Customizations — Open OnDemand 3.1.0 documentation (2024)

Tip

Check out the PUN environment for an overview of how environment variables can beadded.

Announcements¶

To add an announcement message that appears at the top of the dashboard you can create a file at /etc/ood/config/announcement.(md|yml) or /etc/ood/config/announcements.d/any_file_name.(md|yml).

On each request the dashboard will check for the existence of this file. If it exists, the contents will be converted using markdown converter to HTML and displayed inside a bootstrap alert.

For example, if I create an announcement.md file with the contents:

**NOTICE:** There will be a two day downtime on February 21-22, 2017. OSCOnDemand will be unavailable during this period. For details, please visit[http://bit.ly/2jhfyh7](http://bit.ly/2jhfyh7).

the user would see this message at the top of the dashboard:

If the announcement file has the extension yml and is a yaml file it is first rendered using ERB and then the resulting file is parsed as YAML. The valid keys are:

Because the announcement is rendered via ERB you can do some interesting things, like stop showing the announcement past a specified date:

type: warningmsg: | <% if Time.now < Time.new(2018, 9, 24, 12, 0, 0) %> A **Ruby Partial Downtime** for 4 hours on Monday, September 24 from 8:00am to 12:00pm will prevent SSH login to Ruby nodes and and Ruby VDI sessions. <% end %>

Message of the Day (MOTD)¶

You can configure the Dashboard to display the /etc/motd file on the front page - the same file that is displayed when ssh-ing to a login node.

To display a MOTD file on the Dashboard ensure that the environment variables $MOTD_PATH and $MOTD_FORMAT are set, where

MOTD_PATH="/etc/motd" # this supports both file and RSS feed URIsMOTD_FORMAT="txt" # markdown, txt, rss, markdown_erb, txt_erb

We recommend setting this in /etc/ood/config/apps/dashboard/env.

Branding¶

You can customize the logo, favicon, title, and navbar colors of OnDemand.

We recommend setting these values using the OnDemand configuration properties.Currently only the dashboard uses the colors in the navbar.

custom_css_files: ["/myfolder/custom-branding.css"]

Overriding Pages¶

Open OnDemand is built with Ruby on Rails which uses partialsto build the web pages that are ultimately served to the clients.

All partials are held within dashboard’s views folder. Theseare the default partials that get distributed when you installthe package.

Open OnDemand provides a facility to override any of these partialpages by supplying new files in /etc/ood/config/apps/dashboard/views.

Let’s look at an example where a center can provide a different,specialized, footer for the bottom of the page. Overriding thepartial that has been distributed.

First, you would need to find the original partial that is beingdistributed.

We can find this file’s location at layouts/_footer.html.erb(relative to the dashboard’s views folder).

To override it, we simply provide a new file of the same nameand path in the /etc/ood/config/apps/dashboard/views folder.

So, the full file path would be /etc/ood/config/apps/dashboard/views/layouts/_footer.html.erb.By providing a simple html file like the one below, placed in the location in theprevious sentence, your center has now provided a different footer than the onedistributed by the Open OnDemand package.

<div class="text-center h-5 my-3" > My center's custom footer.<div>

Add URLs to Help Menu¶

These URLs can be specified, which will appear in the Help menu and on other locations of the Dashboard. We recommend setting this in /etc/ood/config/apps/dashboard/env.

Since OnDemand 2.1, custom links can be added to the Help menu using the configuration property help_menu.Links will be inserted at the end of the core links already included in the menu by the OnDemand codebase.

help_menu supports all the link definitions developed for the custom navigation configuration.For more information on how to create custom links, see for example adding urls to menus.

For information about how to configure properties, see the OnDemand configuration documentation.

help_menu: - group: "Documentation" - title: "Jupyter Docs" icon: "fas://book" url: "https://mydomain.com/path/jupyter" - title: "Support Docs" icon: "fas://book" url: "https://mydomain.com/path/support/docs" - group: "Custom Pages" - page: "rstudio_guide" title: "RStudio Guide" icon: "fas://window-restore" - group: "Profiles" - profile: "team1" title: "Team 1" icon: "fas://user"

Add Shortcuts to Files Menu¶

The Files menu by default has a single link to open the Files app in the user’sHome Directory. More links can be added to this menu, for Scratch space andProject space directories.

Adding more links currently requires adding a custom initializer to theDashboard app. Ruby code is placed in the initializer to add one or more RubyFavoritePath (or Pathname for backwards compatibility) objects to the OodFilesApp.candidate_favorite_paths array, aglobal attribute that is used in the Dashboard app.

FavoritePath is instantiated with a single String or Pathname argument, thedirectory path, and with an optional keyword argument title specifying ahuman readable title for that path.

