Deploy services using custom images - Platform For AI - Alibaba Cloud Documentation Center

Plan your image repository

EAS pulls images from a container registry when deploying services. We recommend using Alibaba Cloud Container Registry (ACR) to store images and pull them over your VPC network for optimal performance and security.

Important

Don't pull images from the public internet. Public pulls are slow and insecure.

ACR Personal Edition

Free but limited to a single region. Cross-region image pulls require a public address.
Use ACR Personal Edition for testing only. Ensure it's in the same region as your EAS service.

ACR Enterprise Edition

Provides enhanced security, performance, and global synchronization. EAS services pull images over the internal network within the same region or across regions.
Use ACR Enterprise Edition for production.

Self-built image repositories

Self-hosted registries like Harbor in Alibaba Cloud VPC are accessible only within the VPC. Configure your EAS service to use the same VPC as your registry.

Image repository authentication

Private registries that require authentication need your username and password during deployment.

In your JSON configuration, use the dockerAuth parameter with the Base64-encoded username:password string.

For example, encode abcd:abcde12345 by running echo -n "abcd:abcde12345" | base64 to get the dockerAuth value: YWJjZDphYmNkZTEy****.

{"dockerAuth": "YWJjZDphYmNkZTEy****"}

Note

EAS pulls images from ACR without authentication when the registry and service use the same Alibaba Cloud account and region. No username or password needed.

Quick start: Create and deploy a custom image

Build a production-grade Flask and Gunicorn web service image on an ECS instance, push it to ACR, and deploy it to EAS.

Step 1: Prepare the environment

Before you begin, ensure you have:

Virtual Private Cloud (VPC): Your EAS service, ECS instance, and ACR registry must use the same VPC for stable, secure image transfers.
Container Registry (ACR): An ACR Enterprise Edition instance with a namespace and image repository. See Use an Enterprise Edition instance to push and pull images.
Development environment: An ECS instance with this configuration:
- Instance Type: ecs.u1-c1m2.large
- Image: Alibaba Cloud Linux 3.2104 LTS 64-bit
- Extension: Docker Community Edition
- Network: Add your VPC to the ACR Enterprise Edition instance access control list. See Configure access control for an ACR instance over a VPC.
Note
You can also use a local machine or DSW environment.
- Local development: Install Docker to build images locally.
- DSW development: In the Actions column, click Create Image to build and save the image to ACR. During deployment, select Custom Image from the dropdown. See Create a DSW instance image.

Step 2: Prepare application files

Create a project folder named my-app with these three files:

requirements.txt (Application dependencies)
```
flask
gunicorn
```

app.py (Web application code)

from flask import Flask

app = Flask(__name__)

@app.route('/hello/model')
def hello_world():
    # Integrate your model inference or other business logic here.
    return 'Hello World from Gunicorn!'

# Note: app.run() is not needed. Gunicorn will start the application.

Dockerfile (Image build instructions)

# 1. Use an official lightweight Python image as the base
FROM python:3.9-slim

# 2. Set the working directory
WORKDIR /app

# 3. Copy the requirements file and install dependencies, leveraging Docker's cache to speed up subsequent builds
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

# 4. Copy the application code
COPY app.py .

# 5. Expose the service port
EXPOSE 8000

# 6. Define the default container start command (which you can override with the "Command" in the EAS console)
CMD ["gunicorn", "-w", "4", "-b", "0.0.0.0:8000", "app:app"]

Step 3: Build and push the image

Navigate to your project folder (my-app).

Log in to ACR. Replace placeholders with your information.

# Example: docker login --username=your_user my-registry.cn-hangzhou.aliyuncs.com
docker login --username=<username> <ACR_repository_domain_name>

Build and tag the image.

# Example: docker build -t my-registry.cn-hangzhou.aliyuncs.com/my-namespace/flask-app:v1 .
docker build -t <ACR_repository_domain_name>/<namespace>/<image_repository_name>:<version_number> .

