Categories

Versions

What's New in Altair AI Hub 2025.0.0?

Released: Xth December 2024

Version 2025.0 is compatible with version 10 and 2024. When you’re still on version 9, then upgrading to 2025 is a major version upgrade. Please make sure to read the upgrade from AI Hub 9 migration instructions!

The following describes the enhancements and bug fixes in AI Hub 2025.0.0:

AI Hub Server

Enhancements

  • Endpoint added to scoring-agent to query loaded and failed extensions
  • Spring Boot 3.3.6 and Java 17 changes
    • All components use Java 17
    • Upgrade Studio Core from 2024.1.1 to 2025.0.0
    • Upgrade License Agent from 1.1.1 to 2.0.1
    • Upgrade JXBrowser from 7.38.0 to 7.41.1
    • Upgrade several dependencies to latest versions
  • Cleaning of Web API Deployments on Web API Agent restart can be turned off (default on)
  • Delete all locks held by the current AI Hub instance (via volatile application ID) from distributed locking table on shutdown
  • Centralize configuration of concurrent task scheduler
    • Move scheduler.task-scheduler.pool-size to aihub.task-scheduler.pool-size (defaults to 20 instead of previously 1)
    • Move scheduler.task-scheduler.thread-priority to aihub.task-scheduler.thread-priority (defaults 5)
  • Wait for any schedule firing with spring.quartz.wait-for-jobs-to-complete-on-shutdown (defaults to true)
  • Change location of JMS properties
    • Move receive timeout from jobservice.queue.receive-timeout to aihub.jms.receive-timeout
    • Move cache level from jobservice.queue.cache-level to aihub.jms.cache-level
  • Adjust concurrency configuration for JMS listeners
    • Add aihub.jms.core-pool-size to configure core pool size (defaults to 5)
    • Add aihub.jms.max-pool-size to configure max pool size (defaults to 2147483647)
  • Validation of Web API Group names (alphanumeric uppercase) now the same in the backend as it was in the frontend
  • Track *.rmmodel in LFS for newly created Projects
  • Disallow plain HTTP connections by increasing versions of frontend dependencies react-oidc-context and oidc-client-ts
  • Introduced backend pagination and filtering for projects
  • Add a frontend page for administrators to view internally running tasks
  • Add a frontend page in case of denied permissions
  • Properly clean up unsuccessful deployments to Scoring and Web API Agent
  • Improve speed when uploading LFS objects
  • Add more descriptive error message, when process returns a non-ExampleSet IOObject
  • Improved CacheRepository implementation in RTSA and WebAPI Agent
  • Introduced scoring-agent.cache.repository.evict-in-background which evicts expired cache entries in the background for RTSA and WebAPI Agent (default: true)
  • Changed default of scoring-agent.cache.repository.access-expiration from 60 minutes to 15 minutes to reduce memory footprint for unused cache entries

Fixed

  • Invalid job locations break Executions frontend page
  • Stop all jobs action is not force stopping jobs on first invocation
  • Redirect to origin when creating or editing endpoints from Projects frontend page
  • Project contents not always up-to-date in Endpoint creation and editing wizard

License Proxy

  • Move to Spring Boot 3 and Java 17
  • Upgrade several dependencies to latest versions

License Agent

  • Bump to License Proxy API 2.0.2
  • Move to Java 17
  • Upgrade several dependencies to latest versions

ActiveMQ Artemis

  • Bump to AMQ 2.38.0
  • Move to Java 17

Deployment fixes and enhancements

Upgrades

  • Upgraded Panopticon to version 2025.0.0 (Requires Altair Licence v25)
  • Upgraded many containers to use Ubuntu 24.04 as a base image
  • Upgraded Postgresql images to 14.15, 15.10, 16.6
  • Upgraded Java version to 17.0.13_11
  • Upgraded Jupyterhub version to 5.2.1
  • Upgraded Jupyter Notebook version to 5.2.0
  • Upgraded Keycloak version to 26.0.7
  • Upgraded Grafana version to 11.4.0