Start by creating the file/etc/ood/config/apps/dashboard/initializers/ood.rb as such:

# /etc/ood/config/apps/dashboard/initializers/ood.rbRails.application.config.after_initialize do OodFilesApp.candidate_favorite_paths.tap do |paths| # add project space directories projects = User.new.groups.map(&:name).grep(/^P./) paths.concat projects.map { |p| FavoritePath.new("/fs/project/#{p}") } # add User scratch space directory paths << FavoritePath.new("/fs/scratch/#{User.new.name}") # Project scratch is given an optional title field paths.concat projects.map { |p| FavoritePath.new("/fs/scratch/#{p}", title: "Scratch") } endend

• The variable paths is an array of FavoritePath objects that define a listof what will appear in the Dashboard menu for Files

• At OSC, the pattern for project paths follows/fs/project/project_name. So above we:

  1. get an array of all user’s groups by name

  2. filter that array for groups that start with P (i.e., PZS0002,PAW0003, …)

  3. using map we turn this array into an array of FavoritePath objects toall the possible project directories the user could have.

  4. extend the paths array with this list of paths

• For possible scratch space directories, we look for either/fs/scratch/project_name or /fs/scratch/user_name

• Additionally project scratch directories have a ‘title’ attribute and willwith in the dropdown with both the title and the path.

On each request, the Dashboard will check for the existence of the directoriesin OodFilesApp.candidate_favorite_paths array and whichever directoriesexist and the user has access to will appear as links in the Files menu underthe Home Directory link.

• You must restart the Dashboard app to see a configuration change take effect.This can be forced from the Dashboard itself by selectingHelp → Restart Web Server from the top right menu.

If you access the Dashboard, and it crashes, then you may have made a mistakein ood.rb file, whose code is run during the initialization of the Railsapp.

Configuration Profiles¶

Configuration properties can be organized in a hierarchy using profiles. With profiles,administrators can create different configuration settings within the same OnDemand installation.A profile can be pre-selected or dynamically changed while using the Dashboard application.

To define profile properties, we have to group them under a profile name within the profiles keyword.Multiple profiles can be created using different files, the configurationlogic will aggregate all profiles into a single consolidated object.

profiles: profile_name: config_property: config_value

OnDemand uses an inheritance and override approach for profiles.The root profile is the default profile created by the system based on all the properties definedoutside any profile definition. All other profiles will inherit these values.

Then, profile properties can override these values or define new ones as required.

The example below shows how the root profile defines a value for pinned_apps and pinned_apps_menu_length properties.The rstudio_group profile inherits the property value for pinned_apps_menu_length,and overrides the value for pinned_apps. As well, it defines a value for the property pinned_apps_group_by.

pinned_apps: [sys/*]pinned_apps_menu_length: 10profiles: rstudio_group: pinned_apps: [sys/rstudio] pinned_apps_group_by: "department"

profile_links: - group: "Profiles" - profile: "" title: "Root Profile" icon: "fas://cog" - profile: rstudio_group title: "Rstudio Profile" icon: "fas://user" - profile: jupyter_group title: "Jupiter Profile" icon: "fas://user"

profiles: www.ondemand.com: config_property: config_value

profiles: www.production.com: &production_profile # Anchor definition config_property: config_value config_property: config_value config_property: config_value www.local.com: *production_profile # Defining an alias to the previously set anchor. www.test.com: *production_profile www.staging.com: *production_profile

Changing the Navigation bar¶

There are a couple ways to change the navigation bar in Open OnDemand, someare simpler than others.

This section provides the outline of how the navigation bar is generated to beginwith, then details the various ways to modify it.

Once you understand how the navigation bar is generated automatically,you can take steps to custimize it as you see fit.

# 'nav_bar' is the left side of the navigation bar.nav_bar: # 'apps' dropdown menu is shown if you've set 'pinned_apps'. - apps - files - jobs - clusters - interactive apps - my interactive sessions # 'all apps' is disabled by default, but would be next if you set 'show_all_apps_link'. # - all apps# 'help_bar' is the right side of the navigation bar.help_bar: - develop - help - user - logout

nav_bar: - "interactive apps"

nav_bar: - "all_apps" - "apps" - "sessions" - "develop" - "help" - "log_out" - "user"

nav_bar: - title: "My Apps" icon: "fas://window-restore" apps: - "sys/Rstudio/*" - "sys/bc_desktop"

nav_bar: - title: "My Apps" icon: "fa://code" links: - "sys/Rstudio/*" - "sys/bc_desktop"

nav_bar: - title: "My Apps" icon: "fa://code" links: - group: "RStudio" - "sys/Rstudio/*" - group: "Remote" - "sys/bc_desktop"

nav_bar: # Single top level link - title: "Title" icon: "fa://desktop" # optional, defaults to fas://cog profile: "team1" new_tab: true # optional, defaults to false # Dropdown menu - title: "Menu Item" links: - title: "Title" icon: "fa://desktop" # optional, defaults to fas://cog profile: "team1" new_tab: true # optional, defaults to false

nav_bar: # Single top level link - title: "Title" icon: "fa://desktop" # optional, defaults to fas://cog page: "documentation" new_tab: true # optional, defaults to false # Dropdown menu - title: "Menu Item" links: - title: "Title" icon: "fa://desktop" # optional, defaults to fas://cog page: "documentation" new_tab: true # optional, defaults to false

nav_bar: # Single top level link - title: "Title" icon: "fa://desktop" # optional, defaults to fas://cog url: "/docs" new_tab: true # optional, defaults to false # Dropdown menu - title: "Menu Item" links: - title: "Title" icon: "fa://desktop" # optional, defaults to fas://cog url: "https://openondemand.org/" new_tab: true # optional, defaults to false

