Arvados 2.4.3 Release Notes
September 21, 2022
The Arvados team is pleased to announce Arvados 2.4.3. This release includes a security update to PAM authentication. We strongly recommend that installations of Arvados using PAM for authentication upgrade to 2.4.3 as soon as possible. See Upgrading Arvados for upgrade instructions.
In addition, this release includes several performance improvements, usability improvements, and bug fixes.
Security updates
CVE-2022-39238
In Arvados 2.4.2 and earlier, when using PAM authentication, if a user presented valid credentials but the account was disabled or otherwise not allowed to access the host, the login would still be accepted for access to Arvados. From 2.4.3 onwards, Arvados also checks that the account is permitted to access the host before completing the PAM login process.
Other authentication methods (LDAP, OpenID Connect) are not affected by this flaw.
This vulnerability was reported by “Porcupiney Hairs”.
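As an added audit example (not Arvados code and not part of the original notes): one kind of account matching the description above is a local account whose password still verifies but whose expiry date has passed. The sketch assumes accounts are stored in /etc/shadow format; the function name and the sample entries are constructed for illustration.

```python
import datetime

# Constructed sample in /etc/shadow format (hashes are placeholders, not real).
SAMPLE_SHADOW = """\
alice:$6$placeholder$hashA:19000:0:99999:7:::
bob:$6$placeholder$hashB:19000:0:99999:7::19100:
carol:!$6$placeholder$hashC:19000:0:99999:7::19100:
dave:*:19000:0:99999:7:::
erin:$6$placeholder$hashE:19000:0:99999:7::20000:
"""


def days_since_epoch(day):
    """Shadow files store dates as whole days since 1970-01-01."""
    return (day - datetime.date(1970, 1, 1)).days


def expired_with_usable_password(shadow_text, today):
    """Return names whose password can still verify but whose account has expired.

    These are accounts where a password check alone succeeds and only the
    separate account-validity check rejects the login.
    """
    now = days_since_epoch(today)
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 8:
            continue
        name, pw_hash, expire = fields[0], fields[1], fields[7]
        # A leading "!" or "*" means the password is locked or unusable,
        # so password authentication already fails for that account.
        usable = bool(pw_hash) and pw_hash[0] not in "!*"
        # Field 8 is the account expiry day; empty means "never expires".
        if usable and expire.isdigit() and now >= int(expire):
            hits.append(name)
    return hits


if __name__ == "__main__":
    release_day = datetime.date(2022, 9, 21)
    print(expired_with_usable_password(SAMPLE_SHADOW, release_day))
```

Accounts restricted by other means (for example, host access rules) are outside what this sketch checks.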
New Features
When a CWL file located in a git checkout is executed or registered with --create-workflow or --update-workflow, Arvados will record information about the git commit and use git describe to generate a version number that is incorporated into the Workflow name.
On the Workbench 2 search panel, items now have a right-click context menu that lets you open the item in a new tab, so you can visit items without losing your place in the search list.
The Salt-based Arvados installer now sets up log rotation for the Rails-based API server and Workbench logs.
Bug Fixes
Several performance slowdowns and unnecessary overhead observed in the S3-compatible API have been resolved.
If two or more collections with the same portable data hash (same content) are cached by keep-web, changes made through keep-web will now be applied to the correct collection. Previously, changes would sometimes be applied to a different collection with the same portable data hash.
Workbench 2 links using “redirectTo” are now recognized as an alias for “redirectToPreview”, so that hyperlinks from 2.4.1 and earlier work again.
The “Advanced” menu has been renamed “API Details” and the “API Response” tab has been fixed to display the record as intended, instead of “[Object]”.
Workflows which generate a large number of warnings will no longer update the record once the warning text in runtime status has hit the line limit.
Arvados-cwl-runner now correctly accepts output parameters in cwl.output.json that use relative references to the files in the output directory.
Containers with Arvados API access enabled and a local keepstore process (communicating directly with storage) will now have a suitable ARVADOS_KEEP_SERVICES environment variable passed into the container so that tasks inside the container are able to use the local keepstore.
Fixed a panic in keep-balance when there is an “unachievable” block (referenced by a collection, but not returned by any keepstore index).
It was observed that containers would sometimes be cancelled with the error "Error inspecting container: ... context deadline exceeded". We believe this can happen when a host is overloaded, resulting in the Docker daemon being very slow to respond. Arvados will now require three consecutive timeout failures before abandoning the container.