This document provides detailed configuration for publishing Docker images to Edge Azure Container Registry (Edge ACR).
Edge ACR is the target Azure Container Registry for HagiCode Docker images. All multi-architecture Docker images are built and pushed to Edge ACR as part of the release process.
- Account: Azure account with Container Registry access
- Registry: Edge ACR endpoint (e.g.,
hagicode.azurecr.io) - Permissions:
AcrPush,AcrPull,AcrImageSign,AcrDelete - Authentication: Username/password or service principal/token
- Docker Version: 20.10 or later with buildx support
- QEMU: Cross-architecture emulation (via binfmt image)
- Storage: Sufficient space for Docker images (~2-5GB)
Most common authentication method for interactive use:
docker login hagicode.azurecr.io -u <username> -p <password>Environment Variables:
export AZURE_ACR_USERNAME="hagicode"
export AZURE_ACR_PASSWORD="password_or_token"
export AZURE_ACR_REGISTRY="hagicode.azurecr.io"Recommended for CI/CD and automated builds:
# Create service principal
az ad sp create-for-rbac \
--name hagicode-docker-push \
--role acrpull \
--role acrpush \
--scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<registry>
# Get credentials
export AZURE_ACR_USERNAME="<service-principal-app-id>"
export AZURE_ACR_PASSWORD="<service-principal-password>"Most secure option for production workloads:
# User-assigned managed identity
az identity create -g <resource-group> -n hagicode-docker-identity
# Assign ACR role
az role assignment create \
--assignee <identity-id> \
--role acrpull \
--role acrpush \
--scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<registry>Use Azure CLI for authentication (requires az acr login):
# Install Azure CLI
# macOS: brew install azure-cli
# Linux: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Login to Azure
az login
# Login to ACR
az acr login --name hagicode| Variable | Description | Example | Required |
|---|---|---|---|
AZURE_ACR_REGISTRY |
Edge ACR registry endpoint | hagicode.azurecr.io |
Yes |
AZURE_ACR_USERNAME |
Registry username or service principal | hagicode or sp-app-id |
Yes |
AZURE_ACR_PASSWORD |
Registry password or service principal secret | password or sp-secret |
Yes |
All variables can be prefixed with NUGEX_ for Nuke builds:
export NUGEX_AzureAcrRegistry="hagicode.azurecr.io"
export NUGEX_AzureAcrUsername="hagicode"
export NUGEX_AzureAcrPassword="password"<registry>/<image-name>:<tag>
| Tag Type | Example | Use Case |
|---|---|---|
| Version | hagicode.azurecr.io/hagicode:1.2.3 |
Specific version |
| Minor | hagicode.azurecr.io/hagicode:1.2 |
Latest in 1.2.x series |
| Major | hagicode.azurecr.io/hagicode:1 |
Latest in 1.x series |
| Latest | hagicode.azurecr.io/hagicode:latest |
Most recent release |
Note: Images use unified multi-stage build. Base tools and application code are combined in a single image. No separate base image tags are pushed.
Edge ACR supports multi-architecture manifests that reference both AMD64 and ARM64 images:
# Example multi-arch manifest
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"manifests": [
{
"platform": {
"architecture": "amd64",
"os": "linux"
},
"digest": "sha256:..."
},
{
"platform": {
"architecture": "arm64",
"os": "linux"
},
"digest": "sha256:..."
}
]
}The build system automatically creates multi-arch manifests using Docker buildx:
docker buildx build \
--platform linux/amd64,linux/arm64 \
--tag hagicode.azurecr.io/hagicode:1.2.3 \
--output type=registry \
.Check if a multi-arch manifest exists:
docker manifest inspect hagicode.azurecr.io/hagicode:1.2.3
# Output shows all supported platforms:
# Platform: linux/amd64
# Platform: linux/arm64The Nuke build system includes Edge ACR integration in Build.Targets.Docker.cs:
Targets:
DockerBuild- Build images locallyDockerPush- Push images to Edge ACRDockerRelease- Build and push (combined target)
Parameters:
--DockerPlatform- Platform(s) to build (all, linux-amd64, linux-arm64)--AzureAcrRegistry- Edge ACR endpoint--AzureAcrUsername- ACR username--AzureAcrPassword- ACR password--DockerImageName- Image name (default: hagicode/hagicode)
The .github/workflows/docker-build.yml workflow automatically:
- Authenticates to Edge ACR using secrets
- Builds multi-arch Docker images with buildx
- Pushes images directly to Edge ACR registry
- Creates version tags (full, minor, major, latest)
- Verifies images are available in registry
Error: unauthorized: authentication required
Causes:
- Incorrect username/password
- Expired token
- Insufficient permissions
Solutions:
- Verify credentials:
az acr show-credentials --name hagicode - Check permissions: Ensure role includes
AcrPush - Re-generate service principal secret if expired
Error: failed to upload layer to registry
Causes:
- Network connectivity issues
- Image size exceeds ACR limits
- Registry throttling
Solutions:
- Check network connectivity
- Verify ACR SKU supports required operations
- Retry with exponential backoff
- Check ACR quota limits:
az acr show-usage
Error: no such manifest or manifest invalid
Causes:
- Incorrect image tag
- Multi-arch manifest not fully pushed
- Cache issues
Solutions:
- List images in registry:
az acr repository show-tags --name hagicode --registry hagicode.azurecr.io - Verify platform-specific images exist
- Clear local Docker cache:
docker builder prune
Error: image not found in registry after push
Causes:
- Registry propagation delay (1-2 minutes)
- Indexing not complete
- Multi-region replication delay
Solutions:
- Wait and retry: Sleep 60 seconds, retry verification
- Check across regions: Verify image exists in target region
- Verify manifest digest matches build output
- Use service principals: Don't use personal accounts for CI/CD
- Rotate credentials: Update service principal secrets regularly
- Least privilege: Grant only
AcrPushandAcrPullas needed - Separate registries: Consider separate registries for dev/prod
- Audit access: Monitor who has ACR access via Azure AD
- Enable caching: Use Docker build cache to reduce rebuild time
- Parallel builds: Build AMD64 and ARM64 in parallel with buildx
- Layer optimization: Minimize layers by combining related changes
- Registry proximity: Use region-specific ACR for faster pulls
- Clean old images: Remove untagged images periodically
- Monitor usage: Track storage and request metrics
- Set retention policies: Automate image cleanup with ACR retention rules
- Use manifests: Prefer multi-arch manifests over separate images
# Login to ACR
az acr login --name hagicode
# List repositories
az acr repository list --name hagicode --registry hagicode.azurecr.io
# Show image tags
az acr repository show-tags --name hagicode --registry hagicode.azurecr.io
# Show image details
az acr manifest show-metadata \
--name hagicode \
--registry hagicode.azurecr.io \
--image 1.2.3
# Delete image
az acr repository delete \
--name hagicode \
--registry hagicode.azurecr.io \
--image 1.2.3# Show ACR usage
az acr show-usage --resource-group <resource-group> --name hagicode
# List credentials
az acr credential-list --name hagicode- Azure Container Registry Documentation
- Docker Buildx Documentation
- Azure CLI Documentation
- ACR Best Practices
For Edge ACR configuration issues:
- Check ENVIRONMENT_VARIABLES.md for variable setup
- Review README.md for build instructions
- Consult Azure Support for registry issues
- Review Nuke build logs:
./build.sh DockerRelease --help