This release provides security patches.
See also the fleetcommand-agent Release Notes.
-
Domino now ships with an updated version of buildkit and runc in response to Common Vulnerabilities and Exposures (CVE) associated with "Leaky Vessels".
-
Fixed an issue with previous 5.9.X versions of Domino where the offline installer would fail for remote data plane installation. The offline installer has been fixed to package the correct image for remote data plane installations.
-
Fixed an issue where VSCode would fail to upgrade the Websocket connections on remote data planes.
-
A small number of Domino executions will fail due to a transient issue in the underlying Kubernetes API version 1.28.3. If you encounter an execution failure with the error message "MountVolume.SetUp failed for volume 'execution-secrets-vol': failed to sync secret cache", retry the execution to attempt to resolve the error.
-
S3 buckets must have CORS enabled to use the View Latest Raw File button in the code file browser if the file is > 5 MB (com.cerebro.domino.frontend.defaultMaxFileSizeToRenderInBytes). As a workaround, use the Download button to download larger files and view them on your computer.
-
In Azure Blob Store deployments, projects with many files may fail to sync through the Domino CLI. To work around this issue, do not disable file locking when prompted by Domino.
-
You cannot view the latest raw file if you click View Latest Raw File. In the navigation pane, go to Files and click a file to view its details.
-
When uploading a large file to the Azure blob store by syncing a Workspace, you may encounter a Java Out of Memory error from Azure if the file/blob already exists. To work around this issue, use the Domino CLI to upload the file to the Project.
-
Model Monitoring data sources aren’t validated. If you enter an invalid bucket name and attempt to save, the entry will go through. However, you won’t be able to see metrics for that entry because the name points to an invalid bucket.
-
Domino instances that make use of Azure Blob Storage may experience stalled Jobs within Projects with many large files.
-
If you attach a Git repository to a DFS project that points to a tagged release, the tag won’t be honored when building a model API in that Project. The build log will show an error similar to the following, and the model will be built using the default branch of your Git repository instead of the tagged branch:
Jul 05 2023 14:36:27 -0500 #10 6.481 WARN [d.r.d.GitRepoUpdater] could not parse ref: v1.3.0 checking out default branch correlationId="iA2qWrYSLQ" thread="main"
To work around this issue, use the branch name when building model APIs instead of the release tag.
-
If an admin resets a user’s password, it invalidates all the user’s authentication tokens, including tokens used for long-running tasks like Jobs, Workspaces, or Apps. The user must create a new password, log back into Domino, and restart all executions. This also applies to CLI authentication; the user must re-login to their Domino CLI.
-
In Domino 5.6, the cost analyzer pod (inactive unless Kubecost is enabled) defaults to a different storageClass compared to Domino 5.7. As a result, the pod won’t run after upgrading to 5.7, breaking Kubecost functionality. However, data will continue to persist in Prometheus (or custom storage if using Kubecost Enterprise).
To prevent this issue while still in Domino 5.6, override the default storageClass gp2 with the one expected in 5.7, dominodisk, during Kubecost installation by setting release_overrides.cost-analyzer.chart_values.persistentVolume.storageClass to dominodisk in the agent YAML before installing Kubecost.
If you’ve already installed Kubecost on Domino 5.6, avoid the upgrade error by setting release_overrides.cost-analyzer.chart_values.persistentVolume.storageClass to gp2 in the agent YAML configuration file before upgrading to 5.7.
-
The Rename dataset’s file button is not available when the user navigates to the Dataset from the global Dataset page.
To work around this issue, navigate to the Dataset from the Project’s page.
-
The sample script for making asynchronous Model API requests contains an extra / at the end of the DOMINO_URL variable. As a result, running the script will show an error similar to the following:
{'requestId': 'key not found: HandlerDef', 'errors': ['java.util.NoSuchElementException: key not found: HandlerDef']}
To work around this issue, remove the trailing / at the end of the DOMINO_URL variable.
-
The Jobs REST API uses GitRefV1 to reference Git objects (commits, branches, and tags). Not all examples in the API spec worked, so they’ve been updated to reflect the actual valid values. This change doesn’t affect API functionality; it’s just a fix to the documentation.
-
Links to Stack Trace and CPU Flame Graph in the Ray Cluster UI’s Cluster tab are broken due to an issue in Ray 2.4 not supporting links when hosted behind a reverse proxy. This problem is specific to the Cluster tab; links correctly function in other tabs. The issue is fixed in Ray 2.7 and will be updated in future Domino Ray image releases.
-
The section, Account Settings > Login Profile, has been temporarily disabled for all users, resulting in users not being able to edit their username, name, email, etc. This section will be rebuilt in a future Domino release.
-
Cost-analyzer provisions a new default blob storage on S3 that will be used as default storage for AWS users who use Domino-automated infrastructure install and upgrades. This storage is created with a 15-day retention period. As a result, data that was stored in Prometheus during the upgrade may not be available on S3 but still accessible on Prometheus. Additionally, data stored in S3 will only be available for 15 days. To increase the retention period, update the S3 lifecycle.
-
Cost-analyzer provides up to 15 days of data for users without an Enterprise license. As a result, no notification will be sent after 15 days if the budget threshold has been reached. To receive notifications after 15 days, please reach out to your Domino representative.
-
If a user is a collaborator on a project that contains some registered models in a model registry, and some of these models have a deployed model API, but the user doesn’t have permission to access them, then the user won’t be able to view the project’s model registry page. This issue is fixed in Domino 5.11.0.
-
Viewing dataset files in an Azure-based Domino cluster may lock files, preventing them from being deleted or modified. Restarting Nucleus frontend pods will release the lock. This issue is fixed in Domino 5.11.1.
-
Workspace auto-deletion notifications and the deletion itself may not complete successfully. The error "Cannot apply $addToSet to non-array field" may be observed in nucleus-workspace-volume-snapshot-cleaner or nucleus-develop pods. This issue may prevent idle workspaces from being automatically deleted. Contact Domino Support if you need help. This is fixed in Domino 6.0.0.
-
There is a known issue when upgrading to 5.9.x, or doing a fresh install, with Keycloak email notifications enabled through domino.yml that will cause Keycloak’s installation to fail. The solution is to set email_notifications.enabled to false in the domino.yml during installation, then manually add the environment variables to the stateful set once the deployment is complete.
- name: KEYCLOAK_SMTP_HOST
  value: {{ .Values.email_notifications.server }}
- name: KEYCLOAK_SMTP_PORT
  value: {{ .Values.email_notifications.port }}
- name: KEYCLOAK_SMTP_FROM
  value: {{ .Values.email_notifications.from_address }}
- name: KEYCLOAK_SMTP_FROM_DISP_NAME
  value: {{ .Values.email_notifications.from_address }}
- name: KEYCLOAK_SMTP_SSL
  value: {{ .Values.email_notifications.enable_ssl | quote }}
- name: KEYCLOAK_SMTP_FORGOT_PASSWORD_ENABLED
  value: "true"
- name: KEYCLOAK_SMTP_USER_NAME
  value: {{ .Values.email_notifications.authentication.username }}
- name: KEYCLOAK_SMTP_PASSWORD
  value: {{ .Values.email_notifications.authentication.password }}
-
GKE users that provisioned their infrastructure with Domino’s terraform-gcp-gke module must apply the changes introduced for 5.7.0 as of terraform-gcp-gke v2.5.0 when upgrading to ensure firewall rules work properly.
-
VPN support from within executions was updated to be disabled by default. Support can be enabled by setting the global config value com.cerebro.domino.computegrid.executions.allowVpn = true.
-
MongoDB is no longer the authoritative source of truth for User Roles. Keycloak has taken over the role. User Groups in Keycloak now correspond to Domino Global Roles, and a user’s membership status in these groups defines their Domino roles. The Central Config key authentication.oidc.externalRolesEnabled has been retired and no longer has any effect. Any edits made to roles in MongoDB will be overridden by the data from Keycloak.
-
EKS users are recommended to update the AWS VPC CNI settings to enable ANNOTATE_POD_IP to prevent execution timeout errors when an image pull takes longer than 10 minutes. To bypass the validation check during an upgrade, pass --warn-only as a command line option to the installer.
-
EKS users who provisioned their infrastructure with Domino’s terraform-aws-eks module must validate whether they want the new costs blob storage to be provisioned by default.
-
For customers with an XL-sized deployment that are upgrading to 5.9.0, RabbitMQ and New Relic resource requirements have increased.
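
For the known issue above in which a tagged Git release is not honored when building a model API, the following added example (not Domino code) scans a build log for the fallback warning so that a model silently built from the default branch can be caught before it is deployed. It assumes the warning text matches the line quoted in the release note; the function name, the pinned_refs parameter and all sample log lines other than that quoted one are constructed for illustration.

```python
import re

# Matches the fallback warning quoted in the release note. Only the message
# text and the correlationId field come from the page; nothing else about the
# build-log layout is assumed.
FALLBACK_RE = re.compile(
    r'\[d\.r\.d\.GitRepoUpdater\]\s+could not parse ref:\s+(?P<ref>\S+)\s+'
    r'checking out default branch'
    r'(?:.*?correlationId="(?P<cid>[^"]*)")?'
)


def find_ref_fallbacks(log_text, pinned_refs=None):
    """Return one finding per log line where the requested Git ref was
    dropped and the default branch was checked out instead.

    pinned_refs (hypothetical parameter): refs the caller expected the build
    to use; a fallback on one of them is marked pinned=True.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = FALLBACK_RE.search(line)
        if not m:
            continue
        ref = m.group("ref")
        findings.append({
            "line": lineno,
            "ref": ref,
            "correlation_id": m.group("cid"),  # None if the field is absent
            "pinned": pinned_refs is not None and ref in pinned_refs,
        })
    return findings


# Line 2 is the warning quoted in the release note; lines 1, 3 and 4 are
# constructed sample data.
SAMPLE_LOG = """\
Jul 05 2023 14:36:25 -0500 #10 4.102 INFO [d.r.d.GitRepoUpdater] cloning repository
Jul 05 2023 14:36:27 -0500 #10 6.481 WARN [d.r.d.GitRepoUpdater] could not parse ref: v1.3.0 checking out default branch correlationId="iA2qWrYSLQ" thread="main"
Jul 05 2023 14:36:30 -0500 #11 0.210 INFO build step complete
Jul 05 2023 14:40:02 -0500 #10 5.930 WARN [d.r.d.GitRepoUpdater] could not parse ref: v2.0.0 checking out default branch
"""

if __name__ == "__main__":
    for f in find_ref_fallbacks(SAMPLE_LOG, pinned_refs={"v1.3.0"}):
        print(f)
```

A finding with pinned set to True means the deployed model does not correspond to the release tag that was requested, so the build should be repeated using the branch name as described in the workaround.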