Changelog: Seqera Enterprise

General​

This release backports the default Azure image fix from v25.1.1 to v24.2.x:

Azure Batch support for Ubuntu 20.04 LTS ending

The default Azure Batch Ubuntu image has been updated with sku 22.04. This is to ensure there are no issues with the existing Azure Batch Ubuntu image (sku 20.04) which will be deprecated after April 23, 2025. See, https://github.com/Azure/Batch/issues/174 for more information about the deprecation.

General​

Azure Batch support for Ubuntu 20.04 LTS ending

The default Azure Batch Ubuntu image has been updated with sku 22.04. This is to ensure there are no issues with the existing Azure Batch Ubuntu image (sku 20.04) which will be deprecated after April 23, 2025. See, https://github.com/Azure/Batch/issues/174 for more information about the deprecation.

Seqera Platform Enterprise version 25.1 introduces Studios GA and a number of bug fixes and performance enhancements.

Studios is Seqera's in-platform tool for secure, on-demand, interactive data analysis using containers created from Seqera-managed container template images or your own organization-managed custom environments. You only pay for the compute your Studio sessions consume, and the compute is adjacent to your data, significantly reducing data transfer costs and wasted time copying data from storage to analysis. This significantly reduces infrastructure management requirements, removes data silos, adheres to strict in-platform role-based access control, and lowers your operational costs. Learn more about Studios.

New features and improvements​

Studios​

• Labeled templates: Labels indicate the status of support (recommended or deprecated) for a Seqera-managed Studio container template version. Users can migrate a Studio to a new base container template when Adding as new.
• Private sessions: When adding a new Studio, the number of concurrent connections (private vs. all workspace members) can now be defined in General Config > Collaboration.
• Custom session lifespans: This new feature allows you to set a maximum lifespan for a session, after which time the session is stopped automatically and a checkpoint created, or the session can be extended on-demand.
• Resource labels: Users with at least workspace maintainer role permissions can manage the resource labels inherited from the compute environment and attached to the Studio. Resource labels attached to each Studio don’t affect the default resource labels associated with the compute environment.

Fusion​

• AWS Batch compute environments default to Amazon Linux 2023 AMI when Fusion v2 is enabled.
• Add support for Fusion licensing.

General​

• Updated list of EC2 families with NVMe disks available.
• Audit log update: Pipeline edit events are now logged.
• Switch AWS Batch compute environment dependencies to AWS SDK v2.
• Switch Compute dependencies to AWS SDK v2.
• You can upload custom icons when adding or updating a pipeline. If no user-uploaded icon is defined, Platform will retrieve and attach a pipeline icon in the following order of precedence:
  1. A valid icon key:value pair defined in the manifest object of the nextflow.config file.
  2. The GitHub organization avatar (if the repository is hosted on GitHub).
  3. If none of the above are defined, Platform auto-generates and attaches a pipeline icon.
• New dynamic page title for easy bookmarking.
• Added totalProcesses to workflow progress responses.
• Implement collapsible view for JSON workflow parameters tab and add View as YAML option.
• Update the pipeline name regular expression to allow pipeline names containing dots ('.').
• Allow Nextflow configuration parameters with embedded references to other parameters to be shown verbatim.
• Improved error messaging when pipeline information can't be fetched indicates whether the issue is due to a missing resource, or failed authentication due to expired credentials.
• Azure jobs are now automatically terminated after all tasks are complete.
• Send only added/updated run parameters when launching a pipeline. This includes all defaults and parameters passed during the launch.
• Allow users to remove organization logos.
• New workflow job monitoring collects and publishes Platform metrics.
• Notify the user when secrets cleanup fails.
• Dashboard page: Add a date filter.
• Bump nf-launcher default to version 25.10.5.
• Upgrade to Angular 18.

Bug fixes​

• Studios
  • Fixed resource labels being erroneously non-editable for the Maintain role when adding or starting a Studio session.
  • Fixed searches for names containing special SQL wildcard characters (_, %).
• Prohibit duplicate Git credentials and tie-break on lastUpdated for existing duplicates. Preference is given to the last-updated credentials when there are multiple candidates. A check is also added to avoid duplicates when creating new credentials.
• Set ECS_CONTAINER_START_TIMEOUT to 10 minutes in the ECS settings used by AWS Batch CEs, to prevent Task failed to start - DockerTimeoutError: Could not transition to started; timed out after waiting 3m0s errors.
• Compute environment creation form allows pre- and post-run scripts to be longer than the accepted value of 1024 characters.
• Disable reset selection on data change in workflow list component.
• Take into account the alternative mainScript path.
• Use preferred_username as fallback email field for OIDC login.
• Drop the last characters in job definition names longer than the prescribed limit.
• Fixed an additional reference to the mainScript parameter in the pipeline-info API response.
• Fixed a problem with Entra and javax.mail transitive dependency.
• A change in the nf-core tools template made config profile search in the pipeline launch form inconsistent in Platform as it's prepended by a ternary operator. This release introduces a fix that improves config profile name parsing.
• Do not fetch info for INVALID status pipelines, fetch for all other statuses including DISABLED.
• Fallback to primary compute environment when launching a shared pipeline without an associated compute environment from a private workspace.
• Fixed regression of the quick launch form not selecting the primary compute environment by default.

