v3.0 Release Notes
Warning
3.0.2 has security fixes that no prior release has. Any version beyond this will also include these fixes.
There are also some breaking changes in 3.0. See the upgrade directions below for details.
Administrative changes
New Features
Thanks!
We’d like to thank a bunch of folks’ for contributing to this release. As we only know the Github username, that’s what’s being referenced here.
We’d like to thank Harvard for many contributions around layouts
and navigation. Notably, adaybujeda
and whorka
to name a few.
We’d like to thank CSC Finland for contributing remote file browsing.
Specifically robinkar
and CSC-swesters
.
We’d also like to give a big thanks to these folks’ for their first time contributing to Open OnDemand.
Micket
made their first contribution in #1426aebruno
made their first contribution in #1766mayank-agarwal-96
made their first contribution in #1776whorka
made their first contribution in #1854SaumyaBhushan
made their first contribution in #1992davidmonro
made their first contribution in #2091mnakao
made their first contribution in #2194georgiastuart
made their first contribution in #2323covert8
made their first contribution in #2327
If we have missed listing anyone here, please let us know!
Security Fixes
Versions prior to 3.0 are vulnerable to these security related issues:
OOD_ALLOWLIST_PATH
can be circumvented in several scenarios.Users may inject malicious Ruby code into certain user owned ERB files that the system reads.
These have been fixed in version 3.0.2 and up. Thank you to the the team at CSC - IT Center for Science, Finland for disclosing these.
Details of administrative changes
Breaking Changes
Support for Ubuntu 18.04 has been dropped.
Support for Ubuntu 18.04 has been dropped because the platform has upgraded to Ruby on Rails 6.1. This version is not compatible with Ruby 2.5 which is what Ubuntu 18.04 has.
context.json
file locations have changed
This is an internal item to Open OnDemand and not likely to really affect you at all.
In versions 2.0 and below, batch connect apps wrote a context.json file to
a directory like ~/ondemand/data/sys/dashboard/batch_connect/sys/<APPNAME>/context.json
.
OnDemand uses these files to cache the choices a user makes for the next time they
use that app.
Version 3.0 now writes files like ~/ondemand/data/sys/dashboard/batch_connect/cache/<APPNAME>.json
Deprecations
Auto-loading during initialization is deprecated.
This comes from the Ruby on Rails framework that Open OnDemand utilizes. It affects initializers you may have written, for example to Add Shortcuts to Files Menu.
To resolve this, wrap your code in a Rails.application.config.after_initialize
block.
For example, if you have:
# /etc/ood/config/apps/dashboard/initializers/ood.rb
OodFilesApp.candidate_favorite_paths.tap do |paths|
# add User project space directory
paths << FavoritePath.new("/fs/project/#{User.new.name}")
end
You will need to modify that file like so:
# /etc/ood/config/apps/dashboard/initializers/ood.rb
Rails.application.config.after_initialize do
OodFilesApp.candidate_favorite_paths.tap do |paths|
# add User project space directory
paths << FavoritePath.new("/fs/project/#{User.new.name}")
end
end
whitelist & blacklist configurations are deprecated
These configurations have been updated to use more inclusive language.
Configurations that have “whitelist” or “blacklist” in the name have been deprecated in version 3.0 and replaced with “allowlist” or “blocklist” respectively in version 4.0.
The configurations maintenance_ip_whitelist
for configuring maintenance IPs
has been replaced by maintenance_ip_allowlist
.
The WHITELIST_PATH
environment variable for configuring inaccessible paths
in the file browser has been replaced by OOD_ALLOWLIST_PATH
.
ACL configurations in cluster.d
files now use allowlist
and blocklist
instead of whitelist
and blacklist
. However, sites should use
Linux FACLs to control these files instead of relying on these configurations.
Dependency updates
This release updates the following dependencies:
Ruby 3.0
Warning
The change in Ruby version means any Ruby based apps that are not provided by the OnDemand RPM must be rebuilt or supply their own
bin/ruby
to use the older version of ruby.Note
Ruby 2.7 is still supported and used by Ubuntu 20.04.
NodeJS 14
Warning
The change in Node version means any Node based apps that are not provided by the OnDemand RPM must be rebuilt.
Passenger 6.0.14
NGINX 1.20.2
ondemand-dex 2.32.0
OnDemand package now depends on Python 3 instead of Python 2
SELinux changes
The ondemand_use_shell_app
SELinux boolean was removed and replaced with ondemand_use_ssh
that is enabled by default.
The ondemand_use_kubernetes
SELinux boolean was added and is disabled by default.
See the OnDemand SELinux documentation for details
Dex behind Apache reverse proxy by default
Warning
Dex behind the Apache reverse proxy is a behavior change from OnDemand 2.0 where the reverse proxy configuration was optional. This is to improve security as well as allow Apache to provide access logs. If you have opened ports for Dex they can be closed as all traffic to Dex will flow through Apache.
