Cannot push to Azure Container Registry

Answered

The docs say that it is possible to push docker images to ACR by setting up a Docker Registry connection in the project. However, although the docker build step works, the docker push step fails with: "denied: requested access to the resource is denied"

The connection is supposed to cause a login to the registry at the start of the build but this appears to not be happening since I cannot see it in the build log and the error above sounds like it is not logged in.

Did I miss a setup step?

7 comments
Comment actions Permalink

Hi Luke,

did you add the Docker Support build feature with the required connection for the build configuration?

0
Comment actions Permalink

Hi Nadia, I have set all of that up.

  • The Docker build works fine.
  • The build feature is present
  • The connection has been setup with username and password and "test connection" works

This is a really simple build, just to get the Docker pipeline up and running so there shouldn't be anything weird in the docker file etc.

 

0
Comment actions Permalink

Sorry, but just to be sure - you added a build feature and selected checkbox `Log in to the Docker registry before the build`? 

Do you see any errors in a build log in Verbose mode? Could you please also check teamcity-agent.log? Do you see any warnings there? 

If everything configured correctly you should see in teamcity-agent.log the following line: 

INFO - rains.buildServer.AGENT.DOCKER - Run: /bin/sh -c "docker login -u "******" --password-stdin docker.io"
0
Comment actions Permalink

The TC log shows the following entry against the builds:

[2019-09-06 11:12:44,740] INFO - rains.buildServer.AGENT.DOCKER - Run: cmd.exe /c "docker login -u "******" --password-stdin example.azurecr.io"

[2019-09-06 11:12:45,140] INFO - uildStages.BuildStagesExecutor - Call stage jetbrains.buildServer.agent.impl.buildStages.startStages.CleanAgentTempDirectoryStage

teamcity-agent.log doesn't show any warnings or errors for the build, although the web UI shows the permission error.

0
Comment actions Permalink

The agent was able to log-in under the specified user before a build without any errors. Could you please try to push under the same user manually in a command line without any problems (e.g., manually execute `docker login XXX` and after that `docker push`)? 

0
Comment actions Permalink

OK, I found the issue which is not TeamCity as such (although the UI and docs probably need updating to be clearer).

When using Azure Container registry (and it looks like Docker Hub is the same according to Google), after building the image, you need to tag it with the URL of the registry like:

docker tag dockerservice1:v1.0 example.azurecr.io/dockerservice1:v1.0

Then you can push it to the remote registry! I guess that the URL itself does not identify the actual registry, it needs to be in the tag. Once this is done, the image is correctly listed in Azure and the registry URL is not included in the repo name or version. It just shows as dockerservice1 and v1.0

0
Comment actions Permalink

Thank you for letting us know, and I'm glad that you were able to solve the issue.

0

Please sign in to leave a comment.