Breaking changes and warnings​

OIDC Secrets injection modifications​

The auth-oidc-secrets Micronaut environment has been replaced with oidc-token-import. If you use this configuration, you must change the MICRONAUT_ENV environment variable in the manifest during the migration process. If you activate the feature with the TOWER_OIDC_TOKEN_IMPORT environment variable, no changes are needed.

Seqera AWS ECR repository customer access ends June 1, 2025​

Customers will no longer be able to pull Seqera Enterprise container images from the legacy Seqera AWS ECR repository after June 1, 2025. All Seqera Enterprise images must be retrieved via the cr.seqera.io container registry after this cutoff date. The installation and configuration templates provided for both Docker Compose and Kubernetes installations already reference the cr.seqera.io container image URLs. If you have not yet transitioned to this registry, contact Support to request credentials and for any further assistance.

See Legacy Seqera container image registries for more information on the AWS ECR and other deprecated Seqera container registries.

Redis version change​

From Seqera Enterprise version 24.2:

• Redis version 6.2 or greater is required.
• Redis version 7 is officially supported.

Redisson properties deprecated​

From Seqera Enterprise version 24.2, redisson.* configuration properties are deprecated. If you have set redisson.* properties directly previously, do the following:

• Replace /redisson/* references in AWS Parameter Store entries with TOWER_REDIS_*.
• Replace redisson.* references in tower.yml with TOWER_REDIS_*.

MariaDB driver: New MySQL connection parameter required​

MariaDB driver 3.x requires a special parameter in the connection URL to connect to a MySQL database:

jdbc:mysql://<domain>:<port>/tower?permitMysqlScheme=true

All deployments using a MySQL database (regardless of version: 5.6, 5.7, or 8) must be updated when upgrading to Seqera Enterprise version 24.1 or later.

MariaDB driver: No truncation support for MySQL 5.6​

The MariaDB driver has dropped support for the jdbcCompliantTruncation parameter, which was true by default and set the STRICT_TRANS_TABLES SQL mode. The STRICT_TRANS_TABLES mode produces an error when the value of a VARCHAR column exceeds its limit, instead of truncating it to fit. Most common installations of MySQL 5.7 and 8 already include this mode at the server level, but the Docker container version of MySQL 5.6 does not.

The SQL mode must be set explicitly through the connection URL for deployments still using MySQL 5.6:

jdbc:mysql://<domain>:<port>/tower?permitMysqlScheme=true&sessionVariables=sql_mode='STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION'

Micronaut property key changes​

The property that determines the expiration time of the JWT access token (used for authenticating web sessions and Nextflow-Platform interactions) has changed as of Seqera Enterprise version 24.1:

Enterprise deployments that have customized this value previously will need to adopt the new format.

Upgrade steps​

1. This version includes an update to the Platform Enterprise H8 cache. Do not start the upgrade while any pipelines are in a running state as active run data may be lost.
2. This version requires a database schema update. Make a backup of your Platform database prior to upgrade.
3. If you are upgrading from a version older than 23.4.1, update your installation to version 23.4.4 first, before updating to 25.1 with the steps below.
4. For recommended Platform memory settings, add the following environment variable to your Platform configuration values (tower.env, configmap.yml, etc.):

   JAVA_OPTS: -Xms1000M -Xmx2000M -XX:MaxDirectMemorySize=800m -Dio.netty.maxDirectMemory=0 -Djdk.nio.maxCachedBufferSize=262144
   
5. See Upgrade installation for installation upgrade guidance.

Bug fixes​

A change in the nf-core tools template made config profile search in the pipeline launch form inconsistent in Platform as it's prepended by a ternary operator. This release introduces a fix that improves config profile name parsing.

Bug fixes​

• Solves an issue with Git URLs in Azure DevOps.
• Bumps Nextflow launcher to 24.10.4.

Feature updates and improvements​

• Enterprise telemetry now differentiates between Platform UI and CLI workflow executions.
• Azure Batch job termination now includes the Nextflow head job, so queues no longer remain active after a workflow completes.

Bug fixes​

• Fixed AWS base image security vulnerabilities.
• Fixed runs list view deselecting checked runs.
• Fixed Azure DevOps issues when launching from non-default project repositories.
• Fixed pipeline editing errors for repositories without a main.nf file.

• No changes in this release.

