Deploying container app with private docker.io image fails

[RadekKapica]

Please provide us with the following information:

This issue is a: (mark with an x)

• bug report -> please search issues before submitting
• documentation issue or request
• regression (a behavior that used to work and stopped in a new release)

Issue description

When trying to deploy a container app with a container image i a private docker registry you receive the following error:

The following field(s) are either invalid or missing. Invalid value: "<registry>/<image>:<tag>": GET https:: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:<registry>/<image> Type:repository]]: template.containers.<containername>.image.

Steps to reproduct

1. Open Cloud Shell in portal
2. upload yml-file

kind: containerapp
location: westeurope
name: \<name>
resourceGroup: \<resourcegroup\>
type: Microsoft.App/containerApps
tags:
 tagname: value
properties:
 managedEnvironmentId: /subscriptions/\<subscriptionId\>/resourceGroups/DefaultResourceGroup-WEU/providers/Microsoft.App/managedEnvironments/\<environmentname\>
 configuration:
   activeRevisionsMode: Multiple
   secrets:
     - name: mysecret
       value: thisismysecret
     - name: myregistrypassword
       value: \<registrypassword\>
   ingress:
     external: true
     allowInsecure: false
     targetPort: 80
     traffic:
       - latestRevision: true
         weight: 100
     transport: Auto
   registries:
     - passwordSecretRef: myregistrypassword
       server: docker.io
       username: \<username\>
 template:
   revisionSuffix: r
   containers:
     - image: \<username\>/\<image\>:\<tag\>
       name: <containername>
       env:
         - name: HTTP_PORT
           value: 80
         - name: secret_name
           secretRef: mysecret
       resources:
         cpu: 0.25
         memory: 0.5Gi
   scale:
     minReplicas: 1
     maxReplicas: 1

3. az containerapp create -n <name> -g <resourcegroup> --environment <environment> --yaml "<yaml-file>"

Expected behavior [What you expected to happen.]
Successfully deployed container app

Actual behavior [What actually happened.]
Deployment fails

Screenshots

Additional context

Ex. Did this issue occur in the CLI or the Portal?

Same issue occurs in both CLI and Portal

[CamiloTerevinto]

Same problem happening here. Adding more information:

• The Portal doesn't save the Registry (possibly since deployment fails?). Manually creating the registry using az containerapp registry set does not help.
• Using az containerapp up and passing in registry server/username/password fails with the exact same error.

Using --debug flag, this is what fails:

urllib3.connectionpool: https://management.azure.com:443 "PATCH /subscriptions/**omitted**/resourceGroups/**omitted**/providers/Microsoft.App/containerApps/**omitted**?api-version=2022-03-01 HTTP/1.1" 400 350
cli.azure.cli.core.util: Response status: 400
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
cli.azure.cli.core.util:     'Pragma': 'no-cache'
cli.azure.cli.core.util:     'Content-Length': '350'
cli.azure.cli.core.util:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.util:     'Expires': '-1'
cli.azure.cli.core.util:     'x-ms-ratelimit-remaining-subscription-resource-requests': '499'
cli.azure.cli.core.util:     'api-supported-versions': '2022-01-01-preview, 2022-03-01, 2022-05-01, 2022-06-01-preview'
cli.azure.cli.core.util:     'Server': 'Microsoft-IIS/10.0'
cli.azure.cli.core.util:     'X-Powered-By': 'ASP.NET'
cli.azure.cli.core.util:     'x-ms-request-id': 'f041a2a8-4058-49b0-a469-8edaeb125e1e'
cli.azure.cli.core.util:     'x-ms-correlation-request-id': 'f041a2a8-4058-49b0-a469-8edaeb125e1e'
cli.azure.cli.core.util:     'x-ms-routing-request-id': 'UKSOUTH:20220810T085332Z:f041a2a8-4058-49b0-a469-8edaeb125e1e'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.util:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.util:     'Date': 'Wed, 10 Aug 2022 08:53:31 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"code":"WebhookInvalidParameterValue","message":"The following field(s) are either invalid or missing. Invalid value: \"docker.io/**omitted**/**omitted**:159\": GET https:: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:**omitted**/**omitted** Type:repository]]: template.containers.**omitted**.image."}

[vturecek]

The image string should be <server>/<image>:<tag>, not <username>/<image>:<tag>. For example:

..
registries:
     - passwordSecretRef: myregistrypassword
       server: docker.io
       username: myuser
 template:
   revisionSuffix: r
   containers:
     - image: docker.io/myimage:tag
..

We match the server part of the value in the image field to the server field in one of the entries in registries. If we don't find a match, then we try an anonymous pull, which fails with unauthorized if the registry doesn't allow anonymous pull.

[BigMorty]

I got the following CLI command to work with my private DockerHub registry.
az containerapp create -n mycontainerapp -g my-rg --image registry.hub.docker.com/myhubusername/imagename:latest --environment my-env --ingress external --target-port 80 --registry-server registry.hub.docker.com --registry-username myhubusername --registry-password myhubpassword

[ats1999]

docker.io/myimage:tag

The following field(s) are either invalid or missing. Field 'template.containers.mywebsite-web-server.image' is invalid with details: 'Invalid value: "docker.io/docker.io/myimage:latest": GET https:: UNAUTHORIZED: authentication required';. (Code: InvalidParameterValueInContainerTemplate)

Naming image to image: docker.io/myimage:tag is resulting in error too

[ats1999]

In my case changing registry from docker.io to registry.hub.docker.com worked

[cpellensap]

@BigMorty how could we go about getting the solution mentioned in this thread in the documentation? The documentation states that you use docker.io:

https://learn.microsoft.com/en-us/azure/container-apps/containers#container-registries

Thank you!

[BigMorty]

@anthonychu - Can you help with this?

[dyllandry]

Just had this issue while creating my first Container App through the portal. What fixed it was ats1999's suggestion of using registry.hub.docker.com instead of docker.io as the registry login url when creating the Container App for the first time.

This was pretty annoying as cpellensap is right, both the docks and the default placeholder urls are docker.io but cause this whole issue.

It's doubly annoying because I am not able to edit the registry url after failing to create the Container App for the first time. I can't create a new revision to change the image because there is no revision to base it off of since the Container App failed to create. I instead have to delete the whole container app and recreate it with different registry settings.

I don't understand why this issue is closed. The problem still exists.