Current Release: Redwood - Operator/Dev Notes

The 18th Open edX community release will be named Redwood. It will be released Jun 9th, 2024. The open-release/redwood.master branches will be created one month earlier, on May 9th. Code on master/main as of May 9th will be part of Redwood. Code merged after that will need special handling to be part of Redwood.

Put stuff here that we have to remember when we start packaging up Redwood.  Especially important is information that system installers or operators will need to know. Please include your name when you add an item, so that we can get back to you with questions.

Operational

  • The default minimum password length has been updated from 2 characters to 8 characters. (PR)

    • If you have an existing password, this change along will not force you to update it. However if you reset your password or go to change it, you'll have to conform to the new guidelines. If you would like to force people to update their password, you'll probably want to take a look at the password_policy plugin and its settings.

  • [@Tim McCormack] Deployers must ensure that their JWT_AUTH['JWT_PRIVATE_SIGNING_JWK'] Django setting in LMS contains the full complement of private key numbers.

    • Background: In LMS, we are switching from the pyjwkest library to PyJWT for signing JWTs. (pyjwkest is now unmaintained.) However, PyJWT has stricter requirements for the private key in JWT_PRIVATE_SIGNING_JWK. Before you upgrade to Redwood, you will need to update this key using a script. Otherwise, JWT signing will fail, and users will be unable to log in.

    • Steps:

      1. Locate JWT_PRIVATE_SIGNING_JWK in your deployment configuration.

      2. Check if the JSON contains all of the following params: p, q, dp, dq, and qi. If it does, you don’t need to do anything further. Otherwise, continue.

      3. In your edx-platform virtualenv, run python3 scripts/jwk-precompute-params.py and follow the prompts. (It will ask you to paste in the current JSON.)

      4. Update your config’s JWT_AUTH['JWT_PRIVATE_SIGNING_JWK'] with the output of the script.

      5. You may wish to compare the contents of the private key before and after running the script, and verify that the only changes it has made to the contents of the JSON are that the p, q, dp, dq, and qi params have been added. (Some or all may already have been present.)

    • Notes:

      • This should be done while you are still running Quince—it is safe to do ahead of the upgrade, and should not have any visible effect at that time.

      • This key must be handled very carefully. Anyone in possession of the key may impersonate users.

  • The following requirements update into credentials might have implications for anyone who has a massive usersocialauth table.  This is because that table grows endlessly, and the migrations on the table caused by updating the social-auth-app-django package can run out of memory. If maintainers have migration failures on this upgrade, they should run the management command truncate_social_auth.

    • This will remove all entries from the usersocialauth table that haven't been updated in 90 days, which makes the size of the table tractable for the dependency's migration. This is harmless in the Credentials IDA.

  • [Feanil] The scripts related to user retirement across all services have been moved to the edx-platform repository. If you’ve been using the `tubular repo to run retirement scripts you should update your code.

  • edx-platform and cs_comment_service Mongo Upgrades

  • [@Braden MacDonald] The Redwood release includes the Studio Course Search [BETA], which is disabled by default as it depends on a new search engine, Meilisearch. We encourage operators to install Meilisearch, test out this feature, and give us feedback on the viability of using Meilisearch as a replacement for Elasticsearch in future releases of Open edX. Here’s how:

    • For tutor-based deployments, install the tutor-contrib-meilisearch plugin, and apply the changes to your deployment. See that plugin’s README for details. Note in particular that the hostname configured as MEILISEARCH_PUBLIC_HOST must be resolvable on the public internet.

    • If you are not using Tutor, you’ll need to install Meilisearch manually (or use the cloud product), and to explicitly set the related config variables in the CMS as well as set MEILISEARCH_ENABLED=true in the Course Authoring MFE settings.

    • To create and populate the search index, you must run a one-time command from the CMS shell: python manage.py cms reindex_studio --experimental. This command may take a while if you have a lot of courses and/or libraries in Studio; it will display regular progress indicators while it is running. We are interested in hearing how long it takes for you - please share your experience (see next bullet). This command reads from MySQL/MongoDB but does not write to them; it only writes to Meilisearch. Once the indexing has completed, it should not be necessary to run it again; from that point forward, the indexes will be updated automatically as needed.

    • Please share your feedback about Meilisearch, indexing, and operations in this Discourse thread or the #ops Slack channel. Please share feedback about the new course search feature in general in the discussion forums or in the #wg-product-core Slack channel.

Deprecations and Removals

Based on estimated dates 2024-04-09 to 2024-06-09.