Open OnDemand 2.0.18 now available

We are pleased to announce the release of Open OnDemand 2.0.

Highlights of Open OnDemand 2.0 include the list below. Please note that there are breaking changes and they’re detailed in the 2.0 Release notes linked below.

  • Pinned Apps: Enhanced app launch interface using large app icons on the dashboard
  • Custom dashboard widgets and layout
  • New File Manager app
  • Tighter integration between the Dashboard, Active Jobs, and Files apps
  • Adding metadata to app manifests
  • Shell app now has themes
  • Configurations in an ondemand.d directory
  • Changes in All Apps page layout
  • ERB formats for Message of the day
  • Control whether an app link opens in a new window using manifest attribute
  • Memcached Ruby gem available for use in apps
  • Dependency updates

Release notes and upgrade information can be found here:

Also note that there may be more patches released in the 2.0 series. Watch the Milestone for 2.0.x
OOD2.0 Patch Release Milestone · GitHub for the upcoming updates to 2.0. You can also watch for releases on Github to get notifications of when releases are made!


Version 2.0.9 is now available and you should upgrade.

Highlights are:

  • A critical bug was fixed in uploading directories. In 2.0.8 the first file uploaded turns into a directory with no executable permissions. The workaround is to chmod on the directory, move and rename the file - or just delete the file and re-upload it.
  • staged_root is now available in the submit.yml.erb context. So you can do something like this, separating stdout and stderr in the submit file:
  error_path: "<%= staged_root %>/error.log"

We’ve found an issue in the file editor zeroing files. Sites with 2.0.x should disable the file-editor by changing permissions on the directory or this file. This will ensure your users don’t accidentally zero out their files when using the file-editor. We’re working on a fix and will post to this announcement once we have one ready.


2.0.10 now public that fixes the file editor bug that zeros out files with non ASCII characters. Sites using 2.0.x version should upgrade as soon as they’re able.

This should be the last critical bug in the 2.0.x release. In the next 2 weeks or so we’ll publish 2.0.11 that should just have minor tweaks for edge cases.

2.0.13 is now public.

It contains a security fix for kuberenetes & Open ID Connect users. kubectl commands ran as root logged to syslog and these entries contain OIDC tokens. If you run kubernetes with OIDC you should upgrade immediately.

It also fixes peer to peer app sharing and the new pinned apps features. Sites that run p2p app sharing will have to pin all the usr apps to have parity with a 1.8- dashboard landing page. App icons no longer show up by default.

Other items of note:

  • OOD_NAVBAR_TYPE correctly uses light
  • File previews now correctly show utf-8 characters
  • Sites can now disable ‘ssh to compute node’ on a per cluster basis (along with the site wide, global setting)
  • Similar to 1.8, 2.0 can now disable shell button in the files app, though the mechanism has changed. It’s no longer controlled through an environment variable, rather a yaml config in ondemand.d files.

Release notes have been updated for these items where they change.

2.0.16 is now publicly available.

It has mostly kuberenetes fixes in ood_core, but also includes a couple of other bug fixes of note:

  • Fixed removing files when allowlists are in place - 1337.
  • Fixed an issue with non US keyboards could not use + keys in the shell app -
  • Sessions stores can now be overridden in 1321.
  • Files app shell buttons now correctly redirect to the given cluster in 1317.
  • Locales now correctly fallback to english in 1314.

2.0.17, a security release, is now publicly available.

The only change/fix in this version is regarding SVG files in the file browser. SVG files may contain malicious javascript, which if viewed in open ondemand, can execute within that page’s context. 2.0.17 will now force the SVG file to be downloaded so users can inspect the file and/or open it in a new context.

Sites running 2.0.X should update as soon as they can. This does not affect versions 1.8 or below.

I’m terribly sorry to do this, but 2.0.17 released yesterday was only a partial fix for insecure svg files.

2.0.17 incorrectly previewed files with extension .SVG (all caps) or a mix of capitalization and lowercase (like .SvG). 2.0.18 now treats all svg extensions the same – forcing the browser to download the file instead of previewing it.

Sites should update to 2.0.18 to ensure their customers don’t open malicious svg files within their site’s context.

Again, this does not affect versions 1.8 or below.