Installation and Administration

Hotfixes Installation Notes for Nuxeo Platform 6.0

Updated: October 16, 2020

The purpose of this page is to describe the additional actions that need to be done when installing the hotfixes on Nuxeo Platform and that cannot be done automatically. The page provides an exhaustive list of manipulations for the installation of Nuxeo Platform 6.0 hotfixes, but you need only to apply those relevant for your own instance.

When you are installing/configuring a new Nuxeo instance, the very first thing to do is to install the hotfixes. Because it will provide fixes on the Nuxeo launcher, on the startup wizard and on the templates, installing them immediately will prevent from encountering known issues.

How to Keep Your Instance up-to-Date

Hotfixes always have dependencies on the previous hotfix. So if you need to install several hotfixes, you can download only the latest one: when you install it, it will trigger the installation of the previous hotfixes.

Installing Hotfixes from the Command Line

The Nuxeo Platform provides a command to automatically install all the available hotfixes. From the command line, run the following command:

  • For Linux and Mac OS users:

    $ ./nuxeoctl mp-hotfix --accept=true
    
  • For Windows users:

    > nuxeoctl.bat mp-hotfix --accept=true
    

The parameter --accept=true automatically replies yes to any prompt, which makes the hotfix installation smoother.

While installing hotfixes, you will see the following message, but you can ignore it and continue.

Use of the <copy /> command on JAR files is not recommended, prefer using <update /> command to ensure a safe rollback. (nuxeo-launcher-8.10-HF01-jar-with-dependencies.jar)

Installing Hotfixes from the Update Center

You can also download and install hotfixes from the Update Center in the Admin tab.The installation of hotfixes requires the server to be restarted to complete the installation: follow the manual installation and configuration steps required by the installed hotfixes before you restart your server.

Hotfix 36

Security Update

A security vulnerability in Nuxeo Platform 6.0 and fixed right away. Nuxeo Platform LTS 2015 and LTS 2016 are not affected. The vulnerability allows a malicious user, with authenticated access to a Nuxeo Platform instance, to upload an arbitrary file to the server where the Nuxeo Platform has write permission.

We are not aware of any exploitation of this vulnerability to this date and it has not be publicly disclosed. Disclosure will happen March 15. We highly recommend our customers to apply the Hotfix 36 before this date.

Hotfix 34

Elasticsearch Configuration

Following backport of NXP-19283, optimistic concurrency control is now enabled by default. Should you want to disable it you would have to edit the Elasticsearch template and add the following to the elasticSearchRemote or elasticSearchLocal tags.

useExternalVersion="false"

Hotfix 33

Package Cleanup

If you have downloaded revision 1.0.0 or 1.0.1 of HF33 package, you need to manually remove it to be able to install the latest revision (i.e. 1.0.2):

./nuxeoctl mp-remove nuxeo-6.0-HF33-1.0.0 --nodeps
./nuxeoctl mp-remove nuxeo-6.0-HF33-1.0.1 --nodeps

Hotfix 32

Package Cleanup

If you have downloaded revision 1.0.0 of HF32 package, you need to manually remove it to be able to install the latest revision (i.e. 1.0.1):

./nuxeoctl mp-remove nuxeo-6.0-HF32-1.0.0 --nodeps

Hotfix 31

Datasource Configuration

NXP-20284 provides a new template for the configuration of the datasources and three new parameters. If you have overridden the template templates/common-base/nxserver/config/datasources-config.xml.nxftl, you have to apply the changes to your template.

The new parameters are:

nuxeo.db.blocking-timeout-millis=10000
nuxeo.db.idle-timeout-minutes=0
nuxeo.db.min-pool-size=5

Password Validity Check

NXP-18751 adds a password validity check on UserManager. By default it is disabled. The new parameter which controls this feature is nuxeo.usermanager.check.password:

nuxeo.usermanager.check.password=false

Hotfix 30

Optimize List Appends in VCS

NXP-19206 introduces an optimization in the way new items are added to a list in VCS. This optimization is disabled by default, so as to avoid introducing a new behavior in your application. You can enable it by adding the following line in your nuxeo.conf:

org.nuxeo.vcs.list-delete-before-append=false

NXP-19266 introduces a new property to define the regular expression which controls the access to the user profile. By default only alphanumerical characters are allowed, which corresponds to the <span class="blob-code-inner"><span class="pl-s">a-zA-Z_0-9<span class="pl-cce">\\</span>-<span class="pl-cce">\\</span>.@</span></span>expression.