Push the image to ACR.

# Example: docker push registry.cn-hangzhou.aliyuncs.com/my-namespace/flask-app:v1
docker push <ACR_repository_domain_name>/<namespace>/<image_repository_name>:<version_number>

Step 4: Deploy the service

Log on to the PAI console. Select a region on the top of the page. Then, select the desired workspace and click Elastic Algorithm Service (EAS).
Click Deploy Service and select Custom Model Deployment > Custom Deployment.
Configure the following key parameters:
- Deployment Method: Select Image-based Deployment.
- Image Configuration: Select Image Address and enter the full image address.
  
  This example uses ACR in the same Alibaba Cloud account, so no authentication is needed.
- Command to Run: gunicorn -w 4 -b 0.0.0.0:8000 app:app
  
  Note: Commands in the EAS console override the CMD in your Dockerfile. Specify the command here for easier debugging.
- Port Number 8000.
- Deployment: Select a CPU resource like ecs.c6.large from Public Resources.
- VPC: Select a VPC, vSwitch, and security group.
  
  Ensure your VPC is in the ACR access control list. Missing VPC configuration causes ImagePullBackOff errors.
Click Deploy. Deployment succeeds when the service status changes to Running.

Step 5: Test the service

After deployment succeeds, obtain the endpoint and token and test the Flask service:

# Replace <endpoint> and <token> with the actual service endpoint and token.
curl <endpoint>/hello/model -H "Authorization: <token>"

A Hello World from Gunicorn! response confirms the service is running.

For more information about service invocation, see Service invocation methods.

Core concepts and limitations

Network limitations: EAS services require a VPC to access internal network resources. To access public internet resources (install dependencies with pip, call external APIs, or pull images from public registries), configure a NAT Gateway for your VPC. See Allow an EAS service to access the public network or internal resources.

Cost implication: NAT Gateway incurs additional charges.
Port limitations: EAS reserves ports 8080 and 9090. Your application must not use these ports, or deployment will fail with port conflicts.
Sidecar injection: EAS injects a proxy container as a sidecar to handle authentication, authorization, and monitoring. This lightweight proxy securely forwards requests to your service port.
API protocol support: Custom images support HTTP, WebSocket, and gRPC (HTTP/2) protocols.

Recommendations for production applications

Separate images and models: Package code in your image and store models in Object Storage Service (OSS) or File Storage NAS. Use the storage mount feature to mount models at deployment. This reduces image pull times during updates and scaling.
Pull images over the internal network: Configure a VPC for your service to pull images from ACR using a VPC address for optimal security and performance.
Register images as AI assets: For reusable custom images, use PAI AI Assets to manage them as standardized assets.
Configure a health check: Enable health checks so EAS can automatically restart unhealthy instances. For more information, see Health check.
Enable auto scaling: For variable workloads, enable horizontal automatic scaling to handle traffic changes efficiently.

FAQ

Q: Why does my service fail with an `ImagePullBackOff` error?

The ImagePullBackOff error means EAS cannot pull your container image. This typically indicates one of these issues:

Network connectivity issues

Your EAS service's VPC must have network access to the image registry.
- Action: Verify your EAS service's VPC is in your ACR instance's access control list.
- For cross-region deployments: Connect VPCs using Cloud Enterprise Network (CEN). See Access an ACR Enterprise Edition instance across regions or from an IDC.
- For public internet pulls: Ensure your VPC has a NAT Gateway and public network access is enabled for your ACR repository.
Authentication failure

Private registries require authentication credentials (ACR instances in the same account don't require credentials).
- Action: Verify the username and password in Image Configuration are correct with pull permissions.
Image not found

The image path or tag is incorrect, or the image doesn't exist in the registry.
- Action: Verify the image address, namespace, and tag match what you pushed to the registry.
Insufficient system disk space

The node's local storage is full and cannot store the image.
- Action: Expand the system disk for your EAS service resource group.

For more information about other issues, see EAS FAQ.