Release Date: 06/13/2023

  • Primary focus of this release is updates to base components in the containers, bugfixes, and similar.


    • This stack requires Docker 20. Docker 23 has not been tested by us and will likely not work.

    • This stack will not work with configuration from previous versions, requiring the following:

    • .env file for the Base Stack now needs LFT_SALT, which is a secret value used to sign LFT links. If you are upgrading, make sure that you do not destroy already existing keys, or you will break your existing installation.

  • Manual data upgrade is no longer required; Nucleus will do the following steps automatically:

    • Upgrade the DB (if required)

    • Verify the DB

    • If any errors are detected, attempt to repair them

    • Verify the DB post-repair, and not start in case any errors are still present.

    All of the above steps preserve logs and DB snapshots in case support personnel will require them.

    Progress can be observed in STDERR of nucleus-api container.

  • Included Jinja templates for stack and env files

  • Note that with this release, Core versioning scheme was brought up in line with SemVer. Practically, this results in an extra “dot” between hundredths and tens of the version number, ie, 114.0 -> 1.14.0, etc.

  • LFT Compression now disabled by default

  • Resolver Cache is now based on NGINX

  • SSO Gateway is now renamed to Nucleus Auth Router. For now, keeping the external facing names the same not to cause confusion

  • generate-sample-insecure-secrets.sh now has a mode to add missing secrets to the existing set

  • Components updates:

    • Core 1.14.17

    • Discovery Service 1.4.9

    • Authentication Service 1.4.9

    • Search Service 3.2.5

    • Tagging Service 3.1.6

    • Thumbnail Service 1.5.6

    • Nucleus Navigator 3.3.2

    • Auth Router (former SSO Gateway) 1.3.0

View the detailed release notes



  • SlowDown

    • Setting the default max_in_flight_requests_per_connection to 0 - which disables both SlowDown and DrainAndClose feature


  • Docker

    • improving logging in meta dumper

    • meta dumper memory usage optimization


  • Docker

    • New base images


  • API server

    • [meta-upgrade] converted some meta validation errors from error to warning


  • API server

    • bugfixes


  • Connection libraries

    • Fixing support of mTLS on Windows through OMNI_LFT_MTLS_CLIENT_CERTIFICATE/OMNI_LFT_MTLS_CLIENT_PRIVATE_KEY/OMNI_LFT_MTLS_CLIENT_CERTIFICATE_PASS environment variables. The client certificate is supposed to be set in PEM format through OMNI_MTLS_CLIENT_CERTIFICATE/OMNI_MTLS_CLIENT_PRIVATE_KEY and:

    • [Linux] in PEM format through OMNI_LFT_MTLS_CLIENT_CERTIFICATE/OMNI_LFT_MTLS_CLIENT_PRIVATE_KEY (note added _LFT_ suffix)

    • [Windows] in P12 format through OMNI_LFT_MTLS_CLIENT_CERTIFICATE/OMNI_LFT_MTLS_CLIENT_CERTIFICATE_PASS (note added _LFT_ suffix).

    P12 certificate doesn’t need the private key to be specified separately, but might need a password to be specified (if the certificate was issued with the password)


  • API server

    • Fixed retry bug in omniverse_resolver and added new parameter retry_interval into resolver config

    • add setting to prevent listing child on mounts


  • API server

    • Add set_user_agent API to set the connection user agent field, in addition to being able to supply it in auth

    • Added OMNI_DELTA_APPLIER_PORT envvar for omni.delta-applier port

    • fix list2 .empty field for list2 call when listing a folder under a mount

    • subscribe_list supports notifications from mounts

    • change delete and rename to write ACL

    • disconnect_client service API call

    • fixing meta dumper hanging on the lock

    • added special handling in subscribeList for mounted paths

    • Allow operators to configure Resolver in k8s deployments

  • Connection libraries

    • Send proper close frame when closing connection

    • Support mTLS through OMNI_MTLS_CLIENT_CERTIFICATE/OMNI_MTLS_CLIENT_PRIVATE_KEY environment variables

  • LFT

    • Updated the python version to 3.10


  • API server

    • implementing user agent feature in auth/authorize_token


  • API server

    • list2/read_asset_version/stat2 on mounts, user & group management and pings are now executed concurrently

  • Docker

    • Resolver Cache is now based on NGINX rather than Nucleus Cache


  • Resolve a number of CVEs


  • VERSIONING CHANGE: beginning with this release, versioning of Nucleus Core is made compliant with SemVer. Effectively, an extra “dot” is added to separate hundredths from the rest of the version (ie, 114.6 -> 1.14.6).


