CloudBees CD/RO v10.6

CloudBees is pleased to announce the 10.6 LTS release of CloudBees CD/RO. With this release, we added several new features and system improvements, including:

  • A Triggers page that allows you to view and manage all of your triggers in a central location.

  • A Configurations menu in the left navigation that replaces the Configurations page.

  • A search feature that allows you to access menu items in the left navigation.

  • The ability to back up DevOps Insight Server (DOIS) Elasticsearch (ES) indices to an AWS S3 or Google Cloud Services (GCS) external repository.

  • CloudBees CI Teams integration that allows you to view the contents of the CloudBees CI Teams folder configured in the operations center.

  • A separate authentication for the Swagger UI is no longer required when you are authenticated in CloudBees CD/RO.

  • HTTPS access for ec-groovy and ec-perl with the ectool.

  • Parameter enhancements allow you to create radio button parameters dynamically from a DSL description similar to dropdown menus.

  • A new formal parameter type, Plugin configuration.

Security fixes

This release includes the following security updates
  • Apache Ant is updated from 1.10.9 to 1.10.12. For details, refer to [BEE-18345]

  • Apache web server is upgraded from 2.4.53 to 2.4.54. For details, refer to [BEE-19836]

  • PHP is upgraded from 7.4.28 to 7.4.30. For details, refer to [BEE-19836]

  • OpenSSL is upgraded from 1.1.1n to 1.1.1o. [BEE-19836]

  • Elasticsearch is upgraded to 7.17.4. [BEE-19838]

  • Logstash is upgraded to 7.17.4. [BEE-19838]

  • The content security policy (CSP) HTTP header is now set correctly. CSP is an added layer of security that helps detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection. HTTP headers allow website owners to declare approved sources of content that browsers allow to be loaded on the page.

  • Upgraded third-party libraries to resolve a security issue. [BEE-19504]

New features

Triggers page

You can now view and manage all of your configured triggers in the system on the Triggers page. From the CloudBees CD/RO main menu, select DevOps Essentials  Triggers.

To locate a trigger in the list, you can use the search field or filter by project, object, or tag.

For more information, refer to Configure event-based triggers.

As of v10.6, webhook triggers configured and scheduled before v10.1 no longer work. Polling triggers configured and scheduled prior to v10.1 continue to work, but they are not available from the UI to review or run.
CloudBees CI Teams integration

CloudBees CD/RO now supports integration with CloudBees CI Teams. The CloudBees CI Teams folder is now displayed during the definition of the Jenkins task in the pipeline. You can browse the content within the CloudBees CI Teams folder configured in the operations center when the corresponding operations center CloudBees CI configuration is selected.

Back up DOIS ES indices to an external repository

You can now back up snapshots of your DOIS ES indices to an AWS S3 or GCS external repository.

Left navigation search

You can now search the left navigation for menu items.

Feature enhancements

Other features and enhancements
  • The Configurations page was converted to subpages in the left navigation menu. You can now access the following system configurations in the left navigation:

    • CI configurations

    • CD licenses

    • CI licenses usage

    • Database configuration

    • Directory providers

    • Email configurations

    • Event log

    • Licenses

    • Service accounts

    • Source code synchronization

    • SSO configurations

    • System health monitoring

      This new submenu replaces the Configurations page. From the CloudBees CD/RO main menu, select Administration  Configurations.
  • A new accessibility topic for VPAT section 508 and WCAG is available in the CloudBees CD/RO documentation. For more information, refer to Accessibility.

  • Parameter enhancements allow you to create radio button parameters dynamically from a DSL description similar to dropdown menus.

  • A new formal parameter type, Plugin configuration, is now available. You can select existing plugin configurations and create new configurations from the same parameter dropdown menu.

  • When you are authenticated in CloudBees CD/RO, a separate authentication for the Swagger UI is no longer required, giving you access to the REST API documentation page and the ability to run REST API calls from this page.

