When you create a container by using an image, the system typically downloads and decompresses the whole package of the image even if only some resources are required to start the container. This usually takes a long period of time. You can use Container Registry Enterprise Edition to deploy an accelerated version of a container image. The accelerated image allows the system to download and decompress only the required resources without the need to download the entire image package. This accelerates application deployment and provides high elasticity.
Prerequisites
A Container Service for Kubernetes (ACK) cluster or an ACK Serverless cluster is created. For more information, see Create an ACK managed cluster and Create an ACK Serverless cluster.
Note: Only ACK managed clusters, ACK dedicated clusters, and ACK Serverless clusters of V1.16.9 or later support accelerated images. When you create the cluster, select one of the following operating systems: Alibaba Cloud Linux 2.1903, Alibaba Cloud Linux 3.2104, Alibaba Cloud Linux 3.2104 LTS 64-bit ARM Edition, Alibaba Cloud Linux UEFI 2.1903, and CentOS 7.9.
A Container Registry Enterprise Edition instance is created. For more information, see Create a Container Registry Enterprise Edition instance.
Note: The Container Registry Enterprise Edition instance must be of Advanced Edition.
The virtual private cloud (VPC) of the ACK cluster or ACK Serverless cluster is configured for the Container Registry Enterprise Edition instance. Accelerated images must be used in VPCs. For more information, see Configure a VPC ACL.
Background information
You can use Container Registry Enterprise Edition to deploy an accelerated version of a container image. The accelerated image allows the system to download only the required resources and decompress the image package online. This accelerates the distribution of application artifacts and provides high elasticity. The benefit of an accelerated image depends on factors such as the image size and the network conditions of the image repository. Tests show that pulling a 1.34 GB NodeBB image from Docker Hub takes 36 seconds, and starting the application from the image takes 38 seconds. Pulling the accelerated NodeBB image takes only 4 seconds, and starting the application from it takes only 9 seconds.
Usage limits
If your container runtime is containerd, you can use custom domain names for repositories of accelerated images. You cannot use custom domain names for repositories of Docker accelerated images. For more information, see Use a custom domain name to access a Container Registry Enterprise Edition instance.
Region limits
The on-demand image loading feature is not supported in regions of Alibaba Finance Cloud and Alibaba Gov Cloud.
Enable image acceleration
You can enable image acceleration for a repository. This way, each image that is pushed to the repository is automatically converted to an accelerated image. The time required to convert a pushed image to an accelerated image depends on the size of the pushed image. The conversion does not affect the original image.
The accelerated image resides in the same namespace and repository as the original image. The tag of the accelerated image is the tag of the original image suffixed with _accelerated.
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance that you want to manage.
In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose .
On the Repositories page, find the repository for which you want to enable image acceleration. Click the name of the repository or click Manage in the Actions column.
On the page that appears, click Edit in the upper-left corner.
In the Modify Settings dialog box, turn on Enable image acceleration and click Confirm.
Install the aliyun-acr-acceleration-suite component
To start a container by using an accelerated image, you must install the aliyun-acr-acceleration-suite component on the worker nodes in the ACK cluster.
Attach the image acceleration label to nodes.
When you create worker nodes, you can attach the alibabacloud.com/image-accelerate-enabled: true label to the nodes to enable image acceleration when the nodes are initialized. After the image acceleration label is attached, the aliyun-acr-acceleration-suite component is automatically installed when the nodes are initialized.
Note: Accelerated containers must run on accelerated nodes. Accelerated nodes support both common containers and accelerated containers.
If you attach the label to existing worker nodes, image acceleration does not take effect.
If you attach the label to the virtual-kubelet virtual node, image acceleration immediately takes effect.
Attach the image acceleration label when you create the cluster.
You can set the Label parameter to alibabacloud.com/image-accelerate-enabled: true when you create the cluster. For more information, see Create an ACK managed cluster.
Attach an image acceleration label to the node when you scale out a node.
You can set the Node Label parameter to alibabacloud.com/image-accelerate-enabled: true when you scale out nodes. This way, the alibabacloud.com/image-accelerate-enabled: true label is attached to newly scaled-out nodes in the node pool. For more information, see Create a node pool.
Note: You can create a separate node pool to manage the nodes that support accelerated images.
Attach the image acceleration label when existing nodes are added.
You can set the Label parameter to alibabacloud.com/image-accelerate-enabled: true when you add existing nodes. For more information, see Add existing ECS instances to an ACK cluster.
Install the aliyun-acr-acceleration-suite component.
Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
In the Others section of the Add-ons page, find aliyun-acr-acceleration-suite and click Install.
In the Install aliyun-acr-acceleration-suite message, click OK.
In the left-side navigation pane of the Cluster Management page, choose . On the DaemonSets page, view the installation details of the daemons of the component.
In the left-side navigation pane of the Cluster Management page, choose . On the Deployments page, view the installation details of the deployments of the component.
If all pods of the component are started, the installation of the component is complete.
Uninstall the aliyun-acr-acceleration-suite component
Before you uninstall the aliyun-acr-acceleration-suite component, make sure that no container that is created by using an accelerated image is running.
Log on to the ACK console.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the cluster management page, choose .
In the Others section of the Add-ons page, find aliyun-acr-acceleration-suite and click Uninstall.
In the Uninstall aliyun-acr-acceleration-suite message, click OK.
Deploy an accelerated image
Configure access to the repository where the accelerated image resides.
Configure access to the repository by using the aliyun-acr-credential-helper component that allows you to access an image repository without using secrets.
If the aliyun-acr-credential-helper component has been configured for the ACK cluster and the specified information about the Container Registry Enterprise Edition is correct, you can skip this step.
If the aliyun-acr-credential-helper component has not been configured for the ACK cluster, you can configure the component for the cluster. For more information, see Use the aliyun-acr-credential-helper component to pull images without using a secret.
Specify a prefix for the name of the secret that is used to pull images.
Warning: Follow the principle of least privilege when you configure the secret that is used to pull images. Grant only the permissions that are required to pull the business images for the current cluster. For more information, see Attach a custom policy to a RAM user.
Run the following command to create a secret whose type is kubernetes.io/dockerconfigjson and whose name starts with acr-credential-:
kubectl create secret docker-registry acr-credential-test --docker-server=<RegistryVpcDomain> --docker-username=<UserName> --docker-password=<Password>
Specify a label for the secret that is used to pull images.
Note: Only the aliyun-acr-acceleration-suite component of V0.2.6 or later supports this method.
Run the following command to create a secret whose type is kubernetes.io/dockerconfigjson and whose label is images.alibabacloud.com/accelerated: true:
kubectl create secret docker-registry <SecretName> --docker-server=<RegistryVpcDomain> --docker-username=<UserName> --docker-password=<Password>
kubectl label secrets <SecretName> images.alibabacloud.com/accelerated="true"
Attach the image acceleration label.
You can attach the image acceleration label to workloads such as pods and Deployments. You can also attach an image acceleration label to a namespace of the ACK cluster or ACK Serverless cluster. All workloads in the namespace that meet acceleration conditions can load resources of a container image on demand. This way, you do not need to edit the YAML file for each workload. You can use the following methods to attach the image acceleration label to a specific workload or all workloads in a namespace:
Note: The name of the label is k8s.aliyun.com/image-accelerate-mode and the value of the label is on-demand.
Attach the image acceleration label to a workload.
The following example shows how to attach the image acceleration label to pods. Run the following command to attach the image acceleration label to the pods that are managed by a Deployment:
kubectl edit deployment <Name of the Deployment> -n <Namespace in which the Deployment resides>
Add the k8s.aliyun.com/image-accelerate-mode: on-demand label to the YAML file of the Deployment.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        # enable on-demand mode
        k8s.aliyun.com/image-accelerate-mode: on-demand
    spec:
      containers:
      # Your ACR instance image
      - image: test-registry-vpc.cn-hangzhou.cr.aliyuncs.com/test/nginx:latest
        name: test
        command: ["sleep", "3600"]

Attach the image acceleration label to a namespace.
Attach the image acceleration label in the console.
Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster to whose namespace you want to attach the image acceleration label and click the name of the cluster or click Details in the Actions column corresponding to the cluster.
In the left-side navigation pane of the details page, choose Nodes > Namespaces and Quotas.
On the Namespace page, find the namespace that you want to configure and click Edit in the Actions column.
In the Label section of the Edit Namespace dialog box, set Variable Key to k8s.aliyun.com/image-accelerate-mode and Variable Value to on-demand, and click OK.
Attach the image acceleration label on the CLI.
kubectl label namespaces <YOUR-NAMESPACE> k8s.aliyun.com/image-accelerate-mode=on-demand
Assume that an image is converted to an accelerated image after you configure the image acceleration label. When you create or update a pod in the namespace, the acceleration component automatically replaces the address of the original image of the pod with the address of the accelerated image. The acceleration component adds nodeSelector and schedules the pod to the accelerated nodes.
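
Because the acceleration component rewrites the image address when a pod is created, it is worth checking that a running pod's image is either the declared image or its accelerated copy in the same repository (same repository, tag suffixed with _accelerated, as described under "Enable image acceleration"). The following Python sketch is an added example, not code from Alibaba Cloud or the aliyun-acr-acceleration-suite component. The function names, the sample pods, and the handling of digest-pinned and untagged references are assumptions made for illustration.

```python
ACCEL_LABEL = "k8s.aliyun.com/image-accelerate-mode"  # label name given on this page
ACCEL_VALUE = "on-demand"                              # label value given on this page
SUFFIX = "_accelerated"                                # tag suffix given on this page

def split_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    # Only a ':' after the last '/' separates a tag; an earlier one is a registry port.
    if ":" in name.rsplit("/", 1)[-1]:
        repo, tag = name.rsplit(":", 1)
    else:
        repo, tag = name, "latest"  # implicit default tag
    return repo, tag, digest or None

def accelerated_ref(ref):
    """Reference the accelerated copy should have: same repository, tag + suffix."""
    repo, tag, digest = split_ref(ref)
    if digest or tag.endswith(SUFFIX):
        return None  # assumption: digest-pinned or already-suffixed refs are not rewritten
    return f"{repo}:{tag}{SUFFIX}"

def audit_pod(declared, pod, ns_labels):
    """List containers whose running image is not explained by the rewrite rule."""
    labels = pod["metadata"].get("labels", {})
    opted_in = ACCEL_VALUE in (labels.get(ACCEL_LABEL), ns_labels.get(ACCEL_LABEL))
    findings = []
    for c in pod["spec"]["containers"]:
        want, got = declared[c["name"]], c["image"]
        if split_ref(got) == split_ref(want):
            continue  # image was not rewritten
        if got != accelerated_ref(want):
            findings.append(f"{c['name']}: unexpected image {got}")
        elif not opted_in:
            findings.append(f"{c['name']}: rewritten without the {ACCEL_LABEL} label")
    return findings

# Constructed sample data (not from a real cluster), reusing the page's example image.
REG = "test-registry-vpc.cn-hangzhou.cr.aliyuncs.com"
DECLARED = {"test": f"{REG}/test/nginx:latest"}

def make_pod(image, labels):
    return {"metadata": {"labels": labels}, "spec": {"containers": [{"name": "test", "image": image}]}}

if __name__ == "__main__":
    on = {ACCEL_LABEL: ACCEL_VALUE}
    print(audit_pod(DECLARED, make_pod(f"{REG}/test/nginx:latest_accelerated", on), {}))
    print(audit_pod(DECLARED, make_pod(f"{REG}/other/nginx:latest_accelerated", on), {}))
    print(audit_pod(DECLARED, make_pod(f"{REG}/test/nginx:latest_accelerated", {}), {}))
```

In practice the declared images come from the workload template and the pod objects from kubectl get pods -o json. An "unexpected image" finding means the pod runs something other than the declared image or its _accelerated tag in the same repository.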