Interactive Apps Menu¶

To define a custom interactive apps menu, use the configuration property interactive_apps_menu.The custom menu will replace the Interactive Apps left hand side navigation in theInteractive Apps and My Interactive Sessions pages.

interactive_apps_menu property supports a single navigation item. How to configure navigation items is described in theCustom Dashboard Navbar section

interactive_apps_menu: title: "Custom Apps" links: - group: "Desktop" - apps: "sys/bc_desktop" - group: "Servers" - apps: "sys/Rstudio/*"

Set Upload Limits¶

By default, the file size upload limit is 10737420000 bytes (~10.7 GB).

If you want set this to a lower value, set the FILE_UPLOAD_MAX configurationin the file apps’ configuration file /etc/ood/config/apps/dashboard/env.

If you want to set it to a higher value set nginx_file_upload_maxin /etc/ood/config/nginx_stage.yml to the desired value. If you haveFILE_UPLOAD_MAX set from above, unset it.

If the values differ, the files app will choose the smaller of the two as the maximumupload limit.

If you want to disable file upload altogether, set FILE_UPLOAD_MAX to 0 and leavethe nginx_file_upload_max configuration alone (or comment it out so the defaultis used).

Set Download Limits¶

By default, the maximum file download size is 10.7 GB (10737418240 bytes).If you wish to change this, you can set the OOD_DOWNLOAD_DIR_MAX configuration environmentvariable in the /etc/ood/config/apps/dashboard/env file to the desired value in bytes.

For example, to set the limit to 5 GB, you can add the following line to the /etc/ood/config/apps/files/env file:

OOD_DOWNLOAD_DIR_MAX=5368709120

Note that this will limit the download size for all users of the Open OnDemand instance.

Block or Allow Directory Access¶

By default, all directories are open and accessible through Open OnDemand (barring POSIX file permissions. Open OnDemandcan never read files the user cannot read).

By setting a colon delimited OOD_ALLOWLIST_PATH environment variable, the Job Composer, File Editor, and Files apprespect the allowlist in the following manner:

1. Users will be prevented from navigating to, uploading, downloading, viewing, or editing files that are not an eventual child of the allowlisted paths

2. Users will be prevented from copying a template directory from an arbitrary path in the Job Composer if the arbitrary path that is not an eventual child of the allowlisted paths

3. Users should not be able to get around this using symlinks

We recommend setting this environment variable in /etc/ood/config/nginx_stage.yml as a YAML mapping (key value pairs) in the mapping (hash/dictionary) pun_custom_env i.e. below would a list that allows access to home directories, project space, and scratch space at OSC:

pun_custom_env: OOD_ALLOWLIST_PATH: "/users:/fs/project:/fs/scratch"

Disabling Users¶

You can use the nginx stage configuration for disabling usersto disable access to specific users based on the users’ default shell.

For example you could disable access to Open OnDemand for any user with the /usr/bin/falsedefault shell.

Set Default SSH Host¶

In /etc/ood/config/apps/shell/env set the env var OOD_DEFAULT_SSHHOST to change the default ssh host.Since 1.8, there is no out of the box default (in previous versions it was ‘localhost’, but this has been removed).

This will control what host the shell app ssh’s to when the URL accessed is /pun/sys/shell/ssh/default which is the URL other apps will use (unless there is context to specify the cluster to ssh to).

Since 1.8 you can also set the default ssh host in the cluster configuration as well. Simply adddefault=true attribute to the login section like the example below.

# /etc/ood/config/clusters.d/my_cluster.yml---v2: metadata: title: "My Cluster" login: host: "my_cluster.my_center.edu" default: true

Set SSH Allowlist¶

In 1.8 and above we stopped allowing ssh access by default. Now you have explicitly setwhat hosts users will be allowed to connect to in the shell application.

Every cluster configuration with v2.login.host that is not hidden (it hasv2.metadata.hidden attribute set to true) will be added to this allowlist.

To add other hosts into the allow list (for example compute nodes) add the configurationOOD_SSHHOST_ALLOWLIST to the /etc/ood/config/apps/shell/env file.

This configuration is expected to be a colon (:) separated list of GLOBs.

Here’s an example of of this configuration with three such GLOBs that allow for shellaccess into any compute node in our three clusters.

