When you create a container by using an image, the system typically downloads and decompresses the entire image package even if only a part of resources are required to start the container. This usually takes a long period of time. You can use Container Registry Enterprise Edition to deploy an accelerated version of a container image. The accelerated image allows the system to download and decompress only the required resources without the need to download the entire image package. This accelerates application deployment and provides high elasticity.
Prerequisites
Your cluster must be one of the following cluster types:
NoteContainer Service for Kubernetes (ACK) managed clusters or ACK dedicated clusters of V1.16.9 or later, ACK Edge clusters, ACK Serverless clusters, or ACK Lingjun clusters of V1.26.3 or later, or Alibaba Cloud Container Compute Service (ACS) clusters. The cluster must use one of the following operating systems: Alibaba Cloud Linux 2.1903, Alibaba Cloud Linux 3.2104, Alibaba Cloud Linux 3.2104 LTS 64-bit Arm Edition, Alibaba Cloud Linux UEFI 2.1903, and CentOS 7.9.
A Container Registry Enterprise Edition instance is created. For more information, see Create a Container Registry Enterprise Edition instance.
ImportantThe editions of Container Registry Enterprise Edition instances that support accelerated images vary based on the image acceleration mode.
Full mode: Standard Edition and Advanced Edition
Index-only mode: Basic Edition, Standard Edition, and Advanced Edition
The virtual private cloud (VPC) of the ACK cluster or ACK Serverless cluster is added to the access control list (ACL) of the Container Registry Enterprise Edition instance. Accelerated images can only run in VPCs. For more information, see Configure a VPC ACL.
Background Information
You can use Container Registry Enterprise Edition to deploy an accelerated version of a container image. The accelerated image allows the system to download only the required resources and decompress the image package online. This accelerates the distribution of application artifacts and provides high elasticity. The acceleration effect varies based on the image size and the network conditions of the image repository. Tests show that pulling a 1.34 GB-sized NodeBB image from Docker Hub requires 36 seconds. Starting applications on the image requires 38 seconds. Pulling the accelerated NodeBB image requires only 4s, and starting applications on the image requires only 9s.
Usage limits
If your container runtime is Containerd, you can set custom domain names for repositories of accelerated images. If your container runtime is Docker, you cannot set custom domain names for repositories of accelerated images due to the limits of Docker. For more information, see Use a custom domain name to access a Container Registry Enterprise Edition instance.
The index-only mode cannot be used in Function Compute or Serverless App Engine (SAE) scenarios.
Region limits
The on-demand image loading feature is not supported in regions of Alibaba Finance Cloud and Alibaba Gov Cloud.
Convert a base image to an accelerated image
You can enable image acceleration for a repository. This way, each image that is pushed to the repository is automatically converted to an accelerated image. The time required to convert an image to an accelerated image depends on the size of the image. The conversion does not affect the base image.
The namespace name and repository name of accelerated images are the same as the namespace name and repository name of the base images. The tag format of accelerated images varies based on the image acceleration mode.
For the index-only mode, the tag format of accelerated images is the tag of the base images plus the
_acceleratedsuffix. The accelerated images support only the containerd runtime, and the tag of the base images cannot be deleted when the accelerated images are used.For the full mode, the tags of accelerated images are in one of the following formats:
The tag of the base images plus the
_acceleratedsuffix. The accelerated images whose tags are in this format support the Docker and Containerd runtimes.The tag of the base images plus the
_containerd_acceleratedsuffix. The accelerated images whose tags are in this format support only the containerd runtime.Note: When you use the accelerated images whose tags contain the
_containerd_acceleratedsuffix, the base images cannot be deleted.
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance that you want to manage.
In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose .
On the Repositories page, find the repository for which you want to enable image acceleration. Click the name of the repository or click Manage in the Actions column. On the page that appears, click Edit in the upper-left corner.
In the Modify Settings dialog box, select Enabled in the Accelerated Image section, select an acceleration mode, and then click Confirm.