To allow any character, which could be useful if the user names in your application are like John Doe, add the following line in your nuxeo.conf:

nuxeo.codec.usergroup.allowedCharacters=[^\\/\\?]*

Default Cache for the User Manager

NXP-19584 updates the User Manager configuration to add a default cache. This is done in the template templates/common/config/login-digest-config.xml.

If you have overridden this template, report the modification in your own template.

     <userManager>
       <digestAuthDirectory>digestauth</digestAuthDirectory>
       <digestAuthRealm>NUXEO</digestAuthRealm>
+      <userCacheName>default-cache</userCacheName>
     </userManager>
   </extension>

Hotfix 28

Cluster Mode Issue

A bug was introduced in the hotfix 24 in the way invalidations are processed. If you're using a Nuxeo cluster, you may have experienced a growth of the cluster_invals table and some inconsistencies (document metadata, permissions) between the nodes which are part of your cluster.

The hotfix 28 delivers the fix. Please follow this procedure:

  1. Stop all Nuxeo nodes.
  2. Empty the tables cluster_invals and cluster_nodes.

    TRUNCATE TABLE cluster_invals;
    TRUNCATE TABLE cluster_nodes;
    
  3. Install the last hotfix on each node.

  4. Check that the clustering id is configured for each node, as recommended since hotfix 13.
  5. Start each node one by one.

Package Clean Up

Two versions of the hotfix 28 have been published. If you installed the first one and try now to update your platform, you may receive this message:

The solution found might not be optimal
No solution found.

If you are managing your packages from Nuxeo UI, you may notice that the new version of the hotfix 28 was not installed.

To fix these problems, you must remove the old package with this command:

./nuxeoctl mp-remove nuxeo-6.0-HF28-1.0.0 --nodeps

And after that, install the last version of nuxeo-6.0-HF28:

./nuxeoctl mp-hotfix

Removing nuxeo-6.0-HF28-1.0.0 can also be done from the UI in Admin > Update Center > Local Packages. In this case, you will have to follow these steps:

  1. Uninstall nuxeo-6.0-HF28-1.0.0.
  2. Restart Nuxeo.
  3. Remove nuxeo-6.0-HF28-1.0.0.
  4. Install nuxeo-6.0-HF28-1.1.0.
  5. Restart Nuxeo.

Hotfix 27

Redis Configuration

NXP-18588 introduces two new configuration parameters to setup Redis pool size. The template templates/common-base/nxserver/config/redis-config.xml.nxftl has been updated to take them into account, so you'll need to update your template if you have overridden the default one.

Here are these parameters names and their default values:

nuxeo.redis.maxTotal=16
nuxeo.redis.maxIdle=8

Hotfix 25

Disable "Http Transport returned a 0 status code" Error

Since NXP-16985, you can disable the "Http Transport returned a 0 status code" message by adding this line in your nuxeo.conf:

nuxeo.jsf.ajax.disableErrorFeedback=true

Nuxeoctl Update

Since NXP-13965 and hotfix 25, a new version of the nuxeoctl script is available. The goal is to have all Nuxeo and third-party services/tools making use of java.io.tmpdir to store their temporary files.

It cannot be automatically replaced by the Nuxeo updater because this file needs the execute permission to run the Nuxeo Platform and the updater does not manage the execute flag.

To install the new nuxeoctl script:

  1. Download the new nuxeoctl .
  2. Replace the file in $NUXEO/bin folder.
  3. Set the execute bit on it:

    chmod +x bin/nuxeoctl
    

Hotfix 24

Package Cleanup

In case you downloaded the package nuxeo-6.0-HF24-1.0.0, you must remove it to be able to install its version 1.0.1:

./nuxeoctl mp-remove nuxeo-6.0-HF24-1.0.0 --nodeps

Hotfix 23

VCS Configuration

This hotfix provides a new template for VCS configuration to manage the activation of database optimizations from nuxeo.conf thanks to NXP-18335. Please look at the new file at templates/common-base/nxserver/config/default-repository-config.xml.nxftl if you need to adapt this configuration.

Two new default parameters has been added to nuxeo.defaults:

nuxeo.vcs.optimizations.acl.enabled=true
nuxeo.vcs.optimizations.path.enabled=true

Amazon S3 Package

The joda-time library has been upgraded to 2.8.2 to be compatible with JDK8u60+ thanks to NXP-18077. Therefore a new version of amazon-s3-online-storage, version 1.5.2, will be released to provide a package compatible with the new version of joda-time embedded in the hotfix 23.

