Set up Alibaba Cloud
One-time setup to run ALE on Alibaba Cloud: sign in, create a network, and import the sandbox images into your account. Then point an experiment at the Alibaba environment and run. Credentials live in your Alibaba CLI profile; everything else is created once below.
Sign in
Create an Alibaba Cloud account
if you don't have one and activate ECS and
OSS (Object Storage Service) in the console. Install the
Alibaba Cloud CLI
(aliyun) plus ossutil,
create a RAM user with ECS + OSS access and an AccessKey pair for it, then:
aliyun configure # paste the AccessKey id/secret, region cn-hangzhou
export ALE_ALIYUN_REGION=cn-hangzhou
① Create the network
A VPC with a vSwitch in two zones (tried in order if one is short on
capacity), and a security group ale-sandbox opening the port
ALE needs (5000; 3389 to view a Windows desktop).
R=cn-hangzhou
J(){ python3 -c "import sys,json;print(json.load(sys.stdin)$1)"; }
VPC=$(aliyun vpc CreateVpc --RegionId $R --VpcName ale-vpc --CidrBlock 192.168.0.0/16 | J "['VpcId']")
i=10; for z in cn-hangzhou-j cn-hangzhou-k; do
VSW=$(aliyun vpc CreateVSwitch --RegionId $R --VpcId $VPC --ZoneId $z \
--CidrBlock 192.168.$i.0/24 --VSwitchName ale-vsw-$z | J "['VSwitchId']")
aliyun vpc TagResources --RegionId $R --ResourceType VSWITCH --ResourceId.1 $VSW \
--Tag.1.Key project --Tag.1.Value ale; i=$((i+10))
done
SG=$(aliyun ecs CreateSecurityGroup --RegionId $R --VpcId $VPC \
--SecurityGroupName ale-sandbox --Description "ALE sandbox ingress" | J "['SecurityGroupId']")
for p in 5000 3389; do
aliyun ecs AuthorizeSecurityGroup --RegionId $R --SecurityGroupId $SG \
--IpProtocol tcp --PortRange $p/$p --SourceCidrIp 0.0.0.0/0
done
② Import the sandbox images
A task boots from a prebaked image (the OS, the professional software, and the task data, ready to go). ALE publishes them as raw disks; the script imports the one(s) you need into your account. Pick by what your tasks run on:
ale-ubuntu22— Linux (the bulk of tasks)ale-win10orale-win-server— Windows; either one works, pick one
# imports from the published source into your OSS + registers an ECS image,
# tagged ale:image-family=<name> (repeat per image you need)
./scripts/aliyun/import_images.sh ale-ubuntu22 # or ale-win10 / ale-win-server
The environment config refers to images by these family names, so once imported they're picked up automatically. (A Windows image is a large disk; the import takes a while.)
③ Keep run output in OSS (recommended for real runs)
With output_path: local each run's output is fetched back to
your machine over the sandbox's control port — fine for a quick demo, but
slow and flaky for large outputs at scale. So, exactly as on Google Cloud
(where output goes to a GCS bucket), the recommended path is to have the
sandbox upload straight to OSS. Create the bucket and a RAM role that lets
the sandbox upload to it:
ossutil mb oss://ale-run-results-$(aliyun sts GetCallerIdentity | J "['AccountId']")
aliyun ram CreateRole --RoleName ale-sandbox --AssumeRolePolicyDocument \
'{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":["ecs.aliyuncs.com"]}}],"Version":"1"}'
aliyun ram AttachPolicyToRole --PolicyType System \
--PolicyName AliyunOSSFullAccess --RoleName ale-sandbox
The snapshots already reference the ale-sandbox role, so once
it exists the sandbox is launched with it attached (that's what lets the
in-box ossutil write to the bucket). All you do to switch on
OSS output is set output_path: oss://ale-run-results-<account>
in configs/environments/environment_aliyun.yaml. (If the role
doesn't exist it's skipped for local runs, so you only need it for OSS
output — and if output_path is a bucket but the role is
missing, the run fails fast with a clear message.)
④ Run
Point your experiment at the Alibaba environment
(environment: configs/environments/environment_aliyun.yaml) and run:
uv run python -m ale_run run my_experiment.yaml