command [az acr login](/cli/azure/acr#az_acr_login) to access the registry.
```azurecli
az login
az acr login --name $ACR_NAME
```
> [!NOTE]
> `az acr login` uses the Docker client to set an Azure Active Directory token in the `docker.config` file. The Docker client must be installed and running to complete the individual authentication flow.
## Sign in with ORAS
This section shows options to sign into the registry. Choose the method appropriate for your environment.
Run `oras login` to authenticate with the registry. You may pass [registry credentials](container-registry-authentication.md) appropriate for your scenario, such as service principal credentials, user identity, or a repository-scoped token (preview).
- Authenticate with your [individual Azure AD identity](container-registry-authentication.md?tabs=azure-cli#individual-login-with-azure-ad) to use an AD token.
```bash
USER_NAME="00000000-0000-0000-0000-000000000000"
PASSWORD=$(az acr login --name $ACR_NAME --expose-token --output tsv --query accessToken)
```
- Authenticate with a [repository scoped token](container-registry-repository-scoped-permissions.md) (Preview) to use non-AD based tokens.
```bash
USER_NAME="oras-token"
PASSWORD=$(az acr token create -n $USER_NAME \
-r $ACR_NAME \
--repository $REPO content/write \
--only-show-errors \
--query "credentials.passwords[0].value" -o tsv)
```
- Authenticate with an Azure Active Directory [service principal with pull and push permissions](container-registry-auth-service-principal.md#create-a-service-principal) (AcrPush role) to the registry.
```bash
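# Create a service principal with the acrpush role on one registry and
# capture its credentials in USER_NAME / PASSWORD for `oras login`.
SERVICE_PRINCIPAL_NAME="oras-sp"

# Resource ID of the registry; used as the role-assignment scope so the
# principal's push/pull rights are limited to this registry.
ACR_REGISTRY_ID=$(az acr show --name "$ACR_NAME" --query id --output tsv)

# The generated password is returned only by this call, so it is captured
# directly into a variable rather than printed.
PASSWORD=$(az ad sp create-for-rbac --name "$SERVICE_PRINCIPAL_NAME" \
  --scopes "$ACR_REGISTRY_ID" \
  --role acrpush \
  --query "password" --output tsv)

# Look up the appId to use as the user name. Display names are not unique;
# if several service principals share this name the query returns several
# appIds, one per line.
USER_NAME=$(az ad sp list --display-name "$SERVICE_PRINCIPAL_NAME" --query "[].appId" --output tsv)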
```
### Sign in with ORAS
Supply the credentials to `oras login`.
```bash
oras login $REGISTRY \
--username $USER_NAME \
--password $PASSWORD
```
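A password passed with `--password` is visible in the process list and may be saved in shell history. To read the password from stdin instead, use `--password-stdin`.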
## Push a container image
This example associates a graph of artifacts to a container image. Build and push a container image, or reference an existing image in the private registry.
```bash
docker build -t $IMAGE https://github.com/wabbit-networks/net-monitor.git#main
docker push $IMAGE
```
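## Create a sample signature for the container image
The file created here is a placeholder that stands in for a signature; it holds no cryptographic material and cannot be used to verify the image.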
```bash
echo '{"artifact": "'${IMAGE}'", "signature": "pat hancock"}' > signature.json
```
### Push a signature to the registry, as a reference to the container image
The ORAS command pushes the signature to a repository, referencing another artifact through the `subject` parameter. The `--artifact-type` provides for differentiating artifacts, similar to file extensions enable different file types. One or more files can be pushed by specifying `file:mediaType`
```bash
oras push $REGISTRY/$REPO \
--artifact-type 'signature/example' \
--subject $IMAGE \
./signature.json:application/json
```
For more information on oras push, see [ORAS documentation][oras-push-docs].
## Push a multi-file artifact as a reference
Create some documentation around an artifact
```bash
echo 'Readme Content' > readme.md
echo 'Detailed Content' > readme-details.md
```
Push the multi-file artifact as a reference
```bash
oras push $REGISTRY/$REPO \
--artifact-type 'readme/example' \
--subject $IMAGE \
./readme.md:application/markdown \
./readme-details.md:application/markdown
```
## Discovering artifact references
The ORAS Artifacts Specification defines a [referrers API][oras-artifacts-referrers] for discovering references to a `subject` artifact. The `oras discover` command can show the list of references to the container image.
Using `oras discover`, view the graph of artifacts now stored in the registry
```bash
oras discover -o tree $IMAGE
```
The output shows the beginning of a graph of artifacts, where the signature and docs are viewed as children of the container image
```output
myregistry.azurecr.io/net-monitor:v1
├── signature/example
│ └── sha256:555ea91f39e7fb30c06f3b7aa483663f067f2950dcb...
└── readme/example
└── sha256:1a118663d1085e229ff1b2d4d89b5f6d67911f22e55...
```
## Creating deep graphs of artifacts
The ORAS Artifacts specification enables deep graphs, enabling signed software bill of materials (SBoM) and other artifact types.
### Create a sample SBoM
```bash
echo '{"version": "0.0.0.0", "artifact": "'${IMAGE}'", "contents": "good"}' > sbom.json
```
### Push a sample SBoM to the registry
```bash
oras push $REGISTRY/$REPO \
--artifact-type 'sbom/example' \
--subject $IMAGE \
./sbom.json:application/json
```
### Sign the SBoM
Artifacts that are pushed as references typically do not have tags, as they are considered part of the subject artifact. To push a signature to an artifact that is a child of another artifact, use `oras discover` with `--artifact-type` filtering to find the digest.
```bash
SBOM_DIGEST=$(oras discover -o json \
--artifact-type sbom/example \
$IMAGE | jq -r ".references[0].digest")
```
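Create a sample signature of the SBoM. The file is a placeholder JSON document used to demonstrate the artifact graph; it is not a cryptographic signature and verifies nothing about the SBoM.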
```bash
echo '{"artifact": "'$REGISTRY/${REPO}@$SBOM_DIGEST'", "signature": "pat hancock"}' > sbom-signature.json
```
### Push the SBoM signature
```bash
oras push $REGISTRY/$REPO \
--artifact-type 'signature/example' \
--subject $REGISTRY/$REPO@$SBOM_DIGEST \
./sbom-signature.json:application/json
```
### View the graph
```bash
oras discover -o tree $IMAGE
```
Generates the following output:
```output
myregistry.azurecr.io/net-monitor:v1
├── signature/example
│ └── sha256:555ea91f39e7fb30c06f3b7aa483663f067f2950dcb...
├── readme/example
│ └── sha256:1a118663d1085e229ff1b2d4d89b5f6d67911f22e55...
└── sbom/example
└── sha256:4280eef9adb632b42cf200e7cd5a822a456a558e4f3142da6b...
└── signature/example
└── sha256:a31ab875d37eee1cca68dbb14b2009979d05594d44a075bdd7...
```
## Pull the Docs
To pull a referenced type, first discover the digest of the reference with the `oras discover` command
```bash
DOC_DIGEST=$(oras discover -o json \
--artifact-type 'readme/example' \
$IMAGE | jq -r ".references[0].digest")
```
### Create a clean directory for downloading
```bash
mkdir ./download
```
### Pull the docs into the download directory
```bash
oras pull -a -o ./download $REGISTRY/$REPO@$DOC_DIGEST
```
### View the docs
```bash
ls ./download
```
## View the repository and tag listing
ORAS Artifacts enables artifact graphs to be pushed, discovered, pulled and copied without having to assign tags. This enables a tag listing to focus on the artifacts users think about, as opposed to the signatures and SBoMs that are associated with the container images, helm charts and other artifacts.
### View a list of tags
```azurecli
az acr repository show-tags \
-n $ACR_NAME \
--repository $REPO \
-o jsonc
```
### View a list of manifests
A repository can have a list of manifests that are both tagged and untagged
```azurecli
az acr repository show-manifests \
-n $ACR_NAME \
--repository $REPO \
--detail -o jsonc
```
Note the container image manifests have `"tags":`
```json
{
"architecture": "amd64",
"changeableAttributes": {
"deleteEnabled": true,
"listEnabled": true,
"readEnabled": true,
"writeEnabled": true
},
"configMediaType": "application/vnd.docker.container.image.v1+json",
"createdTime": "2021-11-12T00:18:54.5123449Z",
"digest": "sha256:a0fc570a245b09ed752c42d600ee3bb5b4f77bbd70d8898780b7ab4...",
"imageSize": 2814446,
"lastUpdateTime": "2021-11-12T00:18:54.5123449Z",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"os": "linux",
"tags": [
"v1"
]
}
```
The signature is untagged, but tracked as an `oras.artifact.manifest` reference to the container image
```json
{
"changeableAttributes": {
"deleteEnabled": true,
"listEnabled": true,
"readEnabled": true,
"writeEnabled": true
},
"createdTime": "2021-11-12T00:19:10.987156Z",
"digest": "sha256:555ea91f39e7fb30c06f3b7aa483663f067f2950dcbcc0b0d...",
"imageSize": 85,
"lastUpdateTime": "2021-11-12T00:19:10.987156Z",
"mediaType": "application/vnd.cncf.oras.artifact.manifest.v1+json"
}
```
## Delete all artifacts in the graph
Support for the ORAS Artifacts specification enables deleting the graph of artifacts associated with the root artifact. Use the [az acr repository delete][az-acr-repository-delete] command to delete the signature, SBoM and the signature of the SBoM.
```bash
az acr repository delete \
-n $ACR_NAME \
-t ${REPO}:$TAG -y
```
### View the remaining manifests
```azurecli
az acr repository show-manifests \
-n $ACR_NAME \
--repository $REPO \
--detail -o jsonc
```
## Next steps
* Learn more about [the ORAS cli](https://oras.land)
* Learn more about [ORAS Artifacts][oras-artifacts] for how to push, discover, pull, copy a graph of supply chain artifacts
<!-- LINKS - external -->
[docker-linux]: https://docs.docker.com/engine/installation/#supported-platforms
[docker-mac]: https://docs.docker.com/docker-for-mac/
[docker-windows]: https://docs.docker.com/docker-for-windows/
[oras-install-docs]: https://oras.land/cli/
[oras-preview-install]: https://github.com/oras-project/oras/releases/tag/v0.2.1-alpha.1
[oras-push-docs]: https://oras.land/cli/1_pushing/
[oras-artifacts]: https://github.com/oras-project/artifacts-spec/
<!-- LINKS - internal -->
[az-acr-repository-show]: /cli/azure/acr/repository?#az_acr_repository_show
[az-acr-repository-delete]: /cli/azure/acr/repository#az_acr_repository_delete
================================================
FILE: docs/contributing-to-pages.md
================================================
# Instructions to get started
## Prerequisites
### YARN
Install `vuepress` globally using yarn. Here are the instructions for debian which can be used for WSL as well.
https://yarnpkg.com/en/docs/install#debian-stable
```sh
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt update && sudo apt install yarn
```
> Make sure you have yarn in your path.
## Vuepress
Install Vuepress with yarn.
```sh
yarn global add vuepress
```
# To view the pages
```sh
cd ./docs/
vuepress dev .
```
# Publish content
https://v1.vuepress.vuejs.org/guide/deploy.html#github-pages
```sh
cd docs
vuepress build .
cd gh-pages
git init
git add -A
git commit -m 'deploy'
git push -f git@github.com:Azure/acr.git master:gh-pages
```
================================================
FILE: docs/custom-domain/README.md
================================================
# Using Custom Domains with Azure Container Registry
**Important - Using a custom domain in Azure Container Registry is a private preview feature.**
**If your registry has already been enabled for a custom domain and you need support, please open an issue in this repository.**
Every ACR is accessed using its login server. If you have a registry called `myregistry`, you access it using its default hostname, `myregistry.azurecr.io` (in Azure Public Cloud.) As a customer belonging to an organization, you may prefer to access your registry using a custom domain that is associated with your organization, for instance, `container-registry.contoso.com`.
The following steps describe how you can achieve this.
**The following sections describe preparation steps for the private preview. THESE STEPS ARE NOT SUFFICIENT TO ENABLE A CUSTOM DOMAIN FOR YOUR REGISTRY WITHOUT ACCEPTANCE INTO THE PRIVATE PREVIEW.**
## Prerequisites
- [Azure CLI](https://docs.microsoft.com/cli/azure/?view=azure-cli-latest): version 2.4.0 or higher
- Consider using [Azure Cloud Shell](https://docs.microsoft.com/azure/cloud-shell/overview)
- A _premium_ Azure Container Registry. See [here](https://docs.microsoft.com/azure/container-registry/container-registry-get-started-azure-cli) for instructions on how to create one.
- Your custom domain names. The following two are required:
- Custom registry domain to access the registry REST API. Example for the `contoso.com` domain: `container-registry.contoso.com`
- Custom data domain to access the registry content. Again, example for `contoso.com`: `eastus-registry-data.contoso.com`
- Note that the custom data domain is region specific. For geo-replicated registries, each region should have its own custom data endpoint.
For each domain, you must prepare a single PEM formatted file containing the TLS private key and the public certificate:
```
-----BEGIN PRIVATE KEY-----
XXXXXX
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
XXXXXX
-----END CERTIFICATE-----
```
If you use a certificate bundle, prepare a single PEM formatted file containing the TLS private key and each public certificate:
```
-----BEGIN PRIVATE KEY-----
XXXXXX
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
XXXXX-01
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXX-02
-----END CERTIFICATE-----
[etc.]
```
For example, using [openssl](https://github.com/openssl/openssl):
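- Create a self-signed public cert and private key (`-nodes` writes the private key to disk unencrypted, so keep the key file's permissions restricted)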
```shell
openssl req -nodes -x509 -newkey rsa:4096 \
-keyout container-registry.contoso.com.key.pem \
-out container-registry.contoso.com.cert.pem -days 365 \
-subj '/CN=container-registry.contoso.com/O=Contoso./C=US' \
-addext "subjectAltName = DNS:container-registry.contoso.com"
```
- Create a single file containing both the public certificate (or certificates, in the case of a certificate bundle) and private key
```shell
cat container-registry.contoso.com.key.pem \
>> container-registry-contoso-com.pem
cat container-registry.contoso.com.cert.pem \
>> container-registry-contoso-com.pem
```
- For each data domain, follow the same steps above to prepare the PEM formatted files containing the public certificate and private key.
Azure Key Vault allows you to [create](https://docs.microsoft.com/azure/key-vault/certificate-scenarios) Certificate Authority (CA) signed certificates.
- If you choose to use the Azure Portal to create the certificates, be sure to select certificate content type as PEM.
## Prepare your existing registry
We will enable two features on your registry:
- Data Endpoints:\
This feature provides a dedicated endpoint for downloading content from your registry. If you have a registry in East US, on enabling this feature, a data endpoint is automatically created for you: `myregistry.eastus.data.azurecr.io`
- ACR Managed Identities:\
Managed Identities provide a mechanism to associate an Azure Active Directory identity with your registry, while relieving you of the burden of managing credentials. To learn more, see the documentation [here](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview).\
ACR supports both user assigned and system assigned managed identities.
### Enable data endpoints and managed identities
1. `az login`
2. `az account set -s <subscription-id-or-name> `
3. `az acr update --data-endpoint-enabled true -n myregistry`
4. You can either enable a system assigned managed identity, a user assigned managed identity, or both for your registry. We recommend using system assigned managed identity to enable advanced scenarios with virtual networks that, although not supported currently, are [coming soon](#enhanced-security-with-virtual-networks). Do _one_ of the following:
- To enable only system assigned managed identity:
- `az acr identity assign -n myregistry --identities [system]`
- To enable user assigned managed identity, with or without a system identity:
- Create a user assigned managed identity following the instructions [here](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal).
- Do _one_ of the following:
- To enable _only_ user assigned managed identity:
- `az acr identity assign -n myregistry --identities "<arm-resource-id-of-user-assigned-identity>"`
- To enable _both_ user and system assigned managed identities:
- `az acr identity assign -n myregistry --identities "<arm-resource-id-of-user-assigned-identity>" [system]`
## Prepare your Azure Key Vault
For each domain, its TLS private key and public certificate pair must be added to an Azure Key Vault that is accessible by your registry as a single PEM formatted file. We recommend creating a new key vault containing only your TLS certificates and granting the registry's identity access to `get` secret.
1. [Create](https://docs.microsoft.com/azure/key-vault/) a new Azure Key Vault.
2. [Add](https://docs.microsoft.com/azure/key-vault/certificate-scenarios) your certificates to the key vault.
3. Add an access policy to the key vault that grants your registry's identity access to `get` secret:\
`az keyvault set-policy --name <your-kv-name> --secret-permissions get --spn <registry-system-or-user-mi-principal-id>`
- The output of the command to enable managed identities on the registry will contain the principal ids of the assigned identities.
- Alternatively, you may obtain the principal ids using `az cli`:
- For system assigned managed identity:
- `az acr show -n myregistry --query identity.principalId -o tsv`
- For user assigned managed identities, you may list them as follows and use the desired principal ID:
- `az acr show -n myregistry --query identity.userAssignedIdentities`
For greater isolation, we recommend that you put each certificate in its own key vault and set its access policy independently. The registry should always have access to the key vault secrets.
### Certificate updates and rotation
You have two options for updating the certificates used for custom domains:
* **Automatic updates** - If you reference a custom domain certificate with a [non-versioned](https://docs.microsoft.com/azure/key-vault/general/about-keys-secrets-certificates#objects-identifiers-and-versioning) secret ID, the registry regularly checks the key vault and automatically uses the latest certificate version there for its operations.
To rotate or update a custom domain certificate, upload the new certificate version to the secret's location in the key vault. The registry automatically uses the latest certificate version within a short time.
> NOTE: after the certificate is updated, the registry may serve a mix of the old and new certificate versions for up to 15 minutes until all caches have been refreshed.
* **Manual updates** - If you reference a domain certificate with a [versioned](https://docs.microsoft.com/azure/key-vault/general/about-keys-secrets-certificates#objects-identifiers-and-versioning) secret ID, the registry does not configure automatic certificate rotation.
After you upload a new certificate version to the key vault, the certificate must be manually rotated in the registry. Contact [Azure Support](https://azure.microsoft.com/support/create-ticket/).
### Enhanced security with Virtual Networks
If you restrict access to the Azure Key Vault to a specific virtual network, you need to [grant access to trusted Azure services](https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#grant-access-to-trusted-azure-services), which allows the Azure Container Registry service to download the certificate.
## Prepare your DNS zone
1. The custom registry domain must have a CNAME record with the target registry login server:\
`container-registry.contoso.com` --> `myregistry.azurecr.io`
2. The regional custom data domain must have a CNAME record with the target regional registry data endpoint:\
`eastus-registry-data.contoso.com` --> `myregistry.eastus.data.azurecr.io`
- The output of the command to enable data endpoints on the registry will contain the regional data endpoint.
## Contact us
As a final step, share the following with us by creating a support ticket ([Azure Support](https://aka.ms/azuresupport)):
* Custom registry domain details
* custom registry domain (container-registry.contoso.com)
* key vault secret ID of the corresponding TLS data
* client ID of the user assigned registry identity that has access to this secret (not required in case of system assigned)
* Custom data domain details
* regional custom data domain (eastus-registry-data.contoso.com)
* key vault secret ID of the corresponding TLS data
* client ID of the user assigned registry identity that has access to this secret (not required in case of system assigned)
================================================
FILE: docs/custom-domain/deprecated/docker-vm-deploy/azuredeploy.json
================================================
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"newStorageAccountName": {
"type": "string",
"metadata": {
"description": "Unique DNS Name for the Storage Account where the Virtual Machine's disks will be placed."
}
},
"adminUsername": {
"type": "string",
"metadata": {
"description": "Username for the Virtual Machine."
}
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Password for the Virtual Machine."
}
},
"dnsNameForVM": {
"type": "string",
"metadata": {
"description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
}
},
"ubuntuOSVersion": {
"type": "string",
"defaultValue": "14.04.4-LTS",
"metadata": {
"description": "The Ubuntu version for deploying the Docker containers. This will pick a fully patched image of this given Ubuntu version. Allowed values: 14.04.4-LTS, 15.10, 16.04.0-LTS"
},
"allowedValues": [
"14.04.4-LTS",
"15.10",
"16.04.0-LTS"
]
},
"newVmName": {
"type": "string",
"metadata": {
"description": "Name of the new VM to create"
}
},
"vaultName": {
"type": "string",
"metadata": {
"description": "Name of Key Vault that has a secret"
}
},
"vaultResourceGroup": {
"type": "string",
"metadata": {
"description": "Resource Group of Key Vault that has a secret"
}
},
"secretUrlWithVersion": {
"type": "string",
"metadata": {
"description": "Url of the certificate in Key Vault"
}
},
"certThumbPrint": {
"type": "string",
"metadata": {
"description": "Thumbprint of the certificate at the above URL"
}
},
"dnsFrontEnd": {
"type": "string",
"metadata": {
"description": "DNS for the front end service."
}
},
"backendRegistry": {
"type": "string",
"metadata": {
"description": "Azure container registry serving as backend."
}
},
"caCertUrl": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "URL for the signing certificate authority cert, if any"
}
}
},
"variables": {
"imagePublisher": "Canonical",
"imageOffer": "UbuntuServer",
"OSDiskName": "osdiskfordockersimple",
"nicName": "[concat(parameters('newVmName'), 'NIC')]",
"addressPrefix": "10.0.0.0/16",
"subnetName": "Subnet",
"subnetPrefix": "10.0.0.0/24",
"storageAccountType": "Standard_LRS",
"publicIPAddressName": "[concat(parameters('newVmName'), 'PublicIPD')]",
"publicIPAddressType": "Dynamic",
"vmStorageAccountContainerName": "vhds",
"vmSize": "Standard_F1",
"virtualNetworkName": "[concat(parameters('newVmName'), 'VNET')]",
"vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",
"subnetRef": "[concat(variables('vnetID'),'/subnets/',variables('subnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('newStorageAccountName')]",
"apiVersion": "2015-05-01-preview",
"location": "[resourceGroup().location]",
"properties": {
"accountType": "[variables('storageAccountType')]"
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Network/publicIPAddresses",
"name": "[variables('publicIPAddressName')]",
"location": "[resourceGroup().location]",
"properties": {
"publicIPAllocationMethod": "[variables('publicIPAddressType')]",
"dnsSettings": {
"domainNameLabel": "[parameters('dnsNameForVM')]"
}
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Network/virtualNetworks",
"name": "[variables('virtualNetworkName')]",
"location": "[resourceGroup().location]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('addressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('subnetName')]",
"properties": {
"addressPrefix": "[variables('subnetPrefix')]"
}
}
]
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Network/networkInterfaces",
"name": "[variables('nicName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",
"[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]"
},
"subnet": {
"id": "[variables('subnetRef')]"
}
}
}
]
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Compute/virtualMachines",
"name": "[parameters('newVmName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', parameters('newStorageAccountName'))]",
"[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[variables('vmSize')]"
},
"osProfile": {
"computerName": "[parameters('newVmName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]",
"secrets": [
{
"sourceVault": {
"id": "[resourceId(parameters('vaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
},
"vaultCertificates": [
{
"certificateUrl": "[parameters('secretUrlWithVersion')]"
}
]
}
]
},
"storageProfile": {
"imageReference": {
"publisher": "[variables('imagePublisher')]",
"offer": "[variables('imageOffer')]",
"sku": "[parameters('ubuntuOSVersion')]",
"version": "latest"
},
"osDisk": {
"name": "osdisk1",
"vhd": {
"uri": "[concat('http://',parameters('newStorageAccountName'),'.blob.core.windows.net/',variables('vmStorageAccountContainerName'),'/',variables('OSDiskName'),'.vhd')]"
},
"caching": "ReadWrite",
"createOption": "FromImage"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"
}
]
}
}
},
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('newVmName'),'/docker')]",
"apiVersion": "2015-05-01-preview",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', parameters('newVmName'))]"
],
"properties": {
"publisher": "Microsoft.Azure.Extensions",
"type": "DockerExtension",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true,
"settings": { }
}
},
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('newVmName'),'/initdevbox')]",
"apiVersion": "2015-06-15",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', parameters('newVmName'))]"
],
"properties": {
"publisher": "Microsoft.Azure.Extensions",
"type": "CustomScript",
"typeHandlerVersion": "2.0",
"autoUpgradeMinorVersion": true,
"settings": {
"fileUris": ["https://raw.githubusercontent.com/Azure/acr/main/docs/custom-domain/deprecated/docker-vm-deploy/deploy-nginx-docker.sh"]
},
"protectedSettings": {
"commandToExecute": "[concat('./deploy-nginx-docker.sh ', parameters('certThumbPrint'), ' ', parameters('backendRegistry'), ' ', parameters('dnsFrontEnd'), ' \"', parameters('caCertUrl'), '\"')]"
}
}
}
]
}
================================================
FILE: docs/custom-domain/deprecated/docker-vm-deploy/azuredeploy.parameters.json
================================================
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"newVmName": {
"value": "<My VM>"
},
"newStorageAccountName": {
"value": "<My new Storage>"
},
"adminUsername": {
"value": "<Admin User>"
},
"adminPassword": {
"value": "<Password>"
},
"dnsNameForVM": {
"value": "<VM DNS>"
},
"vaultName": {
"value": "<My Vault>"
},
"vaultResourceGroup": {
"value": "<Resource Group>"
},
"secretUrlWithVersion": {
"value": "<Secret URL>"
},
"certThumbPrint": {
"value": "<Key Thumbprint>"
},
"dnsFrontEnd": {
"value": "<Front End URL>"
},
"backendRegistry": {
"value": "<Azure Registry URL>"
},
"caCertUrl": {
"value": "<Optional: CA Cert URL>"
}
}
}
================================================
FILE: docs/custom-domain/deprecated/docker-vm-deploy/deploy-nginx-docker.sh
================================================
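#!/bin/bash
# Bootstraps the nginx reverse proxy for a custom registry domain on the VM.
#
# Usage: deploy-nginx-docker.sh <cert-fingerprint> <backend-host> <frontend-host> [ca-cert-url]
#   cert-fingerprint  certificate thumbprint, passed on to setup-certs.sh
#   backend-host      host the proxy forwards to (substituted into nginx.conf)
#   frontend-host     server name the proxy answers for (substituted into nginx.conf)
#   ca-cert-url       optional URL of a CA certificate, passed on to setup-certs.sh
set -e

CERT_FINGERPRINT=$1
export BACKEND_HOST=$2
export FRONTEND_HOST=$3
CA_CERT_URL=$4

# NOTE(review): the helper script and templates are fetched from the moving `main`
# branch and then executed or rendered on the VM. Pinning SOURCE_ROOT to a reviewed
# commit would keep later upstream changes from running here unreviewed.
SOURCE_ROOT="https://raw.githubusercontent.com/Azure/acr/main"
DEPLOY_DIR="$SOURCE_ROOT/docs/custom-domain/deprecated/docker-vm-deploy"

# -f makes curl exit non-zero on an HTTP error, so `set -e` stops the script
# instead of sourcing or rendering a saved error page.
curl -fsS "$DEPLOY_DIR/setup-certs.sh" -o setup-certs.sh
chmod +x ./setup-certs.sh

# Sourced (not executed) because setup-certs.sh exports CERT_LOCATION and
# PRV_LOCATION for the steps below. Arguments are quoted so an empty CA URL
# stays an empty second argument.
. ./setup-certs.sh "$CERT_FINGERPRINT" "$CA_CERT_URL"

export CONTAINER_CERT_LOCATION="/etc/nginx/ssl/cert.crt"
export CONTAINER_PRV_LOCATION="/etc/nginx/ssl/private.key"

# Render docker-compose.yml while CERT_LOCATION/PRV_LOCATION still hold the host
# paths: the compose file maps host path -> container path.
curl -fsS "$DEPLOY_DIR/docker-compose.yml.template" -o docker-compose.yml.template
sudo -E envsubst '$CERT_LOCATION$PRV_LOCATION$CONTAINER_CERT_LOCATION$CONTAINER_PRV_LOCATION' < docker-compose.yml.template > docker-compose.yml

# nginx runs inside the container, so from here on the two variables point at
# the in-container paths.
export CERT_LOCATION=$CONTAINER_CERT_LOCATION
export PRV_LOCATION=$CONTAINER_PRV_LOCATION

# Only the four listed variables are substituted; nginx's own $variables in the
# template are left untouched.
curl -fsS "$DEPLOY_DIR/nginx.conf.template" -o nginx.conf.template
sudo -E envsubst '$FRONTEND_HOST$BACKEND_HOST$CERT_LOCATION$PRV_LOCATION' < nginx.conf.template > nginx.conf

## Docker installation extension installs docker in the background
## So we cannot make assumption about its completion time
until docker-compose up
do
    sleep 10
done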
================================================
FILE: docs/custom-domain/deprecated/docker-vm-deploy/deploy.ps1
================================================
<#
.SYNOPSIS
Starts a resource group deployment from a template file and a parameters file.

.PARAMETER templateFile
Path of the ARM template; defaults to 'azuredeploy.json'.

.PARAMETER templateParams
Path of the template parameters file; defaults to 'azuredeploy.parameters.json'.

.PARAMETER resourceGroupName
Name of the resource group to deploy into (mandatory).
#>
param (
    $templateFile = 'azuredeploy.json',
    $templateParams = 'azuredeploy.parameters.json',
    [Parameter(Mandatory=$true)]
    [string]
    $resourceGroupName
)

# Collect the cmdlet arguments in one table and splat them.
$deploymentArgs = @{
    ResourceGroupName     = $resourceGroupName
    TemplateFile          = $templateFile
    TemplateParameterFile = $templateParams
}
New-AzureRmResourceGroupDeployment @deploymentArgs
================================================
FILE: docs/custom-domain/deprecated/docker-vm-deploy/docker-compose.yml.template
================================================
# Compose definition for the nginx reverse proxy. The ${...} placeholders are
# filled in by envsubst in deploy-nginx-docker.sh before the file is used.
# NOTE(review): `image: nginx` carries no tag or digest, so the image that runs
# is whatever the default tag resolves to at deployment time.
proxy:
  image: nginx
  ports:
    - "443:443"
  volumes:
    # Certificate and private key from the host, mounted read-only.
    - "${CERT_LOCATION}:${CONTAINER_CERT_LOCATION}:ro"
    - "${PRV_LOCATION}:${CONTAINER_PRV_LOCATION}:ro"
    # Rendered nginx configuration, mounted read-only.
    - "./nginx.conf:/etc/nginx/nginx.conf:ro"
================================================
FILE: docs/custom-domain/deprecated/docker-vm-deploy/nginx.conf.template
================================================
# TLS-terminating reverse proxy: serves ${FRONTEND_HOST} on 443 and forwards every
# request to ${BACKEND_HOST}:443. The ${...} placeholders are filled in by envsubst
# in deploy-nginx-docker.sh; nginx's own $variables are left as they are.
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # The 'main' format is defined here, but the access_log line below has it
    # commented out, so the access log uses nginx's default format.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log; # main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
    upstream backends {
        server ${BACKEND_HOST}:443;
    }
    server {
        # No ssl_protocols or ssl_ciphers directive is set in this file, so the
        # defaults of whichever nginx image is deployed apply.
        listen 443 ssl; # 'ssl' parameter tells NGINX to decrypt the traffic
        server_name ${FRONTEND_HOST};
        ssl_certificate ${CERT_LOCATION}; # The certificate file
        ssl_certificate_key ${PRV_LOCATION}; # The private key file
        location / {
            # Very high body limit; presumably sized for image layer uploads -- confirm.
            client_max_body_size 1000G;
            # The backend is addressed by its own host name, not the custom domain.
            proxy_set_header Host ${BACKEND_HOST};
            proxy_set_header X-Real-IP $remote_addr;
            # Appends the client address to any X-Forwarded-For header already present.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # NOTE(review): the upstream connection is HTTPS, but this file sets no
            # proxy_ssl_verify / proxy_ssl_trusted_certificate / proxy_ssl_name, and
            # nginx does not verify the upstream certificate by default. Enabling
            # verification would authenticate the backend registry to the proxy.
            proxy_pass https://backends;
        }
    }
}
================================================
FILE: docs/custom-domain/deprecated/docker-vm-deploy/setup-certs.sh
================================================
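#!/bin/bash
# Resolves the certificate and private-key paths used by the nginx proxy.
# Meant to be sourced: it exports CERT_LOCATION and PRV_LOCATION to the caller.
#
#   $1  certificate thumbprint; upper-cased and used as the file name under /var/lib/waagent
#   $2  optional URL of a CA certificate (PEM or DER) to append to the server certificate
CERT_FINGERPRINT=$1
CA_CERT_URL=$2

# Quoted ranges: the bare `tr [a-z] [A-Z]` form is subject to shell globbing and
# breaks if a single-letter file name exists in the working directory.
CERT_FINGERPRINT=$(printf '%s' "$CERT_FINGERPRINT" | tr 'a-z' 'A-Z')

if [ -n "$CA_CERT_URL" ]; then
    # NOTE(review): the downloaded file is appended to the served certificate
    # chain without any integrity check; an https URL from a source you control
    # is assumed -- TODO confirm with callers.
    # -f makes curl fail on an HTTP error instead of saving the error page.
    curl -fsS "$CA_CERT_URL" -o ca_cert.crt

    # Probe whether the download parses as PEM. A failure is expected for DER
    # input, so errexit is suspended around the probe. The `set -e` afterwards
    # leaves errexit enabled in the sourcing shell.
    set +e
    certDetails=$(openssl x509 -in ca_cert.crt -text -noout)
    set -e

    # if it is not PEM, it must be DER
    if [ -z "$certDetails" ]; then
        openssl x509 -in ca_cert.crt -inform der -outform pem -out ca_cert_pem.crt
    else
        mv ca_cert.crt ca_cert_pem.crt
    fi

    # Server certificate first, then the CA certificate, written to the working directory.
    sudo cat "/var/lib/waagent/$CERT_FINGERPRINT.crt" ca_cert_pem.crt > cert.crt
    export CERT_LOCATION="$(pwd)/cert.crt"
else
    export CERT_LOCATION="/var/lib/waagent/${CERT_FINGERPRINT}.crt"
fi

export PRV_LOCATION="/var/lib/waagent/${CERT_FINGERPRINT}.prv"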
================================================
FILE: docs/custom-domain/deprecated/key-vault-setup/ensure-vault.ps1
================================================
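<#
.SYNOPSIS
Creates an Azure Key Vault when no vault with the given name is found.

.PARAMETER subscriptionName
Optional. When supplied, the subscription is selected before the lookup.

.PARAMETER resourceGroupName
Resource group in which a new vault is created.

.PARAMETER vaultName
Name of the vault to look up and, if it is missing, to create.
#>
param (
    $subscriptionName,
    $resourceGroupName,
    $vaultName
)

if ($subscriptionName)
{
    Select-AzureRmSubscription -SubscriptionName $subscriptionName
}

# -ev / -ea are the short forms of -ErrorVariable / -ErrorAction (0 = SilentlyContinue):
# a failed lookup is recorded in $notPresent instead of being reported.
# NOTE(review): this relies on the lookup raising an error when the vault does not
# exist; confirm that for the installed AzureRM module version.
Get-AzureRmKeyVault -VaultName $vaultName -ev notPresent -ea 0

if ($notPresent)
{
    # -EnabledForDeployment allows the vault's secrets to be retrieved during virtual
    # machine deployment; leave it off for vaults that do not hold deployment certificates.
    New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName -Sku standard -EnabledForDeployment
}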
================================================
FILE: docs/custom-domain/deprecated/key-vault-setup/upload-cert.ps1
================================================
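<#
.SYNOPSIS
Uploads a PFX certificate and its password to Azure Key Vault as a single secret.

.DESCRIPTION
The PFX bytes and the password are wrapped in a JSON document with the keys
"data", "dataType" and "password"; that document is base64-encoded and stored
as the secret value.

.PARAMETER pfxFilePath
Path of the PFX file to upload.

.PARAMETER pfxPwFile
Path of a text file holding the PFX password.

.PARAMETER secretName
Name of the Key Vault secret to create or update.

.PARAMETER vaultName
Name of the target Key Vault.
#>
param (
    [Parameter(Mandatory=$true)]
    [string]
    $pfxFilePath,
    [Parameter(Mandatory=$true)]
    [string]
    $pfxPwFile,
    [Parameter(Mandatory=$true)]
    [string]
    $secretName,
    [Parameter(Mandatory=$true)]
    [string]
    $vaultName
)

# Drop the line terminator that editors append to the password file; otherwise it
# would be stored as part of the password.
$pfxPw = [IO.File]::ReadAllText($pfxPwFile).TrimEnd([char[]]"`r`n")

$pfxContent = Get-Content $pfxFilePath -Encoding Byte
$pfxContentEncoded = [System.Convert]::ToBase64String($pfxContent)

# Serialize with ConvertTo-Json rather than pasting the values into a JSON
# here-string: a quote or backslash in the password is then escaped correctly and
# cannot break the document or add keys to it.
$certBundleObj = [ordered]@{
    data     = $pfxContentEncoded
    dataType = 'pfx'
    password = $pfxPw
} | ConvertTo-Json

$bundleObjBytes = [System.Text.Encoding]::UTF8.GetBytes($certBundleObj)
$bundleObjEncoded = [System.Convert]::ToBase64String($bundleObjBytes)

# The secret holds the private key together with its password, so read access to
# this one secret is enough to recover the key; grant "get" on it sparingly.
$secretValue = ConvertTo-SecureString -String $bundleObjEncoded -AsPlainText -Force
Set-AzureKeyVaultSecret -Name $secretName -SecretValue $secretValue -VaultName $vaultName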
================================================
FILE: docs/custom-domain/deprecated/registry-setup-deprecated.md
================================================
# How to use a custom domain for azure container registry
An Azure container registry typically has a login URL of the form `*.azurecr.io`. A customer might prefer a custom domain associated with their own organization. This guide explains how to achieve that.
## Prerequisites
For this example, we suppose that you want to associate `registry.contoso.com` with an Azure Container Registry. You would need the following:
* Setup your organization's DNS zone `.contoso.com`. To create one on Azure, you can follow [this guide](https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-create-dnszone-portal)
* An SSL certificate for `registry.contoso.com`, which we will call `contoso.pfx`. Put the certificate's password in a file named `pwd.txt`. Optionally, you also need the URL of your signing CA certificate, such as `http://www.contoso.com/pki/ca.cert`
* An instance of Azure Container Registry service as the backend. In this example we would assume it's `docker-registry-contoso.azurecr.io`
## Steps
### Upload your cert into Azure Key Vault
Under [key-vault-setup/](key-vault-setup/), run the following:
1. (Optional) Create an Azure Key Vault, if you don't already have one:
`.\ensure-vault.ps1 -subscriptionName <subscription> -resourceGroupName <resourceGroup> -vaultName <new VaultName>`
2. Upload `contoso.pfx` to Azure Key Vault:
`.\upload-cert.ps1 -pfxFilePath <pfxFile> -pfxPwFile <pwdFile> -secretName <new SecretName> -vaultName <vaultName>`
### Deploy and configure an Nginx Docker image on a new Azure VM
Deploy via Azure Portal
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Facr%2Fmaster%2Fdocs%2Fcustom-domain%2Fdocker-vm-deploy%2Fazuredeploy.json" target="_blank">
<img src="http://azuredeploy.net/deploybutton.png"/>
</a>
<a href="http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Facr%2Fmaster%2Fdocs%2Fcustom-domain%2Fdocker-vm-deploy%2Fazuredeploy.json" target="_blank">
<img src="http://armviz.io/visualizebutton.png"/>
</a>
Alternatively, to deploy using the PowerShell script under [docker-vm-deploy/](docker-vm-deploy/), do the following:
1. Edit [azuredeploy.parameters.json](docker-vm-deploy/azuredeploy.parameters.json) and populate all necessary parameters
2. Run the following script to create the new VM:
`.\deploy.ps1 -resourceGroupName <resourceGroup>`
### Configure DNS zone
Configure the DNS zone so `registry.contoso.com` points to the Azure VM you have just created. If you are using an Azure DNS Zone, you can use the following command:
`New-AzureRmDnsRecordSet -Name <registry> -RecordType CNAME -ZoneName <contoso.com> -ResourceGroupName <resourceGroup> -Ttl <Ttl> -DnsRecords (New-AzureRmDnsRecordConfig -Cname <AddrToAboveVM>)`
## Quick verification
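A simple way to test the setup is to call `docker login` to quickly confirm that the requests are properly forwarded. Note that `-p` puts the password on the command line, where shell history and process listings can capture it; `docker login` also accepts `--password-stdin`: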
`docker login -u <username> -p <password> registry.contoso.com`
================================================
FILE: docs/deploy.sh
================================================
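#!/usr/bin/env sh
# Build the VuePress site and force-push the build output to the gh-pages branch
# of the repository named by GH_REPOSITORY (<owner>/<repo>), over SSH.

# abort on errors
set -e

# Stop before building when the push target is unknown; an empty value would
# otherwise produce the remote "git@github.com:.git" and fail only at the end.
: "${GH_REPOSITORY:?GH_REPOSITORY must be set to <owner>/<repo>}"

# NOTE(review): this installs whichever vuepress release is current at run time.
# Pinning a reviewed version, or installing from a lockfile, keeps a changed
# upstream package from reaching the published site unnoticed.
npm install -g vuepress

# build
npm run docs:build

# navigate into the build output directory
cd ./gh-pages

# if you are deploying to a custom domain
# echo 'www.example.com' > CNAME

# Separate statements instead of one '&&' chain: 'set -e' ignores a failure in any
# command of such a chain except the last, so a failed step used to go unnoticed.
git init
# NOTE(review): --global rewrites the identity of whoever runs this script, not
# only of this throw-away repository; acceptable on a CI runner, surprising on a
# workstation.
git config --global user.email @users.noreply.github.com
git config --global user.name "Git Hub Deploy Action"
git add .
git commit -m 'deploy'

# Push the commit just created, whatever the initial branch is called locally
# (it is not necessarily "master"). -f replaces the previous gh-pages history.
git push -f "git@github.com:${GH_REPOSITORY}.git" HEAD:refs/heads/gh-pages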
================================================
FILE: docs/http-headers.md
================================================
# Azure Container Registry HTTP headers
Azure container registries are compatible with a multitude of services and orchestrators. To help our customers, we'd like to understand which services in Azure, or outside of Azure, are issuing registry requests. To track the source services and agents from which ACR is used, we have started using the `HttpHeaders` field in the Docker `config.json` file.
## Header format
ACR will parse headers using the following format:
```HTTP
X-Meta-Source-Client: <cloud>/<service>/<optionalservicename>
```
* `cloud`: Azure, Azure Stack, or other government- or country-specific Azure cloud.
* `service`: The name of the service.
* `optionalservicename`: An optional parameter for services with subservices, or for specifying a SKU. For example, Web Apps corresponds to `azure/app-service/web-apps`. The servicename can also be a hierarchy path, for example `azure/acr/connected-registry/instance-1`.
### Example
```JSON
{
"HttpHeaders": {
"X-Meta-Source-Client": "azure/aks"
},
"auths": {
"myregistry.azurecr.io": {}
},
"credsStore": "wincred"
}
```
## Header values
Partner services and orchestrators are encouraged to use specific header values to help with our telemetry. Users can also modify the value passed to the header if they so desire.
The values we ask ACR partners to use when populating the `X-Meta-Source-Client` field are:
| Cloud | Header |
| ------------------ | ------------- |
| Azure Public Cloud | `azure/` |
| Azure Stack | `azurestack/` |
| China (Mooncake) | `china/` |
| Germany | `germany/` |
| US DOD | `azureusdod/` |
| US Gov | `azureusgov/` |
| On Premise | `on-prem/` |
| Service or Orchestrator name | Header |
| ------------------------------ | ----------------------------------------- |
| App Service - Logic Apps | `azure/app-service/logic-apps` |
| App Service - Web Apps | `azure/app-service/web-apps` |
| Azure Container Builder | `azure/acb` |
| Azure Container Instance | `azure/aci` |
| Azure Container Service | `azure/acs` |
| Azure Kubernetes Service | `azure/aks` |
| AKS Engine (Kubernetes) | `azure/aks-engine` |
| Cluster API Azure (Kubernetes) | `azure/capz` |
| Batch | `azure/batch` |
| Cloud Console | `azure/cloud-console` |
| Functions | `azure/functions` |
| HDInsight | `azure/hdinsight` |
| Internet of Things - Hub | `azure/iot/hub` |
| Jenkins | `azure/jenkins` |
| Machine Learning | `azure/ml` |
| Service Fabric | `azure/service-fabric` |
| VSTS | `azure/vsts` |
| ACR Tasks | `azure/acr/tasks` |
| ACR Connected Registry | `azure/acr/connected-registry/instance-1` |
================================================
FILE: docs/image-signing.md
================================================
# Azure Container Registry Image Signing
Azure Container Registry supports image signing through [Docker Content Trust](https://docs.docker.com/notary/getting_started/).
To push signed images to ACR, the following configuration is required:
* The user or service principal used for automated signing must be assigned the `AcrImageSigner` role on your registry for signing, in addition to the `Owner`, `Contributor` roles. Role assignment can be done by the following methods.
* Azure Portal: Your registry -> Access Control (IAM) -> Add (Select `AcrImageSigner` for the Role).
* Azure CLI: Find the resource id `id` of the registry by running
```
az acr show -n myRegistry
```
Then you can assign the `AcrImageSigner` role to a user
```
az role assignment create --scope resource_id --role AcrImageSigner --assignee user@example.com
```
or a service principal identified by its application ID
```
az role assignment create --scope resource_id --role AcrImageSigner --assignee 00000000-0000-0000-0000-000000000000
```
* To pull trusted images, a `Reader` role is enough for normal users. No additional roles like an `AcrImageSigner` role are required.
You can use the Docker client and the Notary client to interact with trusted images in ACR.
Detailed documentation can be found at [Content trust in Docker](https://docs.docker.com/engine/security/trust/content_trust/).
================================================
FILE: docs/image-transfer/ExportPipelines/azuredeploy.json
================================================
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"registryName": {
"type": "string",
"minLength": 5,
"maxLength": 50,
"metadata": {
"description": "Name of your Azure Container Registry"
}
},
"exportPipelineName": {
"type": "string",
"minLength": 5,
"maxLength": 50,
"metadata": {
"description": "Name of your export pipeline."
}
},
"userAssignedIdentity": {
"type": "string",
"metadata": {
"description": "The user assigned identity to be bound to the task run."
},
"defaultValue": ""
},
"targetUri": {
"type": "string",
"metadata": {
"description": "The target URI of the export pipeline."
}
},
"keyVaultName": {
"type": "string",
"metadata": {
"description": "The key vault name to obtain the target storage SAS token."
}
},
"sasTokenSecretName": {
"type": "string",
"metadata": {
"description": "The key vault secret name to obtain the target storage SAS token."
}
},
"options": {
"type": "array",
"metadata": {
"description": "The list of all options configured for the pipeline."
},
"defaultValue": []
},
"storageAccessMode": {
"type": "string",
"defaultValue": "SasToken",
"allowedValues": [
"SasToken",
"ManagedIdentity"
],
"metadata": {
"description": "The storage access mode for the export pipeline. Use 'SasToken' to authenticate via a SAS token stored in Key Vault, or 'ManagedIdentity' to authenticate directly using an Entra managed identity."
}
}
},
"variables": {
"targetType": "AzureStorageBlobContainer",
"systemIdentity": {
"type": "SystemAssigned"
},
"userIdentity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[parameters('userAssignedIdentity')]": {}
}
},
"keyVaultSecretsPermissions": [
"get"
]
},
"resources": [
{
"type": "Microsoft.ContainerRegistry/registries/exportPipelines/",
"name": "[concat(parameters('registryName'), '/', parameters('exportPipelineName'))]",
"location": "[parameters('location')]",
"apiVersion": "2025-06-01-preview",
"identity": "[if(not(empty(parameters('userAssignedIdentity'))), variables('userIdentity'), variables('systemIdentity'))]",
"properties": {
"target": {
"type": "[variables('targetType')]",
"uri": "[parameters('targetUri')]",
"keyVaultUri": "[concat(reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), '2023-07-01').vaultUri, 'secrets/', parameters('sasTokenSecretName'))]",
"storageAccessMode": "[parameters('storageAccessMode')]"
},
"options": "[parameters('options')]"
}
},
{
"condition": "[equals(parameters('storageAccessMode'), 'SasToken')]",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('keyVaultName'), '/add')]",
"apiVersion": "2023-07-01",
"dependsOn": [
"[resourceId('Microsoft.ContainerRegistry/registries/exportPipelines', parameters('registryName'), parameters('exportPipelineName'))]"
],
"properties": {
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[if(not(empty(parameters('userAssignedIdentity'))), reference(parameters('userAssignedIdentity'), '2023-01-31').principalId, reference(resourceId('Microsoft.ContainerRegistry/registries/exportPipelines', parameters('registryName'), parameters('exportPipelineName')), '2025-06-01-preview', 'Full').identity.principalId)]",
"permissions": {
"secrets": "[variables('keyVaultSecretsPermissions')]"
}
}
]
}
}
]
}
================================================
FILE: docs/image-transfer/ExportPipelines/azuredeploy.parameters.json
================================================
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"registryName": {
"value": "myregistry"
},
"exportPipelineName": {
"value": "myExportPipeline"
},
"targetUri": {
"value": "https://accountname.blob.core.windows.net/containername"
},
"keyVaultName": {
"value": "myvault"
},
"sasTokenSecretName": {
"value": "acrexportsas"
},
"options": {
"value": [
"OverwriteBlobs",
"ContinueOnErrors"
]
},
"storageAccessMode": {
"value": "SasToken"
}
}
}
================================================
FILE: docs/image-transfer/ImportPipelines/azuredeploy.json
================================================
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"registryName": {
"type": "string",
"minLength": 5,
"maxLength": 50,
"metadata": {
"description": "Name of your Azure Container Registry"
}
},
"importPipelineName": {
"type": "string",
"minLength": 5,
"maxLength": 50,
"metadata": {
"description": "Name of your import pipeline."
}
},
"userAssignedIdentity": {
"type": "string",
"metadata": {
"description": "The user assigned identity to be bound to the task run."
},
"defaultValue": ""
},
"sourceUri": {
"type": "string",
"metadata": {
"description": "The source URI of the import pipeline."
}
},
"keyVaultName": {
"type": "string",
"metadata": {
"description": "The key vault name to obtain the target storage SAS token."
}
},
"sasTokenSecretName": {
"type": "string",
"metadata": {
"description": "The key vault secret name to obtain the target storage SAS token."
}
},
"sourceTriggerStatus": {
"type": "string",
"defaultValue": "Enabled",
"metadata": {
"description": "Indicates whether you want to enable the source trigger on the import pipeline."
},
"allowedValues": [
"Enabled",
"Disabled"
]
},
"options": {
"type": "array",
"metadata": {
"description": "The list of all options configured for the pipeline."
},
"defaultValue": []
},
"storageAccessMode": {
"type": "string",
"defaultValue": "SasToken",
"allowedValues": [
"SasToken",
"ManagedIdentity"
],
"metadata": {
"description": "The storage access mode for the import pipeline. Use 'SasToken' to authenticate via a SAS token stored in Key Vault, or 'ManagedIdentity' to authenticate directly using an Entra managed identity."
}
}
},
"variables": {
"sourceType": "AzureStorageBlobContainer",
"systemIdentity": {
"type": "SystemAssigned"
},
"userIdentity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[parameters('userAssignedIdentity')]": {}
}
},
"keyVaultSecretsPermissions": [
"get"
]
},
"resources": [
{
"type": "Microsoft.ContainerRegistry/registries/importPipelines/",
"name": "[concat(parameters('registryName'), '/', parameters('importPipelineName'))]",
"location": "[parameters('location')]",
"apiVersion": "2025-06-01-preview",
"identity": "[if(not(empty(parameters('userAssignedIdentity'))), variables('userIdentity'), variables('systemIdentity'))]",
"properties": {
"source": {
"type": "[variables('sourceType')]",
"uri": "[parameters('sourceUri')]",
"keyVaultUri": "[concat(reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), '2023-07-01').vaultUri, 'secrets/', parameters('sasTokenSecretName'))]",
"storageAccessMode": "[parameters('storageAccessMode')]"
},
"trigger": {
"sourceTrigger": {
"status": "[parameters('sourceTriggerStatus')]"
}
},
"options": "[parameters('options')]"
}
},
{
"condition": "[equals(parameters('storageAccessMode'), 'SasToken')]",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('keyVaultName'), '/add')]",
"apiVersion": "2023-07-01",
"dependsOn": [
"[resourceId('Microsoft.ContainerRegistry/registries/importPipelines', parameters('registryName'), parameters('importPipelineName'))]"
],
"properties": {
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[if(not(empty(parameters('userAssignedIdentity'))), reference(parameters('userAssignedIdentity'), '2023-01-31').principalId, reference(resourceId('Microsoft.ContainerRegistry/registries/importPipelines', parameters('registryName'), parameters('importPipelineName')), '2025-06-01-preview', 'Full').identity.principalId)]",
"permissions": {
"secrets": "[variables('keyVaultSecretsPermissions')]"
}
}
]
}
}
]
}
================================================
FILE: docs/image-transfer/ImportPipelines/azuredeploy.parameters.json
================================================
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"registryName": {
"value": "myregistry"
},
"importPipelineName": {
"value": "myImportPipeline"
},
"sourceUri": {
"value": "https://accountname.blob.core.windows.net/containername"
},
"keyVaultName": {
"value": "myvault"
},
"sasTokenSecretName": {
"value": "acrimportsas"
},
"options": {
"value": [
"OverwriteTags",
"DeleteSourceBlobOnSuccess",
"ContinueOnErrors"
]
},
"storageAccessMode": {
"value": "SasToken"
}
}
}
================================================
FILE: docs/image-transfer/PipelineRun/PipelineRun-Export/azuredeploy.json
================================================
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"registryName": {
"type": "string",
"minLength": 5,
"maxLength": 50,
"metadata": {
"description": "Name of your Azure Container Registry"
}
},
"pipelineRunName": {
"type": "string",
"minLength": 5,
"maxLength": 50,
"metadata": {
"description": "Name of your pipeline run."
}
},
"pipelineResourceId": {
"type": "string",
"metadata": {
"description": "The resource ID of the pipeline to run."
}
},
"artifacts": {
"type": "array",
"metadata": {
"description": "List of source artifacts to be transferred by the pipeline."
},
"defaultValue": []
},
"sourceName": {
"type": "string",
"metadata": {
"description": "Name of the existing blob for exported artifacts in your storage account, such as myblob."
},
"defaultValue": ""
},
"targetName": {
"type": "string",
"metadata": {
"description": "Name you choose for the artifacts blob exported to your source storage account, such as myblob."
},
"defaultValue": ""
},
"catalogDigest": {
"type": "string",
"metadata": {
"description": "The digest of the tar used to transfer the artifacts."
},
"defaultValue": ""
},
"forceUpdateTag": {
"type": "string",
"metadata": {
"description": "How the pipeline run should be forced to recreate even if the pipeline run configuration has not changed."
},
"defaultValue": ""
}
},
"variables": {
"transferType": "AzureStorageBlob"
},
"resources": [
{
"type": "Microsoft.ContainerRegistry/registries/pipelineRuns/",
"name": "[concat(parameters('registryName'), '/', parameters('pipelineRunName'))]",
"location": "[parameters('location')]",
"apiVersion": "2025-06-01-preview",
"properties": {
"request": {
"pipelineResourceId": "[parameters('pipelineResourceId')]",
"artifacts": "[parameters('artifacts')]",
"source": {
"type": "[if(not(empty(parameters('sourceName'))), variables('transferType'), '')]",
"name": "[parameters('sourceName')]"
},
"target": {
"type": "[if(not(empty(parameters('targetName'))), variables('transferType'), '')]",
"name": "[parameters('targetName')]"
},
"catalogDigest": "[parameters('catalogDigest')]"
},
"forceUpdateTag": "[parameters('forceUpdateTag')]"
}
}
]
}
================================================
FILE: docs/image-transfer/PipelineRun/PipelineRun-Export/azuredeploy.parameters.json
================================================
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"registryName": {
"value": "myregistry"
},
"pipelineRunName": {
"value": "myPipelineRunExport"
},
"pipelineResourceId": {
"value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/myRegistry/exportPipelines/myExportPipeline"
},
"targetName": {
"value": "myblob"
},
"artifacts": {
"value": [
"hello-world:latest",
"sourceRepository@sha256:0000000000000000000000000000000000000000000000000000000000000000"
]
}
}
}
================================================
FILE: docs/image-transfer/PipelineRun/PipelineRun-Import/azuredeploy.json
================================================
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"registryName": {
"type": "string",
"minLength": 5,
"maxLength": 50,
"metadata": {
"description": "Name of your Azure Container Registry"
}
},
"pipelineRunName": {
"type": "string",
"minLength": 5,
"maxLength": 50,
"metadata": {
"description": "Name of your pipeline run."
}
},
"pipelineResourceId": {
"type": "string",
"metadata": {
"description": "The resource ID of the pipeline to run."
}
},
"artifacts": {
"type": "array",
"metadata": {
"description": "List of source artifacts to be transferred by the pipeline."
},
"defaultValue": []
},
"sourceName": {
"type": "string",
"metadata": {
"description": "Name of the existing blob for exported artifacts in your storage account, such as myblob."
},
"defaultValue": ""
},
"targetName": {
"type": "string",
"metadata": {
"description": "Name you choose for the artifacts blob exported to your source storage account, such as myblob."
},
"defaultValue": ""
},
"catalogDigest": {
"type": "string",
"metadata": {
"description": "The digest of the tar used to transfer the artifacts."
},
"defaultValue": ""
},
"forceUpdateTag": {
"type": "string",
"metadata": {
"description": "How the pipeline run should be forced to recreate even if the pipeline run configuration has not changed."
},
"defaultValue": ""
}
},
"variables": {
"transferType": "AzureStorageBlob"
},
"resources": [
{
"type": "Microsoft.ContainerRegistry/registries/pipelineRuns/",
"name": "[concat(parameters('registryName'), '/', parameters('pipelineRunName'))]",
"location": "[parameters('location')]",
"apiVersion": "2025-06-01-preview",
"properties": {
"request": {
"pipelineResourceId": "[parameters('pipelineResourceId')]",
"artifacts": "[parameters('artifacts')]",
"source": {
"type": "[if(not(empty(parameters('sourceName'))), variables('transferType'), '')]",
"name": "[parameters('sourceName')]"
},
"target": {
"type": "[if(not(empty(parameters('targetName'))), variables('transferType'), '')]",
"name": "[parameters('targetName')]"
},
"catalogDigest": "[parameters('catalogDigest')]"
},
"forceUpdateTag": "[parameters('forceUpdateTag')]"
}
}
]
}
================================================
FILE: docs/image-transfer/PipelineRun/PipelineRun-Import/azuredeploy.parameters.json
================================================
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"registryName": {
"value": "myregistry"
},
"pipelineRunName": {
"value": "myPipelineRunImport"
},
"pipelineResourceId": {
"value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/myRegistry/importPipelines/myImportPipeline"
},
"sourceName": {
"value": "myblob"
}
}
}
================================================
FILE: docs/image-transfer/README.md
================================================
# ACR Transfer - Sample ARM Templates
This directory contains Azure Resource Manager (ARM) templates for ACR Transfer, a feature for transferring container images and OCI artifacts between Azure Container Registries in disconnected environments.
## Templates
| Directory | Description |
|-----------|-------------|
| [ExportPipelines](./ExportPipelines) | Creates an ExportPipeline resource for exporting artifacts from a container registry to a storage account blob container. |
| [ImportPipelines](./ImportPipelines) | Creates an ImportPipeline resource for importing artifacts from a storage account blob container into a container registry. |
| [PipelineRun/PipelineRun-Export](./PipelineRun/PipelineRun-Export) | Creates a PipelineRun resource to trigger an export pipeline. |
| [PipelineRun/PipelineRun-Import](./PipelineRun/PipelineRun-Import) | Creates a PipelineRun resource to trigger an import pipeline. |
## Documentation
For complete documentation including prerequisites, setup instructions, and usage examples, see:
**[ACR Transfer Documentation](https://aka.ms/acr/transfer)**
The documentation covers:
- What is ACR Transfer and how it works
- Storage access modes (SAS Token vs Managed Identity)
- Prerequisites and setup
- Step-by-step guides for Azure CLI and ARM templates
- Troubleshooting
## Quick Start
These templates require:
- Azure Container Registry Premium tier
- Storage accounts with blob containers
- API version `2025-06-01-preview` or later
- For detailed prerequisites and instructions, refer to the [official documentation](https://aka.ms/acr/transfer)
================================================
FILE: docs/integration/CircleCI.md
================================================
# Using Azure Container Registry With CircleCI
For configuration of your Docker build using CircleCI, refer to [https://circleci.com/docs/1.0/docker/](https://circleci.com/docs/1.0/docker/)
Here is a sample `circle.yml` file that can be used with Azure Container Registry using three environment variables as a part of the build, that builds and pushes an image to the registry.
``` yml
machine:
services:
- docker
dependencies:
override:
- docker info
- docker build --rm=false -t $REGISTRY_HOST/circleci .
test:
override:
- docker run -d hello-world
deployment:
hub:
branch: master
commands:
- docker login -e $DOCKER_USER -u $DOCKER_USER -p $DOCKER_PASSWORD $REGISTRY_HOST
- docker push $REGISTRY_HOST/circleci
```
| Environment Variable | Description |
| --------------------|-------------|
| REGISTRY_HOST | Login server host for your Registry |
| DOCKER_USER | Service principal or admin user for the registry |
| DOCKER_PASSWORD | User's password that would be used for docker login |
================================================
FILE: docs/integration/change-analysis/README.md
================================================
---
type: post
title: "Change Analysis"
tags: [developers, teleport]
date: 2019-11-13 17:00:00
author: Sajay Antony
---
# Change Analysis with ACR
You can enable change analysis service on your subscription in the [Azure Portal](https://docs.microsoft.com/en-us/azure/azure-monitor/app/change-analysis) or using the following command
```sh
az provider register -n 'Microsoft.ChangeAnalysis'
```
Once this has been enabled you can view changes on your registry.
For example, you can see that the `adminUserEnabled` boolean has been changed on the registry.

================================================
FILE: docs/integration/github-actions/Dockerfile
================================================
# Sample image for the GitHub Actions walkthrough: it only re-tags the base image.
# NOTE(review): the base image carries no tag or digest, so each build uses
# whatever "hello-world:latest" resolves to at that moment; pin a digest if the
# build must be reproducible.
FROM hello-world
================================================
FILE: docs/integration/github-actions/github-actions.md
================================================
# Using Azure Container Registry With GitHub Actions
For creating workflows for your GitHub repository using GitHub Actions, please refer to [https://developer.github.com/actions/](https://developer.github.com/actions/).
The following `main.workflow` file defines a workflow that uses the built-in Docker Actions to log in to the Azure Container Registry, then build and push an image to the registry. You also need to define three secrets to pass the registry access information to the Actions.
| Secret/Environment Variable | Description |
| --------------------|---------------------------------------------------------------|
| DOCKER_REGISTRY_URL | Login server url for the registry, eg, myregistry.azurecr.io |
| DOCKER_USERNAME | Service principal App ID or admin username for the registry |
| DOCKER_PASSWORD | Service principal password or admin password for the registry |
main.workflow
---
```
workflow "DockerFlowExample" {
resolves = ["Docker Push"]
on = "push"
}
action "Docker Login" {
uses = "actions/docker/login@8cdf801b322af5f369e00d85e9cf3a7122f49108"
secrets = ["DOCKER_REGISTRY_URL", "DOCKER_USERNAME", "DOCKER_PASSWORD"]
}
action "Docker Build" {
uses = "actions/docker/cli@8cdf801b322af5f369e00d85e9cf3a7122f49108"
needs = ["Docker Login"]
args = ["build", "-t", "$DOCKER_REGISTRY_URL/hello-world:latest", "docs/integration/github-actions"]
secrets = ["DOCKER_REGISTRY_URL"]
}
action "Docker Push" {
uses = "actions/docker/cli@8cdf801b322af5f369e00d85e9cf3a7122f49108"
needs = ["Docker Build"]
args = ["push", "$DOCKER_REGISTRY_URL/hello-world:latest"]
secrets = ["DOCKER_REGISTRY_URL"]
}
```
================================================
FILE: docs/integration/github-actions/main.workflow
================================================
# Workflow that logs in to the registry, builds the sample image and pushes it.
# It runs on every push event and resolves to the final "Docker Push" action, which
# pulls in "Docker Build" and "Docker Login" through the needs chain below.
workflow "DockerFlowExample" {
resolves = ["Docker Push"]
on = "push"
}
# Each action is referenced by a full commit SHA rather than a branch or tag, so
# the code that receives the secrets cannot change without this file changing.
# Only this action is given the registry user name and password.
action "Docker Login" {
uses = "actions/docker/login@8cdf801b322af5f369e00d85e9cf3a7122f49108"
secrets = ["DOCKER_REGISTRY_URL", "DOCKER_USERNAME", "DOCKER_PASSWORD"]
}
# Builds docs/integration/github-actions and tags the result hello-world:latest
# under the registry host taken from DOCKER_REGISTRY_URL.
action "Docker Build" {
uses = "actions/docker/cli@8cdf801b322af5f369e00d85e9cf3a7122f49108"
needs = ["Docker Login"]
args = ["build", "-t", "$DOCKER_REGISTRY_URL/hello-world:latest", "docs/integration/github-actions"]
secrets = ["DOCKER_REGISTRY_URL"]
}
# Pushes the tag built above. This action receives only the registry URL, so it
# presumably reuses the login state left by "Docker Login"; verify against the runner.
action "Docker Push" {
uses = "actions/docker/cli@8cdf801b322af5f369e00d85e9cf3a7122f49108"
needs = ["Docker Build"]
args = ["push", "$DOCKER_REGISTRY_URL/hello-world:latest"]
secrets = ["DOCKER_REGISTRY_URL"]
}
================================================
FILE: docs/move-repositories-to-new-registry/README.md
================================================
# How to move your repositories to a new registry?
When users create a container registry backed by a storage account, the repositories are pushed under a blob container that is named after the registry within that storage account.
In the example below we have two registries in a resource group associated with the same storage account.

Here using [Azure Storage Explorer](http://storageexplorer.com/) we can see that each registry gets a container with the corresponding registry name.

To copy the repositories over, all you need to do is move the blobs from one container to the other. If you do not care about the old container registry, you can just rename the blob container and delete the registry, since deleting a registry does not delete the associated data in your storage account.

> Make sure you paste that into the target registry's blob container and you should be able to pull your images from the new registry.
================================================
FILE: docs/package.json
================================================
{
"scripts": {
"docs:dev": "vuepress dev .",
"docs:build": "vuepress build ."
}
}
================================================
FILE: docs/preview/abac-repo-permissions/README.md
================================================
# Microsoft Entra attribute-based access control (ABAC) for repository permissions (Preview)
ACR ABAC for Microsoft Entra-based repository permissions is currently in public preview (Portal as of May 9th, 2025, Azure CLI as of May 19th, 2025).
Documentation is available at [https://aka.ms/acr/auth/abac](https://aka.ms/acr/auth/abac).
================================================
FILE: docs/preview/artifact-streaming/README.md
================================================
> [!NOTE]
> This feature is available as a public preview.
## About
Azure Container Registry (ACR) and Azure Kubernetes Service (AKS) are proud to announce the public preview of artifact streaming. Artifact streaming for AKS provides customers the ability to accelerate containerized workloads in the cloud by dramatically reducing the overall startup time.
Artifact streaming will empower customers to scale resources on AKS seamlessly by not having to wait for long pull times for each Kubernetes pod. Linux amd64 container images are supported during this public preview, and we plan to support Windows and arm64 container images in the future. We can’t wait to hear what our customers think and look forward to feedback on further improving this feature.
Get started today at [aka.ms/acr/artifact-streaming](https://aka.ms/acr/artifact-streaming).
================================================
FILE: docs/preview/connected-registry/README.md
================================================
# ACR connected registry (Private Preview) instructions
This article provides guidance for use of the connected registry feature of Azure Container Registry (ACR) during the limited preview.
To request preview access, submit your contact details using this [form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR1OsLxas9SdIhfyFenqqkolUMkFKMTdDSU45SFQzU0o0WUNROVAySkRINy4u) and we will get in touch with you.
## Available Regions
During the limited preview period, the connected registry functionality is available in dedicated stamps in the following Azure regions:
- Asia East
- EU West
- US East
To use the connected registry functionality, your ACR must be deployed in one of the above three regions and in a supported deployment stamp. To check the stamp where your ACR is deployed to, use the following command:
```azurecli
nslookup <your_registry_name>.azurecr.io
```
The stamp name is one of the aliases returned by the above command. Currently, connected registries are supported in the following stamps:
- East Asia: `ea-1.fe.azcr.io`
- EU West: `weu-3.fe.azcr.io`
- East US: `eus-2.fe.azcr.io`
> **IMPORTANT**
> If your ACR doesn't have the alias listed above for your region, the connected registry functionality will not be available. You can create an issue as described below, and we will migrate your registry to the correct stamp.
## Known Limitations
Here is a list of known limitations for the connected registry functionality in limited preview:
- Number of tokens and scopemaps is limited to 20K for a single ACR. This indirectly limits the number of connected registries for an ACR registry because every connected registry needs a sync and client token.
- Number of repository permissions in a scope map is limited to 500.
- Number of clients for the connected registry is currently limited to 20.
- Image locking through repository/manifest/tag metadata is not currently supported for connected registries.
- Repository delete is not supported on the connected registry using registry mode.
- Audit logs for connected registries are currently not supported.
- Garbage collection of deleted artifacts on connected registries is currently not supported.
- Connected registry is coupled with home region data endpoint and its automatic migration for geo replications is not supported.
- Deleting a connected registry requires manually removing the containers on premises as well as the respective scope map or tokens in the cloud; these are not cleaned up automatically, so check the registry for leftover tokens after the deletion.
- Connected registry sync limitations are as follows:
- For continuous sync:
- `minMessageTtl` is 1 day
- `maxMessageTtl` is 90 days
- For occasionally connected scenarios, where you want to specify sync window:
- `minSyncWindow` is 1 hr
- `maxSyncWindow` is 7 days
## Set Up and Configuration
In limited preview, the connected registry targets IoT scenarios. Below are links to the preliminary documentation you can use to set up and configure the connected registry with your IoT Edge infrastructure.
- [Overview of connected registry](./intro-connected-registry.md)
- [Understand access to a connected registry](./overview-connected-registry-access.md)
- [Using connected registry with Azure IoT Edge](./overview-connected-registry-and-iot-edge.md)
- [Quickstart: Create a connected registry using Azure Container Registry CLI commands](./quickstart-connected-registry-cli.md)
- [Quickstart: Deploy a connected registry to an IoT Edge device](./quickstart-deploy-connected-registry-iot-edge-cli.md)
- [Quickstart: Deploy a connected registry to a nested IoT Edge device](./quickstart-deploy-connected-registry-nested-iot-edge-cli.md)
- [Quickstart: Pull images from a connected registry](./quickstart-pull-images-from-connected-registry.md)
- [Quickstart: View connected registry repositories and tags](./quickstart-view-connected-registry-repos-and-tags.md)
## Release Notes
Reference [Release Notes](./release-notes.md) for information on the changes included in each release of the connected registry runtime.
## Troubleshooting
We keep a list of troubleshooting steps for known issues. Those are available on the [Troubleshooting](./troubleshooting.md) page.
## Reporting Issues and Asking for Help
To report issues, [create a new bug](https://github.com/Azure/acr/issues/new?assignees=toddysm&labels=connected-registry,bug&template=bug_report.md&title=) in this repository.
If you need help with installation, set up, or use, you can [submit a help request](https://github.com/Azure/acr/issues/new?assignees=toddysm&labels=help%20wanted&template=bug_report.md&title=) in this repository.
================================================
FILE: docs/preview/connected-registry/connected-registry-error-codes.md
================================================
---
title: Connected registry error code reference
description: Details about error codes shown in the statusDetails property of a connected registry resource. For each error, possible solutions are listed.
ms.topic: troubleshooting
ms.date: 09/29/2021
ms.author: jeburke
author: jaysterp
---
# Connected Registry Error Code Reference
This article helps you troubleshoot error codes you might encounter in the `StatusDetails` property of a connected registry.
## Connection State
The connection state of a connected registry indicates the current overall health status of the deployed connected registry instance. The possible connection states are defined as follows:
| Connection State | Description |
|--------------|-----------|
| Online | The connected registry instance is currently connected with the cloud and in a healthy state. |
| Offline | The connected registry instance is currently disconnected from the cloud. |
| Unhealthy | The connected registry instance is currently connected with the cloud, but it is reporting critical errors. Reference the `StatusDetails` property to view the corresponding errors. |
Use the [az acr connected-registry show][az-acr-connected-registry-show] command to view the current connection state of your connected registry.
```azurecli
az acr connected-registry show \
--registry MyRegistry \
--name MyConnectedRegistry \
--output table
```
You should see a response as follows. Note that this connected registry has a connection state of `Unhealthy`.
```
NAME MODE CONNECTION STATE PARENT LOGIN SERVER LAST SYNC (UTC) SYNC SCHEDULE SYNC WINDOW
--------------------- -------- ------------------ -------- -------------- ------------------------- --------------- -------------
MyConnectedRegistry ReadOnly Unhealthy 2021-09-29T12:59:00+00:00 * * * * *
```
## Status Details Format
When your connected registry has a connection state of `Unhealthy` you can run the [az acr connected-registry show][az-acr-connected-registry-show] command to view the list of status details.
```azurecli
az acr connected-registry show \
-
gitextract_umt5drn5/
├── .github/
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug_report.md
│ │ ├── feature_request.md
│ │ └── roadmap-template.yml
│ └── workflows/
│ ├── nodejs.yml
│ └── stale.yml
├── .gitignore
├── LICENSE.txt
├── README.md
├── SECURITY.md
├── docs/
│ ├── .gitignore
│ ├── .vuepress/
│ │ └── config.js
│ ├── AAD-OAuth.md
│ ├── FAQ.md
│ ├── README.md
│ ├── Token-BasicAuth.md
│ ├── Troubleshooting Guide.md
│ ├── acr-roadmap.md
│ ├── aks-acr-across-tenants.md
│ ├── artifact-media-types.json
│ ├── blog/
│ │ ├── abac-repo-permissions.md
│ │ ├── connected-registry.md
│ │ └── teleport.md
│ ├── container-registry-consuming-public-content.md
│ ├── container-registry-oras-artifacts.md
│ ├── contributing-to-pages.md
│ ├── custom-domain/
│ │ ├── README.md
│ │ └── deprecated/
│ │ ├── docker-vm-deploy/
│ │ │ ├── azuredeploy.json
│ │ │ ├── azuredeploy.parameters.json
│ │ │ ├── deploy-nginx-docker.sh
│ │ │ ├── deploy.ps1
│ │ │ ├── docker-compose.yml.template
│ │ │ ├── nginx.conf.template
│ │ │ └── setup-certs.sh
│ │ ├── key-vault-setup/
│ │ │ ├── ensure-vault.ps1
│ │ │ └── upload-cert.ps1
│ │ └── registry-setup-deprecated.md
│ ├── deploy.sh
│ ├── http-headers.md
│ ├── image-signing.md
│ ├── image-transfer/
│ │ ├── ExportPipelines/
│ │ │ ├── azuredeploy.json
│ │ │ └── azuredeploy.parameters.json
│ │ ├── ImportPipelines/
│ │ │ ├── azuredeploy.json
│ │ │ └── azuredeploy.parameters.json
│ │ ├── PipelineRun/
│ │ │ ├── PipelineRun-Export/
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ └── PipelineRun-Import/
│ │ │ ├── azuredeploy.json
│ │ │ └── azuredeploy.parameters.json
│ │ └── README.md
│ ├── integration/
│ │ ├── CircleCI.md
│ │ ├── change-analysis/
│ │ │ └── README.md
│ │ └── github-actions/
│ │ ├── Dockerfile
│ │ ├── github-actions.md
│ │ └── main.workflow
│ ├── move-repositories-to-new-registry/
│ │ └── README.md
│ ├── package.json
│ ├── preview/
│ │ ├── abac-repo-permissions/
│ │ │ └── README.md
│ │ ├── artifact-streaming/
│ │ │ └── README.md
│ │ ├── connected-registry/
│ │ │ ├── README.md
│ │ │ ├── connected-registry-error-codes.md
│ │ │ ├── intro-connected-registry.md
│ │ │ ├── overview-connected-registry-access.md
│ │ │ ├── overview-connected-registry-and-iot-edge.md
│ │ │ ├── quickstart-connected-registry-cli.md
│ │ │ ├── quickstart-deploy-connected-registry-iot-edge-cli.md
│ │ │ ├── quickstart-deploy-connected-registry-kubernetes-v2.md
│ │ │ ├── quickstart-deploy-connected-registry-kubernetes.md
│ │ │ ├── quickstart-deploy-connected-registry-nested-iot-edge-cli.md
│ │ │ ├── quickstart-pull-images-from-connected-registry.md
│ │ │ ├── quickstart-send-connected-registry-events-to-event-grid.md
│ │ │ ├── quickstart-view-connected-registry-repos-and-tags.md
│ │ │ ├── release-notes.md
│ │ │ └── troubleshooting.md
│ │ ├── continuous-patching/
│ │ │ └── README.md
│ │ ├── quarantine/
│ │ │ ├── quarantine-details/
│ │ │ │ ├── example.json
│ │ │ │ └── schema.json
│ │ │ └── readme.md
│ │ └── regional-endpoints/
│ │ └── regional-endpoints.md
│ ├── roles-and-permissions.md
│ ├── tasks/
│ │ ├── agentpool/
│ │ │ └── README.md
│ │ ├── buildx/
│ │ │ ├── README.md
│ │ │ ├── bootstrap.yaml
│ │ │ ├── build.yaml
│ │ │ ├── build_with_cache.yaml
│ │ │ └── build_with_cache_2.yaml
│ │ ├── container-registry-tasks-overview.md
│ │ ├── container-registry-tasks-walkthrough.md
│ │ ├── run-as-deployment/
│ │ │ ├── README.md
│ │ │ ├── quickdockerbuild/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ ├── quickdockerbuild-on-existing-registry/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ ├── quickdockerbuildusingidentitykeyvault/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ ├── quickdockerbuildwithidentity/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ ├── quickrun/
│ │ │ │ ├── README.md
│ │ │ │ ├── azuredeploy.json
│ │ │ │ └── azuredeploy.parameters.json
│ │ │ └── taskrun/
│ │ │ ├── README.md
│ │ │ ├── azuredeploy.json
│ │ │ └── azuredeploy.parameters.json
│ │ └── triggers/
│ │ └── private-base-image-update.md
│ └── teleport/
│ ├── README.md
│ ├── aks-getting-started.md
│ ├── aks-teleport-comparison.md
│ ├── check-expansion.sh
│ ├── collecting-teleportd-logs-aks.md
│ ├── edit-teleport-attribute.sh
│ ├── find-teleport-enabled-repositories.sh
│ ├── samples/
│ │ ├── azure-vote-shuttle.yaml
│ │ └── azure-vote-teleport.yaml
│ └── teleport-repository-management.md
├── notifications/
│ ├── README.md
│ └── helm-repo-failure-20200918-.md
└── samples/
├── dotnetcore/
│ ├── image-transfer/
│ │ ├── ContainerRegistryTransfer/
│ │ │ ├── Clients/
│ │ │ │ ├── ExportClient.cs
│ │ │ │ └── ImportClient.cs
│ │ │ ├── ContainerRegistryTransfer.csproj
│ │ │ ├── Helpers/
│ │ │ │ ├── AzureHelper.cs
│ │ │ │ ├── IdentityHelper.cs
│ │ │ │ └── KeyVaultHelper.cs
│ │ │ ├── Models/
│ │ │ │ ├── Options.cs
│ │ │ │ ├── PipelineConfig.cs
│ │ │ │ └── PipelineRunConfig.cs
│ │ │ ├── Program.cs
│ │ │ └── appsettings.json
│ │ ├── ContainerRegistryTransfer.sln
│ │ └── README.md
│ └── registry-artifact-transfer/
│ ├── README.md
│ └── src/
│ ├── Configurations/
│ │ ├── AzureEnvironmentConfiguration.cs
│ │ ├── ExportConfiguration.cs
│ │ ├── IdentityConfiguration.cs
│ │ ├── ImportConfiguration.cs
│ │ ├── RegistryConfiguration.cs
│ │ ├── SourceRegistryConfiguration.cs
│ │ └── TransferDefinition.cs
│ ├── Program.cs
│ ├── Registry.cs
│ ├── RegistryArtifactTransfer.csproj
│ ├── RepositoryProvider/
│ │ ├── CatalogApiResponse.cs
│ │ ├── HttpMessageExtensions.cs
│ │ ├── RepositoryProviderV2.cs
│ │ └── TagListApiResponse.cs
│ ├── ResourceId.cs
│ ├── TaskExtensions.cs
│ ├── Transfer/
│ │ ├── ArtifactProvider.cs
│ │ ├── BlobCopier.cs
│ │ ├── ExportJob.cs
│ │ ├── ExportWorker.cs
│ │ ├── ImportJob.cs
│ │ ├── ImportWorker.cs
│ │ ├── TransferClient.cs
│ │ └── TransferJobStatus.cs
│ ├── TransferReport.cs
│ ├── TransferResult.cs
│ └── transferdefinition.json
└── java/
└── task/
├── .factorypath
├── .gitignore
├── Dockerfile
├── README.md
├── acb.yaml
├── pom.xml
└── src/
└── main/
└── java/
└── com/
└── microsoft/
└── azure/
└── management/
└── containerregistry/
└── samples/
└── ManageTask.java
SYMBOL INDEX (112 symbols across 35 files)
FILE: samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Clients/ExportClient.cs
class ExportClient (line 13) | internal class ExportClient
method ExportClient (line 19) | public ExportClient(ContainerRegistryManagementClient registryClient, ...
method CreateExportPipelineAsync (line 26) | public async Task<ExportPipeline> CreateExportPipelineAsync()
method CreateExportPipelineResourceAsync (line 45) | public async Task<ExportPipeline> CreateExportPipelineResourceAsync()
method ExportImagesAsync (line 80) | public async Task ExportImagesAsync(ExportPipeline exportPipeline)
FILE: samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Clients/ImportClient.cs
class ImportClient (line 11) | internal class ImportClient
method ImportClient (line 17) | public ImportClient(ContainerRegistryManagementClient registryClient, ...
method CreateImportPipelineAsync (line 24) | public async Task<ImportPipeline> CreateImportPipelineAsync()
method CreateImportPipelineResourceAsync (line 43) | public async Task<ImportPipeline> CreateImportPipelineResourceAsync()
FILE: samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Helpers/AzureHelper.cs
class AzureHelper (line 10) | public static class AzureHelper
method GetAzureCredentials (line 12) | public static AzureCredentials GetAzureCredentials(AzureEnvironment en...
method GetContainerRegistryManagementClient (line 44) | public static ContainerRegistryManagementClient GetContainerRegistryMa...
method GetKeyVaultManagementClient (line 66) | public static KeyVaultManagementClient GetKeyVaultManagementClient(Opt...
FILE: samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Helpers/IdentityHelper.cs
class IdentityHelper (line 7) | public static class IdentityHelper
method GetManagedIdentity (line 9) | public static IdentityProperties GetManagedIdentity(string userAssigne...
method GetManagedIdentityPrincipalId (line 31) | public static string GetManagedIdentityPrincipalId(IdentityProperties ...
FILE: samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Helpers/KeyVaultHelper.cs
class KeyVaultHelper (line 10) | public static class KeyVaultHelper
method AddKeyVaultAccessPolicyAsync (line 12) | public static async Task AddKeyVaultAccessPolicyAsync(KeyVaultManageme...
method GetKVNameFromUri (line 64) | private static string GetKVNameFromUri(string keyVaultUri)
FILE: samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Models/Options.cs
class Options (line 6) | public class Options
method Validate (line 28) | public void Validate()
FILE: samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Models/PipelineConfig.cs
class PipelineConfig (line 6) | public class PipelineConfig
method Validate (line 24) | public void Validate()
FILE: samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Models/PipelineRunConfig.cs
class PipelineRunConfig (line 6) | public class PipelineRunConfig
method Validate (line 14) | public void Validate()
FILE: samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Program.cs
class Program (line 12) | internal class Program
method Main (line 14) | public static async Task<int> Main(string[] args)
method TransferRegistryArtifacts (line 38) | private static async Task TransferRegistryArtifacts(Options options)
method LoadOptions (line 96) | private static Options LoadOptions(string appSettingsFile)
FILE: samples/dotnetcore/registry-artifact-transfer/src/Configurations/AzureEnvironmentConfiguration.cs
class AzureEnvironmentConfiguration (line 5) | public class AzureEnvironmentConfiguration
method Validate (line 15) | public void Validate()
FILE: samples/dotnetcore/registry-artifact-transfer/src/Configurations/ExportConfiguration.cs
class ExportConfiguration (line 6) | public class ExportConfiguration
method Validate (line 19) | public void Validate()
class CopyBlobsConfiguration (line 55) | public class CopyBlobsConfiguration
method Validate (line 61) | public void Validate()
FILE: samples/dotnetcore/registry-artifact-transfer/src/Configurations/IdentityConfiguration.cs
class IdentityConfiguration (line 5) | public class IdentityConfiguration
method Validate (line 10) | public void Validate()
FILE: samples/dotnetcore/registry-artifact-transfer/src/Configurations/ImportConfiguration.cs
class ImportConfiguration (line 6) | public class ImportConfiguration
method Validate (line 18) | public void Validate()
FILE: samples/dotnetcore/registry-artifact-transfer/src/Configurations/RegistryConfiguration.cs
class RegistryConfiguration (line 5) | public class RegistryConfiguration
method Validate (line 12) | public void Validate()
FILE: samples/dotnetcore/registry-artifact-transfer/src/Configurations/SourceRegistryConfiguration.cs
class SourceRegistryConfiguration (line 5) | public class SourceRegistryConfiguration
method Validate (line 12) | public void Validate()
FILE: samples/dotnetcore/registry-artifact-transfer/src/Configurations/TransferDefinition.cs
class TransferDefinition (line 3) | public class TransferDefinition
method Validate (line 11) | public void Validate()
FILE: samples/dotnetcore/registry-artifact-transfer/src/Program.cs
class Program (line 13) | public static class Program
method Main (line 18) | public static async Task Main(string[] args)
method GetConfig (line 105) | private static TransferDefinition GetConfig(string transferDefinitionF...
FILE: samples/dotnetcore/registry-artifact-transfer/src/Registry.cs
class Registry (line 6) | public class Registry
method Registry (line 14) | public Registry(
method Registry (line 24) | public Registry(
method Validate (line 34) | public void Validate()
FILE: samples/dotnetcore/registry-artifact-transfer/src/RepositoryProvider/CatalogApiResponse.cs
class CatalogApiResponse (line 6) | public class CatalogApiResponse
FILE: samples/dotnetcore/registry-artifact-transfer/src/RepositoryProvider/HttpMessageExtensions.cs
class HttpMessageExtensions (line 9) | public static class HttpMessageExtensions
method GetNextPageUri (line 14) | public static Uri GetNextPageUri(this HttpResponseMessage response)
method AddBasicAuth (line 62) | public static void AddBasicAuth(this HttpRequestMessage request, strin...
FILE: samples/dotnetcore/registry-artifact-transfer/src/RepositoryProvider/RepositoryProviderV2.cs
class RepositoryProviderV2 (line 11) | public class RepositoryProviderV2
method RepositoryProviderV2 (line 29) | public RepositoryProviderV2()
method GetRepositoriesAsync (line 41) | public async Task<IEnumerable<string>> GetRepositoriesAsync(
method GetTagsAsync (line 87) | public async Task<IEnumerable<string>> GetTagsAsync(
FILE: samples/dotnetcore/registry-artifact-transfer/src/RepositoryProvider/TagListApiResponse.cs
class TagListApiResponse (line 6) | public class TagListApiResponse
FILE: samples/dotnetcore/registry-artifact-transfer/src/ResourceId.cs
class ResourceId (line 5) | public class ResourceId
method ResourceId (line 26) | public ResourceId()
method ResourceId (line 30) | public ResourceId(
method ResourceId (line 44) | public ResourceId(
method TryParse (line 61) | public static bool TryParse(string value, out ResourceId resourceId)
method Parse (line 75) | public static ResourceId Parse(string value)
method ToString (line 120) | public override string ToString()
method GetParentResourceId (line 132) | public string GetParentResourceId()
FILE: samples/dotnetcore/registry-artifact-transfer/src/TaskExtensions.cs
class TaskExtensions (line 8) | public static class TaskExtensions
method ThrottledWhenAll (line 10) | public static async Task ThrottledWhenAll<T>(
FILE: samples/dotnetcore/registry-artifact-transfer/src/Transfer/ArtifactProvider.cs
class ArtifactProvider (line 8) | public class ArtifactProvider
method ArtifactProvider (line 13) | public ArtifactProvider(ILogger logger) : base()
method GetArtifactsAsync (line 19) | public async Task<List<string>> GetArtifactsAsync(
method Match (line 62) | private static bool Match(
FILE: samples/dotnetcore/registry-artifact-transfer/src/Transfer/BlobCopier.cs
class BlobCopier (line 10) | public class BlobCopier
method BlobCopier (line 16) | public BlobCopier(
method CopyAsync (line 26) | public async Task CopyAsync(
method GetSingleTransferContext (line 44) | private SingleTransferContext GetSingleTransferContext(
FILE: samples/dotnetcore/registry-artifact-transfer/src/Transfer/ExportJob.cs
class ExportJob (line 5) | public class ExportJob
FILE: samples/dotnetcore/registry-artifact-transfer/src/Transfer/ExportWorker.cs
class ExportWorker (line 9) | public class ExportWorker
method ExportWorker (line 17) | public ExportWorker(
method RunAsync (line 36) | public async Task RunAsync(TransferReport transferReport)
method ExecuteExportAsync (line 117) | private async Task ExecuteExportAsync(ExportJob exportJob)
method CreateExportJobsAsync (line 141) | private async Task<List<ExportJob>> CreateExportJobsAsync(List<string>...
method GetSourceSasUriAsync (line 202) | private async Task<string> GetSourceSasUriAsync()
FILE: samples/dotnetcore/registry-artifact-transfer/src/Transfer/ImportJob.cs
class ImportJob (line 6) | public class ImportJob
type ImportSourceType (line 16) | public enum ImportSourceType
FILE: samples/dotnetcore/registry-artifact-transfer/src/Transfer/ImportWorker.cs
class ImportWorker (line 10) | public class ImportWorker
method ImportWorker (line 17) | public ImportWorker(
method RunAsync (line 50) | public async Task RunAsync(TransferReport transferReport)
method CreateImportJobs (line 97) | private async Task<List<ImportJob>> CreateImportJobs()
method ExecuteAsync (line 155) | private async Task ExecuteAsync(ImportJob importJob)
method ExecuteImportImageAsync (line 170) | private async Task ExecuteImportImageAsync(ImportJob importJob, Cancel...
method ExecutePipelineRunAsync (line 192) | private async Task ExecutePipelineRunAsync(ImportJob importJob, Cancel...
FILE: samples/dotnetcore/registry-artifact-transfer/src/Transfer/TransferClient.cs
class TransferClient (line 12) | public class TransferClient
method TransferClient (line 19) | public TransferClient(
method ImportImageAsync (line 54) | public async System.Threading.Tasks.Task ImportImageAsync(
method ImportImagesFromStorageAsync (line 99) | public async System.Threading.Tasks.Task<IList<string>> ImportImagesFr...
method ExportImagesToStorageAsync (line 110) | public async System.Threading.Tasks.Task ExportImagesToStorageAsync(
method GetExportPipelineAsync (line 121) | public async System.Threading.Tasks.Task<ExportPipeline> GetExportPipe...
method GetImportPipelineAsync (line 132) | public async System.Threading.Tasks.Task<ImportPipeline> GetImportPipe...
method GetRegistryLoginServerAsync (line 143) | public async System.Threading.Tasks.Task<string> GetRegistryLoginServe...
method CreatePipelineRunAsync (line 154) | private async System.Threading.Tasks.Task<PipelineRun> CreatePipelineR...
method CreateImportPipelineRunRequest (line 168) | private PipelineRunRequest CreateImportPipelineRunRequest(
method CreateExportPipelineRunRequest (line 191) | private PipelineRunRequest CreateExportPipelineRunRequest(
FILE: samples/dotnetcore/registry-artifact-transfer/src/Transfer/TransferJobStatus.cs
type TransferJobStatus (line 3) | public enum TransferJobStatus
FILE: samples/dotnetcore/registry-artifact-transfer/src/TransferReport.cs
class TransferReport (line 3) | public class TransferReport
FILE: samples/dotnetcore/registry-artifact-transfer/src/TransferResult.cs
class TransferResult (line 5) | public class TransferResult
FILE: samples/java/task/src/main/java/com/microsoft/azure/management/containerregistry/samples/ManageTask.java
class ManageTask (line 23) | public class ManageTask
method main (line 25) | public static void main( String[] args )
method runInProgress (line 172) | private static boolean runInProgress(RunStatus runStatus)
Condensed preview — 166 files, each showing path, character count, and a content snippet; the full structured content is 661K chars.
[
{
"path": ".github/ISSUE_TEMPLATE/bug_report.md",
"chars": 852,
"preview": "---\nname: Bug report\nabout: Create a report to help us improve\ntitle: ''\nlabels: bug\nassignees: ''\n\n---\n\n**Describe the "
},
{
"path": ".github/ISSUE_TEMPLATE/feature_request.md",
"chars": 466,
"preview": "---\nname: Feature request\nabout: Suggest an idea for the Azure Container Registry\ntitle: ''\nlabels: feature-request\nassi"
},
{
"path": ".github/ISSUE_TEMPLATE/roadmap-template.yml",
"chars": 1378,
"preview": "name: Roadmap Feature Request\ndescription: This template is primarily used by the product group to manage roadmap featur"
},
{
"path": ".github/workflows/nodejs.yml",
"chars": 755,
"preview": "name: GH-Page Publish \n\non:\n push:\n branches: \n - main \n - test-pages\n\njobs:\n build:\n\n runs-on: ubuntu"
},
{
"path": ".github/workflows/stale.yml",
"chars": 1013,
"preview": "name: \"Close stale issues and PRs\"\non:\n schedule:\n - cron: \"30 1 * * *\"\n\npermissions:\n issues: write\n pull-request"
},
{
"path": ".gitignore",
"chars": 6236,
"preview": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n##\n## G"
},
{
"path": "LICENSE.txt",
"chars": 1144,
"preview": "Azure Container Registry Samples and Support\n\nCopyright (c) Microsoft Corporation\n\nAll rights reserved. \n\nMIT License\n\nP"
},
{
"path": "README.md",
"chars": 6578,
"preview": "# Azure Container Registry\n\nThis repo contains [issues](https://github.com/Azure/acr/issues), [samples](./docs), [troubl"
},
{
"path": "SECURITY.md",
"chars": 2757,
"preview": "<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->\n\n## Security\n\nMicrosoft takes the security of our software products an"
},
{
"path": "docs/.gitignore",
"chars": 40,
"preview": "gh-pages/\r\n.vuepress/dist/\r\nnode_modules"
},
{
"path": "docs/.vuepress/config.js",
"chars": 1408,
"preview": "const currentDateUTC = new Date().toUTCString()\r\n\r\nmodule.exports = {\r\n title: 'Azure Container Registry',\r\n dest:"
},
{
"path": "docs/AAD-OAuth.md",
"chars": 31642,
"preview": "---\ntype: post\ntitle: \"AAD Integration\"\n---\n\n# Azure Container Registry integration with Azure Active Directory\n\n<!-- TO"
},
{
"path": "docs/FAQ.md",
"chars": 176,
"preview": "# Azure Container Registry - Frequently Asked Questions\n\nThis article has moved to [Microsoft Docs](https://docs.microso"
},
{
"path": "docs/README.md",
"chars": 1151,
"preview": "---\ntitle: Overview\ntype: post\n---\n\n## Overview\n\nThis repo contains [issues](https://github.com/Azure/acr/issues), [samp"
},
{
"path": "docs/Token-BasicAuth.md",
"chars": 4534,
"preview": "---\ntype: post\ntitle: \"Token with Basic Auth\"\n---\n\n# Azure Container Registry's support of getting Bearer token using Ba"
},
{
"path": "docs/Troubleshooting Guide.md",
"chars": 3302,
"preview": "# Azure Container Registry - Troubleshooting guide\n\n\n## I get an error while creating a registry - \"Unregistered Subscri"
},
{
"path": "docs/acr-roadmap.md",
"chars": 550,
"preview": "# Azure Container Registry Roadmap\n\nVisit [ACR Public Roadmap](https://github.com/orgs/Azure/projects/259) to see what w"
},
{
"path": "docs/aks-acr-across-tenants.md",
"chars": 2997,
"preview": "# Set up AKS to pull from ACR in a different AD tenant\n\n## Introduction\n\nThere are several ways to set up the auth crede"
},
{
"path": "docs/artifact-media-types.json",
"chars": 370,
"preview": "{\n \"application/vnd.docker.distribution.manifest.v2+json\": \"Docker images\",\n \"application/vnd.cncf.helm.chart.conf"
},
{
"path": "docs/blog/abac-repo-permissions.md",
"chars": 3458,
"preview": "---\ntitle: Introducing Azure Container Registry Repository Permissions through Attribute-Based Access Control (Private P"
},
{
"path": "docs/blog/connected-registry.md",
"chars": 1357,
"preview": "---\ntitle: Connected Registry Private Preview\ndescription: Private preview for ACR connected registry feature.\nms.topic:"
},
{
"path": "docs/blog/teleport.md",
"chars": 12821,
"preview": "> [!NOTE]\r\n> Please visit [aka.ms/acr/artifact-streaming](https://aka.ms/acr/artifact-streaming).\r\n\r\n---\r\ntype: post\r\nti"
},
{
"path": "docs/container-registry-consuming-public-content.md",
"chars": 26146,
"preview": "---\ntitle: How to manage public content in private registry\ndescription: ....\nms.service: container-registry\nms.topic: a"
},
{
"path": "docs/container-registry-oras-artifacts.md",
"chars": 13780,
"preview": "---\ntitle: Push and pull Supply Chain Artifacts\ndescription: Push and pull supply chain artifacts, using a private conta"
},
{
"path": "docs/contributing-to-pages.md",
"chars": 904,
"preview": "# Instructions to get started\r\n\r\n## Prerequisites\r\n\r\n### YARN\r\n\r\nInstall `vuepress` globally using yarn. Here are the in"
},
{
"path": "docs/custom-domain/README.md",
"chars": 10017,
"preview": "# Using Custom Domains with Azure Container Registry\n\n**Important - Using a custom domain in Azure Container Registry is"
},
{
"path": "docs/custom-domain/deprecated/docker-vm-deploy/azuredeploy.json",
"chars": 8841,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/custom-domain/deprecated/docker-vm-deploy/azuredeploy.parameters.json",
"chars": 902,
"preview": "{\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n \"contentVersion\": \""
},
{
"path": "docs/custom-domain/deprecated/docker-vm-deploy/deploy-nginx-docker.sh",
"chars": 1217,
"preview": "#!/bin/bash\nset -e\n\nCERT_FINGERPRINT=$1\nexport BACKEND_HOST=$2\nexport FRONTEND_HOST=$3\nCA_CERT_URL=$4\n\nSOURCE_ROOT=\"http"
},
{
"path": "docs/custom-domain/deprecated/docker-vm-deploy/deploy.ps1",
"chars": 312,
"preview": "param (\r\n\t$templateFile = 'azuredeploy.json',\r\n\t$templateParams = 'azuredeploy.parameters.json',\r\n\t\r\n\t[Parameter(Mandato"
},
{
"path": "docs/custom-domain/deprecated/docker-vm-deploy/docker-compose.yml.template",
"chars": 228,
"preview": "proxy:\n image: nginx\n\n ports:\n - 443:443\n\n volumes:\n - ${CERT_LOCATION}:${CONTAINER_CERT_LOCATION"
},
{
"path": "docs/custom-domain/deprecated/docker-vm-deploy/nginx.conf.template",
"chars": 1244,
"preview": "error_log /var/log/nginx/error.log warn;\npid /var/run/nginx.pid;\n\nevents {\n worker_connections 1024;\n}\n\nhttp"
},
{
"path": "docs/custom-domain/deprecated/docker-vm-deploy/setup-certs.sh",
"chars": 735,
"preview": "#!/bin/bash\n\nCERT_FINGERPRINT=$1\nCA_CERT_URL=$2\n\nCERT_FINGERPRINT=`echo $CERT_FINGERPRINT | tr [a-z] [A-Z]`\n\nif [ ! -z \""
},
{
"path": "docs/custom-domain/deprecated/key-vault-setup/ensure-vault.ps1",
"chars": 376,
"preview": "param (\r\n\t$subscriptionName,\r\n\t$resourceGroupName,\r\n\t$vaultName\r\n}\r\n\r\nif ($subscriptionName)\r\n{\r\n\tSelect-AzureRmSubscrip"
},
{
"path": "docs/custom-domain/deprecated/key-vault-setup/upload-cert.ps1",
"chars": 868,
"preview": "param (\r\n [Parameter(Mandatory=$true)]\r\n [string]\r\n $pfxFilePath,\r\n\r\n [Parameter(Mandatory=$true)]\r\n [str"
},
{
"path": "docs/custom-domain/deprecated/registry-setup-deprecated.md",
"chars": 3040,
"preview": "# How to use a custom domain for azure container registry\n\nAzure Container registries has a typical login url of the for"
},
{
"path": "docs/deploy.sh",
"chars": 466,
"preview": "#!/usr/bin/env sh\n\n# abort on errors\nset -e\n\nnpm install -g vuepress\n# build\nnpm run docs:build\n\n# navigate into the bui"
},
{
"path": "docs/http-headers.md",
"chars": 3406,
"preview": "\n# Azure Container Registry HTTP headers\n\nAzure container registries are compatible with a multitude of services and orc"
},
{
"path": "docs/image-signing.md",
"chars": 1458,
"preview": "# Azure Container Registry Image Signing\n\nAzure Container Registry supports image signing through [Docker Content Trust]"
},
{
"path": "docs/image-transfer/ExportPipelines/azuredeploy.json",
"chars": 4218,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/image-transfer/ExportPipelines/azuredeploy.parameters.json",
"chars": 660,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n \"contentVersion\": "
},
{
"path": "docs/image-transfer/ImportPipelines/azuredeploy.json",
"chars": 4649,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/image-transfer/ImportPipelines/azuredeploy.parameters.json",
"chars": 696,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n \"contentVersion\": "
},
{
"path": "docs/image-transfer/PipelineRun/PipelineRun-Export/azuredeploy.json",
"chars": 2924,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/image-transfer/PipelineRun/PipelineRun-Export/azuredeploy.parameters.json",
"chars": 738,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n \"contentVersion\": "
},
{
"path": "docs/image-transfer/PipelineRun/PipelineRun-Import/azuredeploy.json",
"chars": 2924,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/image-transfer/PipelineRun/PipelineRun-Import/azuredeploy.parameters.json",
"chars": 558,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n \"contentVersion\": "
},
{
"path": "docs/image-transfer/README.md",
"chars": 1601,
"preview": "# ACR Transfer - Sample ARM Templates\n\nThis directory contains Azure Resource Manager (ARM) templates for ACR Transfer, "
},
{
"path": "docs/integration/CircleCI.md",
"chars": 1058,
"preview": "# Using Azure Container Registry With CircleCI\n\nFor configuration of your Docker build using CircleCI, refer [https://ci"
},
{
"path": "docs/integration/change-analysis/README.md",
"chars": 600,
"preview": "---\ntype: post\ntitle: \"Change Analysis\"\ntags: [developers, teleport]\ndate: 2019-11-13 17:00:00\nauthor: Sajay Antony\n---\n"
},
{
"path": "docs/integration/github-actions/Dockerfile",
"chars": 16,
"preview": "FROM hello-world"
},
{
"path": "docs/integration/github-actions/github-actions.md",
"chars": 1651,
"preview": "# Using Azure Container Registry With GitHub Actions\n\nFor creating workflows for your GitHub repository using GitHub Act"
},
{
"path": "docs/integration/github-actions/main.workflow",
"chars": 734,
"preview": "workflow \"DockerFlowExample\" {\n resolves = [\"Docker Push\"]\n on = \"push\"\n}\n\naction \"Docker Login\" {\n uses = \"actions/d"
},
{
"path": "docs/move-repositories-to-new-registry/README.md",
"chars": 1195,
"preview": "# How to move your repositories to a new registry?\n\nWhen users create a container registry backed by a storage account, "
},
{
"path": "docs/package.json",
"chars": 108,
"preview": "{\r\n \"scripts\": {\r\n \"docs:dev\": \"vuepress dev .\",\r\n \"docs:build\": \"vuepress build .\"\r\n }\r\n }"
},
{
"path": "docs/preview/abac-repo-permissions/README.md",
"chars": 337,
"preview": "# Microsoft Entra attribute-based access control (ABAC) for repository permissions (Preview)\n\nACR ABAC for Microsoft Ent"
},
{
"path": "docs/preview/artifact-streaming/README.md",
"chars": 891,
"preview": "> [!NOTE]\n> This feature is available as a public preview.\n\n## About\n\nAzure Container Registry (ACR) and Azure Kubernete"
},
{
"path": "docs/preview/connected-registry/README.md",
"chars": 4627,
"preview": "# ACR connected registry (Private Preview) instructions\n\nThis article provides guidance for use of the connected registr"
},
{
"path": "docs/preview/connected-registry/connected-registry-error-codes.md",
"chars": 8085,
"preview": "---\ntitle: Connected registry error code reference\ndescription: Details about error codes shown in the statusDetails pro"
},
{
"path": "docs/preview/connected-registry/intro-connected-registry.md",
"chars": 5991,
"preview": "---\ntitle: What is connected registry\ndescription: Overview of the connected registry feature of Azure container registr"
},
{
"path": "docs/preview/connected-registry/overview-connected-registry-access.md",
"chars": 6019,
"preview": "---\ntitle: Understand access to a connected registry\ndescription: Introduction to token-based authentication and authori"
},
{
"path": "docs/preview/connected-registry/overview-connected-registry-and-iot-edge.md",
"chars": 4496,
"preview": "---\ntitle: Using connected registry with Azure IoT Edge\ndescription: Overview of the connected registry use in hierarchi"
},
{
"path": "docs/preview/connected-registry/quickstart-connected-registry-cli.md",
"chars": 9898,
"preview": "---\ntitle: Quickstart - Create connected registry using the CLI\ndescription: Use Azure Container Registry CLI commands t"
},
{
"path": "docs/preview/connected-registry/quickstart-deploy-connected-registry-iot-edge-cli.md",
"chars": 15946,
"preview": "---\ntitle: Quickstart - Deploy a connected registry to an IoT Edge device\ndescription: Use Azure Container Registry CLI "
},
{
"path": "docs/preview/connected-registry/quickstart-deploy-connected-registry-kubernetes-v2.md",
"chars": 9011,
"preview": "---\ntitle: Quickstart - Deploy a connected registry to Kubernetes cluster - V2\ndescription: Use Azure Container Registry"
},
{
"path": "docs/preview/connected-registry/quickstart-deploy-connected-registry-kubernetes.md",
"chars": 16500,
"preview": "---\ntitle: Quickstart - Deploy a connected registry to Kubernetes cluster\ndescription: Use Azure Container Registry CLI "
},
{
"path": "docs/preview/connected-registry/quickstart-deploy-connected-registry-nested-iot-edge-cli.md",
"chars": 19191,
"preview": "---\ntitle: Quickstart - Deploy a connected registry to a nested IoT Edge device\ndescription: Use Azure Container Registr"
},
{
"path": "docs/preview/connected-registry/quickstart-pull-images-from-connected-registry.md",
"chars": 5082,
"preview": "---\ntitle: Quickstart - Pull images from a connected registry\ndescription: Use Azure Container Registry CLI commands to "
},
{
"path": "docs/preview/connected-registry/quickstart-send-connected-registry-events-to-event-grid.md",
"chars": 10321,
"preview": "---\ntitle: Quickstart - Send connected registry events to Azure Event Grid\ndescription: Send connected registry events "
},
{
"path": "docs/preview/connected-registry/quickstart-view-connected-registry-repos-and-tags.md",
"chars": 9058,
"preview": "---\ntitle: Quickstart - View connected registry repositories and tags\ndescription: Use curl commands to view the reposit"
},
{
"path": "docs/preview/connected-registry/release-notes.md",
"chars": 3083,
"preview": "# Release Notes\n\nRelease notes for the Azure Container Registry connected registry runtime image. The image is published"
},
{
"path": "docs/preview/connected-registry/troubleshooting.md",
"chars": 6612,
"preview": "---\ntitle: Troubleshoot issues with connected registry\ndescription: Symptoms, causes, and resolution of common problems "
},
{
"path": "docs/preview/continuous-patching/README.md",
"chars": 22630,
"preview": "Continuous Patching Workflow in Azure Container Registry\n========================================================\n\n## In"
},
{
"path": "docs/preview/quarantine/quarantine-details/example.json",
"chars": 360,
"preview": "{\n \"scanner\": \"SecurityCenter\",\n \"state\": \"ScanState\",\n \"link\": \"https://testresult/summary\",\n \"result\": {\n \"vers"
},
{
"path": "docs/preview/quarantine/quarantine-details/schema.json",
"chars": 2160,
"preview": "{\n \"$schema\": \"http://json-schema.org/draft-04/schema#\",\n \"title\": \"Azure Container Registry Quarantine Details object"
},
{
"path": "docs/preview/quarantine/readme.md",
"chars": 8640,
"preview": "# Quarantine Pattern\r\nTo assure a registry only contains images that have been vulnerability scanned, ACR introduces the"
},
{
"path": "docs/preview/regional-endpoints/regional-endpoints.md",
"chars": 12616,
"preview": "---\ntitle: Regional endpoints for geo-replicated registries (Preview)\ndescription: Learn how to use regional endpoints t"
},
{
"path": "docs/roles-and-permissions.md",
"chars": 3680,
"preview": "# ACR Roles & Permissions\nACR supports a set of permissions, assigned to specific Azure Roles.\nUsing Azure IAM, specific"
},
{
"path": "docs/tasks/agentpool/README.md",
"chars": 4478,
"preview": "---\ntitle: Agent Pools\n---\n\n# Running ACR Tasks on Dedicated Agent Pools\n\n## Introduction\n\nACR Task Agent Pool provides "
},
{
"path": "docs/tasks/buildx/README.md",
"chars": 4522,
"preview": "# Build Enhancements in ACR Tasks\r\n\r\nBuilding Linux images using [buildx](<https://github.com/docker/buildx>) and [build"
},
{
"path": "docs/tasks/buildx/bootstrap.yaml",
"chars": 512,
"preview": "version: v1.0.0\nsteps:\n # Build buildx from source using the built-in buildkit\n - cmd: docker build -t binaries https:"
},
{
"path": "docs/tasks/buildx/build.yaml",
"chars": 184,
"preview": "version: v1.0.0\nsteps:\n - cmd: >-\n {{.Run.Registry}}/buildx\n build --push\n -t {{.Run.Registry}}/{{.Value"
},
{
"path": "docs/tasks/buildx/build_with_cache.yaml",
"chars": 351,
"preview": "version: v1.0.0\nsteps:\n - cmd: >-\n {{.Run.Registry}}/buildx\n build --push\n -t {{.Run.Registry}}/{{.Value"
},
{
"path": "docs/tasks/buildx/build_with_cache_2.yaml",
"chars": 124,
"preview": "version: v1.1.0\nsteps:\n - build: -t $Registry/{{.Values.REPOSITORY_NAME}}:$ID {{.Values.BUILD_CONTEXT}}\n cache: enab"
},
{
"path": "docs/tasks/container-registry-tasks-overview.md",
"chars": 7001,
"preview": "---\ntitle: Automate OS and Framework Patching with Azure Container Registry Tasks\ndescription: An introduction to ACR Ta"
},
{
"path": "docs/tasks/container-registry-tasks-walkthrough.md",
"chars": 3396,
"preview": "---\ntitle: ACR Task Walkthrough\ndescription: Walkthrough, using ACR Tasks\nservices: container-registry\nauthor: stevelas\n"
},
{
"path": "docs/tasks/run-as-deployment/README.md",
"chars": 1159,
"preview": "---\ntitle: Deploy with ARM templates\n---\n\n# Running ACR Tasks as a deployment\n\nThe following set of samples show how to "
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuild/README.md",
"chars": 1317,
"preview": "# Quick docker build\n\n## Create a resource group\n\n```bash\naz group create \\\n -n mytaskrunrg \\\n -l westus\n```\n\n## Deplo"
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuild/azuredeploy.json",
"chars": 4019,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuild/azuredeploy.parameters.json",
"chars": 455,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n \"contentVersion\": "
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuild-on-existing-registry/README.md",
"chars": 736,
"preview": "# Quick docker build on an existing registry\n\nThe sample shows how to schedule a deployment which will perform a quick d"
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuild-on-existing-registry/azuredeploy.json",
"chars": 2815,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuild-on-existing-registry/azuredeploy.parameters.json",
"chars": 455,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n \"contentVersion\": "
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault/README.md",
"chars": 2488,
"preview": "# Quick Docker build using identity and keyvault\n\n## Create a resource group\n\n```bash\naz group create \\\n -n mytaskrunrg"
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault/azuredeploy.json",
"chars": 3816,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault/azuredeploy.parameters.json",
"chars": 306,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n \"contentVersio"
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuildwithidentity/README.md",
"chars": 1903,
"preview": "# Quick Docker build using identity and credential\n\n## Create a resource group\n\n```bash\naz group create \\\n -n mytaskrun"
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuildwithidentity/azuredeploy.json",
"chars": 3978,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/tasks/run-as-deployment/quickdockerbuildwithidentity/azuredeploy.parameters.json",
"chars": 423,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n \"contentVersio"
},
{
"path": "docs/tasks/run-as-deployment/quickrun/README.md",
"chars": 873,
"preview": "# Quick run\n\nDeploy a quick run or a set of container using a multi-step task with Managed Identities. \n\n## Create a res"
},
{
"path": "docs/tasks/run-as-deployment/quickrun/azuredeploy.json",
"chars": 3214,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/tasks/run-as-deployment/quickrun/azuredeploy.parameters.json",
"chars": 449,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n \"contentVersion\": "
},
{
"path": "docs/tasks/run-as-deployment/taskrun/README.md",
"chars": 483,
"preview": "# Task run\n\n## Create a resource group\n\n```bash\naz group create \\\n -n mytaskrunrg \\\n -l westus\n```\n\n## Deploy a task r"
},
{
"path": "docs/tasks/run-as-deployment/taskrun/azuredeploy.json",
"chars": 4905,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1"
},
{
"path": "docs/tasks/run-as-deployment/taskrun/azuredeploy.parameters.json",
"chars": 423,
"preview": "{\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#\",\n \"contentVersio"
},
{
"path": "docs/tasks/triggers/private-base-image-update.md",
"chars": 3379,
"preview": "# Track base image update from any Azure Container Registry\n\nACR Tasks supports automated builds for when a container's "
},
{
"path": "docs/teleport/README.md",
"chars": 5213,
"preview": "> [!WARNING]\n> This page is no longer being maintained and will be archived by Tuesday, November 11, 2023. Please visit "
},
{
"path": "docs/teleport/aks-getting-started.md",
"chars": 11803,
"preview": "> [!WARNING]\n> This page is no longer being maintained and will be archived by Tuesday, November 11, 2023. Please visit "
},
{
"path": "docs/teleport/aks-teleport-comparison.md",
"chars": 16763,
"preview": "> [!WARNING]\n> This page is no longer being maintained and will be archived by Tuesday, November 11, 2023. Please visit "
},
{
"path": "docs/teleport/check-expansion.sh",
"chars": 2607,
"preview": "#!/bin/bash\n#usage: check-expansion.sh acr-name repo tag\n#usage: eg: check-expansion.sh demo42 /demo42/hello-world 2.1\n#"
},
{
"path": "docs/teleport/collecting-teleportd-logs-aks.md",
"chars": 3105,
"preview": "> [!WARNING]\n> This page is no longer being maintained and will be archived by Tuesday, November 11, 2023. Please visit "
},
{
"path": "docs/teleport/edit-teleport-attribute.sh",
"chars": 1862,
"preview": "#!/bin/bash\n#usage: edit-teleport-attribute.sh acr-name repo enable\n#usage: eg: edit-teleport-attribute.sh demo42 /demo4"
},
{
"path": "docs/teleport/find-teleport-enabled-repositories.sh",
"chars": 947,
"preview": "#!/bin/bash\n# Prerequisites:\n# azure cli (logged in)\n# jq \n# usage: find-teleport-enabled-repositories.sh acr-name\n\nACR_"
},
{
"path": "docs/teleport/samples/azure-vote-shuttle.yaml",
"chars": 1808,
"preview": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: azure-vote-back-shuttle\nspec:\n replicas: 1\n selector:\n match"
},
{
"path": "docs/teleport/samples/azure-vote-teleport.yaml",
"chars": 1817,
"preview": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: azure-vote-back-teleport\nspec:\n replicas: 1\n selector:\n matc"
},
{
"path": "docs/teleport/teleport-repository-management.md",
"chars": 7814,
"preview": "> [!WARNING]\n> This page is no longer being maintained and will be archived by Tuesday, November 11, 2023. Please visit "
},
{
"path": "notifications/README.md",
"chars": 278,
"preview": "# ACR Notifications\n\nThis page will capture ACR Service notifications.\n\n## Security Notifications\n\n| Date | Notification"
},
{
"path": "notifications/helm-repo-failure-20200918-.md",
"chars": 9035,
"preview": "# ACR Helm Repo Security Advisory\n\n|Date | Status |\n|-|-|\n| September 26, 2020| Mitigation Complete |\n| September 25, 20"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Clients/ExportClient.cs",
"chars": 6036,
"preview": "using ContainerRegistryTransfer.Helpers;\nusing ContainerRegistryTransfer.Models;\nusing Microsoft.Azure.Management.Conta"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Clients/ImportClient.cs",
"chars": 3796,
"preview": "using ContainerRegistryTransfer.Helpers;\nusing ContainerRegistryTransfer.Models;\nusing Microsoft.Azure.Management.Conta"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/ContainerRegistryTransfer.csproj",
"chars": 970,
"preview": "<Project Sdk=\"Microsoft.NET.Sdk\">\n\n <PropertyGroup>\n <OutputType>Exe</OutputType>\n <TargetFramework>netcoreapp3.1"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Helpers/AzureHelper.cs",
"chars": 3175,
"preview": "using Microsoft.Azure.Management.ContainerRegistry;\nusing ContainerRegistryTransfer.Models;\nusing Microsoft.Azure.Manag"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Helpers/IdentityHelper.cs",
"chars": 1173,
"preview": "using Microsoft.Azure.Management.ContainerRegistry.Models;\nusing System.Collections.Generic;\nusing System.Linq;\n\nnamesp"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Helpers/KeyVaultHelper.cs",
"chars": 2866,
"preview": "using Microsoft.Azure.Management.ContainerRegistry;\nusing Microsoft.Azure.Management.KeyVault;\nusing Microsoft.Azure.Ma"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Models/Options.cs",
"chars": 1684,
"preview": "using Microsoft.Azure.Management.ResourceManager.Fluent;\nusing System;\n\nnamespace ContainerRegistryTransfer.Models\n{\n "
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Models/PipelineConfig.cs",
"chars": 1516,
"preview": "using System;\nusing System.Collections.Generic;\n\nnamespace ContainerRegistryTransfer.Models\n{\n public class Pipeline"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Models/PipelineRunConfig.cs",
"chars": 820,
"preview": "using System;\nusing System.Collections.Generic;\n\nnamespace ContainerRegistryTransfer.Models\n{\n public class Pipeline"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/Program.cs",
"chars": 5559,
"preview": "using ContainerRegistryTransfer.Clients;\nusing ContainerRegistryTransfer.Helpers;\nusing ContainerRegistryTransfer.Model"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer/appsettings.json",
"chars": 631,
"preview": "{\n \"Environment\": \"\",\n \"TenantId\": \"\",\n \"MIClientId\": \"\",\n \"SPClientId\": \"\",\n \"SPClientSecret\": \"\",\n \"Subscriptio"
},
{
"path": "samples/dotnetcore/image-transfer/ContainerRegistryTransfer.sln",
"chars": 1153,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3032"
},
{
"path": "samples/dotnetcore/image-transfer/README.md",
"chars": 4909,
"preview": "## Getting Started with Azure Container Registry Transfer - in DotNetCore ##\n\nThis sample will allow you to transfer art"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/README.md",
"chars": 12410,
"preview": "# **Overview of Registry Artifact Transfer Tool** ##\r\n\r\nThe Registry Artifact Transfer Tool supports transfer workflows "
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Configurations/AzureEnvironmentConfiguration.cs",
"chars": 700,
"preview": "using System;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class AzureEnvironmentConfiguration\r\n {\r\n p"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Configurations/ExportConfiguration.cs",
"chars": 2584,
"preview": "using System;\r\nusing System.Collections.Generic;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class ExportConfig"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Configurations/IdentityConfiguration.cs",
"chars": 577,
"preview": "using System;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class IdentityConfiguration\r\n {\r\n public st"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Configurations/ImportConfiguration.cs",
"chars": 1926,
"preview": "using System;\r\nusing System.Collections.Generic;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class ImportConfig"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Configurations/RegistryConfiguration.cs",
"chars": 998,
"preview": "using System;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class RegistryConfiguration\r\n {\r\n public st"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Configurations/SourceRegistryConfiguration.cs",
"chars": 1285,
"preview": "using System;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class SourceRegistryConfiguration\r\n {\r\n pub"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Configurations/TransferDefinition.cs",
"chars": 636,
"preview": "namespace RegistryArtifactTransfer\r\n{\r\n public class TransferDefinition\r\n {\r\n public AzureEnvironmentConfig"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Program.cs",
"chars": 4862,
"preview": "using Microsoft.Extensions.Configuration;\r\nusing Microsoft.Extensions.DependencyInjection;\r\nusing Microsoft.Extensions."
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Registry.cs",
"chars": 1489,
"preview": "using System;\r\nusing static RegistryArtifactTransfer.ResourceId;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public cl"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/RegistryArtifactTransfer.csproj",
"chars": 1609,
"preview": "<Project Sdk=\"Microsoft.NET.Sdk\">\n <PropertyGroup>\n <OutputType>Exe</OutputType>\n <TargetFramework>netcoreapp3.1<"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/RepositoryProvider/CatalogApiResponse.cs",
"chars": 242,
"preview": "using System.Collections.Generic;\nusing Newtonsoft.Json;\n\nnamespace RegistryArtifactTransfer\n{\n public class Catalog"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/RepositoryProvider/HttpMessageExtensions.cs",
"chars": 2497,
"preview": "using System;\nusing System.Linq;\nusing System.Net.Http;\nusing System.Net.Http.Headers;\nusing System.Text;\n\nnamespace Re"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/RepositoryProvider/RepositoryProviderV2.cs",
"chars": 5001,
"preview": "using Newtonsoft.Json;\nusing Polly;\nusing Polly.Extensions.Http;\nusing System;\nusing System.Collections.Generic;\nusing "
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/RepositoryProvider/TagListApiResponse.cs",
"chars": 301,
"preview": "using System.Collections.Generic;\nusing Newtonsoft.Json;\n\nnamespace RegistryArtifactTransfer\n{\n public class TagList"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/ResourceId.cs",
"chars": 5574,
"preview": "using System;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class ResourceId\r\n {\r\n public const string "
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/TaskExtensions.cs",
"chars": 1178,
"preview": "using System;\r\nusing System.Collections.Generic;\r\nusing System.Threading;\r\nusing System.Threading.Tasks;\r\n\r\nnamespace Re"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Transfer/ArtifactProvider.cs",
"chars": 2748,
"preview": "using Microsoft.Extensions.Logging;\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Threading.Tasks;\r\n\r\n"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Transfer/BlobCopier.cs",
"chars": 2193,
"preview": "using Microsoft.Azure.Storage.Blob;\r\nusing Microsoft.Azure.Storage.DataMovement;\r\nusing Microsoft.Extensions.Logging;\r\nu"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Transfer/ExportJob.cs",
"chars": 407,
"preview": "using System.Collections.Generic;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class ExportJob\r\n {\r\n p"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Transfer/ExportWorker.cs",
"chars": 9262,
"preview": "using Microsoft.Extensions.Logging;\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Threading;\r\nusing Sy"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Transfer/ImportJob.cs",
"chars": 609,
"preview": "using System;\r\nusing System.Collections.Generic;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class ImportJob\r\n "
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Transfer/ImportWorker.cs",
"chars": 8701,
"preview": "using Microsoft.Extensions.Logging;\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System."
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Transfer/TransferClient.cs",
"chars": 9130,
"preview": "using Microsoft.Azure.Management.ContainerRegistry;\nusing Microsoft.Azure.Management.ContainerRegistry.Models;\nusing Mic"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/Transfer/TransferJobStatus.cs",
"chars": 143,
"preview": "namespace RegistryArtifactTransfer\r\n{\r\n public enum TransferJobStatus\r\n {\r\n Pending,\r\n Succeeded,\r\n "
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/TransferReport.cs",
"chars": 500,
"preview": "namespace RegistryArtifactTransfer\r\n{\r\n public class TransferReport\r\n {\r\n public TransferResult ImportArtif"
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/TransferResult.cs",
"chars": 274,
"preview": "using System.Collections.Generic;\r\n\r\nnamespace RegistryArtifactTransfer\r\n{\r\n public class TransferResult\r\n {\r\n "
},
{
"path": "samples/dotnetcore/registry-artifact-transfer/src/transferdefinition.json",
"chars": 1402,
"preview": "{\n \"AzureEnvironment\": {\n \"Name\": \"AzureGlobalCloud\"\n },\n \"Registry\": {\n \"TenantId\": \"myTenantId\",\n \"Subscr"
},
{
"path": "samples/java/task/.factorypath",
"chars": 5831,
"preview": "<factorypath>\n <factorypathentry kind=\"VARJAR\" id=\"M2_REPO/io/reactivex/rxjava/1.2.4/rxjava-1.2.4.jar\" enabled=\"true\""
},
{
"path": "samples/java/task/.gitignore",
"chars": 490,
"preview": "*.class\n\n# Auth filed\n*.auth\n*.azureauth\n\n# Mobile Tools for Java (J2ME)\n.mtj.tmp/\n\n# Package Files #\n*.jar\n*.war\n*.ear\n"
},
{
"path": "samples/java/task/Dockerfile",
"chars": 55,
"preview": "FROM maven:3.5.4-jdk-8\n\nCOPY . .\n\nRUN mvn clean compile"
},
{
"path": "samples/java/task/README.md",
"chars": 864,
"preview": "## Getting Started with Container Registry - Manage Container Registry Task - in Java ##\n\n* Create an Azure Container Re"
},
{
"path": "samples/java/task/acb.yaml",
"chars": 107,
"preview": "version: v1.1.0\nsteps:\n - build: -t $Registry/java-sample:$ID .\n - push: \n - $Registry/java-sample:$ID"
},
{
"path": "samples/java/task/pom.xml",
"chars": 2923,
"preview": "<project xmlns=\"http://maven.apache.org/POM/4.0.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xsi:sc"
},
{
"path": "samples/java/task/src/main/java/com/microsoft/azure/management/containerregistry/samples/ManageTask.java",
"chars": 8507,
"preview": "package com.microsoft.azure.management.containerregistry.samples;\n\nimport com.microsoft.azure.arm.resources.Region;\nimpo"
}
]