Arvados 2.4.3 Release Notes

September 21, 2022

The Arvados team is pleased to announce Arvados 2.4.3. This release includes a security update to PAM authentication. We strongly recommend that installations of Arvados using PAM for authentication upgrade to 2.4.3 as soon as possible. See Upgrading Arvados for upgrade instructions.

In addition, this release includes several performance improvements, usability improvements, and bug fixes.

Security updates

CVE-2022-39238

In Arvados 2.4.2 and earlier, when using PAM authentication, a user who presented valid credentials was still granted access to Arvados even if the account was disabled or otherwise not allowed to access the host. From 2.4.3 onwards, Arvados also checks that the account is permitted to access the host before completing the PAM login process.

Other authentication methods (LDAP, OpenID Connect) are not affected by this flaw.

This vulnerability was reported by “Porcupiney Hairs”.
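
The flaw described above is the gap between checking credentials and checking whether the account may log in. The Go example below is added here as an illustration and is not Arvados source code. It assumes the new check corresponds to PAM's account-management phase; `pamTxn`, `fakeTxn`, `loginAuthOnly` and `loginWithAcctCheck` are hypothetical names, and the interface methods stand in for libpam's pam_authenticate and pam_acct_mgmt.

```go
package main

import (
	"errors"
	"fmt"
)

// pamTxn is a hypothetical stand-in for a PAM transaction. Its two methods
// mirror libpam's pam_authenticate(3) and pam_acct_mgmt(3).
type pamTxn interface {
	Authenticate() error // are the presented credentials valid?
	AcctMgmt() error     // is the account permitted to log in on this host?
}

// fakeTxn is a constructed test double, not a real PAM stack.
type fakeTxn struct{ authErr, acctErr error }

func (f fakeTxn) Authenticate() error { return f.authErr }
func (f fakeTxn) AcctMgmt() error     { return f.acctErr }

var errAcctDisabled = errors.New("account disabled or not permitted on this host")

// loginAuthOnly models the flawed flow: credentials are checked, but the
// account's status on the host is never consulted.
func loginAuthOnly(t pamTxn) error {
	return t.Authenticate()
}

// loginWithAcctCheck models the corrected flow: both phases must succeed
// before the login is accepted.
func loginWithAcctCheck(t pamTxn) error {
	if err := t.Authenticate(); err != nil {
		return fmt.Errorf("authentication failed: %w", err)
	}
	if err := t.AcctMgmt(); err != nil {
		return fmt.Errorf("account check failed: %w", err)
	}
	return nil
}

func main() {
	// Constructed case: correct password, but the account is disabled.
	disabled := fakeTxn{authErr: nil, acctErr: errAcctDisabled}
	fmt.Println("auth only:      ", loginAuthOnly(disabled))
	fmt.Println("with acct check:", loginWithAcctCheck(disabled))
}
```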

New Features

#19464

When a CWL file located in a git checkout is executed or registered with --create-workflow or --update-workflow, Arvados will record information about the git commit and use git describe to generate a version number that is incorporated into the Workflow name.

#19079

On the Workbench 2 search panel, items now have a right-click context menu that lets you open the item in a new tab, so you can visit items without losing your place in the search list.

#19472

The Salt-based Arvados installer now sets up log rotation for the Rails-based API server and Workbench logs.

Bug Fixes

#19368

#19428

Several performance slowdowns and unnecessary overhead observed in the S3-compatible API have been resolved.

#19502

If two or more collections with the same portable data hash (same content) are cached by keep-web, changes made through keep-web will now be applied to the correct collection. Previously, changes would sometimes be applied to a different collection with the same portable data hash.

#19421

Workbench 2 links using “redirectTo” are now recognized as an alias for “redirectToPreview”, so that hyperlinks from 2.4.1 and earlier work again.

#19383

The “Advanced” menu has been renamed “API Details” and the “API Response” tab has been fixed to display the record as intended, instead of “[Object]”.

#19413

Workflows which generate a large number of warnings will no longer update the record once the warning text in runtime status has hit the line limit.

#19454

Arvados-cwl-runner now correctly accepts output parameters in cwl.output.json that use relative references to the files in the output directory.

#19277

Containers with Arvados API access enabled and a local keepstore process (communicating directly with storage) will now have a suitable ARVADOS_KEEP_SERVICES environment variable passed into the container so that tasks inside the container are able to use the local keepstore.

#19414

Fixed a panic in keep-balance when there is an “unachievable” block (referenced by a collection, but not returned by any keepstore index).

#19437

It was observed that containers would sometimes be cancelled with the error “Error inspecting container: ... context deadline exceeded”. We believe this can happen when a host is overloaded, resulting in the Docker daemon being very slow to respond. Arvados will now require three consecutive timeout failures before abandoning the container.