Seqera Enterprise version 24.2 introduces new Data Studios features, global Nextflow configuration at the compute environment level, Azure service principal and managed identity authentication support, and a number of bug fixes and performance enhancements.

New features and improvements​

Data Studios​

• Data Studios now supports custom environments:
  • Create custom analysis environments, or link to public or private ECR containers.
  • Custom environment build events are now added to the audit log. The events data_studio_session_build_started and data_studio_session_build_failed are added to the audit log events table.
• Data Studios dashboard:
  • A new dashboard provides information about Data Studios usage to help you manage your resources.
• In a GPU instance type compute environment, both CPU and GPU resources are supported and can be added to your Data Studio sessions.
• NVMe support added.
• EFS volume mounting is now supported.
• Browse a studio session's mounted data directly from the studio details page using Data Explorer.

Nextflow configuration updates​

• Added a Global Nextflow config field to all compute environments. This field allows you to define Nextflow configuration values in the compute environment that are then pre-filled in the pipeline Nextflow config file field during launch.
• Implemented custom launch container logic in the workflow/launch API endpoint. This allows you to specify a custom container using the launchContainer key in your request body when submitting a workflow execution. For example:

  {
    "launch": {
        "id": "T3xxxxxxxxxxig",
        "launchContainer": "quay.io/seqeralabs/nf-launcher:j17-23.10.1-up1", 
        "computeEnvId": "6Uxxxxxxxxxxxhl",
        "workDir": "s3://your-bucket",
        "pipeline": "https://github.com/nextflow-io/hello",
        ...
    }
  }
  

Azure Batch: Entra service principal and managed identity authentication support​

• Authentication using Microsoft Entra service principals is now supported in manual Azure Batch compute environments. This provides a secure alternative to long-lived access keys, as service principals enable role-based access control with more precise permissions.
• You can now also use a managed identity in conjunction with your credentials (access keys or service principals) to authenticate Nextflow to Azure services. The combination of an Entra service principal and user-assigned managed identity offers enhanced security over access keys. Note that both authentication methods are only supported in manual Azure Batch compute environments.

Launchpad​

• The new Launch Form is now enabled by default. See Core feature configuration for options to disable the launch form per workspace or globally.

Compute environments​

• AWS Batch Forge compute environments now support Amazon Linux 2023. Previously, Batch Forge only created compute environments with Amazon Linux2. Seqera now supports specifying Amazon Linux 2023 ECS-optimized AMIs when you create AWS Batch compute environments. AWS-recommended Amazon Linux 2023 AMI names start with al2023-.
• The Google Life Sciences API will be deprecated in June 2025. A Google Life Sciences API deprecation notice has been added to the Seqera Platform UI.
• Tag propagation has been added to the AWS Batch launch templates created by Batch Forge, which propagates resource labels to storage volumes (as well as instances which are the default).

Credentials​

• The Password field is no longer required for GitLab credentials, as public repositories only require an access token. Note that private repositories will require a credential with both a password and access token.

Settings​

• Added flexibility for pipeline names in workspaces. Pipeline names must be unique at the workspace level for private workspaces, while shared workspaces require names to be unique at the organization level.

General​

• Refactor now reports file streaming over Agent connections directly to the browser.
• Input forms now support JSON schema draft 2020-12 features. Includes: Nested parameters, "anyOf", "allOf", and "oneOf" input form validation support, "dependantSchemas" initial support, and "if-then-else" support. This improves support of JSON schema and prevents form errors for unrecognized validations.
• ECS agent configuration variables have been added to set the timeout for several container actions:
  • ECS_CONTAINER_CREATE_TIMEOUT=10m: Timeout for creating a container.
  • ECS_CONTAINER_STOP_TIMEOUT=10m: Timeout for stopping a container. Increase to prevent Nextflow from being forcibly killed and leave running jobs.
  • ECS_MANIFEST_PULL_TIMEOUT=10m: Timeout for pulling a container manifest. This may be needed when pulling a Wave container with a long build time.
• Disable AWS and Google Cloud Batch spot auto-retry: This disables the automatic retry of Batch jobs submitted by Nextflow in favour of using the classic Nextflow retry mechanism. This is because the Batch automatic retry is completely invisble to Seqera and the user. Nextflow retry gives better feedback and allows the user to have more control.
  note

  This requires a change to pipeline configurations that previously used Spot auto-retry for AWS and Google Cloud Batch.

• Bump nf-launcher:j17-24.10.2.
• Upgrade to Angular 16.
• Security fixes: All security fixes for previous versions.

