Build custom images when official EAS images lack required dependencies or configurations. Package runtime environment, dependencies, and inference code into container images for model service deployment.
Image repository options
EAS pulls container images from a registry during service deployment. Store images in Alibaba Cloud Container Registry (ACR) and pull over VPC network for optimal performance and security.
Avoid pulling images over the public internet: transfers are slow and the pull path is exposed to security risks.
ACR Personal Edition
- Free tier limited to single-region storage. Cross-region pulls require public network address.
- Suitable for testing environments only. Deploy EAS service in same region as registry.
ACR Enterprise Edition
- Provides enterprise-grade security, high-performance image distribution, and global synchronization. EAS services pull images over internal network within same region or across regions.
- Recommended for production deployments.
Self-hosted registries
- Self-hosted registries like Harbor deployed in Alibaba Cloud VPC are accessible only within VPC boundaries. Configure EAS service to use same VPC as registry for network connectivity.
Authentication
Private registries require username and password credentials during service deployment.
In JSON configuration, specify dockerAuth parameter with Base64-encoded username:password string.
Encode abcd:abcde12345 by running echo -n "abcd:abcde12345" | base64 to get dockerAuth value YWJjZDphYmNkZTEy****:
{"dockerAuth": "YWJjZDphYmNkZTEy****"}
EAS pulls images from ACR without authentication when registry and service belong to same Alibaba Cloud account and region.
Quick start
This example builds a Flask and Gunicorn web service image on an ECS instance, pushes the image to ACR, and deploys it to EAS.
Step 1: Prepare environment
Prerequisites:
- Virtual Private Cloud (VPC): EAS service, ECS instance, and ACR registry must use same VPC for stable, secure image transfers.
- Container Registry (ACR): ACR Enterprise Edition instance with configured namespace and image repository. See Use an Enterprise Edition instance to push and pull images.
- Development environment: ECS instance with Docker installed and this configuration:
  - Instance type: ecs.u1-c1m2.large
  - Image: Alibaba Cloud Linux 3.2104 LTS 64-bit
  - Extension: Docker Community Edition
  - Network: ECS instance VPC must be added to ACR Enterprise Edition instance access control list. See Configure access control for an ACR instance over a VPC.
Note: Alternative development environments:
- Local development: Install Docker to build images locally.
- DSW development: In Actions column, click Create Image to build and save image to ACR. During EAS deployment, select Custom Image from dropdown. See Create a DSW instance image.
Step 2: Create application files
Create a project folder named my-app with three files:
- requirements.txt (Application dependencies)
  ```
  flask
  gunicorn
  ```
- app.py (Web application code)
  ```python
  from flask import Flask

  app = Flask(__name__)

  @app.route('/hello/model')
  def hello_world():
      # Replace with model inference or business logic
      return 'Hello World from Gunicorn!'

  # Gunicorn starts application (app.run() not needed)
  ```
- Dockerfile (Image build instructions)
  ```dockerfile
  # 1. Use official lightweight Python image as base
  FROM python:3.9-slim

  # 2. Set working directory
  WORKDIR /app

  # 3. Copy requirements and install dependencies (leverages Docker cache)
  COPY requirements.txt .
  RUN pip install --no-cache-dir -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

  # 4. Copy application code
  COPY app.py .

  # 5. Expose service port
  EXPOSE 8000

  # 6. Define container start command (override with "Command" in EAS console)
  CMD ["gunicorn", "-w", "4", "-b", "0.0.0.0:8000", "app:app"]
  ```
Step 3: Build and push image
- Navigate to project folder (my-app).
- Log in to ACR. Replace placeholders with your ACR credentials.
  ```bash
  # Example: docker login --username=your_user my-registry.cn-hangzhou.aliyuncs.com
  docker login --username=<username> <ACR_repository_domain_name>
  ```
- Build and tag the image.
  ```bash
  # Example: docker build -t my-registry.cn-hangzhou.aliyuncs.com/my-namespace/flask-app:v1 .
  docker build -t <ACR_repository_domain_name>/<namespace>/<image_repository_name>:<version_number> .
  ```
- Push the image to ACR.
  ```bash
  # Example: docker push my-registry.cn-hangzhou.aliyuncs.com/my-namespace/flask-app:v1
  docker push <ACR_repository_domain_name>/<namespace>/<image_repository_name>:<version_number>
  ```
Step 4: Deploy service
- Log on to the PAI console. Select a region on the top of the page. Then, select the desired workspace and click Elastic Algorithm Service (EAS).
- Click Deploy Service and select .
- Configure parameters:
  - Deployment Method: Select Image-based Deployment.
  - Image Configuration: Select Image Address and enter the full image address. Authentication is unnecessary when ACR and EAS belong to the same Alibaba Cloud account.
  - Command to Run: gunicorn -w 4 -b 0.0.0.0:8000 app:app
    Console commands override Dockerfile CMD. Specify the command here for easier runtime debugging and modification.
  - Port Number: 8000.
  - Deployment: Select CPU resource like ecs.c6.large from Public Resources.
  - VPC: Select VPC, vSwitch, and security group for the service. VPC must be added to ACR instance access control list. Missing configuration causes ImagePullBackOff errors during deployment.
- Click Deploy. Service status changes to Running after successful deployment.
Step 5: Test service
Obtain the service endpoint and token, then test the Flask service:
```bash
# Replace <endpoint> and <token> with actual service endpoint and token
curl <endpoint>/hello/model -H "Authorization: <token>"
```
A Hello World from Gunicorn! response confirms the service is running correctly.
For more information about service invocation, see Service invocation methods.
Limitations
- Network access: EAS services require VPC configuration to access internal network resources. To access public internet resources (install dependencies with pip, call external APIs, or pull images from public registries), configure a NAT Gateway for the VPC. See Allow an EAS service to access the public network or internal resources. NAT Gateway incurs additional charges.
- Port restrictions: EAS reserves ports 8080 and 9090 for internal use. Applications must not bind to these ports, or deployment will fail with port conflict errors.
- Sidecar injection: EAS automatically injects a proxy container as sidecar to handle authentication, authorization, and monitoring. This lightweight proxy securely forwards incoming requests to the service port.
- Protocol support: Custom images support HTTP, WebSocket, and gRPC (HTTP/2) protocols.
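An added example (not part of the original page or of Alibaba Cloud's tooling): a pre-deployment check for the dockerAuth format from Authentication, the reserved ports listed above, and the image address shape used in Step 3. The function names and the image-address regular expression are assumptions made for illustration; the code only inspects strings and contacts no registry.

```python
import base64
import re

RESERVED_PORTS = {8080, 9090}  # reserved by EAS (see Limitations)

# <ACR_repository_domain_name>/<namespace>/<image_repository_name>:<version_number>
IMAGE_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}/[a-z0-9._-]+/[a-z0-9._/-]+:[A-Za-z0-9._-]+$")


def check_docker_auth(value):
    """Return the problems found in a dockerAuth string (empty list if none)."""
    if any(ch.isspace() for ch in value):
        # GNU base64 wraps output at 76 columns, so long credentials piped
        # through plain `base64` pick up an embedded newline.
        return ["dockerAuth contains whitespace"]
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return ["dockerAuth is not Base64-encoded text"]
    problems = []
    user, sep, password = decoded.partition(":")
    if not (sep and user and password):
        problems.append("decoded dockerAuth is not username:password")
    if decoded.endswith("\n"):
        # what `echo` without -n produces
        problems.append("decoded credentials end with a newline")
    return problems


def preflight(image, port, docker_auth=None):
    """Check deployment inputs against the rules this page states."""
    problems = []
    if not IMAGE_RE.match(image):
        problems.append("image is not <domain>/<namespace>/<repository>:<version>")
    if port in RESERVED_PORTS:
        problems.append(f"port {port} is reserved by EAS")
    if docker_auth is not None:
        problems.extend(check_docker_auth(docker_auth))
    return problems


# Constructed inputs; abcd:abcde12345 is the page's sample credential.
GOOD_AUTH = base64.b64encode(b"abcd:abcde12345").decode()
NEWLINE_AUTH = base64.b64encode(b"abcd:abcde12345\n").decode()

if __name__ == "__main__":
    print(preflight("my-registry.cn-hangzhou.aliyuncs.com/my-namespace/flask-app:v1", 8000, GOOD_AUTH))
    print(preflight("my-namespace/flask-app", 8080, NEWLINE_AUTH))
```

Base64 is an encoding, not encryption, so a dockerAuth value is equivalent to the plaintext credentials and should be stored as a secret.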
Best practices
- Separate images and models: Package application code in the image and store model files in Object Storage Service (OSS) or File Storage NAS. Use storage mount to mount model files during deployment. This separation reduces image pull times during service updates and scaling operations.
- Pull images over internal network: Configure VPC for the service to pull images from ACR using the VPC address for optimal security and transfer performance.
- Register images as AI assets: For reusable custom images, register them in PAI AI Assets to manage them as standardized, versioned assets.
- Configure health checks: Enable health checks so EAS can automatically restart unhealthy service instances. For more information, see Health check.
- Enable auto scaling: For variable workloads, enable horizontal automatic scaling to handle traffic changes.
Troubleshooting
Service fails with ImagePullBackOff error
ImagePullBackOff error indicates EAS cannot pull the container image from the registry. Common causes:
- Network connectivity
  EAS service's VPC must have network connectivity to the image registry.
  - Action: Verify EAS service's VPC is added to ACR instance access control list.
  - Cross-region deployments: Connect VPCs across regions using Cloud Enterprise Network (CEN). See Access an ACR Enterprise Edition instance across regions or from an IDC.
  - Public internet pulls: Ensure VPC has a NAT Gateway configured and public network access is enabled for ACR repository.
- Authentication failure
  Private registries require authentication credentials. ACR instances in the same account automatically authenticate without credentials.
  - Action: Verify username and password in Image Configuration are correct and have pull permissions for the repository.
- Image not found
  Image path or tag is incorrect, or the image doesn't exist in the registry.
  - Action: Verify image address, namespace, and tag match the values you used when pushing to the registry.
- Insufficient disk space
  Node's local storage is full and cannot store the pulled image.
  - Action: Expand the system disk for EAS service resource group.
For additional issues, see EAS FAQ.