  • API server

    • Fixing Memory Leak in omnitrace (with update to 1.2 and improving integration)

    • make LFT ticket salt configurable

    • change delete and rename to write ACL

    • do not parse environment variables into the settings dictionary

    • fixing a bug in rename2

  • Connection libraries

    • send close reason, log close reason received from the server

  • Docker

    • OpenTelemetry: enabled exporting of collectors’ metrics.

    • Fixing docker build

  • Helm

    • CI pipeline and HELM Chart refactored

    • Pulse Docker Image Scan is failing. Changed ubuntu images to refer to ubuntu-18-04-20230208


  • API server

    • [fixing a bug] do not expose metrics on workstation


  • API server

    • do not expose metrics on workstation


  • API server

    • fixing stat2 not reporting correct mtime for mounted paths

    • adding database snapshotting support

Discovery Service


  • Updated base docker image


  • Fixed incorrect discovery metadata registration


  • Set CANONICAL_NAME environment variable for nucleus-discovery Docker service

  • Helm chart re-factored

  • Now properly handling SIGINT and SIGTERM

Authentication Service


  • Updated base docker image


  • Update CI/CD pipeline to fix Pulse and nSpect scans


  • Support putting http(s) and omniverse URLs to the server form.

  • Hide text overflow and wrapping in the login form.


  • Helm chart re-factored for ease of development, CI pipeline for Helm chart updated

  • Use API tokens for resetting user passwords.

Search Service


  • Updated base Docker image


  • Fixed returning tags if they are specified both in prefixes and in the query.


  • Pulse container and source scans enabled

  • Enable database vacuuming

  • Re-factored Helm charts

Tagging Service


  • Updated base Docker images


  • Updated Pulse Scanner to 1.0.0

  • Updated to Python 3.10.11

  • Updated to Ubuntu 22.04 base image for Docker builds.

  • Fixed: Child process will detect when parent process was killed. (Workstation builds)

  • Service reports a more verbose version string.


  • Updated repoman tool versions to fix duplicates and cut-off file names in tagging.client.js package.

  • Updated idl.py to 0.18 (support to add copyright note to generated headers).

  • Updated idl transpiler to 0.10.

  • Updated Python to 3.8.16+nv1

  • Updated docker base image to __NV_ubuntu-18-04-20230208.

  • Updated prometheus-client to 0.16.0

  • Updated psutil to 5.9.4

  • Updated websockets to 10.4

  • Updated PyYAML to 6.0

  • Updated aiohttp to 3.8.3

  • Updated toml to 0.10.2

  • Updated aiosqlite to 0.18.0

  • Updated asyncpg to 0.27.0

  • Updated PyJWT to 2.6.0

  • Updated cryptography to 39.0.1

  • Helm chart refactored


  • New version to fix and whitelist new CVEs.


  • Updated Python to 3.8.14+nv2

  • Send service version to discovery service.

  • nSpect source and Pulse Container Image scans enabled

  • Updated the idl.py package version to 0.16

  • Updated the websockets package version to 10.3


  • Updated the idl.py package to idl.py@0.13+master.

  • Updated PYJWT to 2.4.0.

  • Updated base Docker images

Thumbnail Service


  • Updated base Docker images


  • Updated Pulse scanner to version 1.0.0

  • Updated to Python 3.10.11

  • Updated to Ubuntu 22.04 base image for Docker builds.

  • Fixed: Child process will detect when parent process was killed. (Workstation builds)

  • Service reports a more verbose version string.


  • Updated Pillow to 9.4.0 (fix CVE-2022-45198, CVE-2022-45199).