Hotfix 22

Elasticsearch Configuration

NXP-17692 provides an enhanced Elasticsearch mapping to support unicode wildcard search and HTML indexing. Therefore a new configuration file is included in this hotfix.

If you have customized the elasticsearch-config.xml.nxftl file, you need to report the changes that correspond to this changeset to your custom configuration file.

Hotfix 20

Nuxeo Automation Client

if you're using the Automation Client library, you have to get the latest version that includes the fix from NXP-17784.

Configuration

A new configuration parameter has been introduced to prevent from accidentally enabling Elasticsearch as the backend for audit logs. The new parameter, audit.elasticsearch.enabled,  is included in the templates/common-base/nuxeo.defaults file embedded with the hotfix 20. These lines were added:

# Use Elasticsearch as a backend for audit logs
audit.elasticsearch.enabled=false

Ignored Components

The blacklist file which was used to ignore the contributions placed in a given component is now replaced by a blacklist.nxftl file. This replacement was motivated by the possibility to dynamically ignore Elasticsearch contributions when audit.elasticsearch.enabled is set to false.

Configuration of Page Providers Used by Document Suggestion Widgets

Document Suggestion Widgets relying on a custom page provider must be adapted. The JavaScript client won't append a % character at the end of the searched term any more. The % character needs to be added to the page provider query pattern (like in NXP-17881 and NXP-18054).

Hotfix 17

Nuxeo Automation Client

if you're using the Automation Client library, you have to get the latest version that includes the fix from NXP-17558.

Hotfix 16

Nuxeo Automation Client

if you're using the Automation Client library, you have to get the latest version that includes the fix from NXP-17425.

Hotfix 13

Cluster Configuration

NXP-17180 provides a fix for cluster invalidation management. A new version of the template nxserver/config/default-repository-config.xml.nxftl will be installed to expose the parameter <span class="blob-code-inner">repository.clustering.id</span> .

You must read the upgrade note for NXP-17180 which highly recommends to force the cluster id.

Redis Configuration

Since NXP-17166, it is possible to configure the Redis key prefix with the parameter nuxeo.redis.prefix. The hotfix 13 embeds a new version of nxserver/config/redis-config.xml.nxftl to configure this prefix with:

 <prefix>${nuxeo.redis.prefix}</prefix>

Hotfix 12

Slash in documents name

Since NXP-16602, the system throws a ClientException when the document name contains a slash on create, move or copy operation.

Package Cleanup

It is recommended after hotfix installation to remove the previous version of nuxeo-6.0-HF05 package from the local store:

./nuxeoctl mp-remove nuxeo-6.0-HF05-1.0.0

VCS Configuration

This hotfix provides a new template for VCS configuration to globally disable full-text thanks to NXP-14907. Please look at the new file at templates/common-base/nxserver/config/default-repository-config.xml.nxftl if you need to adapt this configuration.

A new default parameter has been added to nuxeo.defaults:

nuxeo.vcs.fulltext.search.disabled=false

Redis Configuration

This hotfix provides a new template for Redis configuration to integrate Sentinel thanks to NXP-17047. Please look at the new file at templates/common-base/nxserver/config/redis-config.xml.nxftl if you need to adapt this configuration.

New default parameters have been added to nuxeo.defaults:

nuxeo.redis.ha.enabled=false
nuxeo.redis.ha.master=mymaster
nuxeo.redis.ha.hosts=localhost
nuxeo.redis.ha.timeout=300
nuxeo.redis.ha.port=26379

Hotfix 11

Nuxeo Automation Client

if you're using the Automation Client library, you have to get the latest version that includes fixes from NXP-16890 and NXP-16934.

Elasticsearch Configuration

Since NXP-16360, a new property is available for Elasticsearch configuration.

Hotfix 10

Nuxeo Automation Client

if you're using the Automation Client library, you have to get the latest version that includes fixes from NXP-16929 and NXP-16942.

Elasticsearch

To index document with token field bigger than 32k, fixed by NXP-16807, you need to change the mapping. This can be done using the Admin Center > Elasticsearch > Admin > Re-indexing all the repository.

Hotfix 09

Nuxeo Automation Client

if you're using the Automation Client library, you have to get the latest version that includes fixes from NXP-16808.

Hotfix 08

If you have installed the version 1.0.0 of nuxeo-6.0-HF08, you have to remove it because it prevents the mp-hotfix command to work.

