Azure Container and Container Registry

Container Group

A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes. It's similar in concept to a pod in Kubernetes
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups?source=recommendations#what-is-a-container-group

Storage

Supported volumes include:
- Azure file share
  - Using an Azure file share with Azure Container Instances provides file-sharing features similar to using an Azure file share with Azure virtual machines
  - Azure Files shares can only be mounted to Linux containers
  - Requires the Linux container run as root
  - Volume mounts are limited to CIFS support
  - Mounting an Azure Files share to a container instance is similar to a Docker bind mount. If you mount a share into a container directory in which files or directories exist, the mount obscures files or directories, making them inaccessible while the container runs.
- Secret
  - To supply sensitive information to the containers in a container group
  - Once deployed with secrets in a container group, a secret volume is read-only
  - All secret volumes are backed by tmpfs, a RAM-backed filesystem; their contents are never written to non-volatile storage.
  - Secret volumes are currently restricted to Linux containers. (9/04/2023)
- Empty directory (emptyDir)
  - provide writeable directory accessible to each container in a container group.
  - data is persisted through container crashes. However, containers that are restarted are not guaranteed to persist the data in an emptyDir volume. If container gropu is stopped, the emptyDir volume is not persisted.
- Cloned git repo
  - Mounts a directory and clones the specified Git repository into it at container startup, which avoid adding the code in the applications.
  - Mounting a gitRepo volume is currently restricted to Linux containers. (09/04/2023)

Examples

# Create volume
# Change these four parameters as needed
ACI_PERS_RESOURCE_GROUP=myResourceGroup
ACI_PERS_STORAGE_ACCOUNT_NAME=mystorageaccount$RANDOM
ACI_PERS_LOCATION=eastus
ACI_PERS_SHARE_NAME=acishare

# Create the storage account with the parameters
az storage account create \
    --resource-group $ACI_PERS_RESOURCE_GROUP \
    --name $ACI_PERS_STORAGE_ACCOUNT_NAME \
    --location $ACI_PERS_LOCATION \
    --sku Standard_LRS

# Create the file share
az storage share create \
  --name $ACI_PERS_SHARE_NAME \
  --account-name $ACI_PERS_STORAGE_ACCOUNT_NAME

# Create container and mount volume
az container create \
    --resource-group $ACI_PERS_RESOURCE_GROUP \
    --name hellofiles \
    --image mcr.microsoft.com/azuredocs/aci-hellofiles \
    --dns-name-label aci-demo \
    --ports 80 \
    --azure-file-volume-account-name $ACI_PERS_STORAGE_ACCOUNT_NAME \
    --azure-file-volume-account-key $STORAGE_KEY \
    --azure-file-volume-share-name $ACI_PERS_SHARE_NAME \
    --azure-file-volume-mount-path /aci/logs/

# Manage files in mounted volume
az container show --resource-group $ACI_PERS_RESOURCE_GROUP \
  --name hellofiles --query ipAddress.fqdn --output tsv

YAML Template file

# Save file as deploy-aci.yaml
apiVersion: '2019-12-01'
location: eastus
name: file-share-demo
properties:
  containers:
  - name: hellofiles
    properties:
      environmentVariables: []
      image: mcr.microsoft.com/azuredocs/aci-hellofiles
      ports:
      - port: 80
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      volumeMounts:
      - mountPath: /aci/logs/
        name: filesharevolume
  osType: Linux
  restartPolicy: Always
  ipAddress:
    type: Public
    ports:
      - port: 80
    dnsNameLabel: aci-demo
  volumes:
  - name: filesharevolume
    azureFile:
      sharename: acishare
      storageAccountName: <Storage account name>
      storageAccountKey: <Storage account key>
tags: {}
type: Microsoft.ContainerInstance/containerGroups

Create Container and Mount volume

# Deploy with YAML template
az container create --resource-group myResourceGroup --file deploy-aci.yaml

Template file

# Save file as deploy-aci.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "container1name": "hellofiles",
    "container1image": "mcr.microsoft.com/azuredocs/aci-hellofiles"
  },
  "resources": [
    {
      "name": "file-share-demo",
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2019-12-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "containers": [
          {
            "name": "[variables('container1name')]",
            "properties": {
              "image": "[variables('container1image')]",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              },
              "ports": [
                {
                  "port": 80
                }
              ],
              "volumeMounts": [
                {
                  "name": "filesharevolume",
                  "mountPath": "/aci/logs"
                }
              ]
            }
          }
        ],
        "osType": "Linux",
        "ipAddress": {
          "type": "Public",
          "ports": [
            {
              "protocol": "tcp",
              "port": "80"
            }
          ],
          "dnsNameLabel": "aci-demo"
        },
        "volumes": [
          {
            "name": "filesharevolume",
            "azureFile": {
                "shareName": "acishare",
                "storageAccountName": "<Storage account name>",
                "storageAccountKey": "<Storage account key>"
            }
          }
        ]
      }
    }
  ]
}