# /etc/ood/config/apps/shell/envOOD_SSHHOST_ALLOWLIST="r[0-1][0-9][0-9][0-9].ten.osc.edu:o[0-1][0-9][0-9][0-9].ten.osc.edu:p[0-1][0-9][0-9][0-9].ten.osc.edu"

Set OOD SSH Port¶

As of version 2.1 you are allowed to configure a non-standard ssh port.

To change the ssh port for submitting jobs in OOD, you need to add the configurationOOD_SSH_PORT to the /etc/ood/config/apps/dashboard/env file.

Here’s an example of of this configuration.

# /etc/ood/config/apps/dashboard/envOOD_SSH_PORT="2222"

Shell App SSH Command Wrapper¶

Since OOD 1.7 you can use an ssh wrapper script in the shell application instead of just the ssh command.

This is helpful when you pass add additional environment variable through ssh (-o SendEnv=MY_ENV_VAR) or ensure some ssh command options be used.

To use your ssh wrapper configure OOD_SSH_WRAPPER=/usr/bin/changeme to point to your script in /etc/ood/config/apps/shell/env. Also be sure to make your script executable.

Here’s a simple example of what a wrapper script could look like.

#!/bin/bashargs="-o SendEnv=MY_ENV_VAR"exec /usr/bin/ssh "$args" "$@"

Fix Unauthorized WebSocket Connection in Shell App¶

If you see a 401 error when attempting to launch a Shell app session, where the request URL starts with wss:// and the response header includes X-OOD-Failure-Reason: invalid origin, you may need to set the OOD_SHELL_ORIGIN_CHECK configuration option.

There is a security feature that adds proper CSRF protection using both the Origin request header check and a CSRF token check.

The Origin check uses X-Forwarded-Proto and X-Forwarded-Host that Apache mod_proxy sets to build the string that is used to compare with the Origin request header the browser sends in the WebSocket upgrade request.

In some edge cases this string may not be correct, and as a result valid WebSocket connections will be denied. In this case you can either set OOD_SHELL_ORIGIN_CHECK env var to the correct https string, or disable the origin check altogether by setting OOD_SHELL_ORIGIN_CHECK=off (or any other value that does not start with “http”) in the /etc/ood/config/apps/shell/env file.

Either way the CSRF token will still provide protection from this vulnerability.

# /etc/ood/config/apps/shell/env# to disable it, just configure it with something that doesn't start with httpOOD_SHELL_ORIGIN_CHECK='off'# to change it simply specify the http(s) origin you want to verify against.OOD_SHELL_ORIGIN_CHECK='https://my.other.origin'

Custom Job Composer Templates¶

Below explains how job templates work for the Job Composer and how you can add your own. Here is an example of the templates we use at OSC for the various clusters we have

name: A Template Namehost: rubyscript: ruby.shnotes: Notes about the template, such as content and function.

Job Composer Script Size Limit¶

Since 1.7 the Job composer shows users ‘Suggested file(s)’ and ‘Other valid file(s)’. Other valid files are_any_ files less than OOD_MAX_SCRIPT_SIZE_KB which defaults to 65 (meaning 65kb).

To reconfigure this, simply set the environment variable in the job composers’ env file/etc/ood/config/apps/myjobs/env like so:

# show any file less than or equal to 15 kbOOD_MAX_SCRIPT_SIZE_KB=15

Hiding Job Arrays¶

When composing a new job, the job arrays field is shown on supported clusters. To Hide this field even onsupported clusters, an option was added.

To reconfigure this, simply set the environment variable in the job composers’ env file/etc/ood/config/apps/myjobs/env like so:

# Don't show job arrays field even on supported clustersOOD_HIDE_JOB_ARRAYS=True

Custom Error Page for Missing Home Directory on Launch¶

Some sites have the home directory auto-create on first ssh login, for examplevia pam_mkhomedir.so. This introduces a problem if users first access the systemthrough OnDemand, which expects the existence of a user’s home directory.

In OnDemand <= 1.3 if the user’s home directory was missing a non-helpful singlestring error would display. Now a friendly error page displays. This error pagecan be customized by adding a custom one to /etc/ood/config/pun/html/missing_home_directory.html.

The default error page looks like this:

An example of a custom error page has been provided at /opt/ood/nginx_stage/html/missing_home_directory.html.example.pam_mkhomedir and can be copied to /etc/ood/config/pun/html/missing_home_directory.html. This example directs the user to first click a link to open the shell app which will create the home directory. The shell app’s default host must be configured to be a host that is appropriate for this purpose. The custom error page looks like this:

See this Discourse discussion for details.

Pinning Applications to the Dashboard¶

In version 2.0 you can now pin app Icons to the dashboard that link to the application form.

When configured a widget like the one below will appear on the dashboard’s landing page.

The configuration for what apps to pin allows for three variants.

You can configure specific apps with a string of the type router/app_name.For example sys/jupyter is the system installed app named jupyter.