./nuxeoctl mp-remove nuxeo-6.0-HF08-1.0.0

Hotfix 06

Elasticsearch Configuration Options

        [NXP-15207](https://jira.nuxeo.com/browse/NXP-15207) introduces new configuration parameters
## Name of the Elasticsearch index for the default document repository
#elasticsearch.indexName=nuxeo

## Number of replicas (not for embedded mode)
#elasticsearch.indexNumberOfReplicas=1

## Display Elasticsearch cluster and nodes information in admin center
## default is false (always true for embedded mode)
#elasticsearch.adminCenter.displayClusterInfo=true

And the templates/common-base/nuxeo.defaults has been automatically updated with the last version which contains this new line

# Display Elasticsearch cluster and nodes information in the admin center @since 6.0-HF06, always true for embedded mode
elasticsearch.adminCenter.displayClusterInfo=false

Hotfix 04

Configuration: since NXP-16318, the dollar character is a reserved key and cannot be used in the configuration, especially in password fields.

Nuxeo Automation Client

if you're using the Automation Client library, you have to get the latest version that includes fixes from NXP-16229.

Hotfix 03

Elasticsearch Configuration Options

NXP-16206 introduces new configuration parameters. See templates/common-base/nuxeo.defaults for more Elasticsearch options.

Nuxeo Shell

Thanks to NXP-16242, a new fix for Nuxeo Shell has been done: use the latest version to benefit from it.

Nuxeo Automation Client

if you're using the Automation Client library, you have to get the latest version that includes fixes from NXP-16244.

Hotfix 01

Nuxeo Platform Installed under a Path with Spaces

NXP-15982 provides a fix to an issue that prevented your Nuxeo Platform instance to start if it is installed in a path with spaces.

  1. Edit the nuxeo.conf file and replace the following line:

    JAVA_OPTS=$JAVA_OPTS -Xloggc:${nuxeo.log.dir}/gc.log -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps
    

    by:

    JAVA_OPTS=$JAVA_OPTS -Xloggc:"${nuxeo.log.dir}/gc.log" -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps
    
  2. Edit the $NUXEO/bin/nuxeoctl file and replace the following lines:

               echo Launcher command: $JAVA $LAUNCHER_DEBUG -Dlauncher.java.opts="$JAVA_OPTS" -Dnuxeo.home="$NUXEO_HOME" -Dnuxeo.conf="$NUXEO_CONF" -Dnuxeo.log.dir="$LOG_DIR" -jar $TMPLAUNCHER "$@"
      echo [`date`] Launcher command: $JAVA $LAUNCHER_DEBUG -Dlauncher.java.opts="$JAVA_OPTS" -Dnuxeo.home="$NUXEO_HOME" -Dnuxeo.conf="$NUXEO_CONF" -Dnuxeo.log.dir="$LOG_DIR" -jar $TMPLAUNCHER "$@" >> "$LOG_DIR"/nuxeoctl.log
    
    

    by:

               echo "Launcher command: $JAVA $LAUNCHER_DEBUG -Dlauncher.java.opts=\"$JAVA_OPTS\" -Dnuxeo.home=\"$NUXEO_HOME\" -Dnuxeo.conf=\"$NUXEO_CONF\" -Dnuxeo.log.dir=\"$LOG_DIR\" -jar \"$TMPLAUNCHER\" $@"
      echo [`date`] "Launcher command: $JAVA $LAUNCHER_DEBUG -Dlauncher.java.opts=\"$JAVA_OPTS\" -Dnuxeo.home=\"$NUXEO_HOME\" -Dnuxeo.conf=\"$NUXEO_CONF\" -Dnuxeo.log.dir=\"$LOG_DIR\" -jar \"$TMPLAUNCHER\" $@" >> "$LOG_DIR"/nuxeoctl.log
    

Manual Notification on a Document

NXP-16031 fixed a conflict between the mail subject parameter and subject form field . For example, if the notification subject was defined by

subject="[MyNuxeoApp] ${subject}"

the rendered subject did not contain the prefix MyNuxeoApp . NXP-16031 brings disambiguation by renaming the subject and content form fields.

Therefore, if you have overridden the "Email document" notification or its related template emailDocument, you have to update them to use mailSubject and mailContent strings instead of subject and content ones. Your code should look like:

Email Document notification

subject="[MyNuxeoApp] ${mailSubject}"

emailDocument template

${mailContent}