Accelerate Container Startup with On-Demand Image Loading - Container Compute Service

Container Compute Service (ACS) integrates DADI (Data Accelerator for Disaggregated Infrastructure) overlaybd, enabling containers to start without downloading the full image first. Image content is fetched on demand as the container runs, reducing startup time significantly.

Performance benchmark — pulling a NodeBB image (1.34 GB) from Docker Hub:

	Pull time	Startup time
Traditional	36 seconds	38 seconds
DADI-accelerated	4 seconds	9 seconds

Actual improvement scales with image size and depends on network conditions between your cluster and the Container Registry instance.

How it works

Traditional containers download and decompress the entire image before the application starts. With DADI-accelerated images, the container starts immediately and fetches only the image layers it needs, on demand.

DADI supports two acceleration modes:

	Full mode	Index-only mode
Content stored	Full image content	Layer index only
Accelerated image size	1.3x the base image	3% of the base image
Conversion speed	Slower	Faster
Acceleration performance	Baseline	70% of full mode
Referrers API support	No	Yes
Tag suffix	`_containerd_accelerated`	`_accelerated`

Why index-only mode is slower at runtime: index-only mode stores only the layer index in the accelerated image, so the container must fetch layer data remotely on each file access. Full mode embeds the complete image data in the accelerated image, so reads are faster after the initial pull.

How image tag resolution works: in index-only mode, the Referrers API links the accelerated image back to the base image, so ACS can resolve the accelerated image automatically when you specify the base image tag. In full mode, the Referrers API is not supported — you must specify the accelerated image tag directly.

Prerequisites

Before you begin, ensure that you have:

An ACS cluster. See Create an ACS cluster
A Container Registry Enterprise Edition instance (basic or advanced tier). See Create an Enterprise Edition instance
Access control configured between your Container Registry instance and the ACS cluster:
- For VPC access: configure a VPC ACL. See Configure a VPC ACL
- For internet access: add the ACS cluster to the allowlist. See Configure access over the internet
(Index-only mode only) A trial approved. Submit a ticket to request access

Limitations

Multi-arch images cannot be converted to accelerated images.
The accelerated image must remain accessible throughout the lifetime of any Pod using it. In index-only mode, both the accelerated image and the base image must remain accessible.

Enable image acceleration

Enable image acceleration on a repository so that every image pushed to that repository is automatically converted to an accelerated image. The conversion runs in the background and does not affect the base image.

Enabling acceleration on a repository does not automatically convert existing images. To convert an existing image, follow the steps in Convert an existing image.

Log on to the Container Registry console.
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click your Enterprise Edition instance.
In the left-side navigation pane, choose Repository > Repositories.
Click the repository name, or click Manage in the Actions column.
Click Edit in the upper-left corner.
In the Modify Settings dialog box, turn on Enable image acceleration, then click Confirm.

Convert an existing image

In the Container Registry console, go to Instances, then click your Enterprise Edition instance.
In the left-side navigation pane, choose Repository > Repositories, then click the target repository.
In the left-side navigation pane, click Tags.
Find the image version you want to convert, then click the accelerate button on the right.

Use accelerated images

To pull accelerated images, grant ACS permission to access your Container Registry instance. ACS matches imagePullSecrets in the Pod spec to find credentials for pulling accelerated images. Two methods are supported.

Method 1: Password-free image pulling plug-in (recommended)

The password-free plug-in automatically injects Container Registry credentials into workloads that meet the configured conditions. You do not need to manually manage or renew credentials.

Install and configure the plug-in. See Pull images from Container Registry without using Secrets.

Create a workload using the ServiceAccount associated with the plug-in. Make sure the workload is in the same namespace as that ServiceAccount. For both full mode and index-only mode, specify the base image tag. Container Registry links the accelerated image to the base image automatically.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        # Specify the base image tag — ACS resolves the accelerated image automatically.
        - image: test-registry-vpc.cn-hangzhou.cr.aliyuncs.com/test/nginx:latest
          name: test
          command: ["sleep", "3600"]

Method 2: Kubernetes Secret

Create a kubernetes.io/dockerconfigjson Secret with credentials for your Container Registry instance. The Secret must either have the acr-credential- name prefix or the images.alibabacloud.com/accelerated: true label.

Step 1: Create the Secret

Use one of the following options:

Create a Secret that contains the prefix

kubectl create secret docker-registry acr-credential-test \
  --docker-server=<RegistryVpcDomain> \
  --docker-username=<UserName> \
  --docker-password=<Password>

Create a Secret that contains the tag value

kubectl create secret docker-registry <SecretName> \
  --docker-server=<RegistryVpcDomain> \
  --docker-username=<UserName> \
  --docker-password=<Password>

kubectl label secrets <SecretName> images.alibabacloud.com/accelerated="true"

Warning

Follow the principle of least privilege when configuring the pull Secret. Grant only the permissions required to pull images. See Attach a custom policy to a RAM user.

Step 2: Create a workload

The image tag you specify depends on the acceleration mode.

Full mode

Note

full mode does not support the Referrers API, so you must specify the accelerated image tag directly:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      imagePullSecrets:
        # The name of the Secret.
        - name: acr-credential-test
      containers:
        # Specify the accelerated image tag (suffixed with _containerd_accelerated).
        - image: test-registry-vpc.cn-hangzhou.cr.aliyuncs.com/test/nginx:latest_containerd_accelerated
          name: test
          command: ["sleep", "3600"]

Index-only mode

Note

index-only mode supports the Referrers API, so specify the base image tag:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      imagePullSecrets:
        # The name of the Secret.
        - name: acr-credential-test
      containers:
        # Specify the base image tag — ACS resolves the accelerated image automatically.
        - image: test-registry-vpc.cn-hangzhou.cr.aliyuncs.com/test/nginx:latest
          name: test
          command: ["sleep", "3600"]

What's next

Load resources of a container image on demand — technical deep dive into DADI overlaybd