Secondly you can configure globs like sys/* to pin all system installed apps. OrMaybe sys/minimal_* to pin all system installed apps that begin with ‘minimal’.

Lastly you can choose to pin apps based off of fields in their manifest.yml file.You can match by type, category, subcategory and metadata fields. These matches arecumulative. Meaning an app has to match all of these to be pinned. In the examples belowthere is a configuration of type sys and category minimal. This configuration will only pinsystem installed apps that are in the minimal category. An app has to meet both thesecriteria to be pinned to the dashboard.

Full examples are below:

# /etc/ood/config/ondemand.d/ondemand.ymlpinned_apps: - sys/jupyter # pin a specific system installed app called 'jupyter' - sys/bc_desktop/desk1 # pinned desktop app must contain exact desktop name - 'desk1' - 'sys/*' # pin all system install apps. This also works for usr/* and dev/* - category: 'minimal' # pin all the apps in the 'minimal' category - type: sys # pin all system installed apps in the minimal category. category: 'minimal' # pin all system installed apps in the minimal category and the # class instruction subcategory - type: sys category: 'minimal' subcategory: 'class_instruction' # pin all system installed apps in the minimal category, the # class instruction subcategory and the metadata field 'field_of_science' # with an exact match on biology - type: sys category: 'minimal' subcategory: 'class_instruction' field_of_science: 'biology' # pin any app with an exact match on the metadata field_of_science of biology - field_of_science: 'biology' # pin any app with an glob match *bio* on the metadata field_of_science - field_of_science: '*bio*'

Administrators can also configure the pinned apps to be grouped by any fieldin the manifest.yml including metadata fields with the pinned_apps_group_byconfiguration.

This will create a row and a heading for each group like so (the image was generatedfrom grouping by category):

One can also change the menu length in the ‘App’s menu item. If you’vepinned more than 6 apps and you want to them to show up in this dropdownlist, simply increase the length with the option below.

# /etc/ood/config/ondemand.d/ondemand.ymlpinned_apps_menu_length: 6 # the default number of items in the dropdown menu listpinned_apps_group_by: category # defaults to nil, no grouping

tile: title: "Custom Title" icon: fa://desktop border_color: "red" sub_caption: | Custom Text Line 1 Text Line 2 Text Line 3

Custom layouts in the dashboard¶

Administrators can now customize what widgets appear on the dashboard and how they’relayed out on the page.

In it’s simplest form this feature allows for a rearrangement of existing widgets. Asof 2.1 the existing widgets are:

• pinned_apps - Pinned Apps described above

• recently_used_apps - the four most recently used interactive applications.Launching these applications will start a new interactive session with the previously submitted parameters.

• sessions - the three most recent active interactive sessions

• motd - the Message of the Day

• xdmod_widget_job_efficiency - the XDMoD widget for job efficiency

• xdmod_widget_jobs - the XDMoD widget for job information

This feature also allows for administrators to add custom widgets.Simply drop new files into /etc/ood/config/apps/dashboard/views/widgets and reference themin the configuration. These partial files can be any format Rails recognizes, notably .html or.html.erb extensions.

Also if you use subdirectories under widgets, they can be referenced by relative paths. For exampleviews/widgets/cluster/_my_cluster_widget.html.erb would be referenced in the configurationas cluster/my_cluster_widget.

Without setting this configuration, the dashboard will arrange itself depending on what features areenabled. For example if both pinned apps and XDMoD features are enabled it will arrange itself accordinglybased on a default layout.

Here’s the default configuration when all of these features are enabled.

# /etc/ood/config/ondemand.d/ondemand.ymldashboard_layout: rows: - columns: - width: 8 widgets: - pinned_apps - motd - width: 4 widgets: - xdmod_widget_job_efficiency - xdmod_widget_jobs

rows are an array of row elements. Each row element has a columns field which is an arraycolumn elements. Each column element two fields. A width field that specifies the width in thebootstrap grid layout which defaults to 12 columns in total. It also has a widgets field whichis an array of existing or newly added widgets to render in that column.

Customize Text in OnDemand¶

Using Rails support for Internationalization (i18n), we have internationalized many strings in the Dashboard and the Job Composer apps.

Initial translation dictionary files with defaults that work well for OSC and using the English locale (en) have been added (/var/www/ood/apps/sys/dashboard/config/locales/en.yml and /var/www/ood/apps/sys/myjobs/config/locales/en.yml). Sites wishing to modify these strings in order to provide site specific replacements for English, or use a different locale altogether, should do the following:

1. Copy the translation dictionary file (or create a new file with the same structure of the keys you want to modify) to /etc/ood/config/locales/en.yml and modify that copy.

2. If you want apps to look for these dictionary files in a different location than /etc/ood/config/locales/en.yml you can change the location by defining OOD_LOCALES_ROOT environment variable.