  • Helm Chart refactored

  • Updated Python to 3.8.16+nv1

  • Updated websockets to 10.4

  • Updated aiohttp to 3.8.3

Nucleus Navigator



  • Fixed a race condition in move/rename commands that could cause data uploaded in parallel to be lost.


  • Updated base Docker image



  • Soft Delete and Restore support.

  • Support changing permissions for multiple selected paths.

  • Added a “Log in” button to the offline mode warning.

  • Display the default Omniverse application name instead of “Open in Launcher” button.

  • Added undoable action for changing path permissions.

  • Allow renaming added servers and synchronizing them with auth.toml instead of System Monitor.

  • Allow users to toggle hidden files visibility.

  • Display download/upload speed and time estimation.

  • Refresh the server list in the UI automatically if it’s updated in other apps.

  • Display folder size and contents.

  • Implement the cut command.


  • Update context menu options for the current working directory.

  • Optimize the launch time when users have multiple servers added to Navigator.

  • Optimize queries and time required for loading thumbnails.

  • Increase the login form size and improve text overflow for server names.

  • Updated the context menu option order and text for obliterate commands.

  • Pull permissions required for Nucleus commands.


  • Hide “Share” option for Nucleus checkpoints.

  • Fixed context menu actions trigger on selected paths.

  • Redirect users to the authenticated server when logging in via SSO.

  • Fixed pasting absolute server links into breadcrumbs.

  • Trailing slashes are no longer required for opening directories.

  • Support putting http(s) and omniverse URLs to the login form.

  • Improved loading speed for context menu displayed for offline servers.

  • Fixed an issue with setting redirection param for mounting private S3 buckets.

  • Use touch events for opening context menus.

  • Fixed incorrect icon displayed for cancelled cross-server transfers.

  • Fixed “The tags have been updated by someone else” error being displayed randomly for Workstation.

  • Fixed an issue with text overflow for bookmarks, users and groups in the grid view.

  • Fixed an issue where deleted files remained selected in the right panel.

  • Fixed an issue where clicking on the filesystem root didn’t work on Linux.

  • Fixed displaying menu separators at the beginning of context menus.

  • Fixed a race condition that could happen when users pasted Omniverse links to the address bar.

  • Fixed an issue where Ctrl+V could be used when paste command is not allowed.

  • Fixed an issue that allowed deleting gm group.

  • Fixed an issue that allowed renaming system groups.

  • Fixed an issue where bookmarks from local hard drive wasn’t working.


  • Removed the advanced mode for tag editor.



  • Refactored Helm Chart



  • Add Key Commands for select all (ctrl+a), copy (ctrl+c), and paste (ctrl+v) in content browser.

  • Added the crash reporter window that allows to restart the app or clear its cache in case of an error.

  • Added new context menu option for creating checkpoints.

  • Support adding tags for directories.


  • Display system folders under “My Computer” before disk drives.

  • Moved the resize area for the left panel away from its border.


  • Fixed an issue where parent folders could be moved in their children.

  • Fixed multiple selection for the table view in the content browser.

  • Close the dialog for renaming files and folders if the name is not changed.

  • Fixed an issue with initialization for ordering table columns.

  • Fixed an issue with inconsistent server names displayed on the home page.

  • Fixed an issue where users couldn’t right-click on multiple selected items.

  • Fixed a bug where “This month” section wasn’t displayed for checkpoints.

  • Hide generated API token if it’s deleted from the dialog.

  • Fixed “Path does not exist” error occurred when users pasted file links to the breadcrumbs.

  • Fixed an issue where users got redirected to the server root when the current directory was renamed.

  • Fixed displaying authentication dialog for filesystem paths.

  • Fixed an issue with copying paths other than folders, files and omni-objects.

  • Fixed invalid cross-server file transfers that led to corrupted files.

  • Fixed triggering authentication if the server with the same canonical name is already added.

  • Fixed an issue where list view wasn’t updated correctly when path permissions were updated.

Nucleus Auth Router


  • Service was renamed to Nucleus Auth Router

  • Implemented OpenID Support

  • Misc cleanups