Accelerate Container Startup with On-Demand Image Loading - ACK

Container images are stored as compressed layers. When a container starts, the runtime downloads and decompresses every layer before the container can run — even though in most business scenarios the container runtime needs to read only a portion of the data from the container image. For large images, this unnecessary download dominates startup time.

ACK supports on-demand loading of container images using Data Accelerator for Disaggregated Infrastructure (DADI). Instead of pulling the full image upfront, DADI loads only the data the container actually needs, decompressing it on the fly.

For a 1.34 GB NodeBB image from Docker Hub, on-demand loading reduces the image pull phase from 36 seconds to 4 seconds, and total application startup time from 38 seconds to 9 seconds.

Important

The image pull times above are for reference only. Actual performance depends on image size and network conditions.

Limits

Constraint	Requirement
Cluster type	ACK managed clusters only.
Cluster version	1.26 or later. See Manually upgrade a cluster.
Node runtime	containerd 1.6.34 or later. See Update a node pool.
DADI mode	Full mode only. Index-only mode is not supported.

Important behavior — enabling or disabling Container Image Acceleration on a node pool only affects nodes added afterward. To apply the change to existing nodes, remove them from the node pool and re-add them. See Remove a node and Add existing nodes.

Prerequisites

Before you begin, ensure that you have:

An ACK managed cluster running Kubernetes 1.26 or later with containerd 1.6.34 or later as the node runtime
Access to an image repository — either ACR Enterprise Edition (Standard or Premium) or a self-managed registry
kubectl access to the cluster

Step 1: Get an accelerated image

Accelerated images use the DADI format. Convert an existing image using ACR Enterprise Edition's built-in conversion feature (recommended) or the open source DADI tool.

Option 1: Use ACR Enterprise Edition (recommended)

ACR Enterprise Edition (Standard or Premium) converts images automatically at the repository level. When you push an image, ACR creates an accelerated copy without modifying the original. The accelerated image uses the same namespace and repository name, with _accelerated appended to the tag (for example, latest becomes latest_accelerated).

For more information and limits, see On-demand loading of container images.

Log on to the Container Registry console and select a region.
In the left navigation pane, click Instances. On the Instances page, click the name of the Enterprise Edition instance.
In the left navigation pane, select Repository > Repositories.
Click the repository name. On the Details page, click Edit in the upper-left corner.
In the Modify Settings dialog box, enable Accelerated Image, select Full Mode, and click Confirm. Images pushed after this change automatically trigger a conversion task. To receive a notification when conversion completes, configure event notifications with the expression _accelerated$. See Event Notifications.

Option 2: Use the open source DADI tool

Use the DADI image convertor to convert an image manually.

Install the overlaybd snapshotter.

# Download the package for your instance architecture.
wget https://github.com/containerd/accelerated-container-image/releases/download/v1.2.3/overlaybd-snapshotter-1.2.3-20241016090917.0c2f057.x86_64.rpm
rpm -ivh overlaybd-snapshotter-1.2.3-20241016090917.0c2f057.x86_64.rpm

Install the overlaybd block device layer.

# Download the package for your instance architecture.
wget https://github.com/containerd/overlaybd/releases/download/v1.0.13/overlaybd-1.0.13-20240821.a117098.el8.x86_64.rpm
rpm -ivh overlaybd-1.0.13-20240821.a117098.el8.x86_64.rpm

Convert the image. The following example converts an image in an ACR repository. For a self-managed registry, update the image address and credentials accordingly.

Placeholder	Description
`user:password`	Registry credentials
`xxxxx-registry.cn-hangzhou.cr.aliyuncs.com/default/redis`	Source image repository address
`latest`	Source image tag (`-i`)
`latest_obd_new`	Output image tag (`-o`)

/opt/overlaybd/snapshotter/convertor \
  -u user:password \
  -r xxxxx-registry.cn-hangzhou.cr.aliyuncs.com/default/redis \
  -i latest \
  -o latest_obd_new

Replace the following placeholders:

Step 2: Enable Container Image Acceleration on a node pool

Both new and existing node pools support Container Image Acceleration. The steps differ slightly.

Enable for a new node pool

Log on to the ACK console and click Clusters in the left navigation pane.
Click the cluster name. In the left navigation pane, choose Nodes > Node Pools.
When creating a node pool, expand Advanced Options and enable Container Image Acceleration.

Enable for an existing node pool

Important

Changes to Container Image Acceleration take effect only on nodes added to the pool after the change. Existing nodes are not affected — to apply the feature to existing nodes, remove them and re-add them. See Remove a node and Add existing nodes.

Log on to the ACK console and click Clusters in the left navigation pane.
Click the cluster name. In the left navigation pane, choose Nodes > Node Pools.
Find the node pool and click Edit in the Actions column. In the Advanced Options section, enable Container Image Acceleration and follow the on-screen instructions to update the node pool ConfigMap. The Status column shows Updating while the update is in progress, and Active when complete.

Step 3: Deploy an application with an accelerated image

Configure image pull credentials

Install the aliyun-acr-acceleration-suite component so that DADI can authenticate with the image registry when loading image data on demand.

Log on to the ACK console and click Clusters in the left navigation pane.
Click the cluster name. In the left navigation pane, click Add-ons.
On the Add-ons page, find aliyun-acr-acceleration-suite on the Others tab and click Install.

After installation, configure pull credentials based on your registry type:

ACR Enterprise Edition: Install the password-free plugin to automatically inject access credentials into eligible workloads. This eliminates manual Secret management. See Pull ACR images without a secret.

Self-managed registry: Create a Secret of type kubernetes.io/dockerconfigjson, then label it so the acceleration suite can use it.

# Create the Secret.
kubectl create secret docker-registry <SecretName> \
  --docker-server=<RegistryVpcDomain> \
  --docker-username=<UserName> \
  --docker-password=<Password>

# Label the Secret for DADI.
kubectl label secrets <SecretName> images.alibabacloud.com/accelerated="true"

Note

If your application does not need to use a secret to pull a private image, you can skip this step.

Create the application

Use a node selector to schedule pods to nodes with image acceleration enabled. The label alibabacloud.com/image-accelerate-enabled: "true" is automatically applied to acceleration-enabled nodes.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      nodeSelector:
        alibabacloud.com/image-accelerate-enabled: "true" # Schedule to acceleration-enabled nodes only.
      containers:
        - name: test
          image: xxxxx-registry.cn-hangzhou.cr.aliyuncs.com/default/redis:latest_obd_new # Replace with your accelerated image address.
          command: ["sleep", "3600"]

Apply the manifest:

kubectl apply -f deployment.yaml

What's next

To accelerate workload and node initialization using data disk snapshots, see Use data disk snapshots to accelerate the startup of large model applications.

References

Accelerate workload deployment and node initialization with data disk snapshots