We are pleased to announce the release of Open OnDemand 2.0.
Highlights of Open OnDemand 2.0 include the list below. Please note that there are breaking changes and they’re detailed in the 2.0 Release notes linked below.
Pinned Apps: Enhanced app launch interface using large app icons on the dashboard
Custom dashboard widgets and layout
New File Manager app
Tighter integration between the Dashboard, Active Jobs, and Files apps
Adding metadata to app manifests
Shell app now has themes
Configurations in an ondemand.d directory
Changes in All Apps page layout
ERB formats for Message of the day
Control whether an app link opens in a new window using manifest attribute
Also note that there may be more patches released in the 2.0 series. Watch the milestone for 2.0.x (OOD2.0 Patch Release Milestone · GitHub) for the upcoming updates to 2.0. You can also watch for releases on GitHub to get notifications of when releases are made!
Version 2.0.9 is now available and you should upgrade.
Highlights are:
A critical bug was fixed in uploading directories. In 2.0.8 the first file uploaded turns into a directory with no executable permissions. The workaround is to chmod on the directory, move and rename the file - or just delete the file and re-upload it.
staged_root is now available in the submit.yml.erb context. So you can do something like this, separating stdout and stderr in the submit file:
We’ve found an issue in the file editor zeroing files. Sites with 2.0.x should disable the file-editor by changing permissions on the directory or this file. This will ensure your users don’t accidentally zero out their files when using the file-editor. We’re working on a fix and will post to this announcement once we have one ready.
2.0.10 is now public and fixes the file editor bug that zeros out files with non-ASCII characters. Sites using a 2.0.x version should upgrade as soon as they’re able.
This should be the last critical bug in the 2.0.x release. In the next 2 weeks or so we’ll publish 2.0.11 that should just have minor tweaks for edge cases.
It contains a security fix for Kubernetes & OpenID Connect users. kubectl commands run as root are logged to syslog and these entries contain OIDC tokens. If you run Kubernetes with OIDC you should upgrade immediately.
It also fixes peer to peer app sharing and the new pinned apps features. Sites that run p2p app sharing will have to pin all the usr apps to have parity with a 1.8- dashboard landing page. App icons no longer show up by default.
Other items of note:
OOD_NAVBAR_TYPE correctly uses light
File previews now correctly show utf-8 characters
Sites can now disable ‘ssh to compute node’ on a per cluster basis (along with the site wide, global setting)
Similar to 1.8, 2.0 can now disable shell button in the files app, though the mechanism has changed. It’s no longer controlled through an environment variable, rather a yaml config in ondemand.d files.
Release notes have been updated for these items where they change.
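For sites auditing logs written before the upgrade, one way to find and redact token-bearing kubectl entries is sketched below. This is an added example, not Open OnDemand code; the sample log lines are constructed, and the JWT-shaped pattern and function names are assumptions, since the post does not show the actual log format.

```ruby
# Added example: locate and redact JWT-shaped OIDC tokens in syslog lines
# that record kubectl invocations. Not part of Open OnDemand.

# A JWT is three base64url segments separated by dots; the header segment
# starts with "eyJ" because it is the base64 encoding of '{"'.
JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/

# Constructed sample lines (assumed format, for illustration only).
SAMPLE_LINES = [
  'Jan 01 00:00:01 web01 sudo: root : COMMAND=/usr/bin/kubectl get pods -n user-alice',
  'Jan 01 00:00:02 web01 sudo: root : COMMAND=/usr/bin/kubectl config set-credentials alice ' \
    '--token=eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl',
  'Jan 01 00:00:03 web01 sshd[100]: Accepted publickey for alice'
].freeze

# Returns the 1-based line numbers of kubectl entries that carry a token.
def lines_with_tokens(lines)
  lines.each_with_index
       .select { |line, _| line.include?('kubectl') && line.match?(JWT_RE) }
       .map { |_, idx| idx + 1 }
end

# Replaces every JWT-shaped string so the entry can be kept without the secret.
def redact(line)
  line.gsub(JWT_RE, '[REDACTED-JWT]')
end

# Returns [redacted_lines, affected_line_numbers] for a whole log.
def scrub_log(lines)
  [lines.map { |l| redact(l) }, lines_with_tokens(lines)]
end

if __FILE__ == $PROGRAM_NAME
  scrubbed, hits = scrub_log(SAMPLE_LINES)
  puts "lines containing tokens: #{hits.inspect}"
  puts scrubbed
end
```

Tokens found this way should be treated as exposed until they expire or are revoked at the identity provider; redacting the log does not invalidate them.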
2.0.17, a security release, is now publicly available.
The only change/fix in this version is regarding SVG files in the file browser. SVG files may contain malicious JavaScript, which if viewed in Open OnDemand, can execute within that page’s context. 2.0.17 will now force the SVG file to be downloaded so users can inspect the file and/or open it in a new context.
Sites running 2.0.X should update as soon as they can. This does not affect versions 1.8 or below.
I’m terribly sorry to do this, but 2.0.17 released yesterday was only a partial fix for insecure svg files.
2.0.17 incorrectly previewed files with extension .SVG (all caps) or a mix of capitalization and lowercase (like .SvG). 2.0.18 now treats all svg extensions the same – forcing the browser to download the file instead of previewing it.
Sites should update to 2.0.18 to ensure their customers don’t open malicious svg files within their site’s context.
Again, this does not affect versions 1.8 or below.
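The difference between the partial fix and the complete one, as an added example that is not Open OnDemand's own code: a case-sensitive extension check next to a normalized one, plus a small regression helper. The function names and the sample filenames are assumptions made for illustration.

```ruby
# Added example: choosing inline preview vs. forced download by file extension.
# Not Open OnDemand source; it only mirrors the behaviour the posts describe.

# Extensions that must never be rendered inline in the site's own origin.
FORCE_DOWNLOAD_EXTS = %w[.svg].freeze

# Case-sensitive comparison: matches ".svg" but lets ".SVG" or ".SvG"
# fall through to inline preview (the gap described for 2.0.17).
def disposition_case_sensitive(filename)
  FORCE_DOWNLOAD_EXTS.include?(File.extname(filename)) ? 'attachment' : 'inline'
end

# Normalized comparison: the extension is lower-cased first, so every
# capitalization of "svg" is forced to download (the 2.0.18 behaviour).
def disposition_normalized(filename)
  ext = File.extname(filename.to_s).downcase
  FORCE_DOWNLOAD_EXTS.include?(ext) ? 'attachment' : 'inline'
end

# Regression helper: returns the SVG-named files a given policy would still
# preview inline. An empty result means the policy has no capitalization gap.
def svg_names_previewed_inline(policy, filenames)
  filenames.select do |name|
    File.extname(name).casecmp?('.svg') && send(policy, name) == 'inline'
  end
end

# Constructed sample filenames.
SAMPLE_FILES = %w[diagram.svg LOGO.SVG chart.SvG notes.txt photo.png].freeze

if __FILE__ == $PROGRAM_NAME
  %i[disposition_case_sensitive disposition_normalized].each do |policy|
    missed = svg_names_previewed_inline(policy, SAMPLE_FILES)
    puts "#{policy}: previewed inline -> #{missed.inspect}"
  end
end
```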
[Fixed in 6.0.14] [CVE-2018-25032] zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
[Fixed in 6.0.14] A use after free memory safety issue was introduced in 6.0.12, and fixed in 6.0.14.
The shell app correctly ignores cluster.d that it cannot read. I.e., sites can correctly limit cluster usage by file permissions on these cluster files.
Note that because we released a new passenger version, you’ll have to update everything.
Dex can now be run behind the apache proxy by setting dex_uri. This means sites can use apache to proxy to dex instead of opening up 5556 or 5554 ports and accessing dex directly.
Fixed
passenger_options can now correctly be used fixing a bug.
PUNs environments are now sanitized, removing OIDC and/or other environment variables from pun_root_pre_hook that aren’t necessary.
Dex tls_cert and tls_key get correctly set.
Interactive jobs now correctly use TurboVNC 3.0+. Previously the now removed -nohttpd option was always given. -nohttpd will now only be used for TurboVNC versions < 3.0.
Changed
ondemand-dex has been upgraded from 2.27.0 to 2.32.0. Note that ondemand-dex users will need to upgrade this package as well.
Open OnDemand 2.0.29 is now available. The biggest change is around our NodeJS dependency. NodeJS 12 has come to end of life for all platforms, so it’s no longer receiving security patches. So we had to upgrade to NodeJS 14 at this time.
Instructions for upgrading are below and we’re updating our automation for the same.
Added
The Job Composer now allows for job composer to copy environment. This will use --EXPORT=ALL instead of --EXPORT=NONE for Slurm (the default is NONE) schedulers to use srun during the jobs execution.
The job composer can now hide job arrays based on the OOD_HIDE_JOB_ARRAYS environment variable.
A new batch connect template - vnc_container has been added to support running batch connect applications in a container (documentation coming soon).
Fixed
Dynamic batch connect settings for minimums and maximums can now apply to multiple items.
Dynamic batch connect settings can now use / in the names.
SSH to compute node buttons can be disabled when OOD_BC_SSH_TO_COMPUTE_NODE is set to false.
Changed
We had to upgrade to NodeJS 14 because 12 is end of life on all platforms and will not receive security updates.
SHA1 hashes are used instead of MD5 for systems that have enabled FIPS.
The linux host adapter now correctly interacts with apptainer and singularity both. Previous versions do not account for apptainer’s updates and sites that have upgraded to apptainer and use the linux host adapter may find issues specifically around the ability to delete linux host adapter jobs.
Using 0s in data-min- or data-max- directives now works correctly.