CloudBees is pleased to announce the newest CloudBees CD/RO long-term support (LTS) release. You can find specific information about this release in the following sections:
Before upgrading to v2025.03.0, there may be several upgrade notes that require action on your part. For more information, refer to the following (as applicable):
Security fixes
The following security fixes and improvements have been made as part of this release:
- Ingress-NGINX critical security mitigation
- Fixed issue that could result in object information exposure
  When running objects that contained `echo` statements, it was possible that internal information about the object could be exposed as part of the `echo` statement. This behavior has been updated to use static strings instead.
- Error messages refactored to enhance data security
  Error messages have been refactored to prevent potential data leakage and help ensure sensitive information is not exposed.
- Removed improper security header
  Removed an improper security header that could have impacted security compliance.
- Enhanced input sanitization for data protection
  Updated handling of HTTP requests that contain unsanitized data to reduce the risk of data exposure.
- CloudBees Analytics updated with OpenSearch v2.19.0
  To address security issues, OpenSearch was updated in CloudBees Analytics from v2.14.0 to v2.19.0.
- Go crypto library updated
  The Go crypto library (`golang.org/x/crypto`) has been updated from version v0.27.0 to v0.31.0 to address security issues and improve CloudBees CD/RO cryptography features.
- Apache MINA version updated
  To address security issues, the Apache MINA library (`mina-core`), used by the CloudBees CD/RO web server, was updated from v2.2.3 to v2.2.4.
- Spring Security package upgraded
  The Spring Security package (`spring-security-core`) was upgraded from v6.2.3 to v6.2.8 to address security vulnerabilities.
New features
The following new features are introduced as part of this release:
- Create Windows agent container images
  CloudBees CD/RO now includes resources to create container images for Windows agents. For more information, refer to Create Windows agent images.
Feature enhancements
The following feature enhancements have been made as part of this release:
- PostgreSQL 16 added to supported databases
  PostgreSQL 16 has been tested and is supported by CloudBees CD/RO traditional and Kubernetes installations. For more information, refer to:
- Improved navigation on Pipeline runs pages
  To increase usability and user experience, multiple improvements were made to the navigation on the Pipeline runs pages. These include scrolling within pipeline stages and improved horizontal scrolling.
- Improved sub-pipeline restart visibility and status handling
  When restarting a sub-pipeline from a higher-level pipeline task, the top-level pipeline is now aware of the restart and updates the task status accordingly. If the sub-pipeline completes successfully after a restart, the associated task in the top-level pipeline is marked as successful, preventing unnecessary task repetition and reducing deployment time.
- Skip keys when using evalDsl overwrite mode
  Enhanced `evalDsl overwrite=true` to allow you to skip specific properties during overwrite. You can now use the `skipOverwriteByKey` option to preserve existing values for designated keys. For details and examples, refer to the evalDsl documentation.
- Configure password enforcement policy
  You can now configure a custom policy to enforce user password requirements. For more information on configuring a password enforcement policy, refer to Configure password enforcement policy.
- Configure naming policy for snapshot names
  You can now configure a custom naming policy to enforce for snapshot names. For more information on configuring a snapshot naming policy, refer to Configure snapshot naming enforcement policy.
- Instructions for manual tasks now support Markdown
  When configuring manual steps and tasks, you can now use Markdown in the Instructions field. Additionally, instructions written in Markdown are correctly rendered in emails sent to approvers. For more information, refer to Define manual steps and Define manual tasks.
- Kubernetes v1.31 is now supported
  Kubernetes v1.31 is now supported. For more information, refer to Supported platforms for CloudBees CD/RO on Kubernetes.
Resolved issues
The following issues have been resolved as part of this release:
- Manual step task parameters not rendering on first pipeline run
  Fixed an issue where parameters defined in manual step task definitions were not rendered during the first instance of a pipeline run. When this occurred, aborting the run and restarting the pipeline would display the parameters as expected.