Performance improvements


Plugin enhancements

CloudBees CD/RO plugin catalog

The CloudBees CD/RO plugin catalog is available on the CloudBees CD/RO documentation site.

Plugin updates

Plugin and version


EC-Artifactory 1.7.0

Added support for new plugin configuration and updated documentation.

EC-AWS-EC2 1.0.13

Upgraded third party libraries.

EC-GitHub 4.5.1

Added the Approve Pull Request and Create Repository procedures. Updated third party libraries.

EC-SonarQube 1.5.2

Fixed a potential vulnerability.

Plugin Development Kit enhancements


Resolved issues


Groovy scripts no longer behave differently than the CloudBees CD/RO Groovy API when you run them using the ec-groovy wrapper program.


CloudBees CD/RO documentation now includes configuration instructions for Kerberos to authenticate to an SQL server. For more information, refer to latest@cloudbees-cd:set-up-cdro:alternate-database.adoc.adoc.


Fixed an issue that caused environment snapshots to fail when you re-enable change tracking.


The getReleaseInventory API now returns the application type and service name for environmentInventoryDetail or releaseinventoryDetail. The path-to-production view properly displays an application’s microservice.


CyberArk 403 - Forbidden: Access is denied errors now display in a readable form.


Null values are no longer set in formal parameters with checkbox and select types in Oracle.


The Server properties page in the CloudBees CD/RO UI is now available when a property is created without a value from the Platform UI.


Fixed an issue that caused CloudBees CD/RO to require internet access during installation.


Removed incorrect ZKConfigTool options in the CloudBees CD/RO documentation.


Fixed an issue that caused ec-groovy to fail during creation.


CloudBees CD/RO cluster implementation with differences between node times no longer result in a durationMillis must not be negative error during job execution.


When deploying microservices applications, the cluster name is now retrieved successfully.


Duplicated references to the same credential are no longer included in actual parameters.


myComponent and myReferenceComponent shortcuts are now available from an application process step of a component type. If inventory cannot be created because of an issue with resolving a property, the job step and the job are set to a warning status.

Behavior changes


Installation notes

For complete installation and upgrade information, refer to CloudBees CD/RO on Kubernetes and Install CloudBees CD/RO on traditional platforms.

Apache ZooKeeper required update

The ZooKeeper version bundled with CloudBees CD/RO v10.5 was updated from v3.4.6 to v3.8.0. CloudBees CD/RO v10.5+ requires ZooKeeper v3.8.0. For installation and upgrade instructions, refer to Install ZooKeeper and Upgrade a clustered environment.

Legacy services applications and container entities

In CloudBees CD/RO v10.3, the legacy Services applications and Traditional applications with containers were deprecated and removed. Before you upgrade to CloudBees CD/RO v10.3 or later, you must migrate your applications to the current microservices application model.

Also, before upgrading from CloudBees CD/RO v10.2 or earlier you must delete all legacy services and containers. This will prevent upgrade failure, a database consistency break or inability to run the validateDatabase API.

CloudBees CD/RO on Kubernetes

Sample CloudBees CD/RO server and agent Helm chart values, found here, provide CloudBees’s default installation values. The CloudBees CD/RO images.tag value associated with version 10.6 is

CloudBees CD/RO Universal Base Image (UBI)

The actual UBI associated with version 10.6 is 8.6-754.1655117782.

Upgrading gateway agents

All gateway agents that meet these criteria must be updated to CloudBees CD/RO v10.2+:

  • Your enterprise implements a multi-zone environment.

  • Agent versions are a combination of pre-v10.2 and v10.2+.

  • The access route to a v10.2+ agent is configured through a pre-v10.2 gateway agent.

Configuring autostart services for Linux installations

Linux installations that you perform as a non-root user or without sudo permissions cannot automatically start the CloudBees CD/RO server, web server, repository server, or agents. This means that you must set up service autostart after installation is complete. Learn more here.