3. The default locale is “en”. You can use a custom locale. For example, if you want the locale to be French, you can create a /etc/ood/config/locales/fr.yml and then configure the Dashboard to use this locale by setting the environment variable OOD_LOCALE=fr where the locale is just the name of the file without the extension. Do this in either the nginx_stage config or in the Dashboard and Job Composer env config file.

In each default translation dictionary file the values that are most site-specific (and thus relevant for change) appear at the top.

en: dashboard: welcome_html: | %{logo_img_tag} <p class="lead">OnDemand provides an integrated, single access point for all of your HPC resources.</p> motd_title: "Message of the Day"

Disk Quota Warnings on Dashboard¶

You can display warnings to users on the Dashboard if theirdisk quota is nearing its limit. This requires an auto-updated (it isrecommended to update this file every 5 minutes with a cronjob) JSON filethat lists all user quotas. The JSON schema for version 1 is given as:

{ "version": 1, "timestamp": 1525361263, "quotas": [ {}, {} ]}

Where version defines the version of the JSON schema used, timestampdefines when this file was generated, and quotas is a list of quota objects(see below).

You can configure the Dashboard to use this JSON file (or files) by setting theenvironment variable OOD_QUOTA_PATH as a colon-delimited list of all JSONfile paths in the /etc/ood/config/apps/dashboard/env file. In addition topointing to files OOD_QUOTA_PATH may also contain HTTP(s) or FTP protocolURLs. Colons used in URLs are correctly handled and are not treated as delimiters.

The default threshold for displaying the warning is at 95% (0.95), but thiscan be changed with the environment variable OOD_QUOTA_THRESHOLD.

An example is given as:

# /etc/ood/config/apps/dashboard/envOOD_QUOTA_PATH="/path/to/quota1.json:https://example.com/quota2.json"OOD_QUOTA_THRESHOLD="0.80"

{ "type": "user", "block_limit": 5000000, "file_limit": 1000000, "path": "/path/to/volume2", "total_block_usage": 400000, "total_file_usage": 1000, "user": "user1"}

{ "type": "fileset", "user": "user1", "path": "/path/to/volume2", "block_usage": 500, "total_block_usage": 1000, "block_limit": 2000, "file_usage": 1, "total_file_usage": 5, "file_limit": 10}

Balance Warnings on Dashboard¶

You can display warnings to users on the Dashboard if theirresource balance is nearing its limit. This requires an auto-updated (it isrecommended to update this file daily with a cronjob) JSON filethat lists all user balances. The JSON schema for version 1 is given as:

{ "version": 1, "timestamp": 1525361263, "config": { "unit": "RU", "project_type": "project" }, "balances": [ {}, {} ]}

Where version defines the version of the JSON schema used, timestampdefines when this file was generated, and balances is a list of quota objects(see below).

The value for config.unit defines the type of units for balances andconfig.project_type would be project, account, or group, etc.Both values are used in locales and can be any string value.

You can configure the Dashboard to use this JSON file (or files) by setting theenvironment variable OOD_BALANCE_PATH as a colon-delimited list of all JSONfile paths.

The default threshold for displaying the warning is at 0, but thiscan be changed with the environment variable OOD_BALANCE_THRESHOLD.

An example is given as:

# /etc/ood/config/apps/dashboard/envOOD_BALANCE_PATH="/path/to/balance1.json:/path/to/balance2.json"OOD_BALANCE_THRESHOLD=1000

{ "user": "user1", "value": 10}

{ "user": "user1", "project": "project1", "value": 10}

Maintenance Mode¶

As an administrator you may want to have some downtime of the Open OnDemand service for various reasons,while still telling your customers that the downtime is expected.

You can do this by setting Open OnDemand in ‘Maintenance Mode’.While Maintenance mode is active, Apache will not serve requests for paths outside the/public/maintenance/* wildcard. Instead, it will serve the /var/www/ood/public/maintenance/index.htmlfile, which you can change or brand to be your own. Changes to this file will persist through upgrades.Any assets (e.g., images, stylesheets, or javascript) needed by the HTML file should be placedin the /var/www/ood/public/maintenance/ directory. You can also put symbolic links into the/var/www/ood/public/maintenance/ directory, if you want to reuse assets located elsewhere in yourfile system.

While in maintenance mode, Apache returns the HTML file and a 503 response code to all users whoseIP does not match one of the configured allowlist regular expressions.The allowlist is to allow staff, localhost or a subset of your users access while restricting others.

In this example we allow access to anyone from 192.168.1..* which is the 192.168.1.0/24 CIDR andthe single IP ‘10.0.0.1’.

These are the settings you’ll need for this functionality.

# /etc/ood/config/ood_portal.ymluse_rewrites: trueuse_maintenance: truemaintenance_ip_allowlist: # examples only! Your ip regular expressions will be specific to your site. - '192.168.1..*' - '10.0.0.1'

To start maintenance mode (and thus start serving this page) simply touch /etc/ood/maintenance.enableto create the necessary file. When your downtime is complete just remove the file and all thetraffic will be served normally again. The existence of this file is what starts or stops maintenancemode, not it’s content, so you will not need to restart apache or modify it’s config files for this totake affect.

