CloudBees is pleased to announce the newest CloudBees CD/RO long-term support (LTS) release. You can find specific information about this release in the following sections:

The following changes have been made to the CloudBees CD/RO release notes:

  • The plugin release notes sections Plugin updates and PDK enhancements have been migrated to the Plugin release notes tab.

  • The upgrade notes sections Behavior changes, Installation and upgrade notes, and Configuration notes have been migrated to the new Upgrade notes tab.

Security fixes

The following security fixes and improvements have been made as part of this release:

Upgraded com.squareup.okio:okio-jvm to 3.6.0

Upgraded com.squareup.okio:okio-jvm to version 3.6.0 to address a vulnerability.

Updated org.json:json library

Upgraded org.json:json library to v20231013 for improved security.

Updated xmlsec library

Upgraded the xmlsec library to v2.3.4.

Netty library update to v4.1.104.Final

Upgraded Netty library to version 4.1.104.Final to address multiple vulnerabilities.

curl path traversal vulnerability resolved

In previous releases of CloudBees CD/RO, a vulnerability related to curl and a possible path traversal exploit was detected and has been resolved.

PDK v4.0.2 released with updated SnakeYAML

PDK v4.0.2 has been released. This PDK version includes an updated SnakeYAML, which addresses previous vulnerabilities. For more information, refer to the PDK release notes.

Enabled HSTS by default in CloudBees CD/RO Apache web server

HTTP Strict Transport Security (HSTS) headers are now active by default in the CloudBees CD/RO Apache web server.

Java updated to v17.0.9

Java has been updated from v17.0.7 to v17.0.9.

Enhanced XML processing security

Improved XML processing to help mitigate potential denial of service scenarios.

HTML parsing update

Enhanced HTML parsing for internal libraries to help prevent potential memory overflow issues and improve handling of malformed markup.

Logback classic updated to v1.4.14

Upgraded Logback library to v1.4.14 to address multiple vulnerabilities.

Improved HTTP request handling

Upgraded spring-core for enhanced request handling.

Vulnerable library removal

The jose4j library has been removed for security reasons.

Elasticsearch version has been updated

Upgraded Elasticsearch to v7.17.16.

Removed apacheds-kerberos-codec, and KerberosKeytab support

Removed org.apache.directory.server:apacheds-kerberos-codec, and associated KerberosKeytab API support.

BouncyCastle was upgraded

BouncyCastle, a critical cryptography library, was upgraded to resolve security vulnerabilities.

Third-party libraries updates

The following CloudBees CD/RO third-party libraries have been updated:

  • OpenSSL to version 3.0.13

  • PHP to version 8.1.27

Enhanced input sanitization for data protection

Updated handling of HTTP requests that contain unsanitized data to reduce the risk of data exposure.

Spring framework and plugin version upgrade

Updated Spring framework from v6.1.2 to v6.1.3 and Spring Boot Maven Plugin from v3.2.1 to v3.2.2.

Apache ActiveMQ-Artemis updated

Apache ActiveMQ-Artemis was updated to address a vulnerability that could allow remote code execution.

New features

The following new features are introduced as part of this release:

Configure IP protocols for CloudBees CD/RO Kubernetes, including IPv6 support

Starting in CloudBees CD/RO v2024.03.0, you can specify the IP protocol CloudBees CD/RO components use as part of Kubernetes environments. For more information, refer to Configure IP protocol for Helm chart components.

Supported IP configurations include:

  • IPv4-only

  • IPv6-only (EKS)

  • IPv4/IPv6 dual-stack (EKS)

    As part of this feature, all CloudBees CD/RO components also now accept and produce IPv6 requests, including for the configuration database, SSO, AD/LDAP, and SMTP. Additionally, CloudBees CD/RO command line tools, ectool, ec-groovy, ec-perl, cb-perl, and dslsync, have been updated to support IPv6.

For traditional installations, only IPv4 environments are supported.

DSL Git Synchronization CLI is now available

Starting in CloudBees CD/RO v2024.03.0, DSL Git Synchronization is now available for installation as part of the standard CloudBees CD/RO Tools. For installation instructions, refer to the CloudBees Tools installation.

The DSL Git Synchronization CLI utility extends the functionality of the generateDsl and evalDsl APIs to help manage and promote DSL across multiple files and directories in a GitOps and IDE friendly manner. This feature applies intelligence to the DSL evaluation based upon Git logs and delete or modify actions, and applies only changes. Additionally, unlike EC-DslDeploy, dslsync commands are run directly from a CLI without requiring a CloudBees CD/RO agent. For configuration and usage instructions, refer to DSL Git Synchronization.

Feature enhancements

The following feature enhancements have been made as part of this release:

MariaDB updated to v3.3.0

MariaDB Java connection client/driver has been updated to v3.3.0.

Enhanced Cleanup Associated Workspace procedure

Implemented additional validation checks to confirm resources and workspaces targeted for cleanup are enabled and exist. A new post-processor is now included to capture and signal warnings that may occur during the cleanup process.

GKE demo and production environment examples added

Examples of CloudBees CD/RO demo and production installations have been added for GKE clusters. For more information, refer to CloudBees CD/RO examples GitHub repository.

CloudBees CD/RO now supports OpenShift and ROSA v4.14

OpenShift and ROSA v4.14 have been tested and are supported for CloudBees CD/RO v2024.03.0 running on Kubernetes v1.27. For more information on supported versions, refer to Supported platforms for CloudBees CD/RO on Kubernetes.

Enhanced sorting functionality

Now you can cycle through ascending, descending, and default sorting states directly on list pages such as the pipelines list page. The new default state returns the list view to its original order without needing to refresh or leave the page.

New link opens the Analytics dashboards page

The dashboard page can now be accessed by selecting the new Analytics link in the top menu.

Enhanced web server configuration with new ecconfigure arguments

Introduced new arguments for ecconfigure:

  1. --webEnableHttpHeaderFilter=<1|0> Enable (1) or disable (0) HOST header filter.

  2. --webHttpHeaderWhiteList=hosts The list of host names, separated by a pipe character (|), for the request HOST header filter.

  3. --webShowHttpHeaderWhiteList=<1|0> Displays (1) list of allowed request HOST header(s).

IPv6 supported in ectool

To support IPv6 handling, ectool has been updated to allow the following IPv6 inputs:

  • IPv6: Used for standalone IPv6 addresses. For example, 2001:DB8::.

  • [IPv6]: Used for standalone IPv6 addresses. For example, [2001:DB8::].

  • [IPv6]:port: Used for combinations of IPv6 addresses and ports. For example, [2001:DB8::]:443.

    IPv6:port is not supported and result is undefined.
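
The three accepted input forms can be checked before a value is handed to ectool. The following is an added example, not CloudBees code and not how ectool itself parses its input: the function names and the sample values are constructed for illustration. It accepts the three forms listed above, rejects unbracketed IPv6:port, and shows why that form cannot be resolved: a string such as 2001:db8::1:443 is itself a valid IPv6 address.

```python
import ipaddress
import re

# "[addr]" or "[addr]:port"; the address text is validated separately.
_BRACKETED = re.compile(r"^\[([^\[\]]+)\](?::(\d{1,5}))?$")


def parse_ipv6_endpoint(text):
    """Return (form, address, port) for the three documented forms.

    form is "IPv6", "[IPv6]" or "[IPv6]:port"; port is None when absent.
    Raises ValueError for anything else, including unbracketed IPv6:port.
    """
    text = text.strip()
    m = _BRACKETED.match(text)
    if m:
        # AddressValueError is a ValueError subclass, so bad addresses raise here.
        addr = ipaddress.IPv6Address(m.group(1))
        if m.group(2) is None:
            return ("[IPv6]", addr, None)
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return ("[IPv6]:port", addr, port)
    try:
        return ("IPv6", ipaddress.IPv6Address(text), None)
    except ValueError:
        pass
    # Not a valid bare address. If dropping a trailing ":digits" makes it one,
    # the caller wrote the unsupported IPv6:port form.
    head, sep, tail = text.rpartition(":")
    if sep and tail.isdigit():
        try:
            ipaddress.IPv6Address(head)
        except ValueError:
            pass
        else:
            raise ValueError(
                f"unbracketed IPv6:port is not supported; use [{head}]:{tail}")
    raise ValueError(f"not an IPv6 endpoint: {text!r}")


def is_supported(text):
    """True when text is one of the three documented forms."""
    try:
        parse_ipv6_endpoint(text)
        return True
    except ValueError:
        return False


def ambiguous_as_port(text):
    """True for a valid bare address whose last group could be read as a port.

    Such input parses as a plain address, so an intended port is silently lost.
    """
    text = text.strip()
    head, sep, tail = text.rpartition(":")
    if not (sep and tail.isdigit()):
        return False
    try:
        ipaddress.IPv6Address(text)
        ipaddress.IPv6Address(head)
    except ValueError:
        return False
    return True


def bracketed(address, port=None):
    """Build the unambiguous form to pass on: [IPv6] or [IPv6]:port."""
    addr = ipaddress.IPv6Address(address)
    return f"[{addr}]" if port is None else f"[{addr}]:{port}"


# Constructed sample inputs (documentation prefix 2001:db8::/32).
SAMPLES = ["2001:DB8::", "[2001:DB8::]", "[2001:DB8::]:443",
           "2001:db8:0:0:0:0:0:1:443", "2001:db8::1:443"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, is_supported(s), ambiguous_as_port(s))
```
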

Logging configuration optimized

Optimized the logging configuration by setting the logging level for the HikariCP to:

  • com.zaxxer.hikari=INFO

  • com.zaxxer.hikari.HikariConfig=DEBUG

Added configurable termination grace period for agent pods

For various reasons, Kubernetes clusters may migrate an agent pod across nodes, which is normally triggered by a sigterm signal to the current agent pod that immediately terminates it. To provide better monitoring and graceful termination options, support has been added to the CloudBees CD/RO Helm charts to configure termination grace periods for agent pods. For more information, refer to Configure graceful termination period for agent pods.

Procedure step editor redesign

The procedure editor interface is redesigned while maintaining the same fields and inputs. This enhancement affects both the creation and editing of procedures.

New option to specify a property

Previously, specifying resources in procedure steps and pipeline stages was limited to directly naming a Resource or a resource pool. A new option in the Assign Resource or Resource Pool interface allows for switching to property mode, enhancing flexibility. This mode requires using a valid path in the property, which is resolved at runtime to either a resource or a pool. An example of a valid server-level property path is /server/super_resource.

Stage editor redesign

The pipeline editor’s stage interface is redesigned while maintaining the same fields and inputs. This enhancement affects both the creation and editing of stages.

Third-party tool updates for CloudBees CD/RO agents

The following third-party tools have been updated:

  • helm to v3.14.0

  • kubectl to v1.29.1

  • kubectl-argo-rollouts to v1.6.5

Updated CloudBees Accessibility Conformance Report

A new CloudBees Accessibility Conformance Report is available that provides information about the accessibility features for CloudBees CD/RO v2024.03. This report is based on the VPAT® (Voluntary Product Accessibility Template) Version 2.4Rev, the WCAG (Web Content Accessibility Guidelines) 2.0 Levels A and AA, Section 508, EN 301 549. For more information, refer to Accessibility.

Elasticsearch upgrade

Elasticsearch has been updated to version 7.17.18.

Added CloudBees Analytics installer option to specify IP protocols

Starting with the v2024.03.0 CloudBees Analytics installer, you can specify the default IP protocol to use. For more information on CloudBees Analytics server unattended installation, refer to:

  • --elasticsearchPreferIPv4Stack

  • --elasticsearchPreferIPv6Addresses

    These options may be passed when running the installer in any mode.

Resolved issues

The following issues have been resolved as part of this release:

Fixed conflict between the CreateOrModifyScheduleOperation argument rollingDeployManualStepAssignees Collection type and the DSL field String type

The rolling deployment phases generation in the DSL for Trigger entity was refactored to prevent conflicts between the rollingDeployManualStepAssignees Collection type of the CreateOrModifyScheduleOperation argument and the DSL field String type.

Fixed conflict between the CreateOrModifyScheduleOperation argument rollingDeployPhases Collection type and the DSL field String type

The rolling deployment phases generation in the DSL for Trigger entity was refactored to prevent conflicts between the rollingDeployPhases Collection type of the CreateOrModifyScheduleOperation argument and the DSL field String type.

Fixed conflict between the CreateOrModifyTriggerOperation argument rollingDeployPhases Collection type and the DSL field String type

The rolling deployment phases generation in the DSL for Trigger entity was refactored to prevent conflicts between the rollingDeployPhases Collection type of the CreateOrModifyTriggerOperation argument and the DSL field String type.

The myProcess/owningProjectName property disappears after restart

The myProcess/owningProjectName property is now retained after restarting CloudBees CD/RO.

Added InvalidObjectType to EcException for instances when mapping is not found for an objectType

When mapping is not found for an objectType, the InvalidObjectType EcException now occurs.

Parameter name duplication integrity violation

Resolved a system freeze issue due to duplicate parameter names within a single container. During the upgrade to this release, duplicates are automatically removed.

Fix invalid ELF header caused by libxml2.so.2

In previous releases, when running CloudBees CD/RO agents on Linux ARM, an exception was raised for an invalid ELF header caused by libxml2.so.2. This issue has been fixed in v2024.03.0.

As a workaround in previous versions, remove the installed version of libxml2.so.2, and point to a local version instead.

Field deleted is excluded from the describeObject API response

Field deleted has been excluded from the describeObject API response when a SearchFilterView view name is specified.

Rename/delete not working for non-property containers

When renaming or deleting an object before this update, validation based on the existing name property failed for non-property containers. This release corrects the issue by ensuring the correct path for the name property is provided for both property containers and non-property containers.

Fixed inconsistent behavior of DSL import overwrite option

When running evalDSL using --overwrite 1, child objects represented as empty entities without any properties were still present after importing the DSL. The overwrite handling has now been updated so that all child objects not specified in DSL are deleted.

The rolling deploy phases size limit was too small

The rolling deploy phases are no longer limited by size.

Commas were not permitted in rolling deploy phase names

Previously, commas (,) were not permitted in the names of a rolling deploy phase. This has been addressed, and now commas are permitted.

Multi-select parameters

The multi-select behavior issue was resolved. Now, adding multiple parameter values works as expected.

Fixed issue with the renderCondition formal parameter field generation in the DSL

Fixed an issue where the renderCondition formal parameter field incorrectly evaluated integer inputs. Now, the parameter is evaluated on input and forces the use of a string.

Improved HTML link display

Updated handling patterns for pure HTML to accurately display full address links.

All active CloudBees CI users not displayed in CloudBees CD/RO

Previously, not all active CloudBees CI users were displayed in the CloudBees CD/RO interface. This issue has now been fixed, and CloudBees CD/RO displays an accurate list of active CloudBees CI users.

Wrong request was sent for pipeline run that aborted all pipeline runs

Resolved an issue where abortAllPipelineRuns requests could be erroneously triggered in pipeline runs associated with a release from the Pipeline runs list page. This issue would cause all pipeline runs associated with the release to be aborted.

Previously generated CloudBees Analytics certificates fail in v2023.12.0

When upgrading to v2023.12.0 on Kubernetes, CloudBees Analytics (flow-devopsinsight) fails to start if your certificates were generated using cbflow-tools from v2023.10 or earlier or custom certificates generated using OpenSSL 2. To resolve this issue in v2023.12.0, new certificates must be generated. For more information on generating Analytics server certificates, refer to Configure CloudBees Analytics server certificates.

In v2024.03.0, this issue has been fixed. Additionally, CloudBees Analytics v2024.03.0 is backwards compatible with certificates generated using cbflow-tools from v2023.10 or earlier or custom certificates generated using OpenSSL 2.

Kerberos Keytab configurations removed from UI

Kerberos Keytab configurations are deprecated and no longer supported. UI configurations for this functionality are now removed.

All snapshots were not present in selection menu

Previously, not all snapshots appeared in the selection menu and prevented users from being able to view or select all available snapshots. Now, all snapshots are displayed in the selection menu.

Known issues

The following issues are included as known issues in this release:

MeanLeadTime report does not work correctly without release runs

The MeanLeadTime report does not work correctly when Elasticsearch only has pipeline runs but no release runs.

Artifacts can’t be transferred across zones using UI

The CloudBees CD/RO UI does not allow you to transfer artifacts across zones.

Data from a custom data retention policy schedule is not purged for single runs

When a custom data retention policy schedule is set to run once, the data is not purged after archiving. To purge data after archiving, use a repeat schedule or the global data retention setting.

Using PostgreSQL change tracking may generate errors

When using PostgreSQL with change tracking enabled, EcAuditStrategy errors may appear in the server log. This is a known issue, but is not expected to have any effect on the performance of the system.

Events generated from CloudBees CI create URLs that cause 401 errors

Events that originate from the default CloudBees CI create default configurations. URLs for these new controllers are not Jenkins configured URLs and cause 401 errors.

Kerberos SSO sign-in issues

You may experience SSO sign-in issues when using Kerberos due to a Microsoft known issue.

Process steps modified during runs to be manual will hang

When a process step that is not manual is modified to be manual after the process runs, but before the associated job step is evaluated, the step hangs and adds a java.lang.IllegalStateException: Unknown step type: manual exception to the log.

flowRuntime reports existing CloudBees CI job when switching platforms

The flowRuntime response contains hasCIJobs=1 if a release was started from CloudBees CD/RO and the previous release run was triggered within CloudBees CI.

Catalog item objects cannot end in spaces on Windows agents

On Windows agents, "Export DSL" catalog item fails to export objects that end in spaces.

CI build logs are not accessible using getCIBuildLog without controller restart

When running getCIBuildLog for a CloudBees CI build, the build log cannot be accessed without restarting the build CloudBees CI controller. As a workaround, restart your CloudBees CI controller and set up a number of executors; getCIBuildLog can then be used to access the CloudBees CI build logs.

v10.2 and earlier legacy services may cause failed upgrades and break database consistency

Before upgrading from CloudBees CD/RO v10.2 and earlier, if legacy services exist in your system, upgrades may fail and database consistency may break. Additionally, even if the upgrade returns successfully, it may still be impossible to run the validateDatabase API.

As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade.

Undefined parameters returned in CloudBees CI job response

In CloudBees CI job responses, actual parameters are returned that are not defined within the job. Additionally, saving and reloading the tasks doesn’t clear undefined actual parameters.

Multi-select menu options don’t define specific projects of project objects

Currently, if a formal parameter depends on a dropdown menu to get project parameter dependencies for object-like parameters, such as projectName, you can select multiple options in dropdown menus. However, there is only an object name (or list of names in case of multi-select) in the parameter value with no connection to a project and without the ability to identify which object exists in which projects.

CloudBees does not recommend using multi-select options for parameters used as project parameter dependency for object-like parameters when configuring formal parameters. This applies for the following formal parameter types:

  • Application

  • Procedure

  • Pipeline

  • Release

  • Environment

Running a catalog item from the UI fails if both parameter form and formal parameter(s) are configured

Catalog items configured with both a parameter form and formal parameter(s) fail to run when executed in the UI. As a workaround, delete the formal parameter(s), and run the catalog item with the parameter form.

v10.2 and earlier legacy services may cause failed upgrades and break database consistency

When updating from v10.2 or earlier to v10.3 or later, your upgrade may fail and break database consistency if legacy services or containers exist in your system. Additionally, even if the upgrade completes successfully with legacy services or containers present, it may still be impossible to run the validateDatabase API.

As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade. When upgrading a clustered deployment of CloudBees CD/RO, before running the installer to upgrade, delete the contents inside the broker-data directory, located at <DATA_DIR>/broker-data-<hostname>.

Catalog item parameters with dynamic default values are not populated automatically

In the Service catalog, for catalog item parameters with dynamic default values based on dependencies to another parameter, the default values are not automatically populated when the dependency is initially selected. However, the default values are automatically populated after selecting the dependency default value the second time.

Workaround: Select the dependency value and allow the page to reload, and then select the dependency value a second time. This should populate the remaining item parameters with dynamic default values.

SyncArtifactVersions procedure completes with success when it should fail

SyncArtifactVersions procedure completes with success, rather than showing a warning, when manifest is missing and overwrite = false.

Automation Platform UI requires artifacts to use English characters in their file names

When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error: Upload file: Exit code 1: ERROR: Publish failure: Unexpected retrieval exception for repository error.

Must restart server to apply LDAP changes

Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or ectool) until the CloudBees CD/RO server is restarted.

Not all Elasticsearch operations can be performed in a red state

(Microsoft Windows platforms only) If the Elasticsearch cluster used by CloudBees Analytics is in the red state (meaning that it only partly functions and some data is unavailable), then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the task manager before running the installer for these actions.

Microsoft Edge® doesn’t support SAML 2.0

The Microsoft Edge® browser does not work with SAML 2.0 and is missing a self-signed certificate during redirection from the identity provider to the service provider. Microsoft Edge® is not recommended for sign-in via SAML 2.0.

LANG environment variable must be set to en.US.UTF-8

The LANG environment variable must be set to en.US.UTF-8; otherwise, the upgrade fails. Refer to KBEC-00452 - Error installing CloudBees CD/RO 10.0.x when Lang environment variable is different than en.US.UTF-8 for details.

Schedules missing configuration do not display runtime error prompts

Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.

Changing name in Release Dashboard changes stage status color

The stage inclusion status in the Release Dashboard changes color after a stage is renamed.

Steps that cannot access their child steps are not retried

If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter), then the step is not retried even if it uses retry on error error handling. The job eventually completes with an error.

Retry count missing from pipeline runtime page

The retry count for group tasks or rules using automated retry on error is missing from the Pipeline runtime page.

Email notifications are not supported for complex environment mapping

Multiple mapped environments with the same name from different projects are not supported in email notifications.

Path-to-production view missing from imported project

A project import might not include the path-to-production view.

All subreleases must be present to link to a release

All subreleases of a release must appear before the release in the DSL for the release-to-subrelease links to be created.

CloudBees Analytics report editor doesn’t include search by assignee

The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.

Additional Release Command Center configurations for Jira

If Release Command Center was set up for Jira for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping projectName:releaseProjectName, then before upgrading to 10.0, the field mapping must be updated to mention the actual release project name using the following field mapping format: "release-project-name-in-CloudBees CD/RO":releaseProjectName.

Approval by email on manual tasks

Approval by email on manual tasks should not expect parameters.

ectool export and ectool import should only be used between same server versions

If you use the ectool export to export your system configuration from a previous release, and then use ectool import to import the same configuration to a CloudBees CD/RO 10.0 server, some out-of-the-box content introduced in the releases since the version from which the full export was done, such as new or updated plugins, new catalog items, and persona-based menu items, may be missing in the CloudBees CD/RO server UI. It is recommended to use ectool export and ectool import only between servers at the same version.

SSO requires additional PHP configuration

SSO does not work unless PHP configuration is changed due to a security-related request. As a workaround, change session.cookie_samesite to "Strict" in /opt/electriccloud/electriccommander/apache/conf/php.ini and restart the web server.

No UI to run or review pre-v10.1 triggers

CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers will continue to work but there is no UI to review or run them.

Legacy definitions and references cause unexpected behavior for full data exports

Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to service objects from applications and releases.

Reverting changes is not possible for all objects

You can only revert changes for high-level design objects such as applications, procedures, procedure steps, workflow definitions, and state definitions.

Restarting the CloudBees CD/RO server while new records are created for all tracked objects might take at least as long as an export or import of all projects (10 to 40 minutes for a large project).

Recursively traversing nested group hierarchies may cause performance issues

Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of group hierarchy in the LDAP server, and the network latency between the servers. Ensure that your directory provider can handle the additional load for supporting nested group hierarchy traversal.

Disabling and re-enabling change tracking may cause performance issues

System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.