Upgrading your CloudBees CD/RO environment
Before starting an upgrade, make sure to back up your existing CloudBees CD/RO data.
Upgradable versions

Upgrades to CloudBees CD/RO 10.x are supported only from ElectricCommander 5.0. For upgrade instructions, refer to the Upgrade on traditional platforms.

Updating the MySQL configuration before upgrading

Since release 8.0.1, CloudBees has instructed customers using a MySQL database to use the following two lines in their MySQL configuration:

init_connect='SET collation_connection = utf8_unicode_ci, NAMES utf8'

Before upgrading CloudBees CD/RO, you must remove these lines or comment them out. Otherwise, jobs will not start.

Ensuring the correct default MySQL default collation

Make sure that the default collation for the MySQL database schema is set to utf8_unicode_ci or utf8_general_ci and that no table in the schema overrides this. The CloudBees CD/RO server checks this configuration on startup and logs errors in the server log if it is not set correctly.

If the collation is not configured correctly, then entering non-ASCII text into CloudBees CD/RO might cause errors. For example, setting a release name to a non-ASCII value and attempting a search causes an exception.

If your MySQL database schema or any tables in it are set to a non-UTF-8 collation order, refer to Knowledge Base article KBEC-00385 - Converting a MySQL Database From Latin-1 to UTF-8 for detailed instructions about safely converting your schema to UTF-8. [NMB-26521, NMB-27459]

Upgrading agents that run the ec-groovy job step in multizone deployments

In multizone CloudBees CD/RO deployments, CloudBees CD/RO agents that are in a different zone than the CloudBees CD/RO server must be upgraded to version 9.0 or later for the ec-groovy job step to run successfully on those agents. You must also upgrade the gateway agents that lead back to the server’s zone including those in any zones in between the agent’s zone and the server’s zone. [NMB-27490]

For details about multiple zones and gateway agents, refer to Zones and gateways.

Removing the SSL 2.0 Client Hello or SSLv2Hello protocol from your security configurations

CloudBees recommends removing the SSL 2.0 Client Hello or SSLv2Hello protocol from your security configurations for all components. [NMB-27934, NMB-29326]

  1. Upgrade agents older that fall into this category for security reasons:

    • Microsoft Windows

    • Linux: 6.0.3 or older; 6.2 or older

    • macOS: 8.4 or older

  2. If this warning appears on the Automation Platform UI:

    Note: We recommend removing `SSL 2.0 Client Hello` format from server configuration and upgrade older agents as indicated on the Cloud/Resources Page to avoid security risk.

    then enter the following command on the CloudBees CD/RO server:

    $ ecconfigure --serverTLSEnabledProtocol=TLSv1.2
Upgrading the CloudBees Analytics server

This section provides information about upgrading the CloudBees Analytics server.

Potential breaking change: Elasticsearch update

The Elasticsearch version shipped with CloudBees Analytics v10.2 has been updated from v6.6.2 to v7.10.2. As such, this update may create breaking changes in your custom reports. All changes related to the new version are described in Elasticsearch documentation. The following change may affect your reports the most. [BEE-2717]

  • Accessing missing document values throws an error. The doc['field'].value throws an exception if the document is missing a value for the field field.

    To check if a document is missing a value, you can use doc['field'].size() == 0.

  • It is not possible to upgrade CloudBees Analytics v9.0.1 and below to CloudBees Analytics v10.2.0 and above. The installer exits with an error and an appropriate message when such an update is attempted. If you need to upgrade CloudBees Analytics v9.0.1 and below, you must first upgrade to a version between 9.1.0 and 10.1.0, or 9.0.2 and above. After that, you can upgrade CloudBees Analytics to v10.3.0 or higher. [NMB-31030]

  • For previous CloudBees Analytics upgrades from v9.0.1 and below: CloudBees Analytics data may contain obsolete indices that are incompatible with CloudBees Analytics v10.2.0 and above. To work correctly, it is necessary to re-index these indexes before an upgrade. The installer prompts you to do this before upgrading.