Feaure improvements

New certificate management

Starting with version 2025.0.0 the deployment has a separated certificate configuration for: - TLS offloading: those certificates are used in the proxy container (still requires the fullchain) - Custom Certificate Authority certificates: those certificates are added to the trust-store of every container, so certificates issued by those CAs will be trusted by the containers

For details please see Certificate Setup Page

Dynamic Web-API Agent configuration

Starting with version 2025.0.0 the webapi-agent configuration has been changed so that way multiple webapi agent groups can be defined as part of the deployment as the following example shows:

webApiAgents:
  imageName: "rapidminer-scoringagent"
  ssoClientId: "aihub-webapiagent"
  ssoClientSecret: "<SCORING-AGENT-OIDC-CLIENT-SECRET-PLACEHOLDER>"
  ...
  agents:
  - configName: "webapi-agent-config-default-queue"
    statefulsetName: "webapi-agent-default-queue"
    eurekaInstanceHostname: "webapi-agent-default-queue"
    selectorLabels:
      app: webapi-agent-app-default-queue
      tier: backends
    replicasNumber: "1"  
    resources:
      requests:
        memory: "1G"
        cpu: "1"
      limits:
        memory: "5G"
        cpu: "2"
    ...
  - configName: "webapi-agent-config-second-queue"
    statefulsetName: "webapi-agent-second-queue"
    eurekaInstanceHostname: "webapi-agent-second-queue"
    selectorLabels:
      app: webapi-agent-app-second-queue
      tier: backends
    replicasNumber: "1"  
    resources:
      requests:
        memory: "1G"
        cpu: "1"
      limits:
        memory: "5G"
        cpu: "2"

Security improvements

"Content-Security-Policy" header

Several new properties got introduced to better control the "Content-Security-Policy" header in the responses.

According to the following default settings the value of the header will be the public url because if the webapi, rts or keycloak variable is empty, it will use the value of the general one as a failback.

ACCESS_CONTROL_ALLOW_ORIGIN_GENERAL=${PUBLIC_URL}
ACCESS_CONTROL_ALLOW_ORIGIN_WEBAPI=
ACCESS_CONTROL_ALLOW_ORIGIN_RTS=
ACCESS_CONTROL_ALLOW_ORIGIN_KEYCLOAK=

"Content-Security-Policy" header

A new propertie got introduced to provide control the "Content-Security-Policy" header in the responses.

As part of this change we reviewed the policy itself as well. To have the previous behaviour if needed you can find the previous settings in the templates.

# Improved security value
CONTENT_SECURITY_POLICY="default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;connect-src 'self';frame-src 'self';font-src 'self';media-src 'self';object-src 'none';manifest-src 'self';worker-src blob: 'self';form-action 'self';frame-ancestors 'self';"
# Backward compatible value
# CONTENT_SECURITY_POLICY="worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval'; default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval';"

New properties in for the upgrade scenario

  • Added a new property CUSTOM_CA_CERTS_FILE which controls the filename of the custom certificate that deployment-init will look for the custom certificates. Please note, that the custom CA cert file mounted into the deployment-init container shall match the value of this variable.
  • Added a new property JOBAGENT_CONTAINER_JVM_CUSTOM_OPTIONS to JobAgent to configure TZ properly
  • Added a new property GRAFANA_PROXY_THREAD_NUMBERS to grafana-proxy to control the number of threads used whithin the container
  • Added a new property GF_SECURITY_ANGULAR_SUPPORT_ENABLED. Grafana was upgraded to 11.4 which requires this environment variable allow Angular based plugins like Rapidminer datasource.
  • The default value for SCORING_AGENT_CACHE_REPOSITORY_ACCESS_EXPIRATION (Maximum age in the cache) property was modified to 900000
  • Added a missing depends_on property to Panopticon Vizapp