CloudBees is pleased to announce the newest CloudBees CD/RO long-term support (LTS) release. You can find specific information about this release in the following sections:
The following changes have been made to the CloudBees CD/RO release notes:
Security fixes
The following security fixes and improvements have been made as part of this release:
- Upgraded `com.squareup.okio:okio-jvm` to 3.6.0
-
Upgraded `com.squareup.okio:okio-jvm` to version 3.6.0 to address a vulnerability.
- Updated `org.json:json` library
-
Upgraded `org.json:json` library to v20231013 for improved security.
- Updated `xmlsec` library
-
Upgraded the `xmlsec` library to v2.3.4.
- Netty library update to v4.1.104.Final
-
Upgraded Netty library to version 4.1.104.Final to address multiple vulnerabilities.
- `curl` path traversal vulnerability resolved
-
In previous releases of CloudBees CD/RO, a vulnerability related to `curl` and a possible path traversal exploit was detected and has been resolved.
- PDK v4.0.2 released with updated SnakeYAML
-
PDK v4.0.2 has been released. This PDK version includes an updated SnakeYAML, which addresses previous vulnerabilities. For more information, refer to the PDK release notes.
- Enabled HSTS by default in CloudBees CD/RO Apache web server
-
HTTP Strict Transport Security (HSTS) headers are now active by default in the CloudBees CD/RO Apache web server.
- Java updated to v17.0.9
-
Java has been updated from v17.0.7 to v17.0.9.
- Enhanced XML processing security
-
Improved XML processing to help mitigate potential denial of service scenarios.
- HTML parsing update
-
Enhanced HTML parsing for internal libraries to help prevent potential memory overflow issues and improve handling of malformed markup.
- Logback classic updated to v1.4.14
-
Upgraded Logback library to v1.4.14 to address multiple vulnerabilities.
- Improved HTTP request handling
-
Upgraded `spring-core` for enhanced request handling.
- Vulnerable library removal
-
The jose4j library has been removed for security reasons.
- Elasticsearch version has been updated
-
Upgraded Elasticsearch to v7.17.16.
- Removed apacheds-kerberos-codec, and KerberosKeytab support
-
Removed `org.apache.directory.server:apacheds-kerberos-codec`, and associated KerberosKeytab API support.
- BouncyCastle was upgraded
-
BouncyCastle, a critical cryptography library, was upgraded to resolve security vulnerabilities.
- Third-party libraries updates
-
The following CloudBees CD/RO third-party libraries have been updated:
- OpenSSL to version `3.0.13`
- PHP to version `8.1.27`
- Enhanced input sanitization for data protection
-
Updated handling of HTTP requests that contain unsanitized data to reduce the risk of data exposure.
- Spring framework and plugin version upgrade
-
Updated Spring framework from v6.1.2 to v6.1.3 and Spring Boot Maven Plugin from v3.2.1 to v3.2.2.
- Apache ActiveMQ-Artemis updated
-
Apache ActiveMQ-Artemis was updated to address a vulnerability that could allow remote code execution.
New features
The following new features are introduced as part of this release:
- Configure IP protocols for CloudBees CD/RO Kubernetes, including IPv6 support
-
Starting in CloudBees CD/RO v2024.03.0, you can specify the IP protocol CloudBees CD/RO components use as part of Kubernetes environments. For more information, refer to Configure IP protocol for Helm chart components.
Supported IP configurations include:
- IPv4-only
- IPv6-only (EKS)
- IPv4/IPv6 dual-stack (EKS)
For more information, refer to Supported platforms for CloudBees CD/RO on Kubernetes.
As part of this feature, all CloudBees CD/RO components also now accept and produce IPv6 requests, including for the configuration database, SSO, AD/LDAP, and SMTP. Additionally, CloudBees CD/RO command line tools, ectool, ec-groovy, ec-perl, cb-perl, and dslsync, have been updated to support IPv6.
For traditional installations, only IPv4 environments are supported.
- DSL Git Synchronization CLI is now available
-
Starting in CloudBees CD/RO v2024.03.0, DSL Git Synchronization is now available for installation as part of the standard CloudBees CD/RO Tools. For installation instructions, refer to the CloudBees Tools installation.
The DSL Git Synchronization CLI utility extends the functionality of the `generateDsl` and `evalDsl` APIs to help manage and promote DSL across multiple files and directories in a GitOps and IDE friendly manner. This feature applies intelligence to the DSL evaluation based upon Git logs and delete or modify actions, and applies only changes. Additionally, unlike EC-DslDeploy, `dslsync` commands are run directly from a CLI without requiring a CloudBees CD/RO agent. For configuration and usage instructions, refer to DSL Git Synchronization.
Feature enhancements
The following feature enhancements have been made as part of this release:
- MariaDB updated to v3.3.0
-
MariaDB Java connection client/driver has been updated to v3.3.0.
- Enhanced Cleanup Associated Workspace procedure
-
Implemented additional validation checks to confirm resources and workspaces targeted for cleanup are enabled and exist. A new post-processor is now included to capture and signal warnings that may occur during the cleanup process.
- GKE demo and production environment examples added
-
Examples of CloudBees CD/RO demo and production installations have been added for GKE clusters. For more information, refer to CloudBees CD/RO examples GitHub repository.
- CloudBees CD/RO now supports OpenShift and ROSA v4.14
-
OpenShift and ROSA v4.14 have been tested and are supported for CloudBees CD/RO v2024.03.0 running on Kubernetes v1.27. For more information on supported versions, refer to Supported platforms for CloudBees CD/RO on Kubernetes.
- Enhanced sorting functionality
-
Now you can cycle through ascending, descending, and default sorting states directly on list pages such as the pipelines list page. The new default state returns the list view to its original order without needing to refresh or leave the page.
- New link opens the Analytics dashboards page
-
The dashboard page can now be accessed by selecting the new Analytics link in the top menu.
- Enhanced web server configuration with new `ecconfigure` arguments
-
Introduced new arguments for `ecconfigure`:
- `--webEnableHttpHeaderFilter=<1|0>`: Enable (1) or disable (0) HOST header filter.
- `--webHttpHeaderWhiteList=hosts`: The list of host names, separated by a pipe character (`|`), for request HOST header filter.
- `--webShowHttpHeaderWhiteList=<1|0>`: Displays (1) list of allowed request HOST header(s).
- IPv6 supported in `ectool`
-
To support IPv6 handling, `ectool` has been updated to allow the following IPv6 inputs:
- IPv6: Used for standalone IPv6 addresses. For example, `2001:DB8::`.
- [IPv6]: Used for standalone IPv6 addresses. For example, `[2001:DB8::]`.
- [IPv6]:port: Used for combinations of IPv6 addresses and ports. For example, `[2001:DB8::]:443`.
`IPv6:port` is not supported and the result is undefined.
- Logging configuration optimized
-
Optimized the logging configuration by setting the logging level for the HikariCP to:
- `com.zaxxer.hikari=INFO`
- `com.zaxxer.hikari.HikariConfig=DEBUG`
- Added configurable termination grace period for agent pods
-
For various reasons, Kubernetes clusters may migrate an agent pod across nodes, which is normally triggered by a `sigterm` signal to the current agent pod that immediately terminates it. To provide better monitoring and graceful termination options, support has been added to the CloudBees CD/RO Helm charts to configure termination grace periods for agent pods. For more information, refer to Configure graceful termination period for agent pods.
- Procedure step editor redesign
-
The procedure editor interface is redesigned while maintaining the same fields and inputs. This enhancement affects both the creation and editing of procedures.
- New option to specify a property
-
Previously, specifying resources in procedure steps and pipeline stages was limited to directly naming a Resource or a resource pool. A new option in the Assign Resource or Resource Pool interface allows for switching to property mode, enhancing flexibility. This mode requires using a valid path in the property, which is resolved at runtime to either a resource or a pool. An example of a valid server-level property path is `/server/super_resource`.
- Stage editor redesign
-
The pipeline editor’s stage interface is redesigned while maintaining the same fields and inputs. This enhancement affects both the creation and editing of stages.
- Third-party tool updates for CloudBees CD/RO agents
-
The following third-party tools have been updated:
- `helm` to v3.14.0
- `kubectl` to v1.29.1
- `kubectl-argo-rollouts` to v1.6.5
- Updated CloudBees Accessibility Conformance Report
-
A new CloudBees Accessibility Conformance Report is available that provides information about the accessibility features for CloudBees CD/RO v2024.03. This report is based on the VPAT® (Voluntary Product Accessibility Template) Version 2.4Rev, the WCAG (Web Content Accessibility Guidelines) 2.0 Levels A and AA, Section 508, EN 301 549. For more information, refer to Accessibility.
- Elasticsearch upgrade
-
Elasticsearch has been updated to version `7.17.18`.
- Added CloudBees Analytics installer option to specify IP protocols
-
Starting with the v2024.03.0 CloudBees Analytics installer, you can specify the default IP protocol to use. For more information on CloudBees Analytics server unattended installation, refer to:
- `--elasticsearchPreferIPv4Stack`
- `--elasticsearchPreferIPv6Addresses`
These options may be passed when running the installer in any mode.
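The IPv6 input forms listed above for `ectool` and the pipe-separated host list given to `--webHttpHeaderWhiteList` both come down to splitting a host from an optional port, so one parser illustrates both. This is an added example, not CloudBees code and not a description of how `ectool` or the web server filter are implemented: the function names, the sample hosts, and the matching rule (exact, case-insensitive, port ignored) are assumptions.

```python
import ipaddress


def _port(text):
    """Validate a decimal TCP port and return it as an int."""
    if not (text.isascii() and text.isdigit()) or not 0 < int(text) < 65536:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def split_endpoint(text):
    """Split 'host', 'host:port', 'IPv6', '[IPv6]' or '[IPv6]:port'.

    Returns (host, port); port is None when absent. IPv6 hosts come back in
    compressed lower-case form. Raises ValueError on malformed input.
    """
    text = text.strip()
    if text.startswith("["):
        # Bracketed literal: the address is everything up to the closing ']'.
        end = text.find("]")
        if end == -1:
            raise ValueError(f"missing ']' in {text!r}")
        host = str(ipaddress.IPv6Address(text[1:end]))
        rest = text[end + 1:]
        if not rest:
            return host, None
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after ']' in {text!r}")
        return host, _port(rest[1:])
    if text.count(":") >= 2:
        # Unbracketed IPv6: every colon belongs to the address, so a trailing
        # ":443" cannot be told apart from a final address group.
        return str(ipaddress.IPv6Address(text)), None
    host, sep, port = text.partition(":")
    if not host:
        raise ValueError(f"empty host in {text!r}")
    return host.lower(), (_port(port) if sep else None)


def parse_allow_list(value):
    """Turn the pipe-separated host list into a set of normalized hosts."""
    return {split_endpoint(item)[0] for item in value.split("|") if item.strip()}


def host_allowed(host_header, allow_list):
    """Exact, case-insensitive host match; the port is ignored (assumption)."""
    try:
        host, _ = split_endpoint(host_header)
    except ValueError:
        return False  # malformed Host values are rejected, not guessed at
    return host in allow_list


# Constructed sample values, not taken from a real deployment.
ALLOW = parse_allow_list("cd.example.com|[2001:db8::10]")

if __name__ == "__main__":
    for sample in ("2001:DB8::", "[2001:DB8::]", "[2001:DB8::]:443",
                   "2001:db8::1:443"):
        print(f"{sample!r:22} -> {split_endpoint(sample)}")
    for header in ("CD.example.com:8443", "[2001:DB8::10]:443",
                   "other.example.net", "[2001:db8::10"):
        print(f"Host: {header!r:24} allowed={host_allowed(header, ALLOW)}")
```

The unbracketed input `2001:db8::1:443` parses as a valid address with no port, which shows why the `IPv6:port` form cannot be interpreted reliably.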
Resolved issues
The following issues have been resolved as part of this release:
- Fixed conflict between the `CreateOrModifyScheduleOperation` argument `rollingDeployManualStepAssignees` Collection type and the `DSL` field String type
-
The rolling deployment phases generation in the DSL for Trigger entity was refactored to prevent conflicts between the `rollingDeployManualStepAssignees` Collection type of the `CreateOrModifyScheduleOperation` argument and the `DSL` field String type.
- Fixed conflict between the `CreateOrModifyScheduleOperation` argument `rollingDeployPhases` Collection type and the `DSL` field String type
-
The rolling deployment phases generation in the DSL for Trigger entity was refactored to prevent conflicts between the `rollingDeployPhases` Collection type of the `CreateOrModifyScheduleOperation` argument and the `DSL` field String type.
- Fixed conflict between the `CreateOrModifyTriggerOperation` argument `rollingDeployPhases` Collection type and the `DSL` field String type
-
The rolling deployment phases generation in the DSL for Trigger entity was refactored to prevent conflicts between the `rollingDeployPhases` Collection type of the `CreateOrModifyTriggerOperation` argument and the `DSL` field String type.
- The `myProcess/owningProjectName` property disappears after restart
-
The `myProcess/owningProjectName` property is now retained after restarting CloudBees CD/RO.
- Added `InvalidObjectType` to `EcException` for instances when mapping is not found for an `objectType`
-
When mapping is not found for an `objectType`, the `InvalidObjectType` `EcException` now occurs.
- Parameter name duplication integrity violation
-
Resolved a system freeze issue due to duplicate parameter names within a single container. During the upgrade to this release, duplicates are automatically removed.
- Fix invalid ELF header caused by libxml2.so.2
-
In previous releases, when running CloudBees CD/RO agents on Linux ARM, an exception was raised for `invalid ELF header` caused by libxml2.so.2. This issue has been fixed in v2024.03.0.
As a workaround in previous versions, remove the installed version of libxml2.so.2, and point to a local version instead.
- Field `deleted` is excluded from the `describeObject` API response
-
Field `deleted` has been excluded from the `describeObject` API response when a `SearchFilterView` view name is specified.
- Rename/delete not working for non-property containers
-
When renaming or deleting an object before this update, validation based on the existing `name` property failed for non-property containers. This release corrects the issue by ensuring the correct path for the `name` property is provided for both property containers and non-property containers.
- Fixed inconsistent behavior of DSL import overwrite option
-
When running `evalDSL` using `--overwrite 1`, child objects represented as empty entities without any properties were still present after importing the DSL. The `overwrite` handling has now been updated so that all child objects not specified in DSL are deleted.
- The rolling deploy phases size limit was too small
-
The rolling deploy phases are no longer limited by size.
- Commas were not permitted in rolling deploy phase names
-
Previously, commas (`,`) were not permitted in the names of a rolling deploy phase. This has been addressed, and now commas are permitted.
- Multi-select parameters
-
The multi-select behavior issue was resolved. Now, adding multiple parameter values works as expected.
- Fixed issue with the `renderCondition` formal parameter field generation in the DSL
-
Fixed an issue where the `renderCondition` formal parameter field incorrectly evaluated integer inputs. Now, the parameter is evaluated on input and forces the use of a string.
- Improved HTML link display
-
Updated handling patterns for pure HTML to accurately display full address links.
- All active CloudBees CI users not displayed in CloudBees CD/RO
-
Previously, not all active CloudBees CI users were displayed in the CloudBees CD/RO interface. This issue has now been fixed, and CloudBees CD/RO displays an accurate list of active CloudBees CI users.
- Wrong request was sent for pipeline run that aborted all pipeline runs
-
Resolved an issue where `abortAllPipelineRuns` requests could be erroneously triggered in pipeline runs associated with a release from the Pipeline runs list page. This issue would cause all pipeline runs associated with the release to be aborted.
- Previously generated CloudBees Analytics certificates fail in v2023.12.0
-
When upgrading to v2023.12.0 on Kubernetes, CloudBees Analytics (`flow-devopsinsight`) fails to start if your certificates were generated using `cbflow-tools` from v2023.10 or earlier or custom certificates generated using OpenSSL 2. To resolve this issue in v2023.12.0, new certificates must be generated. For more information on generating Analytics server certificates, refer to Configure CloudBees Analytics server certificates.
In v2024.03.0, this issue has been fixed. Additionally, CloudBees Analytics v2024.03.0 is backwards compatible with certificates generated using `cbflow-tools` from v2023.10 or earlier or custom certificates generated using OpenSSL 2.
- Kerberos Keytab configurations removed from UI
-
Kerberos Keytab configurations are deprecated and no longer supported. UI configurations for this functionality are now removed.
- All snapshots were not present in selection menu
-
Previously, not all snapshots appeared in the selection menu and prevented users from being able to view or select all available snapshots. Now, all snapshots are displayed in the selection menu.
Known issues
The following issues are included as known issues in this release:
- `MeanLeadTime` report does not work correctly without release runs
-
The `MeanLeadTime` report does not work correctly when Elasticsearch only has pipeline runs but no release runs.
- Artifacts can’t be transferred across zones using UI
-
The CloudBees CD/RO UI does not allow you to transfer artifacts across zones.
- Data from a custom data retention policy schedule is not purged for single runs
-
When a custom data retention policy schedule is set to run once, the data is not purged after archiving. To purge data after archiving, use a repeat schedule or the global data retention setting.
- Using PostgreSQL change tracking may generate errors
-
When using PostgreSQL with change tracking enabled,
EcAuditStrategy
errors may appear in the server log. This is a known issue, but is not expected to have any effect on the performance of the system.
- Events generated from CloudBees CI create URLs that cause 401 errors
-
Events that originate from the default CloudBees CI create default configurations. URLs for these new controllers are not Jenkins configured URLs and cause 401 errors.
- Kerberos SSO sign-in issues
-
You may experience SSO sign-in issues when using Kerberos due to a Microsoft known issue.
- Process steps modified during runs to be manual will hang
-
When a process step that is not manual is modified to be manual after the process runs, but before the associated job step is evaluated, the step hangs and adds a `java.lang.IllegalStateException: Unknown step type: manual exception` to the log.
- `flowRuntime` reports existing CloudBees CI job when switching platforms
-
The `flowRuntime` response contains `hasCIJobs=1` if a release was started from CloudBees CD/RO and the previous release run was triggered within CloudBees CI.
- Catalog item objects cannot end in spaces on Windows agents
-
On Windows agents, "Export DSL" catalog item fails to export objects that end in spaces.
- CI build logs are not accessible using getCIBuildLog without controller restart
-
When running `getCIBuildLog` for a CloudBees CI build, the build log cannot be accessed without restarting the build CloudBees CI controller. As a workaround, restart your CloudBees CI controller, and set up a number of executors, and `getCIBuildLog` can then be used to access the CloudBees CI build logs.
- v10.2 and earlier legacy services may cause failed upgrades and break database consistency
-
Before upgrading from CloudBees CD/RO v10.2 and earlier, if legacy services exist in your system, upgrades may fail and break database consistency. Additionally, even if the upgrade returns successfully, it may still be impossible to run the `validateDatabase` API.
As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade.
- Undefined parameters returned in CloudBees CI job response
-
In CloudBees CI job responses, actual parameters are returned that are not defined within the job. Additionally, saving and reloading the tasks doesn’t clear undefined actual parameters.
- Multi-select menu options don’t define specific projects of project objects
-
Currently, if a formal parameter depends on a dropdown menu to get project parameter dependencies for object-like parameters, such as `projectName`, you can select multiple options in dropdown menus. However, there is only an object name (or list of names in case of multi-select) in the parameter value with no connection to a project and without the ability to identify which object exists in which projects.
CloudBees does not recommend using multi-select options for parameters used as project parameter dependency for object-like parameters when configuring formal parameters. This applies for the following formal parameter types:
- Application
- Procedure
- Pipeline
- Release
- Environment
- Running a catalog item from the UI fails if both parameter form and formal parameter(s) are configured
-
Catalog items configured with both a parameter form and formal parameter(s) fail to run when executed in the UI. As a workaround, delete the formal parameter(s), and run the catalog item with the parameter form.
- v10.2 and earlier legacy services may cause failed upgrades and break database consistency
-
When updating from v10.2 or earlier to v10.3 or later, your upgrade may fail and break database consistency if legacy services or containers exist in your system. Additionally, even if the upgrade completes successfully with legacy services or containers present, it may still be impossible to run the `validateDatabase` API.
As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade. When upgrading a clustered deployment of CloudBees CD/RO, before running the installer to upgrade, delete the contents inside the `broker-data` directory, located at `<DATA_DIR>/broker-data-<hostname>`.
- Catalog item parameters with dynamic default values are not populated automatically
-
In the Service catalog, for catalog item parameters with dynamic default values based on dependencies to another parameter, the default values are not automatically populated when the dependency is initially selected. However, the default values are automatically populated after selecting the dependency default value the second time.
Workaround: Select the dependency value and allow the page to reload, and then select the dependency value a second time. This should populate the remaining item parameters with dynamic default values.
- `SyncArtifactVersions` procedure completes with success when it should fail
-
`SyncArtifactVersions` procedure completes with success, rather than showing a warning, when manifest is missing and `overwrite = false`.
- Automation Platform UI requires artifacts to use English characters in their file names
-
When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error: `Upload file: Exit code 1: ERROR: Publish failure: Unexpected retrieval exception for repository error`.
- Must restart server to apply LDAP changes
-
Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or `ectool`) until the CloudBees CD/RO server is restarted.
- Not all Elasticsearch operations can be performed in a red state
-
(Microsoft Windows platforms only) If the Elasticsearch cluster used by CloudBees Analytics is in the red state (meaning that it only partly functions and some data is unavailable), then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the task manager before running the installer for these actions.
- Microsoft Edge® doesn’t support SAML 2.0
-
The Microsoft Edge® browser does not work with SAML 2.0 and is missing a self-signed certificate during redirection from the identity provider to the service provider. Microsoft Edge® is not recommended for sign-in via SAML 2.0.
- LANG environment variable must be set to `en.US.UTF-8`
-
The LANG environment variable must be set to `en.US.UTF-8`; otherwise, the upgrade fails. Refer to KBEC-00452 - Error installing CloudBees CD/RO 10.0.x when Lang environment variable is different than en.US.UTF-8 for details.
- Schedules missing configuration do not display runtime error prompts
-
Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.
- Changing name in Release Dashboard changes stage status color
-
The stage inclusion status in the Release Dashboard changes color after a stage is renamed.
- Steps that cannot access their child steps are not retried
-
If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter), then the step is not retried even if it uses `retry on error` error handling. The job eventually completes with an error.
- Retry count missing from pipeline runtime page
-
The retry count for group tasks or rules using `automated retry on error` is missing from the Pipeline runtime page.
- Email notifications are not supported for complex environment mapping
-
Multiple mapped environments with the same name from different projects are not supported in email notifications.
- Path-to-production view missing from imported project
-
A project import might not include the path-to-production view.
- All subreleases must be present to link to a release
-
All subreleases of a release must appear before the release in the DSL for the release-to-subrelease links to be created.
- CloudBees Analytics report editor doesn’t include search by assignee
-
The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.
- Additional Release Command Center configurations for Jira
-
If Release Command Center was set up for Jira for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping `projectName:releaseProjectName`, then before upgrading to 10.0, the field mapping must be updated to mention the actual release project name using the following field mapping format: `"release-project-name-in-CloudBees CD/RO":releaseProjectName`.
- Approval by email on manual tasks
-
Approval by email on manual tasks should not expect parameters.
- `ectool export` and `ectool import` should only be used between same server versions
-
If you use the `ectool export` to export your system configuration from a previous release, and then use `ectool import` to import the same configuration to a CloudBees CD/RO 10.0 server, some out-of-the-box content introduced in the releases since the version from which the full export was done, such as new or updated plugins, new catalog items, and persona-based menu items, may be missing in the CloudBees CD/RO server UI. It is recommended to use `ectool export` and `ectool import` only between servers at the same version.
- SSO requires additional PHP configuration
-
SSO does not work unless PHP configuration is changed due to a security-related request. As a workaround, change `session.cookie_samesite` to `"Strict"` in `/opt/electriccloud/electriccommander/apache/conf/php.ini` and restart the web server.
- No UI to run or review pre-v10.1 triggers
-
CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers will continue to work but there is no UI to review or run them.
- Legacy definitions and references cause unexpected behavior for full data exports
-
Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to `service` objects from applications and releases.
- Reverting changes is not possible for all objects
-
You can only revert changes for high-level design objects such as applications procedures, procedure steps, workflow definitions, and state definitions.
Restarting the CloudBees CD/RO server while new records are created for all tracked objects might take at least as long as an export or import of all projects (10 to 40 minutes for a large project).
- Recursively traversing nested group hierarchies may cause performance issues
-
Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of group hierarchy in the LDAP server, and the network latency between the servers. Ensure that your directory provider can handle the additional load for supporting nested group hierarchy traversal.
- Disabling and re-enabling change tracking may cause performance issues
-
System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.