    • In console mode and UI mode, the installer displays the following prompt if outdated indexes are detected:

      One or more Elasticsearch indices were created in an obsolete version of Elasticsearch. These indexes must be re-indexed for the upgrade to be successful. Do you want to start the reindexation? [n/Y]

      After an affirmative answer, the installer automatically re-indexes and continues the upgrade.

    • In silent mode, the installer reindexes automatically.

  • Backing up and restoring custom settings

    The CloudBees Analytics installer overwrites the elasticsearch.yml configuration file with a new file. This file includes a Custom Settings section, which lets you add Elasticsearch settings not managed by the CloudBees Analytics server without being lost during an upgrade. The installer preserves the settings in the Custom Settings section. [NMB-25850]

  • Upgrading CloudBees Analytics clusters

    The principle of forming a cluster in CloudBees Analytics has changed in v10.2 due to the update of Elasticsearch v7.10.2. In this regard, an additional action is required to upgrade to CloudBees Analytics v10.2 or later:

    When updating the first master node, the user must explicitly specify that it is the first node to be updated. If this action is not performed, any cluster that is being updated is placed out of service.

    All installers have been instrumented to accommodate this change. Refer to Upgrade the CloudBees Analytics server for more details. [BEE-2717]

  • CloudBees Analytics server configuration notes

    For a production environment, CloudBees recommends that you install the CloudBees Analytics server on a system other than systems running other CloudBees CD/RO components (such as the CloudBees CD/RO server, web server, repository server, or agent). If you must install it on the same system (such as for testing or other non-production or trial-basis situations), refer to CloudBees Analytics server with other components for details.

    If your CloudBees Analytics server is configured with multiple nodes in a Kubernetes environment, you must pre-generate your certificates. For more information, refer to Install CloudBees CD/RO within Kubernetes.
CloudBees CI operations center configurations

After upgrading to CloudBees CD/RO v10.6 from v10.0.x, you may need to rework your CloudBees CI operations center configurations.

  • In v10.0.x, CloudBees CI operations center URLs specified in configurations are silently appended at runtime with the /cjoc path component.

  • In v10.1, URLs are used as defined in configurations. The /cjoc component is not appended.

To maintain pre-v10.1 runtime compatibility, the v10.1 upgrade process modifies CloudBees CI operations center URLs in existing configurations by hardcoding the /cjoc path component. You need to rework existing URLs in configurations where appending the /cjoc path component is inappropriate.

Configuration notes

Performing a full import

During a full import, the import operation might hang in the following scenarios. To import successfully into CloudBees CD/RO 8.0 and newer versions, perform the appropriate workarounds [CEV-15447, CEV-11873]:

  • A manual process step in a process has formal parameters. The workaround is to remove the entry related to the property sheet for the job step that is associated with the manual process step.

  • In the exported XML file from the earlier release, two pipelines are in different projects, and both pipelines have no gate tasks. The flow associated with the pipeline is duplicated under both projects. The workaround is to remove the flow element under the projects.


When an application is cloned from one project (the original project) to another (the destination project), the tier maps for the application point to the environments with the same names in the destination project. To deploy the application to the environments in the original project, you must create tier maps connecting the application to those environments.

Known issues


With CloudBees CD/RO v10.2.1 and earlier, the DSL Import service catalog fails for grouped tasks.


CloudBees CI build details are not present after project import.


The MeanLeadTime report does not work correctly when Elasticsearch only has pipeline runs but no release runs.


CloudBees CI jobs time out when triggered, resulting in pipeline failures. Increase the COMMANDER_HTTP_TIMEOUT property.


When a custom data retention policy schedule is set to run once, the data is not purged after archiving. To purge data after archiving, use a repeat schedule or the global data retention setting.


The Preview tab does not display a correct list of objects to be archived for data retention rules.


When you save DSL for a dropdown menu, the code is evaluated to catch syntax errors. This evaluation is not the same as when the parameter is used. This can result in a property reference error because the properties may only be available when the parameter values are set. A workaround is to use a try-catch statement where the property path is a property that is not available in the definition context:

def value try { value = getProperty(propertyName: 'property path').value } catch (e) { return [] }


CloudBees CI job tasks fail with a $[] branchName in the definition.