Grafana support¶

It’s possible to display Grafana graphs within the ActiveJobs app when a user expands a given job.

Grafana must be configured to support embedded panels and at this time it is also required to have a anonymous organization. Below are configuration options are needed to support displaying Grafana panels in ActiveJobs. Adjust org_name to match whatever organization you wish to be anonymous.

[auth.anonymous]enabled = trueorg_name = Publicorg_role = Viewer[security]allow_embedding = true

The dashboard used by OSC is the OnDemand Clusters dashboard.

Settings used to access Grafana are configured in the cluster config. The following is an example from OSC:

custom: grafana: host: "https://grafana.osc.edu" orgId: 3 dashboard: name: "ondemand-clusters" uid: "aaba6Ahbauquag" panels: cpu: 20 memory: 24 labels: cluster: "cluster" host: "host" jobid: "jobid" cluster_override: "mysite"

When viewing a dashboard in Grafana choose the panel you’d wish to display and select Share.Then choose the Embed tab which will provide you with the iframe URL that will need to be generated within OnDemand.The time ranges and values for labels (eg: var-cluster=) will be autofilled by OnDemand.

• orgId is the orgId query parameter

• The dashboard name is the last segment of the URI before query parameters

• The uid is the UID portion of URL that is unique to every dashboard

• The panelId query parameter will be used as the value for either cpu or memory depending on the panel you have selected

• The values for labels are how OnDemand maps labels in Grafana to values expected in OnDemand. The jobid key is optional, the others are required.

• The cluster_override can override the cluster name used to make requests to Grafana if the Grafana cluster name varies from OnDemand cluster name.

Disable Host Link in Batch Connect Session Card¶

Batch connect session cards like this have links to the compute node on which the job is currently running (highlighted).

However, some sites may want to disable this feature because they do not allow ssh sessions on the computenodes.

To disable this, simply set the environment variable in the dashboards’ env file/etc/ood/config/apps/dashboard/env to a falsy value (0, false, off).

# don't show ssh link in batch connect cardOOD_BC_SSH_TO_COMPUTE_NODE=off

If you wish to disable on a per-cluster basis, you can set the following in your cluster YAML configuration.

v2: # ... batch_connect: ssh_allow: false

Set Illegal Job Name Characters¶

If you encounter an issue in running batch connect applications complaining about invalidjob names like the error below.

Unable to read script file because of error: ERROR! argument to -N option must not contain /

To resolve this set OOD_JOB_NAME_ILLEGAL_CHARS to / for all OOD applications in thepun_custom_env attribute of the /etc/ood/config/nginx_stage.yml file.

# /etc/ood/config/nginx_stage.ymlpun_custom_env: OOD_JOB_NAME_ILLEGAL_CHARS: "/"

Customize Dex Theme¶

It’s possible to use a customized theme when authenticating with Dex when using OnDemand’s default authentication.Refer to the upstream Dex template docs for additional information on templating Dex.

The simplest approach is to copy the OnDemand theme and make changes. This is idea if you wish to make the following changes:

• Change navigation or login page logos

• Change favicon

• Change CSS styles

cp -r /usr/share/ondemand-dex/web/themes/ondemand /usr/share/ondemand-dex/web/themes/mycenter

To update the theme you must modify /etc/ood/config/ood_portal.yml and regenerate the Dex configuration:

dex:# ... frontend: theme: mycenter

The default ondemand theme can also be configured using the following configuration keys within /etc/ood/config/ood_portal.yml:

dex:# ... frontend: issuer: "MyCenter OnDemand" extra: navLogo: "/public/nav-logo.png" loginLogo: "/public/logo.png" loginTitle: "Log in with your Center username and password" loginButtonText: "Log in with your Center account" usernamePlaceholder: "center-username" passwordPlaceholder: "center-password" loginAlertMessage: "Login services will be down during center maintenance between 8:00 AM EST and 10:00 AM EST" loginAlertType: "warning"

Changes are applied by running update_ood_portal and restarting the ondemand-dex service.

sudo /opt/ood/ood-portal-generator/sbin/update_ood_portalsudo systemctl restart ondemand-dex.service

XDMoD Integration¶

XDMoD Integration requires XDMoD 9+, OnDemand 1.8+, and the ability to facilitate single sign on between the two services. Currently this has been demonstrated to work using OpenID Connect via Keycloak as well as a modified instance of Dex Identity Provider to support sessions.

