Azure Container Registry: Image Pull Flow

Posted by Bin Du on Sunday, April 30, 2023

Pull Simple Linux or Windows Image (Single Region)

  • [NOTE] By default, a Windows image has one or two base layers hosted separately in Azure CDN (a.k.a. foreign layers). The client downloads these foreign layers directly from Azure CDN.
sequenceDiagram
    Docker->>+ACR: [Head] [registry].azurecr.io/v2/library/hello-world/manifests/latest
    Note right of ACR: All manifest request accept-header includes<br/>application/vnd.oci.image.manifest.v1+json,<br/>application/vnd.docker.distribution.manifest.v2+json,<br/>application/vnd.docker.distribution.manifest.list.v2+json,<br/>application/vnd.oci.image.index.v1+json,<br/>application/vnd.docker.distribution.manifest.v1+prettyjws,<br/>application/json
    ACR->>Docker: Manifest Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+ACR: [GET] [registry].azurecr.io/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+ACR: [GET] [registry].azurecr.io/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        ACR->>+Docker: [307] Redirect to storage blob
        Docker->>+Storage: [GET] [storageaccount].blob.core.windows.net/[container]//v2/blobs/sha256/2d/2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54/data
        Storage->>+Docker: [200/206] Blob content
        Docker->>+Storage: Continue to download remaining layer content
    end

Pull Multi-Arch Image (Single Region)

sequenceDiagram
    Docker->>+ACR: [Head] [registry].azurecr.io/v2/library/hello-world/manifests/latest
    Note right of ACR: All manifest request accept-header includes<br/>application/vnd.oci.image.manifest.v1+json,<br/>application/vnd.docker.distribution.manifest.v2+json,<br/>application/vnd.docker.distribution.manifest.list.v2+json,<br/>application/vnd.oci.image.index.v1+json,<br/>application/vnd.docker.distribution.manifest.v1+prettyjws,<br/>application/json
    ACR->>Docker: Manifest List Digest: sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af
    Docker->>+ACR: [GET] [registry].azurecr.io/v2/library/hello-world/manifests/sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af
    ACR->>Docker: [200] Manifest List Digest Content
    Docker->>+Docker: [Parse] Find the matching platform manifest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+ACR: [GET] [registry].azurecr.io/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+ACR: [GET] [registry].azurecr.io/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        ACR->>+Docker: [307] Redirect to storage blob
        Docker->>+Storage: [GET] [storageaccount].blob.core.windows.net/[container]//v2/blobs/sha256/2d/2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54/data
        Storage->>+Docker: [200/206] Blob content
        Docker->>+Storage: Continue to download remaining layer content
    end

Pull Simple Linux or Windows Image (Multiple Regions)

  • If the registry has data replication enabled in multiple regions, traffic is routed to the “closest” region, the one that provides the lowest connection latency.
  • In the following example, the registry has data replicas in WestUS and EastUS that serve requests for [registry].azurecr.io. Assuming WestUS provides the lowest connection latency to the client, the image is pulled from WestUS.
sequenceDiagram
    Docker->>+Azure DNS: Query the closest region
    Azure DNS->>+Docker: Return the ACR IP of WestUS which provides the lowest connection latency
    Docker->>+WestUS ACR: [Head] [registry].azurecr.io[WestUS IP]/v2/library/hello-world/manifests/latest
    Note right of WestUS ACR: All manifest request accept-header includes<br/>application/vnd.oci.image.manifest.v1+json,<br/>application/vnd.docker.distribution.manifest.v2+json,<br/>application/vnd.docker.distribution.manifest.list.v2+json,<br/>application/vnd.oci.image.index.v1+json,<br/>application/vnd.docker.distribution.manifest.v1+prettyjws,<br/>application/json
    WestUS ACR->>Docker: Manifest Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+WestUS ACR: [GET] [registry].azurecr.io[WestUS IP]/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    WestUS ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+WestUS ACR: [GET] [registry].azurecr.io[WestUS IP]/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        WestUS ACR->>+Docker: [307] Redirect to storage blob
        Docker->>+WestUS Storage: [GET] [storageaccount].blob.core.windows.net/[container]//v2/blobs/sha256/2d/2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54/data
        WestUS Storage->>+Docker: [200/206] Blob content
        Docker->>+WestUS Storage: Continue to download remaining layer content
    end

Pull Simple Linux or Windows Image with Data Proxy (Single Region)

  • If the registry has a private endpoint, service endpoint, dedicated data-endpoint, customer managed keys or pull through cache enabled, layer downloads are proxied through the data proxy server.
sequenceDiagram
    Docker->>+ACR: [Head] [registry].azurecr.io/v2/library/hello-world/manifests/latest
    Note right of ACR: All manifest request accept-header includes<br/>application/vnd.oci.image.manifest.v1+json,<br/>application/vnd.docker.distribution.manifest.v2+json,<br/>application/vnd.docker.distribution.manifest.list.v2+json,<br/>application/vnd.oci.image.index.v1+json,<br/>application/vnd.docker.distribution.manifest.v1+prettyjws,<br/>application/json
    ACR->>Docker: Manifest Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+ACR: [GET] [registry].azurecr.io/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+ACR: [GET] [registry].azurecr.io/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        ACR->>+Docker: [307] Redirect to DataProxy
        Docker->>+DataProxy: [GET] [registry].[region].data.azurecr.io/[encrypted-upstream-data-source-uri]
        DataProxy->>+Upstream: [GET] Forward the request to upstream
        Upstream->>+DataProxy: [200/206] Blob content
        DataProxy->>+Docker: [200/206] Blob content
        Docker->>+DataProxy: Continue to download remaining layer content
    end

Pull Simple Linux or Windows Image with Data Proxy (Multiple Regions)

  • If the registry has data replication enabled in multiple regions, traffic is routed to the “closest” region, the one that provides the lowest connection latency.
  • If the registry also has a private endpoint, service endpoint, dedicated data-endpoint, customer managed keys or pull through cache enabled, layer downloads are proxied through the data proxy server.
  • In the following example, the registry has data replicas in WestUS and EastUS that serve requests for [registry].azurecr.io. Assuming WestUS provides the lowest connection latency to the client, the image is pulled from WestUS.
sequenceDiagram
    Docker->>+Azure DNS: Query the closest region
    Azure DNS->>+Docker: Return the ACR IP of WestUS which provides the lowest connection latency
    Docker->>+WestUS ACR: [Head] [registry].azurecr.io[WestUS IP]/v2/library/hello-world/manifests/latest
    Note right of WestUS ACR: All manifest request accept-header includes<br/>application/vnd.oci.image.manifest.v1+json,<br/>application/vnd.docker.distribution.manifest.v2+json,<br/>application/vnd.docker.distribution.manifest.list.v2+json,<br/>application/vnd.oci.image.index.v1+json,<br/>application/vnd.docker.distribution.manifest.v1+prettyjws,<br/>application/json
    WestUS ACR->>Docker: Manifest Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+WestUS ACR: [GET] [registry].azurecr.io[WestUS IP]/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    WestUS ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+WestUS ACR: [GET] [registry].azurecr.io/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        WestUS ACR->>+Docker: [307] Redirect to WestUS DataProxy
        Docker->>+WestUS DataProxy: [GET] [registry].westus.data.azurecr.io/[encrypted-upstream-data-source-uri]
        WestUS DataProxy->>+Upstream: [GET] Forward the request to upstream
        Upstream->>+WestUS DataProxy: [200/206] Blob content
        WestUS DataProxy->>+Docker: [200/206] Blob content
        Docker->>+WestUS DataProxy: Continue to download remaining layer content
    end
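
The client-side steps of the flows above, as an added offline example (not code from the original post or from ACR): it checks a manifest against the digest it was requested by, performs the [Parse] step on a manifest list, enumerates the config and layer blobs, and classifies a [307] Location as direct storage or data proxy so egress rules can be matched to the registry's configuration. The registry name `myregistry`, the `https` scheme and both sample documents are constructed assumptions.

```python
import hashlib
import json
from urllib.parse import urlparse

REGISTRY = "myregistry"  # hypothetical registry name (assumption)

def digest_of(raw: bytes) -> str:
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def verified_manifest(raw: bytes, expected: str) -> dict:
    """Parse manifest bytes only if they hash to the digest that was requested."""
    if digest_of(raw) != expected:
        raise ValueError("manifest content does not match requested digest")
    return json.loads(raw)

def platform_digest(index: dict, os_name: str, arch: str) -> str:
    """[Parse] step of the multi-arch flow: find the matching platform manifest."""
    for entry in index["manifests"]:
        plat = entry.get("platform", {})
        if (plat.get("os"), plat.get("architecture")) == (os_name, arch):
            return entry["digest"]
    raise LookupError(f"no manifest for {os_name}/{arch}")

def blob_digests(manifest: dict) -> list:
    """The 'enumerate all config and layer blobs' loop: config first, then layers."""
    return [manifest["config"]["digest"]] + [l["digest"] for l in manifest["layers"]]

def classify_redirect(location: str) -> str:
    """Name the data path a [307] Location points at, by exact host shape."""
    url = urlparse(location)
    labels = (url.hostname or "").lower().split(".")
    if url.scheme != "https" or len(labels) != 5:  # https is an assumption
        return "unexpected"
    if labels[1:] == ["blob", "core", "windows", "net"]:
        return "storage"  # [storageaccount].blob.core.windows.net
    is_proxy = labels[0] == REGISTRY and labels[2:] == ["data", "azurecr", "io"]
    return "data-proxy" if is_proxy else "unexpected"  # [registry].[region].data.azurecr.io

# Constructed sample documents (not captured from a real registry).
MANIFEST_RAW = json.dumps({"schemaVersion": 2, "config": {"digest": "sha256:" + "c" * 64},
                           "layers": [{"digest": "sha256:" + "a" * 64}]}).encode()
INDEX_RAW = json.dumps({"schemaVersion": 2, "manifests": [
    {"digest": "sha256:" + "0" * 64, "platform": {"os": "windows", "architecture": "amd64"}},
    {"digest": digest_of(MANIFEST_RAW), "platform": {"os": "linux", "architecture": "amd64"}},
]}).encode()

def walk_pull(os_name: str = "linux", arch: str = "amd64") -> list:
    wanted = platform_digest(json.loads(INDEX_RAW), os_name, arch)
    return blob_digests(verified_manifest(MANIFEST_RAW, wanted))
```

A registry configured for the data proxy path should only ever produce `data-proxy` results; a `storage` or `unexpected` result there is worth investigating before widening firewall rules.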