How to specify startTask user identity using Azure CLI?

  • Question

  • Hello,

    I'm using a pool of Linux machines (canonical:ubuntuserver:16.04.0-LTS) and my startTask needs to run some commands with administrator permissions. I'm using --start-task-command-line '/bin/bash -c "sudo ls"'.

    Without the admin permission I hit this error: 'sudo: no tty present and no askpass program specified'. It seems that I could use 'sudo -S', but in that case I have an issue waiting for the password of _azbatchaccount (not sure about the account name).

    I don't see any way to specify the start task userIdentity [here](https://docs.microsoft.com/en-us/cli/azure/batch/pool?view=azure-cli-latest#az_batch_pool_create), but this is doable in the Azure Portal. When I switch the user using the portal to Pool autouser, Admin, my nodes start correctly.

    Moreover, running 'az batch pool show --pool-id myPool'

    I see that the startTask contains a "userIdentity" node. It also seems from this [documentation](https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.batch.starttask.useridentity?view=azurebatch-7.0.1) that if the identity isn't specified it's a non-admin.

    I wonder if a workaround could be to use the --json-file of the 'az batch pool create', but I cannot find docs on this JSON.

    Thanks




    • Edited by ttrunck Sunday, October 15, 2017 12:08 AM
    Sunday, October 15, 2017 12:06 AM

Answers

  • Hi there,

    You are quite right - you can use the --json-file command flag to specify a pool with a lot more options than are available by command flags alone.

    The --json-file flag is touched on in the context of creating tasks here:
    https://docs.microsoft.com/en-us/azure/batch/scripts/batch-cli-sample-run-job

    The JSON file you pass in here will be in the format of our API specification, which is fully documented here:
    https://docs.microsoft.com/en-us/rest/api/batchservice/Pool/Add

    A pool JSON with an admin start task could look something like this:

    {
        "id": "sample_pool",
        "virtualMachineConfiguration": {
            "imageReference": {
                "publisher": "Canonical",
                "offer": "UbuntuServer",
                "sku": "16.04-LTS"
            },
            "nodeAgentSKUId": "batch.node.ubuntu 16.04",
        },            
        "vmSize": "Standard_A1",
        "targetDedicatedNodes": 2,
        "startTask": {
            "commandLine": "/bin/bash -c \"sudo ls\"",
            "waitForSuccess": true,
            "userIdentity": {
                "autoUser": {
                    "elevationLevel": "admin"
                }
            }
        }
    }

    Thanks,

    Anna



    • Edited by anna.tisch Tuesday, October 17, 2017 9:00 PM Fixed nodeAgentSKUId field name
    • Proposed as answer by anna.tisch Tuesday, October 17, 2017 9:08 PM
    • Marked as answer by ttrunck Wednesday, October 18, 2017 12:37 AM
    Tuesday, October 17, 2017 8:46 PM

All replies

  • Perfect, thanks for the pointer about the JSON. I was able to adapt your sample to do what I want.

    One minor thing: Azure-CLI complains about the extra comma after the "nodeAgentSKUId".

    Again thanks for your help.

    Wednesday, October 18, 2017 12:40 AM
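
An added example, not part of the original thread or of Azure's tooling: a pre-flight check for a pool definition before it is passed to 'az batch pool create --json-file'. It catches the trailing comma mentioned in the last reply and flags a start task that calls sudo without the admin auto-user elevation shown in the answer. The function names are hypothetical and the embedded JSON is a constructed copy of the answer's sample.

```python
import json
import re

# Constructed sample: the pool definition from the answer, including the
# trailing comma after "nodeAgentSKUId" that the follow-up reply reports.
ANSWER_JSON = r"""{
    "id": "sample_pool",
    "virtualMachineConfiguration": {
        "imageReference": {
            "publisher": "Canonical",
            "offer": "UbuntuServer",
            "sku": "16.04-LTS"
        },
        "nodeAgentSKUId": "batch.node.ubuntu 16.04",
    },
    "vmSize": "Standard_A1",
    "targetDedicatedNodes": 2,
    "startTask": {
        "commandLine": "/bin/bash -c \"sudo ls\"",
        "waitForSuccess": true,
        "userIdentity": {"autoUser": {"elevationLevel": "admin"}}
    }
}"""

def start_task_is_admin(pool):
    """True only when startTask.userIdentity.autoUser.elevationLevel is "admin"."""
    identity = pool.get("startTask", {}).get("userIdentity", {})
    return identity.get("autoUser", {}).get("elevationLevel") == "admin"

def check_pool_json(text):
    """Return findings for a --json-file pool definition; [] means none."""
    try:
        pool = json.loads(text)
    except json.JSONDecodeError as err:
        # Strict JSON rejects a trailing comma, which is what the CLI complained about.
        return [f"invalid JSON at line {err.lineno}, column {err.colno}: {err.msg}"]
    findings = []
    start = pool.get("startTask", {})
    identity = start.get("userIdentity", {})
    # Only auto-user identities are judged; other identity kinds are not inspected.
    auto_user = not identity or "autoUser" in identity
    if re.search(r"\bsudo\b", start.get("commandLine", "")) and auto_user \
            and not start_task_is_admin(pool):
        findings.append("startTask calls sudo but runs as a non-admin auto-user")
    return findings

if __name__ == "__main__":
    fixed = ANSWER_JSON.replace('16.04",\n', '16.04"\n')
    for name, text in (("as posted", ANSWER_JSON), ("comma removed", fixed)):
        print(name, "->", check_pool_json(text) or "ok")
```
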