Testing Windows containers for ASWF builds

Primary language: Dockerfile. License: Apache License 2.0 (Apache-2.0).

windows-container-test

This project demonstrates building a Windows Docker container with Visual Studio, CMake and git, with the objective of being able to implement the VFX Reference Platform compliant ASWF build containers from Docker Images for the Academy Software Foundation.

Windows Version Requirements

Docker on Windows requires that containers are built from a base image of the same Windows version (or more specifically, build version) as the system on which they will run. As of Summer 2022, the GitHub-hosted GitHub Actions Windows runners with container support enabled are running:

Both of these include Docker 20.10.7. We use the 2022 base image for Windows Server Core:

mcr.microsoft.com/windows/servercore:ltsc2022-amd64

Newer Windows versions support running older containers using Hyper-V isolation, which turns the container into something more like a Hyper-V VM. It's unclear if that's supported on GitHub Actions Windows runners.

Using a secret variable for docker hub login

Authenticating against Docker Hub with docker login in order to push the newly built image requires a Docker Hub Personal Access Token (PAT). Record this PAT in a secure location before dismissing the creation window.

Next, save this token to an Azure Pipelines secret variable called DOCKER_HUB_TOKEN:

az pipelines variable create --name DOCKER_HUB_TOKEN --value YOUR_DOCKER_HUB_TOKEN --secret true --allow-override true --pipeline-name GITHUB_PROJECT.ci

Using a service connection with the predefined Docker task

Instead of using docker login, we can use the pre-defined Docker task in Azure Pipelines. We need to create a Service Connection with the Azure CLI. Unfortunately the API isn't completely fleshed out for Docker Hub service endpoints and requires gathering a sample JSON request generated by using the GUI, updating it with the desired parameters and feeding that to the command line. The file az_cli_docker_hub_endpoint.json can be used to create a valid request:

sed -e 's/DOCKER_HUB_USER/docker-hub-id/' \
    -e 's/DOCKER_HUB_TOKEN/docker-hub-access-token/' \
    -e 's/DOCKER_HUB_EMAIL/docker-hub-email/' \
    -e 's/DOCKER_HUB_CONNECTION/GITHUB_PROJECT.dockerhub.connection/' \
    docker_hub_endpoint.json | \
az devops service-endpoint create --service-endpoint-configuration /dev/stdin

where name-for-service-endpoint corresponds to the containerRegistry property of the Docker@2 task in your azure-pipelines.yml CI configuration file. az devops ... reads the output of sed via /dev/stdin to avoid having to create a temporary file containing cleartext credentials.
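
An added example, not part of the repository: the same template fill done with awk from environment variables, so the token never appears in the sed argument list (and so not in shell history or `ps` output), and values containing `/`, `&`, `"` or `\` break neither the substitution nor the JSON. The function names and the template body are constructed for illustration; only the four placeholder names come from the command above.

```shell
# Constructed stand-in for the endpoint template (not the project's JSON file).
sample_template() {
cat <<'EOF'
{
  "name": "DOCKER_HUB_CONNECTION",
  "authorization": { "parameters": {
      "username": "DOCKER_HUB_USER",
      "password": "DOCKER_HUB_TOKEN",
      "email": "DOCKER_HUB_EMAIL" } }
}
EOF
}

# Fill the placeholders on stdin from same-named, exported environment variables.
# Assumed usage, reusing the az command from the text above:
#   render_endpoint < docker_hub_endpoint.json | \
#   az devops service-endpoint create --service-endpoint-configuration /dev/stdin
render_endpoint() {
    awk '
    # Literal (non-regex) replacement: the value is never read as a pattern.
    function subst(s, key, val,    out, i) {
        out = ""
        while ((i = index(s, key)) > 0) {
            out = out substr(s, 1, i - 1) val
            s = substr(s, i + length(key))
        }
        return out s
    }
    # Escape backslashes first, then double quotes, for a JSON string value.
    function json_escape(s) {
        return subst(subst(s, "\\", "\\\\"), "\"", "\\\"")
    }
    BEGIN {
        n = split("DOCKER_HUB_USER DOCKER_HUB_TOKEN DOCKER_HUB_EMAIL DOCKER_HUB_CONNECTION", keys, " ")
        for (k = 1; k <= n; k++)
            if (!(keys[k] in ENVIRON)) {
                print "unset: " keys[k] > "/dev/stderr"
                bad = 1
            }
        if (bad) exit 2   # refuse to emit a half-filled request
    }
    {
        for (k = 1; k <= n; k++)
            $0 = subst($0, keys[k], json_escape(ENVIRON[keys[k]]))
        print
    }'
}
```

The token can be placed in the environment with `read -rs DOCKER_HUB_TOKEN; export DOCKER_HUB_TOKEN`, which keeps it out of shell history as well.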

As of version 0.16.0 of the azure-devops extension to the Azure CLI, az devops service-endpoint supports an update command that can be used to allow access to the Docker Hub service connection from all pipelines in the Azure DevOps project we just created (the previous approach, based on using az devops invoke to issue the HTTP PATCH API call, is kept below for reference):

export DOCKER_HUB_CONNECTION_ID=$(az devops service-endpoint list \
    --query "[?name=='name-of-docker-hub-connection'].id" -o tsv)
# Use the same variable name that was exported above
az devops service-endpoint update --id "$DOCKER_HUB_CONNECTION_ID" --enable-for-all

Currently `az devops service-endpoint create` creates a service connection which doesn't have the "Allow all pipelines to use this service connection" property set (which you can set when you create a service connection from the web UI). The comments in this [GitHub Issue requesting a feature enhancement](Azure/azure-devops-cli-extension#817) propose the use of a generic API, `az devops invoke ...`, as a workaround.

export DOCKER_HUB_CONNECTION_ID=$(az devops service-endpoint list \
    --query "[?name=='name-of-docker-hub-connection'].id" -o tsv)
sed -e 's/DOCKER_HUB_CONNECTION_ID/'"$DOCKER_HUB_CONNECTION_ID"'/' \
    -e 's/DOCKER_HUB_CONNECTION/name-of-docker-hub-service-endpoint/' \
    docker_hub_endpoint_auth.json | \
az devops invoke --http-method patch --area build --resource authorizedresources \
    --route-parameters project=GITHUB_PROJECT --api-version 5.0-preview --in-file /dev/stdin --encoding ascii