Deploy Container using template file

# Deploy with Resource Manager template
az deployment group create --resource-group myResourceGroup --template-file deploy-aci.json

Create and access Secret volume

# Create Volume
az container create \
    --resource-group myResourceGroup \
    --name secret-volume-demo \
    --image mcr.microsoft.com/azuredocs/aci-helloworld \
    --secrets mysecret1="My first secret FOO" mysecret2="My second secret BAR" \
    --secrets-mount-path /mnt/secrets
  
# Listing secrets
az container exec \
  --resource-group myResourceGroup \
  --name secret-volume-demo --exec-command "/bin/sh"
# Output
/usr/src/app # ls /mnt/secrets
mysecret1
mysecret2
/usr/src/app # cat /mnt/secrets/mysecret1
My first secret FOO
/usr/src/app # cat /mnt/secrets/mysecret2
My second secret BAR
/usr/src/app # exit
Bye.

Mount Secret Volume with YAML Template

YAML Template

# Save as deploy-aci.yaml
apiVersion: '2019-12-01'
location: eastus
name: secret-volume-demo
properties:
  containers:
  - name: aci-tutorial-app
    properties:
      environmentVariables: []
      image: mcr.microsoft.com/azuredocs/aci-helloworld:latest
      ports: []
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      volumeMounts:
      - mountPath: /mnt/secrets
        name: secretvolume1
  osType: Linux
  restartPolicy: Always
  volumes:
  - name: secretvolume1
    secret:
      mysecret1: TXkgZmlyc3Qgc2VjcmV0IEZPTwo=
      mysecret2: TXkgc2Vjb25kIHNlY3JldCBCQVIK
tags: {}
type: Microsoft.ContainerInstance/containerGroups

Deploy container with YAML template

# Deploy with YAML template
az container create \
  --resource-group myResourceGroup \
  --file deploy-aci.yaml

Mount Secret Volume using Resource Manager

# the secret values must be Base64-encoded in the template. However, the secret values appear in plaintext within the files in the container.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "container1name": "aci-tutorial-app",
    "container1image": "microsoft/aci-helloworld:latest"
  },
  "resources": [
    {
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2021-03-01",
      "name": "secret-volume-demo",
      "location": "[resourceGroup().location]",
      "properties": {
        "containers": [
          {
            "name": "[variables('container1name')]",
            "properties": {
              "image": "[variables('container1image')]",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              },
              "ports": [
                {
                  "port": 80
                }
              ],
              "volumeMounts": [
                {
                  "name": "secretvolume1",
                  "mountPath": "/mnt/secrets"
                }
              ]
            }
          }
        ],
        "osType": "Linux",
        "ipAddress": {
          "type": "Public",
          "ports": [
            {
              "protocol": "tcp",
              "port": "80"
            }
          ]
        },
        "volumes": [
          {
            "name": "secretvolume1",
            "secret": {
              "mysecret1": "TXkgZmlyc3Qgc2VjcmV0IEZPTwo=",
              "mysecret2": "TXkgc2Vjb25kIHNlY3JldCBCQVIK"
            }
          }
        ]
      }
    }
  ]
}

Mount emptyDir volume using Resource Manager

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "container1name": "aci-tutorial-app",
    "container1image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest",
    "container2name": "aci-tutorial-sidecar",
    "container2image": "mcr.microsoft.com/azuredocs/aci-tutorial-sidecar"
  },
  "resources": [
    {
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2021-03-01",
      "name": "volume-demo-emptydir",
      "location": "[resourceGroup().location]",
      "properties": {
        "containers": [
          {
            "name": "[variables('container1name')]",
            "properties": {
              "image": "[variables('container1image')]",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              },
              "ports": [
                {
                  "port": 80
                }
              ],
              "volumeMounts": [
                {
                  "name": "emptydir1",
                  "mountPath": "/mnt/empty"
                }
              ]
            }
          },
          {
            "name": "[variables('container2name')]",
            "properties": {
              "image": "[variables('container2image')]",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              },
              "volumeMounts": [
                {
                  "name": "emptydir1",
                  "mountPath": "/mnt/empty"
                }
              ]
            }
          }
        ],
        "osType": "Linux",
        "ipAddress": {
          "type": "Public",
          "ports": [
            {
              "protocol": "tcp",
              "port": "80"
            }
          ]
        },
        "volumes": [
          {
            "name": "emptydir1",
            "emptyDir": {}
          }
        ]
      }
    }
  ]
}

