OnDemand 3.1 release

Hi. We’ve just made the Open OnDemand 3.1.0 release available. We’ve had it installed at OSC for just about a week and have not found any issues, though CSC has found one when using ssh_allow in batch connect applications.

Highlights for this release include:

See the full release notes here for more information. Thank you to everyone who contributed to this release!

https://osc.github.io/ood-documentation/latest/release-notes/v3.1-release-notes.html


To be clear, the bug CSC found pertains to this configuration, ssh_allow.

https://osc.github.io/ood-documentation/latest/installation/cluster-config-schema.html?highlight=ssh_allow#batch-connect

3.1.1 has been released with the bugfix for centers that disable shell connections with ssh_allow.

3.1.4 is generally available with some bug fixes and a few security related fixes.

Fixed

  • The path_selector now responds to labels and can be hidden in 3467.
  • Pinned app icons are now centered correctly in 3374.

Added

  • ood_core now sends heartbeats to noVNC connections to keep them alive in 3467.
  • Batch connect jobs now serialize completed_at attributes in 3467.

Security

  • The files app now uses ActionController::Live to support streaming large files in 3467 preventing out of memory exceptions.
  • The regular expression for mime types has been updated in 3482.

3.1.7 is now generally available with some bug fixes and at least 1 security related fix. Note that the security fix is around leaking secret environment variables so it’s very important to update.

Fixed

  • Logo Images no longer take 100% width.
  • Dynamic batch connect forms now accept fields with numbers like data-hide-gpus-num-v100
  • host_based_profiles now correctly route to the correct server alias

Added/Changed

  • ood_portal.yml now has http_redirect_host to specify the host to redirect to when redirecting from http to https (to support host_based_profiles).
  • Passenger and Nginx have been updated to 6.0.20 and 1.24.0 respectively.
  • Nginx stage commands for cleaning PUNs use ps instead of lsof for performance in containerized environments.

Security

  • The dashboard and job composer now sanitize the environment before submitting jobs. This prevents leaking sensitive environment variables like SECRET_KEY_BASE to the job.

See here for the full changelog: Comparing v3.1.4...v3.1.7 · OSC/ondemand · GitHub

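The 3.1.7 security item above concerns a web process handing its own environment to a submitted job. The following is an added example, not code from Open OnDemand or from the posts in this thread: it shows an allowlist scrub and why the child must also be started with `unsetenv_others`. The allowlist, the function names and the use of `/usr/bin/env` as a stand-in for a scheduler's submit command are assumptions.

```ruby
require "open3"

# Hypothetical allowlist: the only variables the submit command is given.
ALLOWED = %w[PATH HOME USER LOGNAME LANG TZ].freeze

# Keep allowlisted names only; everything else (SECRET_KEY_BASE, database
# URLs, API tokens) is dropped without having to be named.
def scrub_env(env)
  env.select { |name, _value| ALLOWED.include?(name) }
end

# Run /usr/bin/env as a stand-in for the scheduler's submit command and
# return the variable names the child process actually received.
def child_env_names(env, isolate:)
  # Without unsetenv_others, Ruby merges `env` into the parent's
  # environment, so variables missing from `env` are still inherited.
  out, status = Open3.capture2(env, ["/usr/bin/env", "env"],
                               unsetenv_others: isolate)
  raise "child exited with #{status.exitstatus}" unless status.success?
  out.lines.map { |line| line.split("=", 2).first.chomp }.sort
end

# Constructed scenario: a web process holding a secret submits a job.
def demo
  ENV["SECRET_KEY_BASE"] = "constructed-not-a-real-key"
  clean = scrub_env(ENV.to_h)
  { merged: child_env_names(clean, isolate: false),
    isolated: child_env_names(clean, isolate: true) }
ensure
  ENV.delete("SECRET_KEY_BASE")
end

if $PROGRAM_NAME == __FILE__
  result = demo
  puts "merged leaks secret:   #{result[:merged].include?('SECRET_KEY_BASE')}"
  puts "isolated leaks secret: #{result[:isolated].include?('SECRET_KEY_BASE')}"
end
```

Scrubbing the hash alone is not enough: the `merged` run still exposes the secret because the child inherits the parent's environment, while the `isolated` run receives only allowlisted names.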

Open OnDemand 3.1.9 is now available. Thank you to all of the community members who contributed code, suggestions, bug reports, and other assistance across the project.

Release Overview

This release contains a number of security fixes, bugfixes, and optimizations. 3.1.9 is also the first release that supports the Ubuntu 24.04 operating system. Please see the section on Supported Operating Systems for more information.

Security

  • Ping Ponging. Ping ponging in the shell application has been disabled by default. When ping ponging is enabled, the shell connection can stay active for longer than the authentication session. Open OnDemand version 3.1 added this feature, but after unanticipated findings of the shell session continuing after the authentication token expired, we have decided to turn ping ponging off by default. For more information on these new configuration items, please see the documentation here.

Bug Fixes

  • Apache httpd 2.4.62. OnDemand now supports httpd 2.4.62. The latest version of Apache is announced here.
  • Dex and Maintenance Mode. Maintenance mode now correctly works when using Dex for Open OnDemand authentication.
  • Files Successful if Chown Fails. Files now successfully upload to a directory when the setgid bit is set. This is true even if changing the group permissions, or chown, fails.
  • Downloads Disabled for Unix Domain Sockets and FIFOs. The download button for FIFO and socket files has been removed from the dropdown menu. These files were previously failing silently when users attempted to download them. To clear up any confusion, we disabled downloads of these files.
  • User Mapping and At Sign Symbol. Mapping the remote authenticated username to the local system username, ood_user_map, can now account for the “@” symbol in usernames.

Optimizations

  • Quicker Viewing of Directories. The OnDemand server previously converted file sizes to human readable units, causing a noticeable delay in loading the page. In this release, the Open OnDemand client’s browser does the conversion. As a result, viewing directories with many files is now faster.

Changelog

  • Please see the full changelog here.

Special Note

  • 3.1.9 has not yet been installed into production here at OSC. It will be installed in the coming weeks after we internally determine timeout settings for the ping ponging change mentioned above. It is currently installed on our test systems and our team of developers have thoroughly verified it.

Thank you for notifying us of the bugs in 3.1.9 involving the Ubuntu 24.04 build and shell application.

Ubuntu 24.04 was compiled incorrectly on our end. We did not build 24.04 accurately due to versioning oversights on our end. There is no workaround at this time for Ubuntu 24.04 support since 3.1.9 was supposed to be the first version supporting 24.04.

Open OnDemand version 3.1.9, including the shell application, seems to have broken at centers running Apache httpd 2.4.37-56. All RHEL appstream repositories now hold httpd version 2.4.37-65. Apache has vaulted versions below 2.4.37-65 because they no longer provide support.

Two workarounds are highlighted below:

  • Downgrade to the previous version you were running before 3.1.9
  • Update Apache httpd to version 2.4.37-65

We highly recommend updating httpd since the previous versions are vaulted and old versions pose security threats. The version compatible with Open OnDemand 3.1.9 has the most recent security patches not available on versions 2.4.37-56. Please see the patches here and here.

We are working hard to release 3.1.10 to fix these bugs in the coming weeks. We deeply apologize for the inconveniences this is causing.

Open OnDemand 3.1.10 is now generally available. Thank you for your understanding and patience as we quickly worked to fix the bugs from 3.1.9.

Fixed

Open OnDemand now has more specific requirements for Apache httpd on enterprise Linux systems. OnDemand requires at least version 2.4.37-56 for EL8 and at least 2.4.57-8 for EL9. If your Apache version does not meet this requirement, an update to OnDemand 3.1.10 will also upgrade Apache.

Ubuntu 24.04 packages are now built against the correct NodeJs version, correcting a packaging issue in 3.1.9 for that OS.

Please see the full changelog here.
