Compute Nest:Container image deployment packages

Last Updated:Jun 06, 2025

In scenarios in which Docker container images are used, we recommend that you use container image deployment packages to deploy services. Compute Nest provides a public Container Registry repository to manage and store container images. Each service provider is assigned its own namespace, which isolates the data of different tenants. This topic describes the scenarios of container image deployment packages, how container image deployment packages work, and how to create and use a container image deployment package.

Scenarios

If you want to use a Docker container image that is pulled over the Internet to deploy a service but do not want to make the container image publicly available, you can use a container image deployment package that is pulled by using a temporary key.

Important

Container image deployment packages are not applicable to scenarios in which auto scaling is required or images need to be frequently pulled.

Solutions if container image deployment packages are not applicable to your scenarios

  • Scenarios in which a service cannot access the Internet

    If your service cannot access the Internet, create a self-managed Container Registry repository and use internal URLs to pull images over an internal network. For more information, see Configure a VPC ACL.

  • Scenarios in which you want to pull images after you deploy a service

    Private service: Create a self-managed public Container Registry repository to ensure that the images can be pulled.

    Fully managed service: Create a private Container Registry repository and use the password-free image pulling plug-in provided by a Container Service for Kubernetes (ACK) cluster to pull images.

    For more information, see Use the aliyun-acr-credential-helper component to pull images without using a secret.

  • Scenarios in which public container images are used

    If a public container image is used, use the public URL to pull the image during service deployment. You do not need to use a container image deployment package.

Implementation

Container images of multiple service providers are stored in the same image repository. To implement multi-tenant data isolation, Compute Nest assigns each service provider to a separate namespace. Container images of service providers are stored in their corresponding namespaces. Temporary keys for uploading and pulling images are generated for a namespace based on the Alibaba Cloud account ID of the corresponding service provider. This way, access control is implemented based on namespaces.

Details

  1. Upload a container image to the Container Registry repository of Compute Nest

    1. The service provider calls an operation of Compute Nest to obtain a temporary key. Compute Nest calls an operation of Container Registry to obtain a temporary key of the namespace whose name is the Alibaba Cloud account ID of the service provider.

    2. The service provider uses the obtained temporary key to upload a local container image to the Container Registry repository of Compute Nest. The container image is stored in the namespace whose name is the Alibaba Cloud account ID of the service provider.

  2. Deploy a container image to an ACK cluster

    1. Compute Nest obtains a temporary key for pulling the container image of the service provider and stores the key in a Secret in the ACK cluster.

    2. Compute Nest replaces the deployment package identifier in the template with the URL of the container image in the Container Registry repository of Compute Nest, and specifies the Secret that is stored in the ACK cluster as the key for pulling the container image.

    3. The ACK cluster pulls and deploys the container image.

Why does Compute Nest use a managed solution for container image deployment packages?

Docker container images can be stored in Alibaba Cloud Container Registry. Service providers can upload images to their own private repositories and manage the images by themselves. However, to reduce costs of purchasing Container Registry instances, facilitate security scanning, and prevent service providers from accidentally deleting images, Compute Nest provides a public Container Registry repository. This repository is solely used to store and maintain container images of service providers. This ensures security and stability.

Usage notes

You must define the following identifiers in a Resource Orchestration Service (ROS) template of a service. The identifiers are replaced with actual values during service deployment.

  • {{ computenest::acrimage::yourimage }}: the identifier of the container image deployment package. When you deploy the service template, Compute Nest replaces the identifier with the URL of the associated container image deployment package, such as compute-nest-registry.cn-hangzhou.cr.aliyuncs.com/aliUid1/volcanosh/vc-controller-manager:1.0.

  • {{ computenest::acr::dockerconfigjson }}: the identifier of the key that is used to pull the container image. When you deploy the service template, Compute Nest replaces the identifier with a temporary key that is used to pull the container image.

The following sample YAML file shows how to deploy a service by using a container image deployment package. The temporary key that replaces the {{ computenest::acr::dockerconfigjson }} identifier is stored in the computenestrepo Secret. After the deployment package identifier is replaced with the URL of the container image, the Secret is referenced in imagePullSecrets so that the cluster can pull the image.

Sample code

Resources:
  ClusterApplication:
    Type: ALIYUN::CS::ClusterApplication
    Properties:
      YamlContent: |
          apiVersion: v1
          data:
            .dockerconfigjson: {{computenest::acr::dockerconfigjson}}
          kind: Secret
          metadata:
            name: computenestrepo
            namespace: nginx
          type: kubernetes.io/dockerconfigjson
          ---
          apiVersion: apps/v1
          kind: Deployment
          metadata:
            name: nginx
            # An imagePullSecret can only be referenced from the namespace in which the Secret exists.
            namespace: nginx
          spec:
            # A Deployment requires a selector that matches the Pod template labels.
            selector:
              matchLabels:
                app: nginx
            template:
              metadata:
                labels:
                  app: nginx
              spec:
                containers:
                - name: nginx
                  image: {{ computenest::acrimage::nginx }}
                  ports:
                  - containerPort: 80
                imagePullSecrets:
                - name: computenestrepo
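The substitution described above, checked offline, as an added example that is not Compute Nest's own code: it decodes the value that replaces {{ computenest::acr::dockerconfigjson }} the same way the jq script later on this page does (and also accepts the combined "auth" field), and verifies that the Deployment references the Secret from the same namespace and that the image URL points at a registry the credential covers, under the namespace named after the provider's account ID. The registry host, account ID, credentials and the sample manifests are constructed placeholders.

```python
import base64
import json

# Constructed placeholders (not real Compute Nest data): the URL that replaces
# {{ computenest::acrimage::nginx }} and the base64 docker config.json that
# replaces {{ computenest::acr::dockerconfigjson }}.
REGISTRY = "compute-nest-registry.cn-hangzhou.cr.aliyuncs.com"
ACCOUNT_ID = "1234567890123456"  # the service provider's Alibaba Cloud account ID
IMAGE_URL = f"{REGISTRY}/{ACCOUNT_ID}/nginx:1.0"


def encode_dockerconfigjson(auths):
    # Base64-encode a docker config.json body the way the Secret stores it.
    return base64.b64encode(json.dumps({"auths": auths}).encode()).decode()


DOCKERCONFIGJSON = encode_dockerconfigjson(
    {REGISTRY: {"username": "tmp-user", "password": "tmp-pass"}})
# The page's sample Secret and Deployment as dicts (no YAML library needed).
SECRET = {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
          "metadata": {"name": "computenestrepo", "namespace": "nginx"},
          "data": {".dockerconfigjson": DOCKERCONFIGJSON}}
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "nginx", "namespace": "nginx"},
              "spec": {"template": {"spec": {
                  "containers": [{"name": "nginx", "image": IMAGE_URL}],
                  "imagePullSecrets": [{"name": "computenestrepo"}]}}}}


def parse_dockerconfigjson(b64_value):
    """Decode the Secret value into {registry_host: (username, password)}; reads
    username/password keys (as the page's jq script does) or the base64 "auth" field."""
    config = json.loads(base64.b64decode(b64_value, validate=True))
    creds = {}
    for host, entry in config.get("auths", {}).items():
        if "auth" in entry:
            user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, pw = entry["username"], entry["password"]
        creds[host] = (user, pw)
    if not creds:
        raise ValueError("dockerconfigjson has no auths entry")
    return creds


def check_image_url(image_url, creds, account_id):
    """Problems with a substituted image URL; an empty list means it is fine."""
    problems = []
    host, _, path = image_url.partition("/")
    if host not in creds:
        problems.append(f"no credential for registry {host}")
    if path.split("/")[0] != account_id:  # images live under the account-ID namespace
        problems.append(f"image namespace is not the account ID {account_id}")
    return problems


def check_manifests(secret, deployment, account_id):
    """Cross-check the Secret/Deployment pair the way kubelet will use them."""
    problems = []
    if secret["type"] != "kubernetes.io/dockerconfigjson":
        problems.append("Secret type is not kubernetes.io/dockerconfigjson")
    if secret["metadata"]["namespace"] != deployment["metadata"]["namespace"]:
        problems.append("Secret and Deployment are in different namespaces")
    pod = deployment["spec"]["template"]["spec"]
    if secret["metadata"]["name"] not in {s["name"] for s in pod.get("imagePullSecrets", [])}:
        problems.append("Deployment does not list the Secret in imagePullSecrets")
    creds = parse_dockerconfigjson(secret["data"][".dockerconfigjson"])
    for container in pod["containers"]:
        problems += check_image_url(container["image"], creds, account_id)
    return problems
```

A Secret in another namespace or an image URL outside the provider's namespace are the two mistakes that surface later only as ImagePullBackOff, so catching them before the template is published saves a deployment round trip.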

Create and use a container image deployment package

Prerequisites

Docker is installed, and a Docker image is created. For more information, see Install and use Docker.

Create a container image deployment package

  1. Configure the basic information about the deployment package.

    1. Log on to the Compute Nest console. In the left-side navigation pane, click Service Deployment Package. In the Deployment Package section of the Service Deployment Package page, click Create Deployment Package.

    2. In the Deployment Package Information section, configure the following parameters.

      • Deployment Package Name: The name of the deployment package. The name must be 3 to 128 characters in length, and can contain letters, digits, and underscores (_). The name cannot be changed after the deployment package is created.

      • Version Name: The name of the deployment package version. The name must be 3 to 50 characters in length, and can contain letters, digits, and underscores (_).

      • Description: The description of the deployment package. The description must be 10 to 500 characters in length.

      • Resource Group: The name of the resource group to which the deployment package belongs. Resource groups are used to group your resources by usage, permission, and region. You can use resource groups to organize your resources in a hierarchical manner and group resources based on users and projects. For more information, see Manage resource groups.

      • Tag Settings: The tags that you want to add to the deployment package. Select or enter complete tag keys and tag values. You can add up to 20 tags to a deployment package. If no suitable tag key or tag value is available, you can create a custom tag. For more information, see Add a custom tag.

  2. Configure the container image deployment package.

    In this example, the apache-php5 image is uploaded.

    1. In the Deployment Package Content section, set the Deployment Package Type parameter to Container Image.

    2. Click Obtain Access Credential to obtain the command that is used to log on to the Container Registry repository of Compute Nest and upload a container image to the Container Registry repository of Compute Nest.

      1. Log on to the CLI and run the obtained command to log on to the Container Registry repository of Compute Nest.

      2. Tag your container image.

      3. Push the tagged container image to the Container Registry repository of Compute Nest.

    3. Configure the Select Product parameter and click Publish Deployment Package.

  3. View the deployment package.

    1. Return to the Service Deployment Package page. On the Packages tab, find the deployment package and click its ID. On the Deployment Package Details page, view the deployment progress.

    2. If the deployment package is in the Available state, the deployment package is created.

Use a container image deployment package

In this example, a private service is created to describe how to use a container image deployment package.

  1. Log on to the Compute Nest console.

  2. In the left-side navigation pane, click My Services. On the Created Services tab of the My Services page, click Create Service.

  3. On the Create Service page, set Select Service Creation Method to Custom Launch, Select Service Type to Private Service, and then click Next: Configure Settings.

  4. On the Create Service page, configure the parameters in the Basic Information section as prompted. In the Service Deployment section, set the nst.vendor.create.tplInputType.label parameter to Custom Template, select Manually Import Template, set the Deployment Method parameter to ROS, and then enter template content.

    In the ALIYUN::CS::ClusterApplication resource of the ROS template, define the {{ computenest::acr::dockerconfigjson }} identifier that specifies the access credential and the {{ computenest::acrimage::yourimage }} identifier that specifies the container image deployment package.

    Sample template

    Note

    This sample template is used for testing only.

    ROSTemplateFormatVersion: '2015-09-01'
    Description:
      en: Application deployed by docker
      zh-cn:  使用docker部署单机应用
    Parameters:
      PayType:
        Type: String
        Label:
          en: ECS Instance Charge Type
          zh-cn: 付费类型
        Default: PostPaid
        AllowedValues:
          - PostPaid
          - PrePaid
        AssociationProperty: ChargeType
        AssociationPropertyMetadata:
          LocaleKey: InstanceChargeType
      PayPeriodUnit:
        Type: String
        Label:
          en: Pay Period Unit
          zh-cn: 购买资源时长周期
        Default: Month
        AllowedValues:
          - Month
          - Year
        AssociationProperty: PayPeriodUnit
        AssociationPropertyMetadata:
          Visible:
            Condition:
              Fn::Not:
                Fn::Equals:
                  - ${PayType}
                  - PostPaid
      PayPeriod:
        Type: Number
        Label:
          en: Period
          zh-cn: 购买资源时长
        Default: 1
        AllowedValues:
          - 1
          - 2
          - 3
          - 4
          - 5
          - 6
          - 7
          - 8
          - 9
        AssociationProperty: PayPeriod
        AssociationPropertyMetadata:
          Visible:
            Condition:
              Fn::Not:
                Fn::Equals:
                  - ${PayType}
                  - PostPaid
      EcsInstanceType:
        Type: String
        Label:
          en: Instance Type
          zh-cn: 实例类型
        AssociationProperty: ALIYUN::ECS::Instance::InstanceType
        AssociationPropertyMetadata:
          InstanceChargeType: ${PayType}
        AllowedValues:
          - ecs.g8i.large
          - ecs.g6.large
        
      InstancePassword:
        NoEcho: true
        Type: String
        Description:
          en: Server login password, Length 8-30, must contain three(Capital letters, lowercase letters, numbers, ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/ Special symbol in)
          zh-cn: 服务器登录密码,长度8-30,必须包含三项(大写字母、小写字母、数字、 ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/ 中的特殊符号)
        AllowedPattern: '^[a-zA-Z0-9-\(\)\`\~\!\@\#\$\%\^\&\*\_\-\+\=\|\{\}\[\]\:\;\<\>\,\.\?\/]*$'
        Label:
          en: Instance Password
          zh-cn: 实例密码
        ConstraintDescription:
          en: Length 8-30, must contain three(Capital letters, lowercase letters, numbers, ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/ Special symbol in)
          zh-cn: 长度8-30,必须包含三项(大写字母、小写字母、数字、 ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/ 中的特殊符号)
        MinLength: 8
        MaxLength: 30
        AssociationProperty: ALIYUN::ECS::Instance::Password
      ZoneId:
        Type: String
        Label:
          en: Zone ID
          zh-cn: 可用区ID
        AssociationProperty: ALIYUN::ECS::Instance::ZoneId
      VpcId:
        Type: String
        Label:
          en: VPC ID
          zh-cn: 专有网络VPC实例ID
        Description:
          en: >-
            Please search the ID starting with (vpc-xxx) from console-Virtual
            Private Cloud
          zh-cn: 现有虚拟专有网络的实例ID
        AssociationProperty: 'ALIYUN::ECS::VPC::VPCId'
      VSwitchId:
        Type: String
        Label:
          en: VSwitch ID
          zh-cn: 交换机实例ID
        Description:
          en: >-
            Instance ID of existing business network switches, console-Virtual
            Private Cloud-VSwitches under query
          zh-cn: 现有业务网络交换机的实例ID
        Default: ''
        AssociationProperty: 'ALIYUN::ECS::VSwitch::VSwitchId'
        AssociationPropertyMetadata:
          VpcId: VpcId
          ZoneId: ZoneId
      AdminPassword:
        Type: String
        AssociationProperty: ALIYUN::ECS::Instance::Password
        Label: Administrator password
        NoEcho: True
    Resources:
      SecurityGroup:
        Type: ALIYUN::ECS::SecurityGroup
        Properties:
          SecurityGroupName:
            Ref: ALIYUN::StackName
          VpcId:
            Ref: VpcId
          SecurityGroupIngress:
            - PortRange: 80/80
              Priority: 1
              SourceCidrIp: 0.0.0.0/0
              IpProtocol: tcp
              NicType: internet
      InstanceGroup:
        Type: ALIYUN::ECS::InstanceGroup
        Properties:
          # The billing method.
          InstanceChargeType:
            Ref: PayType
          PeriodUnit:
            Ref: PayPeriodUnit
          Period:
            Ref: PayPeriod
          VpcId:
            Ref: VpcId
          VSwitchId:
            Ref: VSwitchId
          SecurityGroupId:
            Ref: SecurityGroup
          ZoneId:
            Ref: ZoneId
          ImageId: centos_7
          Password:
            Ref: InstancePassword
          InstanceType:
            Ref: EcsInstanceType
          SystemDiskCategory: cloud_essd
          SystemDiskSize: 200
          InternetMaxBandwidthOut: 5
          IoOptimized: optimized
          MaxAmount: 1
      WaitCondition:
        Type: ALIYUN::ROS::WaitCondition
        Properties:
          Count: 1
          Handle:
            Ref: WaitConditionHandle
          Timeout: 300
      WaitConditionHandle:
        Type: ALIYUN::ROS::WaitConditionHandle
      InstallPackage:
        Type: ALIYUN::ECS::RunCommand
        Properties:
          InstanceIds:
            Fn::GetAtt:
              - InstanceGroup
              - InstanceIds
          Type: RunShellScript
          Sync: true
          Timeout: 300
          CommandContent:
            Fn::Sub:
              - |
                yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
                yum makecache fast
                yum -y install docker-ce jq
                systemctl enable docker
                systemctl start docker
                sleep 10
    
                dockerJson='{{ computenest::acr::dockerconfigjson }}'
                decodeDockerJson=$(echo "$dockerJson" | base64 -d)
                host=$(echo "$decodeDockerJson" | jq '.auths' | jq 'keys' | jq .[0])
                username=$(echo "$decodeDockerJson" | jq ".auths.$host.username" | tr -d '"')
                password=$(echo "$decodeDockerJson" | jq ".auths.$host.password" | tr -d '"')
                host=$(echo "$host" | tr -d '"')
                # Pass the temporary password on stdin so that it does not appear in the process list or the command log.
                echo "$password" | docker login "$host" --username="$username" --password-stdin
    
                mkdir -p /home/admin/application
                cat >/home/admin/application/docker-compose.yaml<<EOF
                # You can reference parameters in the docker-compose.yaml file.
                # A NGINX service instance.
                services:
                  # The service name.
                  nginx:
                    # The Docker image.
                    image: {{computenest::acrimage::nginx}}
                    # The port mapping.
                    ports:
                      - 80:80
                    volumes:
                      - /home/admin/application/nginx/logs:/var/log/nginx/
                EOF
                
                cat > /etc/systemd/system/docker-compose-app.service <<EOF
                [Unit]
                Description=Docker Compose Application Service
                Requires=docker.service
                After=docker.service
                
                [Service]
                Type=oneshot
                RemainAfterExit=yes
                WorkingDirectory=/home/admin/application
                ExecStart=/usr/bin/docker compose up -d
                ExecStop=/usr/bin/docker compose down
                TimeoutStartSec=0
                
                [Install]
                WantedBy=multi-user.target
                EOF
                
                systemctl enable docker-compose-app
    
                # The code snippet that is run before Docker Compose starts. You can reference parameters in the command.
                echo "before docker compose starts"
                mkdir -p /home/admin/application/nginx/logs
                
                systemctl start docker-compose-app
                sleep 10
                # The code snippet that is run after Docker Compose starts. You can reference parameters in the command.
                echo "after docker compose starts"
                echo ${AdminPassword}
                
                # The callback is invoked when the script is successfully run, and WaitCondition no longer needs to wait for sending signals.
                ${CurlCli} -d "{\"Data\" : \"Success\", \"status\" : \"SUCCESS\"}"
              - CurlCli:
                  Fn::GetAtt:
                    - WaitConditionHandle
                    - CurlCli
    Outputs: 
      Endpoint:
        Value:
          Fn::Sub:
            - http://${Address}:80
            - Address:
                Fn::Select:
                - 0
                - Fn::GetAtt:
                  - InstanceGroup
                  - PublicIps
    Metadata:
      ALIYUN::ROS::Interface:
        ParameterGroups:
          - Parameters:
              - PayType
              - PayPeriodUnit
              - PayPeriod
            Label:
              default: billing method configuration
          - Parameters:
              - EcsInstanceType
              - InstancePassword
            Label:
              default: resource configuration
          
          - Parameters:
              - AdminPassword
            Label:
              en: Software Configuration
              zh-cn: 软件配置
          
          - Parameters:
              - ZoneId
              - VpcId
              - VSwitchId
            Label:
              default: zone configuration
  5. In the Deployment Package Association section, find Set Container Image Association and click Select Deployment Package. In the Select Deployment Package (Container Image Association) dialog box, select a deployment package and a version and click OK.

  6. Configure other parameters and click Create Service. After the service is created, test the service. After the service passes the test, check whether the service meets the review criteria of Compute Nest and submit the service for review. For more information, see Review criteria.

  7. After the service is created, go to the details page of the service. On the Service Details tab, find the Service Deployment section and click the Associated Deployment Packages tab. On the Associate Container Image tab, view the associations with deployment packages.

References

  • For more information about how to create a service in Compute Nest, see Create a service.

  • If you no longer need a deployment package or deployment package version, you can delete it. For more information, see Delete a deployment package.

  • If you need to modify the content of a deployment package, you can create a new version. For more information, see Create a version.

  • For more information about how to configure the update settings of a deployment package, see Configure service update settings.