You can use the P2P acceleration feature in Container Service for Kubernetes (ACK) clusters to accelerate image pulls and reduce the time that is required to deploy applications. This topic describes how to install a P2P acceleration agent in an ACK cluster.
Prerequisites
A Standard or Advanced Edition Container Registry Enterprise instance is created.
An ACK managed cluster, ACK dedicated cluster, or ACK Serverless Pro cluster is created. For more information, see Create an ACK managed cluster or Create an ACK Serverless cluster.
The virtual private cloud (VPC) to which the ACK cluster belongs is configured in the access control list (ACL) of the Container Registry Enterprise Edition instance. For more information, see Configure a VPC ACL.
Limits on image usage
If your business container image is an ultra-large image such as a large model, make sure that the data disk in the node is of the AutoPL type or the node has no less than 8 GB of free memory for P2P data caching to improve the efficiency of P2P data pulls.
Step 1: Obtain the ID of the Container Registry Enterprise Edition instance and enable the P2P acceleration feature
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance that you want to manage.
On the Overview page, record the Instance ID of the Container Registry Enterprise Edition instance and turn on P2P Acceleration in the Component Settings section. In the message that appears, click OK.
Warning: Before you turn off P2P Acceleration, stop using the P2P feature and uninstall the P2P agent from all clusters where it is installed. If you want to enable the feature again, you must reinstall the P2P agent.

Step 2: Install the P2P agent and grant corresponding permissions to the P2P agent
You can use one of the following methods to grant the P2P agent access to the Container Registry Enterprise Edition instance:
Use the worker RAM role.
Limit: The Container Registry Enterprise Edition instance and the ACK cluster must belong to the same Alibaba Cloud account.
Use the AccessKey pair of a RAM user.
Use the RAM Roles for Service Accounts (RRSA) feature.
Limit: The cluster must be an ACK managed cluster that runs Kubernetes 1.22 or later.
Use the worker RAM role to grant the P2P agent access to the Container Registry Enterprise Edition instance and install the agent
Log on to the ACK console. In the navigation pane on the left, click Clusters.
On the Clusters page, find the target cluster and click its name. In the navigation pane on the left, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. In the Cluster Resources section, copy the name shown to the right of Worker RAM Role, then click the link to open the RAM console and grant permissions to the worker RAM role.
Create the following custom permission policy. For more information, see Create custom policies.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
On the RAM Role page, search for the worker RAM role and grant it the custom permission policy that you created above. For detailed steps, see Grant permissions to a RAM role.
Log on to the ACK console. In the left-side navigation pane, choose .
On the App Catalog page, enter ack-acr-acceleration-p2p in the search box, find the corresponding agent, and click the card of the agent.
On the details page of the agent, click Deploy in the upper-right corner.
In the Create panel, configure Cluster and Namespace, set a release name, and then click Next.
In the Parameters panel, set the chart version to the latest version and acrInstances to the ID of the Container Registry Enterprise Edition instance that you obtained in Step 1. If you have multiple Container Registry Enterprise Edition instances, separate the IDs with commas (,) when you set acrInstances.
# ID of ACR EE instances, support multi, e.g. "cri-xxx,cri-yyy"
acrInstances: ""
# Region of ACR EE instance, default is the region of the cluster on the cloud.
# Need to be set if cross-regional access on the cloud cluster, or access on your IDC cluster.
region: ""
# VPC which is connected to the VPC network of the ACR EE instance, default is the VPC of the cluster on the cloud.
# Need to be set if cross-regional access on the cloud cluster, or access on your IDC cluster through VPC network.
vpcId: ""
p2p:
  # Port of P2P Agent in host network
  port: 65001
Note: By default, the P2P agent uses port 65001 on nodes. If port 65001 is occupied by another agent, change the port for the P2P agent.
If the ACK cluster and the Container Registry Enterprise Edition instance reside in the same region, you can leave the region and vpcId parameters empty. If the ACK cluster and the Container Registry Enterprise Edition instance reside in different regions, you must set the region parameter to the region where the Container Registry Enterprise Edition instance resides and the vpcId parameter to the ID of the VPC that is associated with the Container Registry Enterprise Edition instance.
If your business container image is an ultra-large image such as a large model, you must adjust the caching mode of P2P data based on the node status.
Data disk-based caching mode: This is the default caching mode of P2P data. Make sure that the data disk in the node is of the AutoPL type and the p2p.v2.cache.mode value is disk.
Memory-based caching mode: Make sure that the node has no less than 8 GB of free memory and the p2p.v2.cache.mode value is memory.
Use the AccessKey pair of a RAM user to grant the P2P agent access to the Container Registry Enterprise Edition instance and install the agent
Create a RAM user. For more information, see Create a RAM user.
Add the following permissions to the RAM user and obtain the AccessKey pair of the RAM user. For more information, see View the information about AccessKey pairs of a RAM user.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
Log on to the ACK console. In the left-side navigation pane, choose .
On the App Catalog page, enter ack-acr-acceleration-p2p in the search box, find the corresponding agent, and click the card of the agent.
On the details page of the agent, click Deploy in the upper-right corner.
In the Create panel, configure Cluster and Namespace, set a release name, and then click Next.
In the Parameters panel, set the chart version to the latest version and acrInstances to the ID of the Container Registry Enterprise Edition instance that you obtained in Step 1. If you have multiple Container Registry Enterprise Edition instances, separate the IDs with commas (,) when you set acrInstances. Enter the AccessKey ID and AccessKey secret that you obtained.
# ID of ACR EE instances, support multi, e.g. "cri-xxx,cri-yyy"
acrInstances: ""
# Please fill in the following parameters if the K8s cluster is built in your own IDC
accessKey: ""
accessKeySecret: ""
# Region of ACR EE instance, default is the region of the cluster on the cloud.
# Need to be set if cross-regional access on the cloud cluster, or access on your IDC cluster.
region: ""
# VPC which is connected to the VPC network of the ACR EE instance, default is the VPC of the cluster on the cloud.
# Need to be set if cross-regional access on the cloud cluster, or access on your IDC cluster through VPC network.
vpcId: ""
p2p:
  # Port of P2P Agent in host network
  port: 65001
Note: By default, the P2P agent uses port 65001 on nodes. If port 65001 is occupied by another agent, change the port for the P2P agent.
If the ACK cluster and the Container Registry Enterprise Edition instance reside in the same region, you can leave the region and vpcId parameters empty. If the ACK cluster and the Container Registry Enterprise Edition instance reside in different regions, you must set the region parameter to the region where the Container Registry Enterprise Edition instance resides and the vpcId parameter to the ID of the VPC that is associated with the Container Registry Enterprise Edition instance.
If your business container image is an ultra-large image such as a large model, you must adjust the caching mode of P2P data based on the node status.
Data disk-based caching mode: This is the default caching mode of P2P data. Make sure that the data disk in the node is of the AutoPL type and the p2p.v2.cache.mode value is disk.
Memory-based caching mode: Make sure that the node has no less than 8 GB of free memory and the p2p.v2.cache.mode value is memory.
Use the RRSA feature to grant the P2P agent access to the Container Registry Enterprise Edition instance and install the agent
The RRSA feature can be used to perform access control on pods in a cluster.
The RRSA feature can be used only in Kubernetes clusters of version 1.22 or later.
To enable the RRSA feature, you must upgrade the P2P agent to v0.3.6 or later.
To enable the RRSA feature for the P2P agent, first enable RRSA on the Basic Information tab of the Cluster Information page in the ACK console, and then configure RRSA for the P2P agent. If you perform the steps in the reverse order (configure RRSA for the P2P agent first and enable RRSA for the cluster afterwards), you must uninstall and reinstall the P2P agent after RRSA is enabled so that the feature takes effect.
Enable the RRSA feature for the cluster. For more information, see Use RRSA to authorize different pods to access different cloud services.
Configure the RRSA role to access the Container Registry Enterprise Edition instance.
The Container Registry Enterprise Edition instance and the ACK cluster belong to the same Alibaba Cloud account.
For example, if Account A is the owner of the Container Registry Enterprise Edition instance and the ACK cluster, create a RAM role for Account A. For more information, see Create a RAM role for a trusted Alibaba Cloud account. Attach the following permission policy to the RAM role.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
Note: Replace <oidc_issuer_url> in the sample code with the URL of the OpenID Connect (OIDC) identity provider (IdP) of the ACK cluster. You can obtain the URL on the Basic Information tab of the Cluster Information page in the ACK console.
Replace <oidc_provider_arn> in the sample code with the OIDC IdP ARN (Alibaba Cloud Resource Name) of the ACK cluster. You can obtain the ARN on the Basic Information tab of the Cluster Information page in the ACK console.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "oidc:aud": [
            "sts.aliyuncs.com"
          ],
          "oidc:iss": "<oidc_issuer_url>",
          "oidc:sub": [
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-job-sa",
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-sa"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "<oidc_provider_arn>"
        ]
      }
    }
  ],
  "Version": "1"
}
The Container Registry Enterprise Edition instance and the ACK cluster belong to different Alibaba Cloud accounts.
For example, if Account A is the owner of the ACK cluster and Account B is the owner of the Container Registry Enterprise Edition instance, you must authorize the ACK cluster of Account A to access the Container Registry Enterprise Edition instance of Account B.
Create a RAM role for Account A. For more information, see Create a RAM role for a trusted Alibaba Cloud account. Attach the AliyunSTSAssumeRoleAccess policy to the RAM role of Account A. This policy grants the RAM role of Account A the permission to assume the RAM role of Account B. Then modify the trust policy of the RAM role of Account A as follows.
Note: Replace <oidc_issuer_url> in the sample code with the URL of the OIDC IdP of the ACK cluster. You can obtain the URL on the Basic Information tab of the Cluster Information page in the ACK console.
Replace <oidc_provider_arn> in the sample code with the OIDC IdP ARN of the ACK cluster. You can obtain the ARN on the Basic Information tab of the Cluster Information page in the ACK console.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "oidc:aud": [
            "sts.aliyuncs.com"
          ],
          "oidc:iss": "<oidc_issuer_url>",
          "oidc:sub": [
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-job-sa",
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-sa"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "<oidc_provider_arn>"
        ]
      }
    }
  ],
  "Version": "1"
}
Create a RAM role for Account B that has access to the Container Registry Enterprise Edition instance, click Trust Policy, and add the ARN of the RAM role of Account A. Attach the following policy to the RAM role of Account B to grant it the required permissions.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
Note: You can configure the MaxSessionDuration parameter for the RAM role of Account B. Valid values of the MaxSessionDuration parameter range from 3600 to 43200 seconds. You must configure the expireDuration parameter when you configure the RRSA feature in the following Step 7. We recommend that you specify the same value for MaxSessionDuration and expireDuration. The value of expireDuration can be smaller than or equal to the value of MaxSessionDuration.
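The trust policies and permission policies above are the part of this setup that decides which workloads can obtain registry credentials. The following script is an added example (not part of this topic or of the ack-acr-acceleration-p2p chart) that checks an RRSA trust policy and a permission policy before you attach them: the trust policy must be pinned to the cluster's OIDC issuer URL and IdP ARN and to the agent's two service accounts, and the permission policy must not grant more than the two cr: actions listed above. The sample policies embedded in the script are the ones from this topic with the <oidc_issuer_url> and <oidc_provider_arn> placeholders replaced by constructed placeholder strings; the over-broad "cr:*" policy is also constructed for illustration.

```python
import json
from typing import Any, Dict, List

# Service accounts the trust policy on this page binds to (values from the page).
EXPECTED_SUBJECTS = {
    "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-job-sa",
    "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-sa",
}
# The only actions the P2P agent needs on the registry instance (values from the page).
REQUIRED_ACTIONS = {"cr:GetInstanceVpcEndpoint", "cr:ListInstanceEndpoint"}
EXPECTED_AUDIENCE = "sts.aliyuncs.com"

# Constructed sample: the page's trust policy with placeholder values filled in.
SAMPLE_TRUST_POLICY = json.dumps({
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {
            "oidc:aud": [EXPECTED_AUDIENCE],
            "oidc:iss": "PLACEHOLDER_OIDC_ISSUER_URL",
            "oidc:sub": sorted(EXPECTED_SUBJECTS),
        }},
        "Effect": "Allow",
        "Principal": {"Federated": ["PLACEHOLDER_OIDC_PROVIDER_ARN"]},
    }],
    "Version": "1",
})

# Constructed counter-example: same policy with the oidc:sub condition dropped, which
# would let any service account in the cluster assume the role.
_loose: Dict[str, Any] = json.loads(SAMPLE_TRUST_POLICY)
del _loose["Statement"][0]["Condition"]["StringEquals"]["oidc:sub"]
LOOSE_TRUST_POLICY = json.dumps(_loose)

# The permission policy from the page, and a constructed over-broad variant.
SAMPLE_PERMISSION_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]})
OVERBROAD_PERMISSION_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["cr:*"], "Resource": "*"}]})


def _as_list(value: Any) -> List[Any]:
    """RAM policy fields accept a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_text: str, oidc_issuer_url: str, oidc_provider_arn: str) -> List[str]:
    """Return findings for every Allow sts:AssumeRole statement; [] means the policy is
    pinned to this cluster's OIDC IdP and to the agent's two service accounts."""
    findings: List[str] = []
    policy = json.loads(policy_text)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if oidc_provider_arn not in federated:
            findings.append(f"statement {i}: Principal.Federated does not name the cluster OIDC IdP ARN")
        if principal == "*" or "*" in federated:
            findings.append(f"statement {i}: wildcard principal, any identity could assume the role")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("oidc:iss") != oidc_issuer_url:
            findings.append(f"statement {i}: oidc:iss is not pinned to the cluster OIDC issuer URL")
        if EXPECTED_AUDIENCE not in _as_list(cond.get("oidc:aud")):
            findings.append(f"statement {i}: oidc:aud does not include {EXPECTED_AUDIENCE}")
        subjects = set(_as_list(cond.get("oidc:sub")))
        if not subjects:
            findings.append(f"statement {i}: no oidc:sub condition, every service account could assume the role")
        else:
            extra, missing = subjects - EXPECTED_SUBJECTS, EXPECTED_SUBJECTS - subjects
            if extra:
                findings.append(f"statement {i}: unexpected oidc:sub entries {sorted(extra)}")
            if missing:
                findings.append(f"statement {i}: missing oidc:sub entries {sorted(missing)}")
    return findings


def check_permission_policy(policy_text: str) -> List[str]:
    """Flag Allow statements that grant more than the two cr: actions the agent needs."""
    findings: List[str] = []
    policy = json.loads(policy_text)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action"))) - REQUIRED_ACTIONS
        if extra:
            findings.append(f"statement {i}: actions beyond what the P2P agent needs: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for name, text in [("trust", SAMPLE_TRUST_POLICY), ("loose trust", LOOSE_TRUST_POLICY)]:
        print(name, check_trust_policy(text, "PLACEHOLDER_OIDC_ISSUER_URL", "PLACEHOLDER_OIDC_PROVIDER_ARN"))
    print("permission", check_permission_policy(SAMPLE_PERMISSION_POLICY))
    print("over-broad", check_permission_policy(OVERBROAD_PERMISSION_POLICY))
```

Run the checks with the real issuer URL and IdP ARN copied from the Basic Information tab; a non-empty result for the trust policy means a pod outside the aliyun-acr-acceleration namespace, or a workload in another cluster, could end up with the registry role.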
Log on to the ACK console. In the left-side navigation pane, choose .
On the App Catalog page, enter ack-acr-acceleration-p2p in the search box, find the corresponding agent, and click the card of the agent.
On the details page of the agent, click Deploy in the upper-right corner.
In the Create panel, configure Cluster and Namespace, set a release name, and then click Next.
In the Parameters panel, set the chart version to the latest version and registryInstances to the ID of the Container Registry Enterprise Edition instance that you obtained in Step 1. If you have multiple Container Registry Enterprise Edition instances, separate the IDs with commas (,) when you set registryInstances. The following table describes the parameters that you need to configure when you configure the RRSA feature.
Parameter | Description | Value
rrsa.enable | Specifies whether to enable the RRSA feature. | true
rrsa.rrsaRoleARN | The ARN of the RAM role that you created for Account A. | acs:ram::aaa
rrsa.rrsaOIDCProviderRoleARN | The ARN of the OIDC IdP that you obtained on the Basic Information tab of the Cluster Information page in the ACK console. | acs:ram::bbb
rrsa.assumeRoleARN | The ARN of the RAM role that you created for Account B. Leave this parameter empty if the Container Registry Enterprise Edition instance and the ACK cluster belong to the same Alibaba Cloud account. | acs:ram::ccc
rrsa.expireDuration | The session period of the RAM role that you created for Account B. The session period is equal to the validity period of the secret that is generated by aliyun-acr-credential-helper. Leave this parameter empty if the Container Registry Enterprise Edition instance and the ACK cluster belong to the same Alibaba Cloud account. Important: The expireDuration value cannot be greater than the MaxSessionDuration value of the RAM role of Account B. | Default value: 3600. Valid values: 3600 to 43200. Unit: seconds. Set the MaxSessionDuration parameter of the RAM role of Account B to 43200.
For information about other parameters, see Appendix.
Note: By default, the P2P agent uses port 65001 on nodes. If port 65001 is occupied by another agent, change the port for the P2P agent.
If the ACK cluster and the Container Registry Enterprise Edition instance reside in the same region, you can leave the region and vpcId parameters empty. If the ACK cluster and the Container Registry Enterprise Edition instance reside in different regions, you must set the region parameter to the region where the Container Registry Enterprise Edition instance resides and the vpcId parameter to the ID of the VPC that is associated with the Container Registry Enterprise Edition instance.
If your business container image is an ultra-large image such as a large model, you must adjust the caching mode of P2P data based on the node status.
Data disk-based caching mode: This is the default caching mode of P2P data. Make sure that the data disk in the node is of the AutoPL type and the p2p.v2.cache.mode value is disk.
Memory-based caching mode: Make sure that the node has no less than 8 GB of free memory and the p2p.v2.cache.mode value is memory.
# ID of ACR EE instances, support multi, e.g. "cri-xxx,cri-yyy"
acrInstances: ""
rrsa:
  enable: true
  rrsaRoleARN: ""
  rrsaOIDCProviderRoleARN: ""
  assumeRoleARN: ""
  expireDuration: 3600
# Region of ACR EE instance, default is the region of the cluster on the cloud.
# Need to be set if cross-regional access on the cloud cluster, or access on your IDC cluster.
region: ""
# VPC which is connected to the VPC network of the ACR EE instance, default is the VPC of the cluster on the cloud.
# Need to be set if cross-regional access on the cloud cluster, or access on your IDC cluster through VPC network.
vpcId: ""
p2p:
  # Port of P2P Agent in host network
  port: 65001
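The parameter rules spread across the three installation paths (acrInstances format, region and vpcId set together for cross-region access, a valid host port, the disk or memory cache mode, and rrsa.expireDuration within 3600 to 43200 seconds and not above the MaxSessionDuration of the Account B role) are easy to get wrong when the values are assembled by hand. The following validator is an added example and is not part of the chart; it takes the values as a Python dict (the same structure as the YAML above) and returns a list of problems. Assumptions beyond the page: the dotted setting p2p.v2.cache.mode is assumed to live nested under the p2p key of the values, and instance IDs are assumed to follow the "cri-xxx" pattern shown in the chart comment. The sample values and ARNs are constructed placeholders.

```python
from typing import Any, Dict, List

# Constructed sample values for the RRSA installation path (placeholder ARNs and IDs).
SAMPLE_VALUES: Dict[str, Any] = {
    "acrInstances": "cri-example1,cri-example2",
    "rrsa": {
        "enable": True,
        "rrsaRoleARN": "acs:ram::aaa",
        "rrsaOIDCProviderRoleARN": "acs:ram::bbb",
        "assumeRoleARN": "acs:ram::ccc",
        "expireDuration": 3600,
    },
    "region": "",
    "vpcId": "",
    # Assumption: p2p.v2.cache.mode is nested under p2p in the values file.
    "p2p": {"port": 65001, "v2": {"cache": {"mode": "disk"}}},
}


def validate_values(values: Dict[str, Any], max_session_duration: int = None) -> List[str]:
    """Check chart values against the constraints described on this page.
    max_session_duration is the MaxSessionDuration of the Account B role, if known."""
    problems: List[str] = []

    # acrInstances: comma-separated instance IDs, at least one required.
    ids = [s.strip() for s in str(values.get("acrInstances", "")).split(",") if s.strip()]
    if not ids:
        problems.append("acrInstances is empty; at least one instance ID is required")
    for inst in ids:
        if not inst.startswith("cri-"):  # assumption based on the chart's "cri-xxx" example
            problems.append(f"acrInstances entry {inst!r} does not look like an instance ID")

    # Cross-region access needs both region and vpcId; same-region leaves both empty.
    region, vpc = values.get("region", ""), values.get("vpcId", "")
    if bool(region) != bool(vpc):
        problems.append("cross-region access needs both region and vpcId; only one is set")

    p2p = values.get("p2p", {})
    port = p2p.get("port", 65001)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"p2p.port {port!r} is not a valid TCP port")
    mode = p2p.get("v2", {}).get("cache", {}).get("mode", "disk")
    if mode not in ("disk", "memory"):
        problems.append(f"p2p.v2.cache.mode {mode!r} must be 'disk' or 'memory'")

    rrsa = values.get("rrsa", {})
    has_ak = bool(values.get("accessKey")) or bool(values.get("accessKeySecret"))
    if rrsa.get("enable"):
        if has_ak:
            problems.append("both an AccessKey pair and RRSA are configured; use one credential path")
        for key in ("rrsaRoleARN", "rrsaOIDCProviderRoleARN"):
            if not rrsa.get(key):
                problems.append(f"rrsa.{key} is required when rrsa.enable is true")
        if rrsa.get("assumeRoleARN"):  # cross-account: session length rules apply
            exp = rrsa.get("expireDuration", 3600)
            if not isinstance(exp, int) or not 3600 <= exp <= 43200:
                problems.append(f"rrsa.expireDuration {exp!r} must be between 3600 and 43200 seconds")
            elif max_session_duration is not None and exp > max_session_duration:
                problems.append(
                    f"rrsa.expireDuration {exp} exceeds the MaxSessionDuration "
                    f"({max_session_duration}) of the Account B role")
    elif has_ak and not (values.get("accessKey") and values.get("accessKeySecret")):
        problems.append("accessKey and accessKeySecret must both be set")
    return problems


if __name__ == "__main__":
    print(validate_values(SAMPLE_VALUES, max_session_duration=43200))
```

Load your values file with a YAML parser, pass the resulting dict to validate_values together with the MaxSessionDuration you set on the Account B role, and fix every reported problem before deploying the agent; an expireDuration above the role's MaxSessionDuration is the case the Important note in the table above warns about.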
Appendix
The following table describes other parameters of the ack-acr-acceleration-p2p agent.
Parameter related to data caching | Default value in data disk-based caching mode | Default value in memory-based caching mode | Description
blocksize | 256 | 256 | The size of a shard in a single request to the data source Object Storage Service (OSS).
capacity | 4294967296 | 0 | The size of the disk cache.
optionBlockSize | 67108864 | 8589934592 |
memoryCacheCapacityGB | 1 | 8 | The size of the memory cache. Unit: GB.
aio | 0 | 0 | This parameter is used to enable the libaio (Linux native asynchronous I/O) library. This parameter is invalid in memory-based caching mode.

DeployConfig parameter | Default value | Description
proxyFsParallels | 128 | The maximum number of requests that the P2P agent can process in parallel.

AgentConfig parameter | Default value | Description
connectTimeout (s) | 5 | The timeout period for the P2P agent to establish a connection with an upstream node. Unit: seconds.
transferTimeout (s) | 15 | The timeout period for the P2P agent to receive data transfers from the upstream node. Unit: seconds. Set the value to 15.