Open OnDemand 4.0 Release

Open OnDemand 4.0 is now available. Thank you to all of the community members who contributed code, suggestions, bug reports, and other assistance across the project.

We especially want to thank:

Leonard Wisniewski, Aday Bujeda, and Michael Reekie at Harvard University: Institute for Quantitative Social Science.

Robin Karlsson and Simon Westersund at CSC - IT Center for Science.

Please see the Acknowledgements section in the release notes for more details on their contributions as well as those of other community members.

Release Overview

This release brings significant enhancements, new features, breaking changes, and dependency updates. Please see the Special Note and Breaking Changes for important notices about this release.

Special Note

We are releasing version 4.0 with four known bugs, two of which are fully related to the Project Manager. The Project Manager is turned off by default, so we hope this impact is minimal. We are actively working on the bug fixes and hope to have a 4.0.1 patch sooner rather than later. See below for more details on the bugs:

  • #4048 The path_selector widget continues to spin even after the directory options are shown. The impacted applications are batch connect apps, such as VS Code, and the Project Manager.

  • #4052 The Project Manager template creation is broken. Only when creating a project from a template do issues arise. Creating a new project works as expected.

  • #4053 The Project Manager icon picker is broken when creating a new project.

  • #4056 The batch connect cards incorrectly display cores. For example, if a user submits a 4 core job, the job will run with 4 cores as selected, but it will only display 1 core. As a reference point for impact, we received one OSC support ticket from our hundreds of users.

Breaking Changes or Changes That May Impact Your Site

  • Autoloading during initialization has been removed.

  • Configurations whitelist and blacklist have been replaced.

  • Batch connect form IDs are now lowercase.

  • All configuration files must be root owned.

  • NavConfig has been removed.

Deprecations

  • POLL_DELAY is replaced by documented configurations.

Dependency Updates

  • Ruby 3.3 for RHEL 8 & 9 Only

  • NodeJS 20

  • Passenger 6.0.23

  • NGINX 1.26.1

  • ondemand-dex 2.41.1

Several Highlights of New Features and Enhancements

  • Support for required announcements and additional support for dismissible announcements.

  • Updates to the file editor interface for a seamless, consistent design.

  • Enhanced XDMoD job efficiency widget with metrics for CPU, memory, and elapsed time.

  • Users can now edit and delete saved settings for interactive applications, which improves control and customization.

  • Interactive application forms can display additional text headers for better guidance.

  • The nginx_clean method now removes PUNs and files for disabled users, which enhances system operations.

Additional Resources

For a detailed list of changes, please refer to our v4.0 Release Notes or consult the Changelog for a complete overview of the release.

We recommend testing the upgrade on development or test environments before applying it to production systems. Please see the Upgrade Instructions for step-by-step upgrade directions.

We extend our heartfelt thanks to all community contributors for their invaluable support in making this release possible.

3 Likes

Open OnDemand 4.0.1 is now available. Thank you to all community members who contributed code, suggestions, bug reports, and other assistance across the project.

Release Overview

This release contains several bug fixes, including the four known bugs from Open OnDemand 4.0.0. For a full list of changes, please see the changelog. To compare versions 4.0.0 and 4.0.1, please see this link.

Bug Fixes from Known 4.0 Bugs

  • The path_selector widget, used in VS Code and the Project Manager, no longer spins indefinitely. Previously, the widget continued to spin even after directory options appeared.

  • The Project Manager template creation now works correctly. Previously, only new projects could be created.

  • The Project Manager’s icon picker now functions as expected. Previously, icons could not be selected for projects.

  • Batch connect cards now accurately display node and core allocations. Previously, they incorrectly showed only 1 core, regardless of the actual submission.

Bug Fixes

  • Native VNC connection tabs now open as expected.

  • The path_selector widget correctly handles files with spaces, resolving URL encoding issues.

  • OnDemand now properly accounts for usernames that are entirely numeric.

  • Usernames with dots (‘.’) can now successfully launch applications.

  • Applications with external URLs now function properly, with the menu bar using the external URL instead of a relative URL. This prevents unsafe redirects in OnDemand.

  • The Files application now properly handles files containing non-UTF-8 characters.

  • Open OnDemand packages now require proc-ps, correcting an issue with sites operating in containerized environments.

Open OnDemand 4.0.2 is now available. Thank you to all community members who contributed code, suggestions, bug reports, and other assistance across the project.

Release Overview

This release includes several bug fixes and usability improvements. For a full list of changes, please see the changelog. To compare versions 4.0.1 and 4.0.2, please see this comparison link.

Bug Fixes

  • File transfer failures now correctly display the error modal.

  • Plugins now load correctly, resolving fatal errors in previous versions.

  • Active navigation link colors now display as expected. Links can be reconfigured to custom colors.

  • bc_desktop sessions now launch with a safer PATH, improving environment issues caused by dbus-launch and Python conflicts.

  • The “Select Path” button in the path_selector widget now responds to internationalization (i18n).

  • Empty title entries in manifest.yml files no longer cause issues in the navigation bar.

  • Clusters with hyphens in their name now correctly respond to dynamic batch connect directives.

Open OnDemand 4.0.3 is now available. Thank you to all community members who contributed code, suggestions, bug reports, and other assistance across the project.

Release Overview

This release includes a critical security fix and a few bug fixes. For a full list of changes, please see the changelog. To compare versions 4.0.2 and 4.0.3, please see this comparison link.

Security

The Path Selector interactive widget was found to be vulnerable to Cross-Site Scripting (XSS) attacks when handling unsafe file names.

This vulnerability has only been patched in versions 4.0.3 and 3.1.11. Open OnDemand versions 3.0.x will remain vulnerable.

If you are unable to upgrade, you can still mitigate this risk by removing the path_selector widget from your interactive applications. To do this, simply edit the application’s form.yml and replace the widget with a basic text_field that does not include search or select capabilities. See documentation on the Path Selector here and editing form.yml files here.

Bug Fixes

  • Shared interactive applications now correctly appear in the left menu panel on the My Interactive Apps page when the navigation bar has been customized.

  • Icons are now cached in the browser to improve response times.

1 Like
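For sites that cannot upgrade to 4.0.3 or 3.1.11 right away, the mitigation in the announcement above starts with knowing which interactive apps still use the widget. The following is an added example, not part of the original post or of Open OnDemand itself: a shell helper that lists every form.yml or form.yml.erb under a directory that has an uncommented path_selector widget. The app names and the sample tree are constructed for the demonstration; pass the directories where your site keeps its interactive apps.

```shell
#!/bin/sh
# Added example (not Open OnDemand code): inventory path_selector usage.

# Print file:line:text for each uncommented path_selector widget under dir $1.
find_path_selector_forms() {
    find "$1" -type f \( -name 'form.yml' -o -name 'form.yml.erb' \) \
        -exec grep -HnE "^[^#]*widget:[[:space:]]*[\"']?path_selector" {} + \
        2>/dev/null || :
}

# Number of distinct form files that still need editing.
count_path_selector_forms() {
    find_path_selector_forms "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree: one affected app, one already mitigated,
# one where the widget is only mentioned in a comment.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/jupyter" "$root/rstudio" "$root/vscode"
    cat > "$root/jupyter/form.yml" <<'EOF'
attributes:
  working_dir:
    widget: "path_selector"
    directory: "/home"
EOF
    cat > "$root/rstudio/form.yml" <<'EOF'
attributes:
  working_dir:
    widget: "text_field"
    label: "Working directory"
EOF
    cat > "$root/vscode/form.yml.erb" <<'EOF'
attributes:
  working_dir:
    # widget: path_selector   (replaced until the upgrade)
    widget: text_field
EOF
    echo "$root"
}

sample=$(make_sample_tree)
find_path_selector_forms "$sample"
echo "forms still using path_selector: $(count_path_selector_forms "$sample")"
rm -rf "$sample"
```

Each reported file is a form where the widget line should be changed to a plain text_field, as the rstudio sample shows.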

Open OnDemand 4.0.5 is available. Thank you to all community members who contributed code, suggestions, bug reports, and other assistance across the project.

Release Overview

This release includes several fixes shown below. For a full list of changes, please see the changelog. To compare versions 4.0.3 and 4.0.5, please see this comparison link.

Changes That May Impact Your Site the Most

  • File Editor Size Limit. The file editor will now only open files that are smaller than a configurable size limit. You can configure the maximum file size that can be opened by setting the OOD_FILE_EDITOR_MAX_SIZE environment variable. The default is 12 MB.
  • Passenger and Metrics Collection. Passenger has been patched for reduced metrics collection due to efficiency impacts found by CSC - IT Center for Science. Previously, all PUNs paused every 5 seconds to collect data. This duration is now configurable through OOD_OVERRIDE_PASSENGER_ANALYTICS_COLLECTION_SLEEP_TIME_SECONDS, which defaults to 30 seconds. Additionally, each PUN operates on its own timer, improving overall system performance. Centers can revert to the previous behavior (synchronizing every 5 seconds) by defining the environment variable OOD_OVERRIDE_PASSENGER_ANALYTICS_COLLECTION_RESTORE_UPSTREAM_BEHAVIOR. Any defined value, even an empty string or false, is interpreted as true.

Added

  • Passenger Telemetry. Passenger telemetry has been disabled by default. If needed, you can re-enable it by setting the passenger_disable_anonymous_telemetry configuration to off in nginx_stage.yml.
  • Encrypted Password Fields. password_field form widgets are now encrypted when stored, enhancing security.

Fixed

  • Job Composer Fix. The Job Composer now correctly handles erroneous input when creating templates, fixing issue #3426.
  • Dashboard Logging Fix. The dashboard’s configuration class now uses $stderr.puts instead of Rails.logger.warn for error logging, as Rails was unavailable in this context, which caused errors.
1 Like

This is great, unfortunately this release is breaking the installation of 4.0.3 when using the ood-ansible project. Please see Version 4.0.3 failed to installed since 4.0.5 has been released · Issue #4428 · OSC/ondemand

Thanks for summarizing the changes!

A small correction to the Passenger metrics collections, for completeness:

  • Passenger has been optimized for collecting metric data.

    • Actually Passenger was badly optimized, and now it has been patched to do less metrics collection, i.e., avoiding work, instead of doing it more efficiently.
  • Centers can restore the previous behavior (synchronizing every 5 seconds) by setting OOD_OVERRIDE_PASSENGER_ANALYTICS_COLLECTION_RESTORE_UPSTREAM_BEHAVIOR to true.

    • Actually, it doesn’t need to be true, but any value is interpreted as “trueish”. Also empty string or false, for example. So be sure to not define this environment variable, if you wish to use the newly added performance improvements (this is the default).

Thanks for those findings, @swesters. I have updated my announcement with your comments.

@xpillons Thanks for bringing this to our attention. I do apologize for this. I have a post coming soon spelling out a workaround and an internal discussion planned next week to prevent this from happening again.

Open OnDemand is currently experiencing dependency resolution issues with Debian and Ubuntu packages following recent version updates. This makes it challenging to install older versions, such as 4.0.2 or 4.0.3, and it affects our Ansible automation since it is not configured to handle this scenario.

The current recommended workaround is to manually install the desired older versions by explicitly specifying the package versions for ondemand, ondemand-nginx, and ondemand-passenger.

For example, to install Open OnDemand version 4.0.3, use:

apt install ondemand=4.0.3 ondemand-nginx=1.26.1.p6.0.23.ood4.0.1 ondemand-passenger=6.0.23.ood4.0.1

Special Note: RHEL packages are not affected by this issue.

We apologize for any inconvenience this may cause and appreciate your patience as we work to improve our release process to prevent this from occurring again.