Full Mode: This mode significantly accelerates container startup. The size of an accelerated image is approximately 130% the size of the base image. The system requires approximately 25 seconds to generate an accelerated image for a 1 GB-sized image. If an accelerated image layer has been generated for an image layer, the system does not re-generate an accelerated image layer for the image layer.
Index-only Mode: This mode provides an acceleration effect that is approximately 70% the effect of full mode on container startup. The size of an accelerated image is approximately 3% the size of the base image. The system requires approximately 3 seconds to generate an accelerated image for a 1 GB-sized image. The system does not re-generate indexes for image layers that already have indexes.
ImportantThe index-only mode is in public preview. We recommend that you verify the mode in a test environment before you use the mode in the production environment.
NoteThe index-only mode can be used only for images that are compressed by
tarandtgz. The mode cannot be used for images that are compressed by other compression methods, such aszstd.When you use the index-only mode to accelerate an image, you must use the accelerated image together with the base image. You cannot delete the base image. If you use the full mode, you can separately use the accelerated image.
The index-only mode does not support the Docker runtime.
After you enable image acceleration for a repository, each image that the system pushes to the repository is automatically converted into an accelerated image. If you want to be notified each time an image is converted into an accelerated image, you can configure event notifications. For example, specify an expression-based trigger and set the expression to
_accelerated$. For more information, see Event Notification.(Optional) Specify Prefetch File List. The files in this list are preferentially prefetched when accelerated images are started. We recommend that you use the file prefetch feature when large files must be read for container startup.
NoteEnter the absolute path of a file in a line. If the absolute path is a directory, add the forward slash (
/) to the end of the line.
Install the aliyun-acr-acceleration-suite image acceleration component
To start a container by using an accelerated image, you must install the aliyun-acr-acceleration-suite component on the worker node in the ACK cluster.
To support DADI-accelerated images, you can enable Container Image Acceleration in the ACK console to enable image acceleration for new or existing node pools.
ACK managed clusters
Enable image acceleration when you create a node pool
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose .
On the Node Pools page, enable Container Registry Acceleration in the Advanced Options section. For more information, see Create and manage a node pool.
Enable image acceleration for an existing node pool
If you turn on or off Container Image Acceleration, this operation takes effect only for new nodes. If you want this operation to take effect on existing nodes, you must remove the nodes from the node pool and re-add the nodes to the node pool. For more information, see Remove a node and Add existing ECS instances to an ACK cluster.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose .
On the Node Pools page, find the node pool that you want to modify and click Edit in the Actions column. In the Advanced Options section, enable Container Registry Acceleration and follow the instructions to update the ConfigMap of the node pool.
On the Node Pools page, if the Status column of the node pool displays Updating, the node pool is being modified. If the status of the node pool changes to Active, the modification is complete.
Other clusters
When you create the worker node pool, you can set the
alibabacloud.com/image-accelerate-enabled: truelabel for the nodes to enable image acceleration when the nodes are initialized. After the image acceleration label is set, the aliyun-acr-acceleration-suite component is automatically installed when the nodes are initialized.Enable image acceleration when you create a node pool
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose .
On the Node Pools page, click Create Node Pool. On the Create Node Pool page, follow the instructions in the
Create and manage a node pooltopic to configure the node pool. Unfold Advanced Options and then set the alibabacloud.com/image-accelerate-enabled: true label for the nodes in the Node Labels section.
Enable image acceleration for an existing node pool
If you turn on or off Container Image Acceleration, this operation takes effect only for new nodes. If you want this operation to take effect on existing nodes, you must remove the nodes from the node pool and re-add the nodes to the node pool. For more information, see Remove a node and Add existing ECS instances to an ACK cluster.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose .
On the Node Pools page, find the node pool for which you want to enable image acceleration and click Edit in the Actions column. Unfold
Advanced Optionsand then set the alibabacloud.com/image-accelerate-enabled: true label for the nodes in the Node Labels section.
