Juan Manuel Rey bio photo

Juan Manuel Rey

Unix Geek. Sysadmin by heart turned cloud architect. Working for Microsoft.

Twitter Google+ LinkedIn Github Stackoverflow

Past April Microsoft announced the general availability of Azure Container Regitry. Since I will be using ACR during my next posts about ACS and Kubernetes I tought it would be helpful to write a quick intro about it.

Azure Container Registry, or ACR, is an offering from Microsoft to manage and store Docker container images on Azure, compatible with Docker Registry v2 specification. The service can be managed using Azure Portal, Azure PopwerShell or Azure CLI and the images can be managed using standard Docker tools. And can be easily integrated within an existing CI/CD pipeline.

  • ACR is Docker Registry V2 compatible.
  • Allows to store Docker images from a cluster deployed with Azure Container Service, a manually deployed container cluster on Azure,a developer workstation or from an on-prem cluster.
  • Supports Windows and Linux container images. It also has integration with other Azure services that supports Docker images like Service Fabric and App Service.
  • Azure Active Directory integration for the authentication.

One of the advantages of using ACR with your ACS clusters or Azure services is the low latency for the pulling and pushing operations. Lets see how can we create and manage our Docker registry in Azure.

Create your first registry

As always create your resource group.

az group create -n acr-rg -l westeurope

Now create the registry, provide the name for the registry, the resource group and the SKU which as of today is just Basic.

az acr create -n registryprod -g acr-rg -l westeurope --sku Basic

This operation will produce two resources in Azure.

  • The registry, behind the scenes a Docker registry has been deployed.
  • One Storage Account to store the images.
$ az resource list -g acr-rg
Name                ResourceGroup    Location    Type                                    Status
------------------  ---------------  ----------  --------------------------------------  --------
registryprod        acr-rg           westeurope  Microsoft.ContainerRegistry/registries
registryprod105019  acr-rg           westeurope  Microsoft.Storage/storageAccounts

The registry is automcatically assigned a fqdn with the form <registry_name>.azurecr.io.


Te registy is created but right now is not usable since there is no way to authenticate. ACR by default does not even have an admin user, although it can be enabled during the create task it can also be enabled afterwards as we will see now.

$ az acr update -n registryprod --admin-enabled true
------------  ----------------  ----------  -----------------------  --------------------------------  ---------------
registryprod  acr-rg            westeurope  registryprod.azurecr.io  2017-05-25T10:50:59.194729+00:00  True
$ az acr credential show -n registryprod
USERNAME      PASSWORD                          PASSWORD2
------------  --------------------------------  --------------------------------

Having an admin account is useful however the best option is to use a service account in the form of a Service Principal. A Service Principal is an account used by cloud apps and services to access Azure APIs. The good thing about Service Principals is that they are backed by Azure Active Directory meaning you can audit and revoke the account at any time.

You can create a new Service Principal, assigning the proper role and scope over ACR during the operation. The roles can be Owner, Contributor or Reader. The first one will give the SP account full control over ACR, the second will allow to push and pull images and the last one will have read-only permissions allowing the SP account just to pull Docker images from the registry.

az ad sp create-for-rbac --scopes /subscriptions/11111111-1111-1111-1111-1111111111111/resourcegroups/acr-rg/providers/Microsoft.ContainerRegistry/registries/registryprod --role Owner --password <password>

Alternatively you can use an existing service principal and assign access to your registry.

az role assignment create --scope /subscriptions/11111111-1111-1111-1111-1111111111111/resourcegroups/acr-rg/providers/Microsoft.ContainerRegistry/registries/registryprod --role Owner --assignee <app-id>

Test the authentication from your Docker host with docker login.

azureuser@coreos ~ $ sudo docker login registryprod.azurecr.io -u <service_principal_id> -p <service_principal_key>
Login Succeeded
azureuser@coreos ~ $

Image Management

Azure CLI allows you to perform some basic tasks for the images stored in a registry.

List the repositories currently in the registry.

$ az acr repository list -n registryprod

Retrieve the tags of a given registry.

$ az acr repository show-tags -n acrinfra1 --repository baseimages/fedora

Removing images

While pushing, pulling and tagging images are non-trivial tasks performed from docker client, removing an image can be a bit tricky. Currently there is now way to easily remove an image from ACR, yes Docker registry v2 has a delete API but unfortunately is not exposed on ACR registries.

However there is a method to remove an image from ACR but the caveat is that it must be done from the Azure Portal and the user must have the Owner role either for the registry or the whole subscription.

From Azure Portal access the storage account backing up your registry and then select Blobs.

Inside Blobs navigate through the different folders until you get to Respositories. <no-name> -> docker -> registry -> v2 -> repositories. In repositories select one, in my case baseimages.

Inside the repository select the container image, I choose fedora.

Then click on _manifests and inside it select tags. The different tags for the image will be listed.

Select the tag and then click on Delete folder at the top bar.

If we go back to Azure CLI and list the tags for baseimages/fedora the deleted one will not show up.

$ az acr repository show-tags -n acrinfra1 --repository baseimages/fedora

– Juanma