When you create a container from an image, the system typically downloads and decompresses the entire image package even if only part of its contents is required to start the container. Container Registry Enterprise Edition addresses this with image acceleration: worker nodes download only the resources required at startup and decompress image layers on demand, leaving the rest to load in the background.
For a 1.34 GB NodeBB image pulled from Docker Hub, this reduces pull time from 36 seconds to 4 seconds and cuts application startup from 38 seconds to 9 seconds.
Prerequisites
Before you begin, ensure that you have:
A supported cluster type and version:
| Cluster type | Minimum version |
|---|---|
| ACK managed and dedicated clusters | v1.16.9 |
| ACK Edge clusters | v1.26.3 |
| ACK Serverless clusters | v1.26.3 |
| ACK Lingjun clusters | v1.26.3 |
| Alibaba Cloud Container Compute Service (ACS) | v1.26.3 |
Supported operating systems when you create the cluster:
Alibaba Cloud Linux 2.1903
Alibaba Cloud Linux 3.2104
Alibaba Cloud Linux 3.2104 LTS 64-bit ARM edition
Alibaba Cloud Linux UEFI 2.1903
CentOS 7.9
A Container Registry Enterprise Edition instance. See Create a Container Registry Enterprise Edition instance. The CR Enterprise Edition editions that support image acceleration depend on the acceleration mode:
Full mode: Standard Edition and Advanced Edition
Index-only mode: Basic Edition, Standard Edition, and Advanced Edition
The virtual private cloud (VPC) of your ACK or ACK Serverless cluster added to the access control list (ACL) of the Container Registry Enterprise Edition instance. Accelerated images run only inside VPCs. See Configure a VPC ACL.
Choose an acceleration mode
Select an acceleration mode before enabling image acceleration on a repository.
| | Full mode | Index-only mode |
|---|---|---|
| Acceleration effect | Full effect | ~70% of full mode |
| Accelerated image size | ~130% of base image | ~3% of base image |
| Conversion time (1 GB image) | ~25 seconds | ~3 seconds |
| Supported runtimes | Docker and containerd | containerd only |
| Base image deletion | Accelerated image is independent; base image can be deleted | Base image cannot be deleted while the accelerated image is in use |
| Supported CR editions | Standard and Advanced | Basic, Standard, and Advanced |
| Status | Generally available | Public preview |
| CI/CD impact | Generates a new image artifact with _accelerated suffix | Generates a separate index artifact; original image is unchanged |
Index-only mode is in public preview. Validate it in a test environment before production use.
Additional constraints for index-only mode:
Works only with images compressed by tar or gz. Images compressed with zstd are not supported, because the index-only approach maps byte ranges within the original compressed stream and zstd does not expose a seekable structure.
Does not support the Docker runtime, because the index-only snapshotter relies on containerd's plugin API, which Docker does not expose.
Cannot be used in Function Compute or Serverless App Engine (SAE) scenarios.
Limitations
Custom domain names: containerd supports custom domain names for accelerated image repositories. Docker does not, due to Docker's own restrictions. See Use a custom domain name to access a Container Registry Enterprise Edition instance.
Existing images: Images already in a repository are not automatically converted when you enable acceleration. Trigger conversion manually.
Region availability: This feature is not available in Alibaba Finance Cloud and Alibaba Gov Cloud regions.
Convert a base image to an accelerated image
Enable image acceleration on a repository so that every image pushed to that repository is automatically converted to an accelerated image. Conversion runs in the background and does not affect the base image.
About accelerated image tags:
The namespace and repository name of an accelerated image are the same as the base image. The tag format depends on the acceleration mode:
Index-only mode: base tag + _accelerated suffix (containerd runtime only). Do not delete the base image tag while the accelerated image is in use.
Full mode: two tag formats are generated:
Base tag + _accelerated suffix: supports Docker and containerd runtimes.
Base tag + _containerd_accelerated suffix: supports containerd runtime only. Do not delete this image or its base image while either is in use.
Steps:
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance you want to manage.
In the left-side navigation pane, choose Repository > Repositories.
On the Repositories page, find the repository and click its name, or click Manage in the Actions column. On the repository page, click Edit in the upper-left corner.
In the Modify Settings dialog box, select Enabled in the Accelerated Image section, choose an acceleration mode, and click Confirm.
(Optional) In Prefetch File List, enter the absolute paths of files to prefetch at container startup. Use this when large files must be read at startup.
Enter one absolute path per line. For directories, add a trailing slash (/).
After you enable acceleration, each image pushed to the repository is automatically converted. To receive a notification when conversion completes, configure an event notification with an expression-based trigger and set the expression to _accelerated$. See Event Notification.
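The tag suffix rules and the _accelerated$ notification expression above can be turned into a guard for tag clean-up jobs. The following is an added example, not code from Container Registry; the function names and REPO_TAGS are hypothetical, and the acceleration mode is passed in by the caller because the _accelerated suffix appears in both modes.

```python
import re

NOTIFY_EXPR = re.compile(r"_accelerated$")  # expression used for the event notification
CONTAINERD_SUFFIX = "_containerd_accelerated"
GENERIC_SUFFIX = "_accelerated"

def split_tag(tag):
    """Return (base_tag, kind); kind is 'base', 'accelerated' or 'containerd_accelerated'."""
    if tag.endswith(CONTAINERD_SUFFIX):  # test the longer suffix first
        return tag[:-len(CONTAINERD_SUFFIX)], "containerd_accelerated"
    if tag.endswith(GENERIC_SUFFIX):
        return tag[:-len(GENERIC_SUFFIX)], "accelerated"
    return tag, "base"

def protected_tags(in_use, mode):
    """Tags that must be kept while the tags in `in_use` are running.
    mode is the repository's acceleration mode: 'full' or 'index-only'."""
    keep = set()
    for tag in in_use:
        base, kind = split_tag(tag)
        keep.add(tag)  # a running tag is always kept
        if kind == "containerd_accelerated":
            keep.add(base)  # depends on its base image
        elif kind == "accelerated" and mode == "index-only":
            keep.add(base)  # the index references the base image
        elif kind == "base" and mode == "full":
            keep.add(base + CONTAINERD_SUFFIX)  # "while either is in use"
    return keep

def deletable(repo_tags, in_use, mode):
    """Tags in the repository that a clean-up job may remove."""
    return sorted(set(repo_tags) - protected_tags(in_use, mode))

def notifies(tag):
    """True if a push of this tag matches the notification expression."""
    return bool(NOTIFY_EXPR.search(tag))

# Constructed sample: tags present in one repository.
REPO_TAGS = ["v1", "v1_accelerated", "v1_containerd_accelerated",
             "v2", "v2_accelerated", "v2_containerd_accelerated"]
```

Note that the expression _accelerated$ matches both the _accelerated and the _containerd_accelerated tags, so a full-mode repository produces two matching events per pushed image.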
Install the aliyun-acr-acceleration-suite add-on
The aliyun-acr-acceleration-suite add-on must be installed on worker nodes before you can start containers using accelerated images. Installation has two steps: enable image acceleration on the node pool, then install the add-on in the ACK console.
Step 1: Enable image acceleration on the node pool
ACK managed and dedicated clusters
When creating a node pool:
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find your cluster and click its name. In the left-side navigation pane, choose Nodes > Node Pools.
On the Node Pools page, enable Container Registry Acceleration in the Advanced Options section. See Create and manage a node pool.
For an existing node pool:
Toggling Container Registry Acceleration applies only to nodes added after the change. To apply it to existing nodes, remove them from the node pool and re-add them. See Remove a node and Add existing ECS instances to an ACK cluster.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find your cluster and click its name. In the left-side navigation pane, choose Nodes > Node Pools.
On the Node Pools page, find the node pool and click Edit in the Actions column. In the Advanced Options section, enable Container Registry Acceleration and follow the instructions to update the node pool's ConfigMap. The Status column shows Updating while the change is applied, and changes to Active when complete.
Other cluster types
Add the label alibabacloud.com/image-accelerate-enabled: true to each node. This enables image acceleration and installs the image storage plugin automatically during node initialization.
| Cluster type | Reference |
|---|---|
| ACK Serverless cluster | CreateClusterNodePool, ModifyClusterNodePool |
| ACK Edge cluster (cloud-side node pool) | Create and manage a node pool |
| ACK Edge cluster (edge-side node pool) | Edge node pool management |
| ACK Lingjun cluster | Overview of Lingjun node pools |
| Alibaba Cloud Container Compute Service (ACS) | Node label and taint management |
Step 2: Install the add-on
Log on to the ACK console.
On the Clusters page, click the cluster name. In the left-side navigation pane, choose Operations > Add-ons.
In the Others section, find aliyun-acr-acceleration-suite and click Install.
In the Install aliyun-acr-acceleration-suite message, click OK.
To verify installation, check that all pods are running:
In the left-side navigation pane, choose Workloads > DaemonSets to view daemon status.
Choose Workloads > Deployments to view Deployment status.
Installation is complete when all pods of the add-on are running.
Enable on-demand image loading
Step 1: Configure access credentials
Follow the principle of least privilege when configuring Secrets for image pulls. See Attach a custom policy to a RAM user.
Use one of the following methods:
Option 1 (recommended): Use aliyun-acr-credential-helper
The aliyun-acr-credential-helper component lets pods pull images from Container Registry without Secrets. If it is already configured for the cluster with the correct Container Registry Enterprise Edition instance information, skip this step. Otherwise, see Use the aliyun-acr-credential-helper component to pull images without using a Secret.
Option 2: Label a Secret
Requires aliyun-acr-acceleration-suite V0.2.6 or later.
Create a Secret of type kubernetes.io/dockerconfigjson and add the label images.alibabacloud.com/accelerated: true:
```bash
kubectl create secret docker-registry <SecretName> \
  --docker-server=<RegistryVpcDomain> \
  --docker-username=<UserName> \
  --docker-password=<Password>
kubectl label secrets <SecretName> images.alibabacloud.com/accelerated="true"
```
Replace the placeholders:
| Placeholder | Description |
|---|---|
| <SecretName> | Name for the Secret |
| <RegistryVpcDomain> | VPC endpoint of your Container Registry Enterprise Edition instance |
| <UserName> | Registry username |
| <Password> | Registry password |
Step 2: Attach the image acceleration label
Attach the label k8s.aliyun.com/image-accelerate-mode: on-demand to a workload or a namespace.
Workload label: Acceleration applies only to the labeled workload.
Namespace label: Acceleration applies to all workloads in the namespace that meet acceleration conditions, so you do not need to edit each workload's YAML file individually.
Attach the label to a workload
Edit the Deployment and add the label to the pod template:
```bash
kubectl edit deployment <DeploymentName> -n <Namespace>
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        # Enable on-demand image loading
        k8s.aliyun.com/image-accelerate-mode: on-demand
    spec:
      containers:
      # Use the VPC endpoint of your Container Registry Enterprise Edition instance
      - image: test-registry-vpc.cn-hangzhou.cr.aliyuncs.com/test/nginx:latest
        name: test
        command: ["sleep", "3600"]
```
Attach the label to a namespace (console)
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster and click its name. In the left-side navigation pane, click Namespaces and Quotas.
On the Namespace page, find the namespace and click Edit in the Actions column.
In the Label section of the Edit Namespace dialog box, set Variable Key to k8s.aliyun.com/image-accelerate-mode and Variable Value to on-demand, then click OK.
Attach the label to a namespace (CLI)
```bash
kubectl label namespaces <YOUR-NAMESPACE> k8s.aliyun.com/image-accelerate-mode=on-demand
```
When a namespace has this label and its images have been converted to accelerated images, the aliyun-acr-acceleration-suite add-on automatically replaces the base image URL with the accelerated image URL and schedules the pod to an acceleration-enabled node.
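A pre-flight check for the two steps above (the labeled Secret of Option 2 and the on-demand label), written as an added example that is not part of the add-on or the original page. It works on objects shaped like `kubectl get ... -o json` output; the function names and sample objects are hypothetical, and it assumes a single pull Secret whose `--docker-server` value must equal the registry host in each container image.

```python
import base64
import json

SECRET_LABEL = "images.alibabacloud.com/accelerated"
MODE_LABEL = "k8s.aliyun.com/image-accelerate-mode"

def secret_registries(secret):
    """Registry hosts a kubernetes.io/dockerconfigjson Secret holds credentials for."""
    raw = secret.get("data", {}).get(".dockerconfigjson", "")
    return set(json.loads(base64.b64decode(raw)).get("auths", {})) if raw else set()

def secret_problems(secret):
    """Reasons a Secret does not meet the Option 2 requirements."""
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("wrong Secret type")
    if secret.get("metadata", {}).get("labels", {}).get(SECRET_LABEL) != "true":
        problems.append("missing label " + SECRET_LABEL + "=true")
    return problems

def workload_problems(deploy, ns_labels, secret):
    """Reasons on-demand loading would not apply to a Deployment's pods."""
    problems = []
    tmpl = deploy["spec"]["template"]
    pod_labels = tmpl.get("metadata", {}).get("labels", {})
    if "on-demand" not in (pod_labels.get(MODE_LABEL), ns_labels.get(MODE_LABEL)):
        own = deploy.get("metadata", {}).get("labels", {})
        where = "only on Deployment metadata" if MODE_LABEL in own else "absent"
        problems.append(MODE_LABEL + " is " + where)
    hosts = secret_registries(secret)
    for c in tmpl["spec"]["containers"]:
        host = c["image"].split("/", 1)[0]  # assumption: image host must match the Secret
        if host not in hosts:
            problems.append("no credentials for " + host)
    return problems

# Constructed sample objects; the Deployment carries the label in the wrong place.
REGISTRY = "test-registry-vpc.cn-hangzhou.cr.aliyuncs.com"
SAMPLE_CFG = json.dumps({"auths": {REGISTRY: {"username": "u", "password": "p"}}})
SAMPLE_SECRET = {
    "type": "kubernetes.io/dockerconfigjson", "metadata": {"labels": {SECRET_LABEL: "true"}},
    "data": {".dockerconfigjson": base64.b64encode(SAMPLE_CFG.encode()).decode()},
}
SAMPLE_DEPLOY = {
    "metadata": {"labels": {MODE_LABEL: "on-demand"}},
    "spec": {"template": {
        "metadata": {"labels": {"app": "nginx"}},
        "spec": {"containers": [{"image": REGISTRY + "/test/nginx:latest"}]}}},
}
```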