When using Postgres with change tracking enabled, EcAuditStrategy errors may appear in the server log. This is a known issue, but is not expected to affect system performance.


Traditional full XML imports and exports with ScmSync objects fail with the java.langIllegalStateException. As a workaround, delete all scmSync objects before you export, and then recreate them after the import. CloudBees recommends using generateDsl or evalDsl to export/import ScmSync objects.


Browser redirects to port 2080 during first navigation to CloudBees CD/RO deployed from CloudBees Software Delivery Automation and Flow Helm charts.


SyncArtifactVersions procedure completes with success, rather than showing a warning, when manifest is missing and overwrite = false.


When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error: Upload file: Exit code 1: ERROR: Publish failure: Unexpected retrieval exception for repository error.


Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or ectool) until the CloudBees CD/RO server is restarted.


(Microsoft Windows platforms only) If the Elasticsearch cluster, which is used by CloudBees Analytics, is in the red state (in Elasticsearch this means that it only partly functions and some data is unavailable) then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the task manager before running the installer for these actions.


The Microsoft Edge browser does not work with SAML 2.0 and a self-signed certificate during redirection from the identity provider to the service provider. Edge is not recommended for sign-in via SAML 2.0.


The LANG environment variable must be set to en.US.UTF-8; otherwise, the upgrade fails. Refer to KBEC-00452 - Error installing CloudBees CD/RO 10.0.x when Lang environment variable is different than en.US.UTF-8 for details.


When an application with snapshots created in CloudBees CD/RO 6.1 or earlier is cloned and a project containing this application is imported to CloudBees CD/RO 6.3 or higher, the import operation fails.


Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.


The stage inclusion status in the Release Dashboard changes color after a stage is renamed.


No error prompt appears for failed tasks and retry tasks during a pipeline runtime.


If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter) then the step is not retried even if it uses "retry on error" error handling. The job eventually completes with an error.


The retry count for group tasks or rules using "automated retry on error" is missing from the Pipeline runtime page.


Multiple mapped environments with the same name from different projects are not supported in email notifications.


A project import might not include the path-to-production view.


Jobs might not appear upon drill-down into the "Clusters With Most Deployments" widget in the CloudBees Analytics Microservices Dashboard if the service does not contain a deploy step in the process.


All subreleases of a release must appear before the release in the DSL for the release-to-subrelease link to be created.

CEV-19239 CEV-19259

The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.


If Release Command Center was set up for JIRA for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping ` projectName:releaseProjectName`, then before upgrading to 10.0 the field mapping must be updated to mention the actual release project name using the following field mapping format: "release-project-name-in-CloudBees CD/RO":releaseProjectName


Approval by email on manual tasks should not expect parameters.


If you use the ectool export to export your system configuration from a previous release and then use ectool import to import the same configuration to a CloudBees CD/RO 10.0 server, some out-of-the-box content introduced in the releases since the version from which the full export was done, such as new or updated plugins, new catalog items, and persona based menu items, may be missing in the CloudBees CD/RO server UI. It is recommended to use ectool export and ectool import only between servers at the same version.


SSO does not work unless PHP configuration is changed due to a security-related request. Workaround: Change session.cookie_samesite to "Strict" in /opt/electriccloud/electriccommander/apache/conf/php.ini and restart the web server.


CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers will continue to work but there is no UI to review or run them.


Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to service objects from applications and releases.


You can revert changes only for high-level design objects such as applications procedures, procedure steps, workflow definitions, and state definitions.

Restarting the CloudBees CD/RO server while new records are created for all tracked objects might take at least as long as an export or import of all projects (10 to 40 minutes for a large project).


Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of group hierarchy in the LDAP server and the network latency between the servers. Make sure that your directory provider can handle the additional load for supporting nested group hierarchy traversal.


System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.