v3.0 Release Notes

Warning

3.0.2 has security fixes that no prior release has. Any version beyond this will also include these fixes.

There are also some breaking changes in 3.0. See the upgrade directions below for details.

Administrative changes

New Features

Thanks!

We’d like to thank a bunch of folks for contributing to this release. As we only know their GitHub usernames, those are what is referenced here.

We’d like to thank Harvard for many contributions around layouts and navigation. Notably, adaybujeda and whorka to name a few.

We’d like to thank CSC Finland for contributing remote file browsing. Specifically robinkar and CSC-swesters.

We’d also like to give a big thanks to these folks for their first-time contributions to Open OnDemand.

  • Micket made their first contribution in #1426

  • aebruno made their first contribution in #1766

  • mayank-agarwal-96 made their first contribution in #1776

  • whorka made their first contribution in #1854

  • SaumyaBhushan made their first contribution in #1992

  • davidmonro made their first contribution in #2091

  • mnakao made their first contribution in #2194

  • georgiastuart made their first contribution in #2323

  • covert8 made their first contribution in #2327

If we have missed listing anyone here, please let us know!

Security Fixes

Versions prior to 3.0 are vulnerable to these security-related issues:

  • OOD_ALLOWLIST_PATH can be circumvented in several scenarios.

  • Users may inject malicious Ruby code into certain user owned ERB files that the system reads.

These have been fixed in version 3.0.2 and up. Thank you to the team at CSC - IT Center for Science, Finland for disclosing these.

Details of administrative changes

Breaking Changes

Support for Ubuntu 18.04 has been dropped.

Support for Ubuntu 18.04 has been dropped because the platform has upgraded to Ruby on Rails 6.1. This version is not compatible with Ruby 2.5, which is the version Ubuntu 18.04 provides.

context.json file locations have changed

This is an internal item to Open OnDemand and not likely to really affect you at all.

In versions 2.0 and below, batch connect apps wrote a context.json file to a directory like ~/ondemand/data/sys/dashboard/batch_connect/sys/<APPNAME>/context.json. OnDemand uses these files to cache the choices a user makes for the next time they use that app.

Version 3.0 now writes files like ~/ondemand/data/sys/dashboard/batch_connect/cache/<APPNAME>.json

Deprecations

Auto-loading during initialization is deprecated.

This comes from the Ruby on Rails framework that Open OnDemand utilizes. It affects initializers you may have written, for example to Add Shortcuts to Files Menu.

To resolve this, wrap your code in a Rails.application.config.after_initialize block.

For example, if you have:

# /etc/ood/config/apps/dashboard/initializers/ood.rb

  OodFilesApp.candidate_favorite_paths.tap do |paths|
    # add User project space directory
    paths << FavoritePath.new("/fs/project/#{User.new.name}")
  end

You will need to modify that file like so:

# /etc/ood/config/apps/dashboard/initializers/ood.rb

  Rails.application.config.after_initialize do
    OodFilesApp.candidate_favorite_paths.tap do |paths|
      # add User project space directory
      paths << FavoritePath.new("/fs/project/#{User.new.name}")
    end
  end

whitelist & blacklist configurations are deprecated

These configurations have been updated to use more inclusive language.

Configurations that have “whitelist” or “blacklist” in the name have been deprecated in version 3.0 and replaced with “allowlist” or “blocklist” respectively in version 4.0.

The configuration maintenance_ip_whitelist for configuring maintenance IPs has been replaced by maintenance_ip_allowlist.

The WHITELIST_PATH environment variable for configuring inaccessible paths in the file browser has been replaced by OOD_ALLOWLIST_PATH.

ACL configurations in cluster.d files now use allowlist and blocklist instead of whitelist and blacklist. However, sites should use Linux FACLs to control these files instead of relying on these configurations.
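A migration check for the renames described above, as an added example that is not part of Open OnDemand or its documentation: it scans configuration text for the deprecated names and suggests the replacement. The sample inputs are constructed, and the env and cluster.d file names are hypothetical.

```ruby
EXACT = { # renames named in these release notes
  "maintenance_ip_whitelist" => "maintenance_ip_allowlist",
  "WHITELIST_PATH"           => "OOD_ALLOWLIST_PATH"
}.freeze
GENERIC = { "whitelist" => "allowlist", "blacklist" => "blocklist" }.freeze
Finding = Struct.new(:file, :line, :old, :suggested)

# Exact rename first, then the generic word swap (upper case is preserved).
def replacement_for(token)
  EXACT.fetch(token) do
    token.gsub(/whitelist|blacklist/i) do |m|
      m == m.upcase ? GENERIC[m.downcase].upcase : GENERIC[m.downcase]
    end
  end
end

# Return one Finding per deprecated token in a file's text. Comment-only
# lines are skipped; trailing comments are cut naively at " #".
def scan_config(file, text)
  text.each_line.with_index(1).flat_map do |raw, lineno|
    line = raw.sub(/\s#.*$/, "")
    next [] if line.lstrip.start_with?("#")
    line.scan(/[A-Za-z_]*(?:whitelist|blacklist)[A-Za-z_]*/i).map do |token|
      Finding.new(file, lineno, token, replacement_for(token))
    end
  end
end

# Constructed sample inputs; names other than ood_portal.yml are hypothetical.
SAMPLES = {
  "/etc/ood/config/ood_portal.yml" => <<~YAML,
    # maintenance_ip_whitelist: old note
    maintenance_ip_whitelist:
      - '192.0.2.10'
  YAML
  "files-app.env (hypothetical)" => <<~ENV,
    WHITELIST_PATH="/home:/fs/project"  # file browser paths
  ENV
  "cluster.d/example.yml (hypothetical)" => <<~YAML
    v2:
      acls:
        - adapter: "group"
          type: "blacklist"
  YAML
}.freeze

def audit(samples = SAMPLES)
  samples.flat_map { |file, text| scan_config(file, text) }
end
audit.each { |f| puts "#{f.file}:#{f.line}: #{f.old} -> #{f.suggested}" } if __FILE__ == $PROGRAM_NAME
```

To check a real installation, replace SAMPLES with a hash of file paths to `File.read` contents for the configuration files your site uses.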

Dependency updates

This release updates the following dependencies:

  • Ruby 3.0

    Warning

    The change in Ruby version means any Ruby based apps that are not provided by the OnDemand RPM must be rebuilt or supply their own bin/ruby to use the older version of Ruby.

    Note

    Ruby 2.7 is still supported and used by Ubuntu 20.04.

  • NodeJS 14

    Warning

    The change in Node version means any Node based apps that are not provided by the OnDemand RPM must be rebuilt.

  • Passenger 6.0.14

  • NGINX 1.20.2

  • ondemand-dex 2.32.0

  • OnDemand package now depends on Python 3 instead of Python 2

SELinux changes

The ondemand_use_shell_app SELinux boolean was removed and replaced with ondemand_use_ssh that is enabled by default.

The ondemand_use_kubernetes SELinux boolean was added and is disabled by default.

See the OnDemand SELinux documentation for details.

Dex behind Apache reverse proxy by default

Warning

Dex behind the Apache reverse proxy is a behavior change from OnDemand 2.0 where the reverse proxy configuration was optional. This is to improve security as well as allow Apache to provide access logs. If you have opened ports for Dex they can be closed as all traffic to Dex will flow through Apache.

By default Dex now sits behind the Apache reverse proxy. If you wish to go back to Dex being directly accessed set the following in /etc/ood/config/ood_portal.yml:

dex_uri: false

Documentation changes

As you may have noticed, we have restructured the documentation in an attempt to group sections more logically. Please reach out if you have further suggestions on improving our documentation in either its content or its organization.

Upgrade directions

Danger

Ensure websockify version is >= 0.10.0 on the compute nodes in order for desktops to launch correctly after upgrade.

Warning

Update the development or test instances of OnDemand installed at your center first before you modify the production instance.

Warning

The OnDemand upgrade has only been tested going from 2.0.x to 3.0.x.

  1. Update OnDemand release RPM

    sudo yum install -y https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm
    
  2. Enable dependency repositories

    RHEL/Rocky 8 only

    sudo dnf module reset nodejs
    sudo dnf module enable nodejs:14
    sudo dnf module reset ruby
    sudo dnf module enable ruby:3.0
    
  3. Update OnDemand

    sudo yum clean all
    sudo yum update ondemand
    
  4. (Optional) If using Dex based authentication, update the ondemand-dex package.

    sudo yum update ondemand-dex
    
  5. Update Apache configuration and restart Apache.

    sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
    

    RHEL/Rocky 8 only

    sudo systemctl try-restart httpd
    

    RHEL/CentOS 7 only

    sudo systemctl try-restart httpd24-httpd.service
    
  6. (Optional) If ondemand-dex was installed, restart the ondemand-dex service.

    sudo systemctl try-restart ondemand-dex.service
    
  7. (Optional) If ondemand-selinux was installed, see SELinux after Updates

  8. Force all PUNs to restart

    sudo /opt/ood/nginx_stage/sbin/nginx_stage nginx_clean -f
    
  9. (Optional) Remove old dependencies from prior versions of OOD if they are not used by other applications.

    Warning

    See Dependency updates warning before uninstalling old Ruby versions.

    RHEL/CentOS 7 only

    sudo yum remove rh-nodejs12\* rh-ruby27\*
    

Details of new features

EL9 and Ubuntu 22.04 packages

See Install Software for instructions on how to install OnDemand using the new EL9 and Ubuntu 22.04 packages. 3.0 also has support for EL8, EL7 and Ubuntu 20.04.

Significant changes to navbar configurations

Significant changes have been made to allow for very granular modification of the navigation bar. At a high level sites can now modify any aspect of the navigation bar.

See Changing the Navigation bar and the subsequent sections for more details.

Support for Profiles

3.0 adds support for profiles. Profiles are basically distinct sets of configurations. For example you may have one profile that only shows applications for the biology category and nothing else. You may have another profile that shows all applications. Users can then toggle between the two different profiles to have two different views into the same Open OnDemand installation.

See Configuration Profiles for more details.

Support for custom pages

2.0 allowed sites to modify the layout of the dashboard’s landing page.

3.0 extends this by allowing sites to create brand new pages in which sites can modify the layout in the same manner you modify the layout of the landing page.

See Custom Pages for more information.

Automatic Form Options

3.0 ships with some form.yml options that populate forms automatically. This includes auto_primary_group, auto_groups, auto_accounts and auto_modules.

See the section on Automatic Predefined Attributes for all available options.

Support for remote files

3.0 ships with the ability to browse, edit and download remote files from rclone. Refer to Accessing Remote File Systems for how to turn this feature on.

Quick Launch Apps

Quick Launch Apps launch with one click and hard coded settings. This allows for sites with common resource requests to hard code those requests into the app such that the user is never presented with the form.

These launch with 1 click from the user and do not allow for choices. I.e., the user is never presented with a form to fill out, the app simply launches when clicked.

See the documentation for Quick Launch Apps for more information.

Deleting old interactive app directories

3.0 provides a mechanism to automatically delete all the directories that interactive applications create in ~/ondemand/data/sys/dashboard/batch_connect/... after some time period. The system provides two options for this: one to enable the feature altogether and the other to specify how old a directory must be to be removed.

See the configuration options for removing old directories for more details.

Disabling interactive app versions

Sites can now disable showing interactive application versions through the hide_app_version ondemand.d property.

Recently Used Apps widget

In 2.0 we provided a way to change the dashboard layout. Now, in 3.0 there are more widgets to choose from, namely the recently_used_apps widget.

This widget will show the last 4 recently used applications. What’s more, they’re Quick Launch Apps, so users only need to click on them to submit the job with the same parameters they used before.

Running Sessions widget

Along with the recently_used_apps widget above, we’re also providing the sessions widget, which will show the same cards that are shown in the My Interactive Sessions page.

This means users who have running interactive applications can now connect to them through the landing page without having to navigate anywhere else.

Displaying Form options

Sites can now display form choices in the resulting connection card.

See Displaying form items in the session card for more information.

Submitting Help tickets

Sites can enable submitting help tickets from interactive cards.

See Support Tickets for more information on how this behaves and how to enable it.