Quick Links

In software development, it seems that no matter where you go, no matter who you talk to, containers are the new normal. If you're not developing them or migrating your application already, you're building supporting systems that use them to support a legacy application. Containers are everywhere.

However, this means that as an engineer, you will need to put your containers somewhere. In the old days, this meant building an artifact of some kind, whether a binary or an archive, then writing it to a disc or a file share and distributing it. In the container ecosystem, it's going to be a container registry, and the artifacts you build are going to be container images.

Ideally, a container registry would be somewhere secure that could automate some of the work for you, such as container scanning and trigger actions on each commit or on a schedule. Fortunately, Azure has you covered with all of the above with the Azure Container Registry, or ACR for short.

Prerequisites

To follow along, you'll need the following:

  • An Azure Account
  • A container to push and pull from the repository
  • (Optional) A PowerShell terminal that's authenticated to Azure or a CloudShell instance

The container doesn't have to be anything more than 

        hello-world

because this is a tutorial about container registries, not containers themselves. If you're not familiar with Docker or containers, you can learn more about them here.

Creating the Registry

The first thing you'll need to do is create a registry, first using the Azure Portal, then using Azure PowerShell.

Using the Portal

Go to "Create A Resource," then look under Containers > Container Registry.

Look under Containers > Container Registry.

You'll then be asked to fill out some information about which storage account and subscription to put the registry in. It's considered a best practice to put the registry in the same region that you'll be deploying containers to.

Create the container registry.

Once it's provisioned, go to the resource page and look for the "Access Keys" tab. From here, make sure to enable the "Admin User" option so you can log in using the CLI later on.

Under "Access Keys," enable the "Admin User" option.

Using Azure PowerShell

With Azure PowerShell, this is done with one line, either on a CloudShell instance or a locally authenticated PowerShell console with the Azure PowerShell module installed. 

        New-AzContainerRegistry -ResourceGroupName <Resource Group Name> -Name <Registry Name> -EnableAdminUser

You can then use the 

        Get-AzContainerRegistry

cmdlet to list the registries associated with your tenant. You'll still need the LoginServer property to push your image to the registry, but you can pull this from Azure PowerShell shown in the rest of the demo.

Use the Get-AzContainerRegistry cmdlet to list the registries associated with your tenant.

As long as you included the 

        -EnableAdminUser

flag, you'll also be able to use the 

        Get-AzContainerRegistryCredential

cmdlet to get the login credentials for the next step.

Use the Get-AzContainerRegistryCredential cmdlet to get the login credentials.

Pushing the Image to ACR

Now that the registry and the user for it are set up, it's time to log in and push an image to it. You can log in by using the 

        docker login

command. If you're using a script, make sure the credentials aren't displayed in plain text, by passing them like this, or using Azure Key Vault. 

        # Azure PowerShell

$RG_NAME  = <Resource_Group_Name>
$ACR_NAME = <Registry_Name>

$registry = Get-AzContainerRegistry -ResourceGroupName $RG_NAME -Name $ACR_NAME
$creds = Get-AzContainerRegistryCredential -Registry $registry
$creds.Password | docker login $registry.LoginServer -u $creds.Username --password-stdin

If you are doing it manually, then just running docker login <RegistryURL> and replace "<RegistryURL> "with the value from "Login Server" under the Access Keys tab from earlier, then the admin username and password.

Now that you're logged in, you can push and pull container images from the repository as much as you like. Once you have built or pulled a container locally, use the docker tag command to add the registry URL and version tag to the image, then the docker push command to push it to ACR. It should look something like this: 

        # Docker CLI

docker tag <Image_Name> <Registry_URL>/<Image_Name>:<Version_Tag>
docker push <Registry_URL>/<Image_Name>:<Version_Tag>

With the image in ACR, you can use the docker pull from any authenticated device to pull the image down and run it.

Use the docker pull from any authenticated device to pull the image down and run it.

Summary

By now, you should be familiar with how to set up a registry in ACR using the Azure portal or Azure PowerShell, as well as how to push and pull containers from it.

From here, you can look into enabling Container vulnerability scanning with Azure Security Center or automation using ACR Tasks.