Install the aliyun-acr-acceleration-suite component.
Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, click the name of the cluster for which you want to install the aliyun-acr-acceleration-suite component and choose in the left-side navigation pane.
In the Others section of the Add-ons page, find aliyun-acr-acceleration-suite and click Install.
In the Install aliyun-acr-acceleration-suite message, click OK.
In the left-side navigation pane of the Cluster Management page, choose . On the DaemonSets page, view the installation details of the daemons of the component.
In the left-side navigation pane of the Cluster Management page, choose . On the Deployments page, view the installation details of the deployments of the component.
If all pods of the component are started, the installation of the component is complete.
Enable the accelerated image
Configure access credential for the repository where the accelerated image resides.
WarningMake sure that the principle of least privilege is followed when you configure the secret that is used to pull images and only the required permissions are granted. For more information, see Attach a custom policy to a RAM user.
Use the aliyun-acr-credential-helper component that allows you to pull images from an image repository without using secrets.
If the aliyun-acr-credential-helper component has been configured for the cluster and the specified information about the Container Registry Enterprise Edition instance is correct, you can skip this step.
If the aliyun-acr-credential-helper component has not been configured for the cluster, you can configure the component for the cluster. For more information, see Use the aliyun-acr-credential-helper component to pull images without using a secret.
Specify a label for the secret that is used to pull images.
NoteOnly the aliyun-acr-acceleration-suite component of V0.2.6 or later supports this method.
Run the following commands to create a secret whose type is kubernetes.io/dockerconfigjson and whose label is images.alibabacloud.com/accelerated: true:
kubectl create secret docker-registry <SecretName> --docker-server=<RegistryVpcDomain> --docker-username=<UserName> --docker-password=<Password>kubectl label secrets <SecretName> images.alibabacloud.com/accelerated="true"
Attach the image acceleration label.
You can attach the image acceleration label to workloads such as pods and Deployments. You can also attach an image acceleration label to a namespace of the ACK cluster or ACK Serverless cluster. The on-demand image loading feature is applied to all workloads in the namespace that meet acceleration conditions. This way, you do not need to edit the YAML file for each workload. You can use one of the following methods to attach the image acceleration label to a specific workload or all workloads in a namespace:
NoteThe name of the label is
k8s.aliyun.com/image-accelerate-mode, and the value of the label ison-demand.Attach the image acceleration label to a workload.
The following example shows how to attach the image acceleration label to pods. Run the following command to attach the image acceleration label to the pods that are managed by a Deployment:
kubectl edit deployment <Name of the Deployment> -n <Namespace in which the Deployment resides>Add the
k8s.aliyun.com/image-accelerate-mode: on-demandlabel to the YAML file of the Deployment.apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment labels: app: nginx spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx # enable on-demand mode k8s.aliyun.com/image-accelerate-mode: on-demand spec: containers: # your ACR instacne image - image: test-registry-vpc.cn-hangzhou.cr.aliyuncs.com/test/nginx:latest name: test command: ["sleep", "3600"]Attach the image acceleration label to a namespace.
Attach the image acceleration label in the ACK console.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, click Namespaces and Quotas.
On the Namespace page, find the namespace that you want to configure and click Edit in the Actions column.
In the Label section of the Edit Namespace dialog box, set Variable Key to
k8s.aliyun.com/image-accelerate-modeand Variable Value toon-demand, and click OK.
Attach the image acceleration label on the CLI.
kubectl label namespaces <YOUR-NAMESPACE> k8s.aliyun.com/image-accelerate-mode=on-demandIf you have attached an image acceleration label to a namespace and converted based images into accelerated images, when you create or update a pod in the namespace, the aliyun-acr-acceleration-suite component automatically uses the URL of the accelerated image of the pod to replace the URL of the base image of the pod, adds a nodeSelector, and then schedules the pod to the accelerated node.