core: push SOCI index when publishing docker image assets #26413

Open
2 tasks
tmokmss opened this issue Jul 18, 2023 · 6 comments
Labels
@aws-cdk/core Related to core CDK functionality effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@tmokmss
Contributor

tmokmss commented Jul 18, 2023

Describe the feature

Recently Seekable OCI (SOCI) has become supported on ECS Fargate (blog) to launch Fargate tasks faster.

Amazon ECS tasks on Fargate that use Linux platform version 1.4.0 can use Seekable OCI (SOCI) to help start tasks faster. With SOCI, containers only spend a few seconds on the image pull before they can start, providing time for environment setup and application instantiation while the image is downloaded in the background. This is called lazy loading. When Fargate starts an Amazon ECS task, Fargate automatically detects if a SOCI index exists for an image in the task and starts the container without waiting for the entire image to be downloaded.
https://docs.aws.amazon.com/AmazonECS/latest/userguide/container-considerations.html#fargate-tasks-soci-images

It can help if CDK automatically builds and publishes a SOCI index for docker image assets.

Use Case

To easily publish a SOCI index from CDK, and eventually increase the speed of Fargate cold start for large container images.

Proposed Solution

NOTE: I published an experimental construct for this feature: #26413 (comment)

```ts
// install the package by npm install deploy-time-build
import { DockerImageAsset } from 'aws-cdk-lib/aws-ecr-assets';
import { SociIndexBuild } from 'deploy-time-build';

const asset = new DockerImageAsset(this, 'Image', { directory: 'example-image' });
SociIndexBuild.fromDockerImageAsset(this, 'Index', asset);
// The SOCI index for the docker image will be built and deployed during CFn deployment!
```

Run soci-snapshotter locally on cdk deploy, and publish the artifact to ECR. Whether CDK publishes a SOCI index or not should be optional, because sometimes it will slow down Fargate startup time, especially for small images (ref).

Other Information

There is already a solution to automatically build and push SOCI index when an image is pushed to ECR.

https://aws-ia.github.io/cfn-ecr-aws-soci-index-builder/

Because this solution publishes a SOCI index asynchronously, sometimes the index is not ready yet when a Fargate task launches. The CDK solution might be better in that we can easily set dependencies between assets and the ECS task definition, which allows us to hold back an update of the task definition until the corresponding SOCI index is available.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.87.0

Environment details (OS name and version, etc.)

macOS

@tmokmss tmokmss added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 18, 2023
@github-actions github-actions bot added the @aws-cdk/core Related to core CDK functionality label Jul 18, 2023
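
The race described in the issue above (an asynchronously built index may not exist yet when the task launches) can be closed with a deploy-time gate, sketched here as an added example that is not part of the original post, CDK, or deploy-time-build. The `list_manifests` callable, the sample digests, and the assumed index layout (artifact type `application/vnd.amazon.soci.index.v1+json` plus a `subject` digest) are assumptions.

```python
import time

# Assumption: a SOCI v1 index is an OCI manifest carrying this artifact type
# (or config media type) and a `subject` that names the image it indexes.
SOCI_INDEX_TYPE = "application/vnd.amazon.soci.index.v1+json"
# Constructed sample digests (not real images).
IMAGE = "sha256:" + "a" * 64
OLD_IMAGE = "sha256:" + "b" * 64


def is_soci_index_for(manifest, image_digest):
    """True only if `manifest` is a SOCI index whose subject is `image_digest`."""
    kind = manifest.get("artifactType") or manifest.get("config", {}).get("mediaType")
    subject = manifest.get("subject") or {}
    return kind == SOCI_INDEX_TYPE and subject.get("digest") == image_digest


def wait_for_soci_index(list_manifests, image_digest, timeout_s=300.0,
                        interval_s=5.0, sleep=time.sleep, clock=time.monotonic):
    """Poll until an index for exactly `image_digest` exists.

    `list_manifests` is a hypothetical callable returning the repository's
    manifests as dicts. Returns False on timeout so the caller can stop the
    task definition update instead of launching without an index.
    """
    deadline = clock() + timeout_s
    while True:
        if any(is_soci_index_for(m, image_digest) for m in list_manifests()):
            return True
        if clock() >= deadline:
            return False
        sleep(interval_s)


def soci_index(subject_digest):
    """Build a constructed, minimal index manifest for the simulation."""
    return {"schemaVersion": 2, "artifactType": SOCI_INDEX_TYPE,
            "subject": {"digest": subject_digest}}


def simulated_registry(ready_after_polls):
    """Constructed registry: a stale index for OLD_IMAGE is always present,
    the index for IMAGE only appears from poll number `ready_after_polls`."""
    calls = {"n": 0}

    def list_manifests():
        calls["n"] += 1
        manifests = [soci_index(OLD_IMAGE)]
        if calls["n"] >= ready_after_polls:
            manifests.append(soci_index(IMAGE))
        return manifests
    return list_manifests
```

Matching on the subject digest rather than on the tag is what keeps a leftover index from a previous push of the same tag from satisfying the gate.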
@khushail
Contributor

Thanks for submitting this feature request @tmokmss.

@khushail khushail added effort/medium Medium work item – several days of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jul 19, 2023
@pahud
Contributor

pahud commented Jul 19, 2023

Thank you @tmokmss

Where would you expect the index to be built? From the local environment where CDK bundles and publishes the assets or from the lambda function? I guess the best solution might be to transparently build the index when CDK bundles and publishes the container image assets, but this requires the client to install the soci-snapshotter. If users opt in to the index building and the soci-snapshotter is installed, maybe the image bundling process can build and upload the index transparently? This seems to be an interesting idea and we welcome any pull requests for this.

@tmokmss
Contributor Author

tmokmss commented Jul 20, 2023

@pahud Personally I think building it locally is preferable, because using a CFn custom resource would introduce some overhead such as triggering Lambda from CFn, pulling images from ECR, etc. It would also have several limitations like RAM or 15min duration (idk how long it usually takes to create an index though.)

That said, soci-snapshotter appears to only run on Linux to build an index (I'm confirming it on this thread). If so, I guess we have to use a custom resource after all. edit) The maintainer says it can be possible to use MacOS or Windows to build an index. We should try this first.

Also, soci commands seem to require sudo to access metadata directories. Then to build an index locally, a user will have to run the cdk command as root, or we will have a password prompt to elevate the privilege during cdk deploy, which can be a nuisance for a user.

Many soci CLI commands need to be run as sudo, because the metadata is saved in directories that a non-root user often does not have access to. https://github.com/awslabs/soci-snapshotter/blob/main/docs/getting-started.md#install-soci-snapshotter

@tmokmss
Contributor Author

tmokmss commented Aug 4, 2023

For anyone interested in this issue, I published an experimental construct to build and publish a SOCI index: deploy-time-build.

You can push a SOCI index during CFn deployment by the following code:

```sh
npm install deploy-time-build
```

```ts
import { DockerImageAsset } from 'aws-cdk-lib/aws-ecr-assets';
import { SociIndexBuild } from 'deploy-time-build';

const asset = new DockerImageAsset(this, 'Image', { directory: 'example-image' });
SociIndexBuild.fromDockerImageAsset(this, 'Index', asset);
```

@pahud
Contributor

pahud commented Aug 16, 2023

Hi @tmokmss, does it mean the client will need to install an additional tool for that?

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 16, 2023
@tmokmss
Contributor Author

tmokmss commented Aug 16, 2023

@pahud No, the above construct works as a custom resource on Lambda and CodeBuild, so there's no dependency on a local machine. As far as I researched, building a SOCI index locally is difficult for now.