Steps to enable the XDMoD reports in the OnDemand Dashboard:

1. Configure OnDemand with XDMoD host URL in PUN /etc/ood/config/nginx_stage.yml

   pun_custom_env: OOD_XDMOD_HOST: "https://xdmod.osc.edu"

2. Add OnDemand host as domain to XDMoD portal settings for CORS /etc/xdmod/portal_settings.ini

   domains = "https://ondemand.osc.edu"

3. Configure identity provider to include OnDemand host in HTTP Content-Security-Policy for frame-ancestors since OnDemand uses iFrames to trigger SSO with XDMoD when a user logs in. Below is what we ensured Content-Security-Policy header for frame-ancestors was set to when configuring Keycloak:

   frame-ancestors https://*.osc.edu 'self'

4. If you want the XDMoD links in the OnDemand Job Composer you also need to configure OnDemand with XDMoD resource id in each cluster config. For example, in the hpctoolset the resource_id for the hpc cluster is 1 in XDMoD, so we modify /etc/ood/config/clusters.d/hpc.yml to add a xdmod map to the custom map at the bottom of the file:

   v2: metadata: title: "HPC Cluster" login: host: "frontend" job: adapter: "slurm" cluster: "hpc" bin: "/usr/bin" custom: xdmod: resource_id: 1

5. In the Job Composer, Open XDMoD job links will include a warning message that the job may not appear in XDMoD for up to 24 hours after the job completed. The message is to address the gap of time between the job appearing as completed in the Job Composer and the job appearing in Open XDMoD after the ingest and aggregation script is run. This message appears from the time the Job Composer becomes aware of the job completion status, till an elapsed time specified in seconds by the locale key en.jobcomposer.xdmod_url_warning_message_seconds_after_job_completion which defaults to 24 hours (86400 seconds) with a text message specified by locale key en.jobcomposer.xdmod_url_warning_message. To disable this message, set the value you your locale file under /etc/ood/config/locales. For example, in the default locale we have these values:

   en: jobcomposer: xdmod_url_warning_message: "This job may not appear in Open XDMoD until 24 hours after the completion of the job." xdmod_url_warning_message_seconds_after_job_completion: 86400

   Which results in these warning messages appearing in Job Composer:

   

   

Accessing Remote File Systems¶

Since 2.1 you can use rclone to interact with remote file systems. Sinceevery command in Open OnDemand is issued as the user, the user themselvesare required to setup their rclone remotes.

You can refer to the OSC’s rclone documentation on how to configure rcloneremotes.

To enable this feature ensure that rclone is installed on the same machinethat Open OnDemand is installed. You also have to enable the feature throughthe configuration entry for enabling remote filesystems.

Cancel Interactive Sessions¶

We can now cancel an interactive session from the session panel without deleting the session card.This functionality will allow users to remove the job from the scheduler and keep the information in the OnDemand interface.

This feature is disabled behind a feature toggle. To enable it, set the configuration property cancel_session_enabled: true.For more information on how to configure properties, see configuration documentation.

When enabled, the cancel button will appear for active sessions.When the session is cancelled, the job will be cancelled in the scheduler,the status will change to completed, and the session card will be kept.For completed sessions, the system will only show the delete button.

Custom Pages¶

Custom pages allow administrators to add custom content to new dashboard pages.These new pages are configured using layouts and widgets, in the same way ascustomizing the layout for the dashboard.

To create a custom page, add a layout under a new page_code to the custom_pages property object.For more information on how to setup dashboard properties, see OnDemand configuration files

Custom pages have their own URL based on their page_code: /pun/sys/dashboard/custom/page_code.

The example configuration below creates a custom page with the page_code: documentation.It will render a layout with the pinned_apps widget under the URL: /pun/sys/dashboard/custom/documentation.

custom_pages: documentation: rows: - columns: - width: 12 widgets: - "pinned_apps"

Links to the custom pages can be added the Help dropdown menu.To add links to the Help menu use the configuration property help_menu.See the documentation on adding urls to the Help menu for details and examples.

Adding custom pages links uses the same notation and attributes as when created for the custom Dashboard navbar.See How to add menus for custom pages.

# Adding a link to the custom page with page_code = "documentation"help_menu: - group: "Custom Pages" - page: "documentation" title: "Site Documentation" icon: "fas://book"

Support Tickets¶

The Dashboard now supports sending a support ticket to your institution Help Desk system.The feature uses email as the delivery mechanism, but it could be extended to support others.

To enable this feature, define the settings needed using the the configuration property support_ticket.Once this configuration object is defined, the Submit Support Ticket link will be shown in the Help navigation menuand in all interactive session cards.

The support ticket page has a simple form to gather information that will be submitted to the support system via email.If triggered from a session card, the system will automatically add information about the selectedsession to the body of the email to help troubleshoot the issue.

A brief description of the default form fields used in the support ticket form:

• Username: Logged in user. Username will be added to the support ticket body for reference.

• Email: Email address to communicate regarding this support ticket. A single email address is supported.

• CC: Additional email address to communicate regardig this ticket. A single email address is supported.

• Subject: Brief description of the problem.

• Attachments: Add screeshots of the problem to help with debugging and troubleshooting.

• Description: Detail description of the problem.