Open OnDemand 2.0.31 now available

We are pleased to announce the release of Open OnDemand 2.0.

Highlights of Open OnDemand 2.0 include the list below. Please note that there are breaking changes and they’re detailed in the 2.0 Release notes linked below.

  • Pinned Apps: Enhanced app launch interface using large app icons on the dashboard
  • Custom dashboard widgets and layout
  • New File Manager app
  • Tighter integration between the Dashboard, Active Jobs, and Files apps
  • Adding metadata to app manifests
  • Shell app now has themes
  • Configurations in an ondemand.d directory
  • Changes in All Apps page layout
  • ERB formats for Message of the day
  • Control whether an app link opens in a new window using manifest attribute
  • Memcached Ruby gem available for use in apps
  • Dependency updates

Release notes and upgrade information can be found here:

Also note that there may be more patches released in the 2.0 series. Watch the Milestone for 2.0.x
OOD2.0 Patch Release Milestone · GitHub for the upcoming updates to 2.0. You can also watch for releases on Github to get notifications of when releases are made!


Version 2.0.9 is now available and you should upgrade.

Highlights are:

  • A critical bug was fixed in uploading directories. In 2.0.8 the first file uploaded turns into a directory with no executable permissions. The workaround is to chmod on the directory, move and rename the file - or just delete the file and re-upload it.
  • staged_root is now available in the submit.yml.erb context. So you can do something like this, separating stdout and stderr in the submit file:
  error_path: "<%= staged_root %>/error.log"

We’ve found an issue in the file editor zeroing files. Sites with 2.0.x should disable the file-editor by changing permissions on the directory or this file. This will ensure your users don’t accidentally zero out their files when using the file-editor. We’re working on a fix and will post to this announcement once we have one ready.


2.0.10 now public that fixes the file editor bug that zeros out files with non ASCII characters. Sites using 2.0.x version should upgrade as soon as they’re able.

This should be the last critical bug in the 2.0.x release. In the next 2 weeks or so we’ll publish 2.0.11 that should just have minor tweaks for edge cases.

2.0.13 is now public.

It contains a security fix for kuberenetes & Open ID Connect users. kubectl commands ran as root logged to syslog and these entries contain OIDC tokens. If you run kubernetes with OIDC you should upgrade immediately.

It also fixes peer to peer app sharing and the new pinned apps features. Sites that run p2p app sharing will have to pin all the usr apps to have parity with a 1.8- dashboard landing page. App icons no longer show up by default.

Other items of note:

  • OOD_NAVBAR_TYPE correctly uses light
  • File previews now correctly show utf-8 characters
  • Sites can now disable ‘ssh to compute node’ on a per cluster basis (along with the site wide, global setting)
  • Similar to 1.8, 2.0 can now disable shell button in the files app, though the mechanism has changed. It’s no longer controlled through an environment variable, rather a yaml config in ondemand.d files.

Release notes have been updated for these items where they change.

2.0.16 is now publicly available.

It has mostly kuberenetes fixes in ood_core, but also includes a couple of other bug fixes of note:

  • Fixed removing files when allowlists are in place - 1337.
  • Fixed an issue with non US keyboards could not use + keys in the shell app -
  • Sessions stores can now be overridden in 1321.
  • Files app shell buttons now correctly redirect to the given cluster in 1317.
  • Locales now correctly fallback to english in 1314.

2.0.17, a security release, is now publicly available.

The only change/fix in this version is regarding SVG files in the file browser. SVG files may contain malicious javascript, which if viewed in open ondemand, can execute within that page’s context. 2.0.17 will now force the SVG file to be downloaded so users can inspect the file and/or open it in a new context.

Sites running 2.0.X should update as soon as they can. This does not affect versions 1.8 or below.

I’m terribly sorry to do this, but 2.0.17 released yesterday was only a partial fix for insecure svg files.

2.0.17 incorrectly previewed files with extension .SVG (all caps) or a mix of capitalization and lowercase (like .SvG). 2.0.18 now treats all svg extensions the same – forcing the browser to download the file instead of previewing it.

Sites should update to 2.0.18 to ensure their customers don’t open malicious svg files within their site’s context.

Again, this does not affect versions 1.8 or below.

Version 2.0.23 is now available.

Highlights from .20 are

  • Uppy, a javascript dependency to upload files, has been updated to patch NVD - CVE-2020-8205. Though I don’t believe we were affected.
  • Dynamic batch connect bug fixes
  • Bugfix for uploading files when using nondefault umasks.

Here’s the full changelog for more details:

Open OnDemand 2.0.26 is now available. Items of note are

Note that because we released a new passenger version, you’ll have to update everything

yum update ondemand\*

See the full changelog here.

I’ve updated the release of 2.0.26 note above to detail all the security patches related to 2.0.26.

2.0.27 is now available that fixes a bug that was introduced in 2.0.26.

This is the bug that it fixes. For whatever reason, this doesn’t affect OSC systems because the ownership of this directory just rotates.

Open OnDemand 2.0.28 is now available.


  • Support for Ubuntu 18.04 & 20.04 platforms.
  • fujitsu_tcs support.
  • Dex can now be ran behind the apache proxy by setting dex_uri. This means sites can use apache to proxy to dex instead of opening up 5556 or 5554 ports and accessing dex directly.


  • passenger_options can now correctly be used fixing a bug.
  • PUNs environments are now sanitized, removing OIDC and/or other environment variables from pun_root_pre_hook that aren’t necessary.
  • Dex tls_cert and tls_key get correctly set.
  • Interactive jobs now correctly use TurboVNC 3.0+. Previously the now removed -nohttpd option was always given. -nohttpd will now only be used for TurboVNC versions < 3.0.


  • ondemand-dex has been upgraded from 2.27.0 to 2.32.0. Note that ondemand-dex users will need to upgrade this package as well.

See the full changelog for more details.

Open OnDemand 2.0.29 is now available. The biggest change is around our NodeJS dependency. NodeJS 12 has come to end of life for all platforms, so it’s no longer receiving security patches. So we had to upgrade to NodeJS 14 at this time.

Instructions for upgrading are below and we’re updating our automation for the same.


  • The Job Composer now allows for job composer to copy environment. This will use --EXPORT=ALL instead of --EXPORT=NONE for Slurm (the default is NONE) schedulers to use srun during the jobs execution.
  • The job composer can now hide job arrays based on the OOD_HIDE_JOB_ARRAYS environment variable.
  • A new batch connect template - vnc_container has been added to support running batch connect applications in a container (documentation coming soon).


  • Dynamic batch connect settings for minimums and maximums can now apply to multiple items.
  • Dynanic batch connect settings can now use / in the names.
  • SSH to compute node buttons can be disabled when OOD_BC_SSH_TO_COMPUTE_NODE is set to false.


  • We had to upgrade to node js 14 because 12 is end of life on all platforms and will not receive security updates.
  • SHA1 hashes are used instead of MD5 for systems that have enabled FIPS.

See the instructions on upgrading from 2.0.28 to 2.0.29 here:

See the full changelog here:

Open OnDemand 2.0.31 is now available.

This release fixes:

  • The linux host adapter now correctly interacts with apptainer and singularity both. Previous versions do not account for apptainer’s updates and sites that have upgraded to apptainer and use the linux host adapter may find issues specifically around the ability to delete linux host adapter jobs.
  • Using 0s in data-min- or data-max- directives now works correctly.