What's New in Altair AI Hub 2025.0.0?
Released: Xth December 2024
Version 2025.0 is compatible with version 10 and 2024. When you’re still on version 9, then upgrading to 2025 is a major version upgrade. Please make sure to read the upgrade from AI Hub 9 migration instructions!
The following describes the enhancements and bug fixes in AI Hub 2025.0.0:
AI Hub Server
Enhancements
- Endpoint added to scoring-agent to query loaded and failed extensions
- Spring Boot
3.3.6
and Java 17 changes- All components use Java 17
- Upgrade Studio Core from
2024.1.1
to2025.0.0
- Upgrade License Agent from
1.1.1
to2.0.1
- Upgrade JXBrowser from
7.38.0
to7.41.1
- Upgrade several dependencies to latest versions
- Cleaning of Web API Deployments on Web API Agent restart can be turned off (default on)
- Delete all locks held by the current AI Hub instance (via volatile application ID) from distributed locking table on shutdown
- Centralize configuration of concurrent task scheduler
- Move
scheduler.task-scheduler.pool-size
toaihub.task-scheduler.pool-size
(defaults to20
instead of previously1
) - Move
scheduler.task-scheduler.thread-priority
toaihub.task-scheduler.thread-priority
(defaults5
)
- Move
- Wait for any schedule firing with
spring.quartz.wait-for-jobs-to-complete-on-shutdown
(defaults totrue
) - Change location of JMS properties
- Move receive timeout from
jobservice.queue.receive-timeout
toaihub.jms.receive-timeout
- Move cache level from
jobservice.queue.cache-level
toaihub.jms.cache-level
- Move receive timeout from
- Adjust concurrency configuration for JMS listeners
- Add
aihub.jms.core-pool-size
to configure core pool size (defaults to5
) - Add
aihub.jms.max-pool-size
to configure max pool size (defaults to2147483647
)
- Add
- Validation of Web API Group names (alphanumeric uppercase) now the same in the backend as it was in the frontend
- Track
*.rmmodel
in LFS for newly created Projects - Disallow plain HTTP connections by increasing versions of frontend dependencies
react-oidc-context
andoidc-client-ts
- Introduced backend pagination and filtering for projects
- Add a frontend page for administrators to view internally running tasks
- Add a frontend page in case of denied permissions
- Properly clean up unsuccessful deployments to Scoring and Web API Agent
- Improve speed when uploading LFS objects
- Add more descriptive error message, when process returns a non-ExampleSet IOObject
- Improved CacheRepository implementation in RTSA and WebAPI Agent
- Introduced
scoring-agent.cache.repository.evict-in-background
which evicts expired cache entries in the background for RTSA and WebAPI Agent (default:true
) - Changed default of
scoring-agent.cache.repository.access-expiration
from 60 minutes to 15 minutes to reduce memory footprint for unused cache entries
Fixed
- Invalid job locations break Executions frontend page
- Stop all jobs action is not force stopping jobs on first invocation
- Redirect to origin when creating or editing endpoints from Projects frontend page
- Project contents not always up-to-date in Endpoint creation and editing wizard
License Proxy
- Move to Spring Boot 3 and Java 17
- Upgrade several dependencies to latest versions
License Agent
- Bump to License Proxy API
2.0.2
- Move to Java 17
- Upgrade several dependencies to latest versions
ActiveMQ Artemis
- Bump to AMQ
2.38.0
- Move to Java 17
Deployment fixes and enhancements
Upgrades
- Upgraded Panopticon to version 2025.0.0 (Requires Altair Licence v25)
- Upgraded many containers to use Ubuntu 24.04 as a base image
- Upgraded Postgresql images to 14.15, 15.10, 16.6
- Upgraded Java version to 17.0.13_11
- Upgraded Jupyterhub version to 5.2.1
- Upgraded Jupyter Notebook version to 5.2.0
- Upgraded Keycloak version to 26.0.7
- Upgraded Grafana version to 11.4.0
Feaure improvements
New certificate management
Starting with version 2025.0.0 the deployment has a separated certificate configuration for: - TLS offloading: those certificates are used in the proxy container (still requires the fullchain) - Custom Certificate Authority certificates: those certificates are added to the trust-store of every container, so certificates issued by those CAs will be trusted by the containers
For details please see Certificate Setup Page
Dynamic Web-API Agent configuration
Starting with version 2025.0.0 the webapi-agent configuration has been changed so that way multiple webapi agent groups can be defined as part of the deployment as the following example shows:
webApiAgents:
imageName: "rapidminer-scoringagent"
ssoClientId: "aihub-webapiagent"
ssoClientSecret: "<SCORING-AGENT-OIDC-CLIENT-SECRET-PLACEHOLDER>"
...
agents:
- configName: "webapi-agent-config-default-queue"
statefulsetName: "webapi-agent-default-queue"
eurekaInstanceHostname: "webapi-agent-default-queue"
selectorLabels:
app: webapi-agent-app-default-queue
tier: backends
replicasNumber: "1"
resources:
requests:
memory: "1G"
cpu: "1"
limits:
memory: "5G"
cpu: "2"
...
- configName: "webapi-agent-config-second-queue"
statefulsetName: "webapi-agent-second-queue"
eurekaInstanceHostname: "webapi-agent-second-queue"
selectorLabels:
app: webapi-agent-app-second-queue
tier: backends
replicasNumber: "1"
resources:
requests:
memory: "1G"
cpu: "1"
limits:
memory: "5G"
cpu: "2"
Security improvements
"Content-Security-Policy" header
Several new properties got introduced to better control the "Content-Security-Policy" header in the responses.
According to the following default settings the value of the header will be the public url because if the webapi, rts or keycloak variable is empty, it will use the value of the general one as a failback.
ACCESS_CONTROL_ALLOW_ORIGIN_GENERAL=${PUBLIC_URL}
ACCESS_CONTROL_ALLOW_ORIGIN_WEBAPI=
ACCESS_CONTROL_ALLOW_ORIGIN_RTS=
ACCESS_CONTROL_ALLOW_ORIGIN_KEYCLOAK=
"Content-Security-Policy" header
A new propertie got introduced to provide control the "Content-Security-Policy" header in the responses.
As part of this change we reviewed the policy itself as well. To have the previous behaviour if needed you can find the previous settings in the templates.
# Improved security value
CONTENT_SECURITY_POLICY="default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;connect-src 'self';frame-src 'self';font-src 'self';media-src 'self';object-src 'none';manifest-src 'self';worker-src blob: 'self';form-action 'self';frame-ancestors 'self';"
# Backward compatible value
# CONTENT_SECURITY_POLICY="worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval'; default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval';"
New properties in for the upgrade scenario
- Added a new property
CUSTOM_CA_CERTS_FILE
which controls the filename of the custom certificate that deployment-init will look for the custom certificates. Please note, that the custom CA cert file mounted into the deployment-init container shall match the value of this variable. - Added a new property
JOBAGENT_CONTAINER_JVM_CUSTOM_OPTIONS
to JobAgent to configure TZ properly - Added a new property
GRAFANA_PROXY_THREAD_NUMBERS
to grafana-proxy to control the number of threads used whithin the container - Added a new property
GF_SECURITY_ANGULAR_SUPPORT_ENABLED
. Grafana was upgraded to 11.4 which requires this environment variable allow Angular based plugins like Rapidminer datasource. - The default value for
SCORING_AGENT_CACHE_REPOSITORY_ACCESS_EXPIRATION
(Maximum age in the cache) property was modified to 900000 - Added a missing depends_on property to Panopticon Vizapp