  Now, manual step task parameters are rendered correctly on the first run.
- Details not returned for AD LDAP groups with backslash in name
  Fixed an issue where the `getGroups` API did not return the repository or provider name if the Active Directory (AD) LDAP group name contained a backslash (`\`). The API now correctly handles group names with backslashes and includes the repository or provider name in the response.
- Documentation improved for findObjects
  Fixed an issue in the documentation for `findObjects` where examples for filtering based on time-specific fields were not included. To improve usability, the findObjects page now includes multiple examples for filtering based on time-specific fields.
- Empty parameters had default values applied
  Fixed an issue where, if a parameter had a default value preconfigured but was then assigned an empty value within a step, the preconfigured default value was applied when running the step instead of the empty value as expected. Now, the empty value is applied as expected.
- Stage summaries not selectable in Pipeline runs tab
  Fixed an issue in the Pipeline runs tab where stage summaries were not selectable. Additionally, All Run Statuses and Expand Latest Run by Default options overlapped the summary, blocking visibility of errors and detailed content.
- Approvers could approve task before parameter validation
  Fixed an issue where users could approve manual tasks during parameter validation, even if conditions were not yet fulfilled. Now, approvers can only approve a task once all parameters have been validated.
- Last user to access an object is not returned
  Fixed an issue where, when using `findObjects` with `accessedOnLastLogin` to find the last user who accessed an object, an `Invalid filter operand` message was returned. Now, the last user to access an object is returned as expected.
- Component definition field data was unexpectedly cleared
  Fixed an issue where, when configuring an application component for the first time, the component definition fields were initially populated as expected. However, after navigating to other sections of the application component definition, the data that was populated in the component definition fields was then cleared and had to be reentered.
  Now, navigating to other sections of the application component definition does not affect the component definition field data.
- Only first 20 artifacts are displayed
  Fixed an issue where the UI displayed only the first 20 versions of a linked artifact when creating application snapshots. Additionally, version searches only included the first 20 versions, causing issues selecting the correct version. Now, all available versions are searchable and selectable.
- Sub-procedures could not use credentials from parent objects
  Fixed an issue where, when configuring a sub-procedure with a credential parameter retrieved from its parent object, it failed evaluation with a `Failed to find credential` error message.
- Overlapping label text in Portfolio basic
  Fixed an issue where, in some browsers, the label text in the page key would overlap and become unreadable when resizing the page. The label text in the page key now has the correct spacing and is readable when resizing the page.
- Delete task popup not closing after error message
  Fixed an issue where the delete confirmation popup did not close after an error response when attempting to delete a task from a stage in a completed release pipeline definition.
- Updating a sub-pipeline stage name after parent pipeline definition caused errors
  Fixed an issue where pipeline steps running a sub-pipeline would fail if a stage in the sub-pipeline was renamed after being defined. This occurred because the parent pipeline DSL referenced the original stage name from the sub-pipeline.
  Renaming a stage in a sub-pipeline no longer causes the parent pipeline to fail, and the parent pipeline operates as expected.
- Updating a sub-release stage name after parent release definition caused errors
  Resolved an issue where a parent release returned errors if it contained a sub-release where a stage name was changed after being defined in the parent release. These errors prevented the completion of both the parent and sub-releases, which also prevented them from being deleted.
  This behavior has been fixed. Renaming stages within a sub-release no longer causes errors in a parent release, and allows both releases to execute, complete, and be deleted as expected.
- Duplicate keys are returned for large release queries
  Fixed an issue where, when retrieving a large batch of releases (`>500`) using `getReleases`, an `IllegalStateException` caused the operation to fail because of a duplicate key in the results. Now, `getReleases` returns the query as expected.
- Releases with more than 20 applications cannot be deployed
  Fixed an issue where adding more than 20 applications to a release caused deploy processes beyond the 20th to not be selected properly. Additionally, even though a selection was made, they were not saved and disappeared when reloading the page, which prevented deployment. This issue has now been resolved.