Create and access gitRepo volume

# Create volume
az container create \
    --resource-group myResourceGroup \
    --name hellogitrepo \
    --image mcr.microsoft.com/azuredocs/aci-helloworld \
    --dns-name-label aci-demo \
    --ports 80 \
    --gitrepo-url https://github.com/Azure-Samples/aci-helloworld \
    --gitrepo-mount-path /mnt/aci-helloworld

# Verifying volume was mounted
az container exec --resource-group myResourceGroup --name hellogitrepo --exec-command /bin/sh

# Output
/usr/src/app # ls -l /mnt/aci-helloworld/
total 16
-rw-r--r--    1 root     root           144 Apr 16 16:35 Dockerfile
-rw-r--r--    1 root     root          1162 Apr 16 16:35 LICENSE
-rw-r--r--    1 root     root          1237 Apr 16 16:35 README.md
drwxr-xr-x    2 root     root          4096 Apr 16 16:35 app

Mount gitRepo Volume using Resource Manager

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "container1name": "aci-tutorial-app",
    "container1image": "microsoft/aci-helloworld:latest"
  },
  "resources": [
    {
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2021-03-01",
      "name": "volume-demo-gitrepo",
      "location": "[resourceGroup().location]",
      "properties": {
        "containers": [
          {
            "name": "[variables('container1name')]",
            "properties": {
              "image": "[variables('container1image')]",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              },
              "ports": [
                {
                  "port": 80
                }
              ],
              "volumeMounts": [
                {
                  "name": "gitrepo1",
                  "mountPath": "/mnt/repo1"
                },
                {
                  "name": "gitrepo2",
                  "mountPath": "/mnt/repo2"
                }
              ]
            }
          }
        ],
        "osType": "Linux",
        "ipAddress": {
          "type": "Public",
          "ports": [
            {
              "protocol": "tcp",
              "port": "80"
            }
          ]
        },
        "volumes": [
          {
            "name": "gitrepo1",
            "gitRepo": {
              "repository": "https://github.com/Azure-Samples/aci-helloworld"
            }
          },
          {
            "name": "gitrepo2",
            "gitRepo": {
              "directory": "my-custom-clone-directory",
              "repository": "https://github.com/Azure-Samples/aci-helloworld",
              "revision": "d5ccfcedc0d81f7ca5e3dbe6e5a7705b579101f1"
            }
          }
        ]
      }
    }
  ]
}

ACR Role-based Access Control

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli

Container Networking

https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview

Reference

Empty Dir Volume: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-volume-emptydir
Secret volume: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-volume-secret
gitRepo volume: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-volume-gitrepo

PreviousAzure Cache for Redis NextAzure Cosmos DB

Last updated 2 years ago

hashtagContainer Group

hashtagStorage

hashtagExamples

hashtagCreate Azure Files Share volume and Mount

hashtagCreate Container and Mount Azure File Share Volume using YAML Template

hashtagCreate Container and Mount Azure File Share Volume using Resource Manager Template

hashtagCreate and access Secret volume

hashtagMount Secret Volume with YAML Template

hashtagMount Secret Volume using Resource Manager

hashtagMount emptyDir volume using Resource Manager

hashtagCreate and access gitRepo volume

hashtagMount gitRepo Volume using Resource Manager

hashtagACR Role-based Access Control

hashtagContainer Networking

hashtagReference

Container Group

Storage

Examples

Create Azure Files Share volume and Mount

Create Container and Mount Azure File Share Volume using YAML Template

Create Container and Mount Azure File Share Volume using Resource Manager Template

Create and access Secret volume

Mount Secret Volume with YAML Template

Mount Secret Volume using Resource Manager

Mount emptyDir volume using Resource Manager

Create and access gitRepo volume

Mount gitRepo Volume using Resource Manager

ACR Role-based Access Control

Container Networking

Reference