Azure
Batch compute environments
Use separate Batch pools for head and compute nodes
The default Azure Batch implementation in Seqera Platform uses a single pool for head and compute nodes. This means that all jobs spawn dedicated/on-demand VMs by default. To save cloud costs by using low priority VMs for compute jobs, specify separate pools for head and compute jobs:
- Create two Batch pools in Azure:
  - One Dedicated
  - One Low priority
  Both pools must meet the requirements of a pre-existing pool as detailed in the Nextflow documentation.
- Create a manual Azure Batch compute environment in Seqera Platform.
- In Compute pool name, specify your dedicated Batch pool.
- Specify the Low priority pool using the process.queue directive in your nextflow.config file, either via the launch form or in your pipeline repository's nextflow.config file.
Azure Kubernetes Service (AKS)
... /.git/HEAD.lock: Operation not supported
This error can occur if your Nextflow pod uses an Azure Files-type (SMB) persistent volume as its storage medium. By default, the jgit library used by Nextflow attempts a filesystem link operation which is not supported by Azure Files (SMB).
To avoid this problem, add the following code snippet in your pipeline's Pre-run script field:
cat <<EOT > ~/.gitconfig
[core]
supportsatomicfilecreation = true
EOT
SSL
Problem with the SSL CA cert
This can occur if a tool/library in your task container requires SSL certificates to validate the identity of an external data source. Mount SSL certificates into the container to resolve this issue. See SSL/TLS for more information.
Azure SQL database error: Connections using insecure transport are prohibited while --require_secure_transport=ON
This error is due to Azure's default MySQL behavior, which enforces SSL connections between your server and client application, as detailed in SSL/TLS connectivity in Azure Database for MySQL. To fix this, append useSSL=true&enabledSslProtocolSuites=TLSv1.2&trustServerCertificate=true to your TOWER_DB_URL connection string. For example:
TOWER_DB_URL: jdbc:mysql://mysql:3306/tower?permitMysqlScheme=true&serverTimezone=UTC&useSSL=true&enabledSslProtocolSuites=TLSv1.2&trustServerCertificate=true
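A pre-deployment check for the connection string described above, as an added example (not Seqera's code). It confirms the TLS parameters are present, catches a stray second `?`, and flags that trustServerCertificate=true encrypts the connection without validating the server certificate. The function name and the sample host are hypothetical.

```python
from urllib.parse import parse_qs

# TLS parameters the section above says to append to TOWER_DB_URL.
REQUIRED = {"useSSL": "true", "enabledSslProtocolSuites": "TLSv1.2"}


def check_tower_db_url(url):
    """Return (level, message) findings for a TOWER_DB_URL value."""
    if not url.startswith(("jdbc:mysql://", "jdbc:mariadb://")):
        return [("error", "not a jdbc:mysql:// or jdbc:mariadb:// URL")]
    findings = []
    _, _, query = url.partition("?")
    if "?" in query:
        # A second '?' ends up inside a parameter value, so later settings may be ignored.
        findings.append(("error", "more than one '?'; join parameters with '&'"))
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    for key, want in REQUIRED.items():
        if params.get(key) != want:
            findings.append(("error", f"{key}={want} missing (found {params.get(key)!r})"))
    if params.get("trustServerCertificate", "").lower() == "true":
        findings.append(("warn", "trustServerCertificate=true: traffic is encrypted "
                                 "but the server certificate is not validated"))
    return findings


# Constructed sample values (hypothetical host name), not taken from a real deployment.
SAMPLES = {
    "as_documented": "jdbc:mysql://db.example.internal:3306/tower?permitMysqlScheme=true"
                     "&useSSL=true&enabledSslProtocolSuites=TLSv1.2&trustServerCertificate=true",
    "no_tls_params": "jdbc:mysql://db.example.internal:3306/tower?permitMysqlScheme=true",
    "double_question_mark": "jdbc:mysql://db.example.internal:3306/tower?permitMysqlScheme=true"
                            "?useSSL=true&enabledSslProtocolSuites=TLSv1.2",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, check_tower_db_url(url))
```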
Azure Entra ID / OIDC
When attempting to authenticate via Azure (Entra ID) on Seqera Platform v25.2.3 and below, users fail to log in, and the following error appears in the backend logs:
java.lang.IllegalArgumentException: No enum constant io.micronaut.security.oauth2.endpoint.AuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH
This issue is caused by a change in Azure's supported authentication methods which creates an incompatibility with the OIDC library used in older versions of Seqera Platform.
To resolve this, force the authentication method to client_secret_post by adding the following environment variable to your `tower.env` file or Kubernetes ConfigMap:
MICRONAUT_SECURITY_OAUTH2_CLIENTS_OIDC_OPENID_TOKEN_AUTH_METHOD=client_secret_post