By default Dex now sits behind the Apache reverse proxy.
If you wish to go back to Dex being directly accessed set the following in /etc/ood/config/ood_portal.yml
:
dex_uri: false
Documentation changes
As you may have noticed, we have restructured the documentation in an attempt to group sections more logically. Please reach out if you have further suggestions on improving our documentation in either its content or its organization.
Upgrade directions
Danger
Ensure websockify
version is >= 0.10.0
on the compute nodes in order for desktops to launch correctly after upgrade.
Warning
Update the development or test instances of OnDemand installed at your center first before you modify the production instance.
Warning
The OnDemand upgrade has only been tested going from 2.0.x to 3.0.x.
Update OnDemand release RPM
sudo yum install -y https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm
Enable dependency repositories
RHEL/Rocky 8 only
sudo dnf module reset nodejs sudo dnf module enable nodejs:14 sudo dnf module reset ruby sudo dnf module enable ruby:3.0
Update OnDemand
sudo yum clean all sudo yum update ondemand
(Optional) If using Dex based authentication, update the
ondemand-dex
package.sudo yum update ondemand-dex
Update Apache configuration and restart Apache.
sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
RHEL/Rocky 8 only
sudo systemctl try-restart httpd
RHEL/CentOS 7 only
sudo systemctl try-restart httpd24-httpd.service
(Optional) If
ondemand-dex
was installed, restart theondemand-dex
service.sudo systemctl try-restart ondemand-dex.service
(Optional) If
ondemand-selinux
was installed, see SELinux after UpdatesForce all PUNs to restart
sudo /opt/ood/nginx_stage/sbin/nginx_stage nginx_clean -f
(Optional) Remove old dependencies from prior versions of OOD if they are not used by other applications.
Warning
See Dependency updates warning before uninstalling old Ruby versions.
RHEL/CentOS 7 only
sudo yum remove rh-nodejs12\* rh-ruby27\*
Details of new features
EL9 and Ubuntu 22.04 packages
See Install Software for instructions on how to install OnDemand using the new EL9 and Ubuntu 22.04 packages. 3.0 also has support for EL8, EL7 and Ubuntu 20.04.
Support for Profiles
3.0 adds support for profiles. Profiles are basically distinct
sets of configurations. For example you may have one profile that
only shows applications for the biology
category and nothing
else. You may have another profile that shows all applications.
Users can then toggle between the two different profiles to have
two different views into the same Open OnDemand installation.
See Configuration Profiles for more details.
Support for custom pages
2.0 allowed sites to modify the layout of the dashboard’s landing page.
3.0 extends this by allowing sites to create brand new pages in which sites can modify the layout in the same manner you modify the layout of the landing page.
See Custom Pages for more information.
Automatic Form Options
3.0 ships with some form.yml
options that populate forms automatically. This includes
auto_primary_group
, auto_groups
, auto_accounts
and auto_modules
.
See the section on Automatic Predefined Attributes for all available options.
Support for remote files
3.0 ships with the ability to browse, edit and download remote files from rclone
.
Refer to Accessing Remote File Systems for how to turn this feature on.
Quick Launch Apps
Quick Launch Apps launch with one click and hard coded settings. This allows for sites with common resource requests to hard code those requests into the app such that the user is never presented with the form.
These launch with 1 click from the user and do not allow for choices. I.e., the user is never presented with a form to fill out, the app simply launches when clicked.
See the documentation for Quick Launch Apps for more information.
Deleting old interactive app directories
3.0 provides a mechanism to automatically delete all the directories that interactive
applications create in ~/ondemand/data/sys/dashboard/batch_connect/...
after some
time period. The system provides two options for this: One to enable the feature
altogether and the other is to specify how old a directory must be to be removed.
See the configuration options for removing old directories for more details.
Disabling interactive app versions
Sites can now disable showing interactive application versions through the
hide_app_version
ondemand.d property.
Recently Used Apps widget
In 2.0 we provided a way to change the dashboard layout. Now, in 3.0 there
are more widgets to choose from, namely the recently_used_apps
widget.
This widget will show the last 4 recently used applications. What’s more is, they’re Quick Launch Apps so users only need to click on them to submit the job with the same parameters they used before.
Running Sessions widget
Along with recently_used_apps
widget above, we’re also providing the
sessions
widget which will show the same cards that are shown in the
My Interactive Sessions
page.
This means users who have running interactive applications can now connect to them through the landing page without having to navigate anywhere else.
Displaying Form options
Sites can now display form choices in the resulting connection card.
See Displaying form items in the session card for more information.
Submitting Help tickets
Sites can enable submitting help tickets from interactive cards.
See Support Tickets for more information on how this behaves and how to enable it.