Bug fixes​

• Check if a workspace is disabled before fetching data links.
• Allow resume with compatible compute environments when using Tower Agent and $TW_AGENT_WORKDIR as working directory.
• Fix input form view for private GitHub repositories using pipeline Quicklaunch.
• Fix issue where workspace secrets were not being selected by default when using pipeline Quicklaunch.
• Fix incorrect role access in new launch form which allowed users with "Maintain" role and lower to edit resource labels when launching.
• Fix Entra and javax.mail transitive dependency problem.
• Shared pipelines without an associated compute environment now default to using the workspace primary compute environment.
• Display initial mounted data when starting an existing Data Studio session.
• Add managedIdentityId to the API response payload when describing a compute environment.
• Send fetch schema request in quicklaunchmode, even if revision is empty.
• Fix issue where searching for task tags using underscores wasn't returning the expected values.
• Improve performance of queries reported as intensive on the RDS database. Added an index to the tw_workflow(complete) column, which improves the performance of the query that finds workflows with missing progress. Added an index to the tw_workflow(status) column conditionally; the index was already present in the cloud.seqera.io database, but not previously included in the database migration scripts.
• Avoid using master as the fallback pipeline revision, so that pipeline repositories without a master version don't return errors on Quicklaunch.
• Update lastUsed on compute environment when creating a job for a Data Studios session.
• Enable task working directory navigation using Data Explorer in personal workspaces.
• Allow changing the working directory when launching a pipeline.
• Encode file names when requesting a download URL in Data Explorer.
• Fix report access issue for Nextflow CLI runs with TOWER_CONTENT_URL set.
• Fix NF schema nested object values being lost when switching to input form view. Remove processing of unsupported JSON schema types inside pipeline input form components.
• Show CORS modal when detecting an incorrect eTag configuration for Data Explorer, and update link to Seqera docs.

Breaking changes and warnings​

Seqera AWS ECR repository customer access ends June 1, 2025​

Customers will no longer be able to pull Seqera Enterprise container images from the legacy Seqera AWS ECR repository after June 1, 2025. All Seqera Enterprise images must be retrieved via the cr.seqera.io container registry after this cutoff date. The installation and configuration templates provided for both Docker Compose and Kubernetes installations already reference the cr.seqera.io container image URLs. If you have not yet transitioned to this registry, contact Support to request credentials and for any further assistance.

See Legacy Seqera container image registries for more information on the AWS ECR and other deprecated Seqera container registries.

Redis version change​

From this version of Seqera Platform:

• Redis version 6.2 or greater is required.
• Redis version 7 is officially supported.

Redisson properties deprecated​

From this version of Seqera Platform, redisson.* configuration properties are deprecated. If you have set redisson.* properties directly previously, do the following:

• Replace /redisson/* references in AWS Parameter Store entries with TOWER_REDIS_*.
• Replace redisson.* references in tower.yml with TOWER_REDIS_*.

MariaDB driver: New MySQL connection parameter required​

MariaDB driver 3.x requires a special parameter in the connection URL to connect to a MySQL database:

jdbc:mysql://<domain>:<port>/tower?permitMysqlScheme=true

All deployments using a MySQL database (regardless of version: 5.6, 5.7, or 8) should be updated accordingly when upgrading to Platform version 24.1 or later.

MariaDB driver: No truncation support for MySQL 5.6​

The MariaDB driver has dropped support for the jdbcCompliantTruncation parameter, which was true by default and set the STRICT_TRANS_TABLES SQL mode. The STRICT_TRANS_TABLES mode produces an error when the value of a VARCHAR column exceeds its limit, instead of truncating it to fit. Most common installations of MySQL 5.7 and 8 already include this mode at the server level, but the Docker container version of MySQL 5.6 does not.

The SQL mode must be set explicitly through the connection URL for deployments still using MySQL 5.6:

jdbc:mysql://<domain>:<port>/tower?permitMysqlScheme=true&sessionVariables=sql_mode='STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION'

Micronaut property key changes​

The property that determines the expiration time of the JWT access token (used for authenticating web sessions and Nextflow-Platform interactions) has changed since version 24.1:

Enterprise deployments that have customized this value previously will need to adopt the new format.

Upgrade steps​

1. This version includes an update to the Platform Enterprise H8 cache. Do not start the upgrade while any pipelines are in a running state as active run data may be lost.
2. This version requires a database schema update. Make a backup of your Platform database prior to upgrade.
3. If you are upgrading from a version older than 23.4.1, update your installation to version 23.4.4 first, before updating to 24.2 with the steps below.
4. For recommended Platform memory settings, add the following environment variable to your Platform configuration values (tower.env, configmap.yml, etc.):

   JAVA_OPTS: -Xms1000M -Xmx2000M -XX:MaxDirectMemorySize=800m -Dio.netty.maxDirectMemory=0 -Djdk.nio.maxCachedBufferSize=262144
   
5. See Upgrade installation for installation upgrade guidance.

Bug fixes​

• Search task names in run details.

Bug fixes​

• Mailer dependency issue causing email send failures.

Security updates​

• Fix critical frontend vulnerabilities.