Version Control of Machine Learning Containers Using AWS ECR Lifecycle

Question

Pulumi · Accepted Answer

Managing machine learning containers effectively involves version controlling your Docker images so that you can reliably roll back to earlier versions if needed. AWS Elastic Container Registry (ECR) provides a feature known as lifecycle policies that allows you to manage the lifecycles of images in your repository.

A lifecycle policy is a set of rules that automatically manage your images for you. For example, you can use a lifecycle policy to keep only the most recent five images and automatically delete older ones, or to delete untagged images that are a certain number of days old.

In the following Pulumi program, we create an Amazon ECR repository to store Docker images, then apply a lifecycle policy to the repository. This lifecycle policy will maintain the last 5 images tagged with 'prod' and automatically expire images tagged as 'dev' after 30 days.

Here's how you do it in Python using Pulumi:

```python
import pulumi
import pulumi_aws as aws

# Create an AWS ECR Repository to store your Docker images
repository = aws.ecr.Repository("my_ml_repository",
    image_scanning_configuration=aws.ecr.RepositoryImageScanningConfigurationArgs(
        scan_on_push=True,
    ),
    image_tag_mutability="MUTABLE",
)

# Define a lifecycle policy for the repository to manage image versions
lifecycle_policy_document = {
    "rules": [
        {
            "rulePriority": 1, 
            "description": "Keep last 5 prod images",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["prod"],
                "countType": "imageCountMoreThan",
                "countNumber": 5,
            },
            "action": {
                "type": "expire"
            },
        },
        {
            "rulePriority": 2,
            "description": "Expire dev images after 30 days",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["dev"],
                "countType": "sinceImagePushed",
                "countUnit": "days",
                "countNumber": 30,
            },
            "action": {
                "type": "expire"
            },
        },
    ]
}

lifecycle_policy = aws.ecr.LifecyclePolicy("my_ml_repository_lifecycle_policy",
    repository=repository.name,
    policy=pulumi.Output.secret(lifecycle_policy_document),
)

# Export the repository URL to be used in docker commands to push images.
pulumi.export("repository_url", repository.repository_url)
```

In this program:
- We first create an ECR repository called `my_ml_repository` where our Docker images will be stored.
- We then set `image_scanning_configuration` to `True` for `scan_on_push`, enabling the scanning of images for vulnerabilities upon push.
- We've set `image_tag_mutability` to `"MUTABLE"` allowing image tags to be overwritten. For production use, you might want to set this to `"IMMUTABLE"` to prevent image tags from being overwritten.
- Next, we define our lifecycle policy. The policy is a JSON-like structure:
  - The first rule keeps the last five images that are tagged with 'prod', so we always have the latest five production releases.
  - The second rule automatically expires 'dev' tagged images after 30 days. It's common in a development environment to create many iterations of an image, so this rule helps prevent your repository from having too many unnecessary dev images taking up space.
- The `LifecyclePolicy` resource applies this policy to our repository.
- Finally, we export the `repository_url` so it can be used in Docker commands to push or pull images from the repository.

This program assumes you have AWS credentials configured. Once you run this Pulumi program, your AWS ECR repository will automatically start version controlling your Docker container images based on the defined lifecycle policy rules.