Add support for docker run uid/gid

- Resolves #54

config_templates/jobs.json

@@ -9,6 +9,13 @@
             "environment_variables_keyvault_secret_id": "https://myvault.vault.azure.net/secrets/myjobenv",
             "max_task_retries": 1,
             "allow_run_on_missing_image": false,
+            "user_identity": {
+                "default_pool_admin": true,
+                "specific_user": {
+                    "uid": 1001,
+                    "gid": 1001
+                }
+            },
             "input_data": {
                 "azure_batch": [
                     {

convoy/batch.py

@@ -1891,7 +1891,7 @@ def add_jobs(
                 settings.set_task_name(_task, '{}-{}'.format(job.id, _task_id))
             del _task_id
             task = settings.task_settings(
-                cloud_pool, config, pool, _task, missing_images)
+                cloud_pool, config, pool, jobspec, _task, missing_images)
             # retrieve keyvault task env vars
             if util.is_not_empty(
                     task.environment_variables_keyvault_secret_id):

convoy/settings.py

@@ -157,6 +157,11 @@ DataTransferSettings = collections.namedtuple(
         'container', 'file_share', 'blobxfer_extra_options',
     ]
 )
+UserIdentitySettings = collections.namedtuple(
+    'UserIdentitySettings', [
+        'default_pool_admin', 'specific_user_uid', 'specific_user_gid',
+    ]
+)
 TaskSettings = collections.namedtuple(
     'TaskSettings', [
         'id', 'image', 'name', 'docker_run_options', 'environment_variables',
@@ -1944,13 +1949,14 @@ def set_task_id(conf, id):
     conf['id'] = id
 
 
-def task_settings(cloud_pool, config, poolconf, conf, missing_images):
-    # type: (azure.batch.models.CloudPool, dict, PoolSettings,
+def task_settings(cloud_pool, config, poolconf, jobspec, conf, missing_images):
+    # type: (azure.batch.models.CloudPool, dict, PoolSettings, dict,
     #        dict, list) -> TaskSettings
     """Get task settings
     :param azure.batch.models.CloudPool cloud_pool: cloud pool object
     :param dict config: configuration dict
     :param PoolSettings poolconf: pool settings
+    :param dict jobspec: job specification
     :param dict conf: task configuration object
     :param list missing_images: list of missing docker images on pool
     :rtype: TaskSettings
@@ -1993,6 +1999,23 @@ def task_settings(cloud_pool, config, poolconf, conf, missing_images):
             lower()
         vm_size = cloud_pool.vm_size.lower()
         inter_node_comm = cloud_pool.enable_inter_node_communication
+    # get user identity settings
+    ui = _kv_read_checked(jobspec, 'user_identity', {})
+    ui_default_pool_admin = _kv_read(ui, 'default_pool_admin', False)
+    ui_specific = _kv_read(ui, 'specific_user', {})
+    ui_specific_uid = _kv_read(ui_specific, 'uid')
+    ui_specific_gid = _kv_read(ui_specific, 'gid')
+    del ui
+    del ui_specific
+    if ui_default_pool_admin and ui_specific_uid is not None:
+        raise ValueError(
+            'cannot specify both default_pool_admin and '
+            'specific_user:uid/gid at the same time')
+    ui = UserIdentitySettings(
+        default_pool_admin=ui_default_pool_admin,
+        specific_user_uid=ui_specific_uid,
+        specific_user_gid=ui_specific_gid,
+    )
     # get depends on
     try:
         depends_on = conf['depends_on']
@@ -2143,6 +2166,26 @@ def task_settings(cloud_pool, config, poolconf, conf, missing_images):
             else:
                 run_opts.append('-v {}:{}'.format(
                     sdvkey, shared_data_volume_container_path(sdv, sdvkey)))
+    # append user identity options
+    attach_ui = False
+    if ui.default_pool_admin:
+        # run as the default pool admin user. note that this is *undocumented*
+        # behavior and may break at anytime
+        run_opts.append('-u `id -u _azbatch`:`id -g _azbatch`')
+        attach_ui = True
+    elif ui.specific_user_uid is not None:
+        if ui.specific_user_gid is None:
+            raise ValueError(
+                'cannot specify a user identity uid without a gid')
+        run_opts.append(
+            '-u {}:{}'.format(ui.specific_user_uid, ui.specific_user_gid))
+        attach_ui = True
+    if attach_ui:
+        run_opts.append('-v /etc/passwd:/etc/passwd:ro')
+        run_opts.append('-v /etc/group:/etc/group:ro')
+        run_opts.append('-v /etc/sudoers:/etc/sudoers:ro')
+    del attach_ui
+    del ui
     # env vars
     try:
         env_vars = conf['environment_variables']

docs/14-batch-shipyard-configuration-jobs.md

@@ -17,6 +17,13 @@ The jobs schema is as follows:
             "environment_variables_keyvault_secret_id": "https://myvault.vault.azure.net/secrets/myjobenv",
             "max_task_retries": 3,
             "allow_run_on_missing_image": false,
+            "user_identity": {
+                "default_pool_admin": true,
+                "specific_user": {
+                    "uid": 1001,
+                    "gid": 1001
+                }
+            },
             "input_data": {
                 "azure_batch": [
                     {
@@ -153,6 +160,20 @@ that was not pre-loaded on to the compute node via
 run. Note that you should attempt to specify all Docker images that you intend
 to run in the `global_resources`:`docker_images` property in the global
 configuration to minimize scheduling to task execution latency.
+* (optional) `user_identity` property is to define which user to run the
+container as. By default, if this property is not defined, the container will
+be run as the root user. However, it may be required to run the container
+with a different user, especially if integrating with storage cluster and
+shared file systems. All first-level properties within `user_identity` are
+mutually exclusive of one another.
+  * (optional) `default_pool_admin` specifies if the container should be
+    run with the default pool (compute node) administrator user that Azure
+    Batch automatically configures upon compute node start. This user will
+    have passwordless sudo access.
+  * (optional) `specific_user` specifies to run the container as a specific
+    user.
+    * (required) `uid` is the user id of the user
+    * (required) `gid` is the group id of the user
 * (optional) `input_data` is an object containing data that should be
 ingressed for the job. Any `input_data` defined at this level will be
 downloaded for this job which can be run on any number of compute nodes

scripts/shipyard_glusterfs_on_compute.sh

@@ -43,7 +43,7 @@ if [ $AZ_BATCH_IS_CURRENT_NODE_MASTER == "true" ]; then
     # create volume
     echo "creating gv0 ($bricks)"
     gluster volume create gv0 $voltype $numnodes transport tcp$bricks
-    # modify volume properties
+    # modify volume properties: the uid/gid mapping is UNDOCUMENTED behavior
     gluster volume set gv0 storage.owner-uid `id -u _azbatch`
     gluster volume set gv0 storage.owner-gid `id -g _azbatch`
     # start volume