- Artifacts were retrieved despite validation issues
  Fixed an issue where artifacts were still copied to a target despite encountering a validation error during retrieval. Retrieving artifacts now works as expected, and if a validation error occurs, the step fails and returns an error message detailing the specific issue.
- Service catalog button hidden by lists
  Fixed an issue where long parameter lists overflowed, hiding selection buttons and preventing them from being selected.
- Unable to modify CI job task parameters
  Fixed an issue where, in some cases, the Task edit drawer did not close after saving changes to a CI job type task, such as renaming. Specifically, this issue occurred only if the CI job was inside a folder or nested folders of a CloudBees CI controller.
- Null value in ACLs caused project DSL export to fail
  Fixed an issue that occurred when using the EC-DslDeploy plugin procedure generateDslToDirectory to export a project that used custom ACLs. The same issue was also observed with `ectool` commands, such as: `ectool generateDsl "/projects/myProject" --withAcls true`
  In both cases, the exports failed due to a `NullPointerException` (NPE). This issue was fixed by implementing null check logic for ACLs to prevent the NPE issue during project DSL export. This fix has been applied to v2024.12.1 and later.
- DSL export injects unexpected ACL
  Fixed an issue where DSL export injected an unexpected ACL when a trigger existed in a pipeline or procedure, preventing successful DSL code import using DSL Sync.
- ZooKeeper `bin` directory missing in v2024.12.x
  Fixed an issue where, in v2024.12.0 and v2024.12.1, the ZooKeeper installation (`zookeeper-3.9.3`) was missing the `bin` directory. The ZooKeeper installation now includes the `bin` directory. If you are trying to fix this issue for v2024.12.0 or v2024.12.1, refer to the CloudBees CD/RO v2024.12.0 Known issues.
- Unable to scroll in side panels
  Fixed an issue where, for pipeline steps that contained a side panel, you were unable to scroll through the list of items displayed within the panel. Now, you can scroll within the panel as expected.
- Different behavior for local users versus LDAP/AD users
  Fixed an issue where the `getWorkItems` API returned a count of 0 when using the `userName` parameter for LDAP/AD users, while it worked correctly for local users.
- Error message returned for ec-specs dependencies
  Due to potential security issues, CloudBees has migrated the archive for the ec-specs JAR to its own dedicated archive repository. If you receive a `[ERROR] 503 Service Temporarily Unavailable` message, you must update the ec-specs-examples Git repository and recompile your tests. For more information, refer to ec-specs.
Known issues
The following issues are included as known issues in this release:
- `MeanLeadTime` report does not work correctly without release runs
  The `MeanLeadTime` report does not work correctly when Elasticsearch only has pipeline runs but no release runs.
- Data from a custom data retention policy schedule is not purged for single runs
  When a custom data retention policy schedule is set to run once, the data is not purged after archiving. To purge data after archiving, use a repeat schedule or the global data retention setting.
- Artifacts can’t be transferred across zones using UI
  The CloudBees CD/RO UI does not allow you to transfer artifacts across zones.
- Using PostgreSQL change tracking may generate errors
  When using PostgreSQL with change tracking enabled, `EcAuditStrategy` errors may appear in the server log. This is a known issue, but is not expected to have any effect on the performance of the system.
- Events generated from CloudBees CI create URLs that cause 401 errors
  Events that originate from the default CloudBees CI create default configurations. URLs for these new controllers are not Jenkins configured URLs and cause 401 errors.
- Process steps modified during runs to be manual will hang
  When a process step that is not manual is modified to be manual after the process runs, but before the associated job step is evaluated, the step hangs and adds a `java.lang.IllegalStateException: Unknown step type: manual exception` to the log.
- `flowRuntime` reports existing CloudBees CI job when switching platforms
  The `flowRuntime` response contains `hasCIJobs=1` if a release was started from CloudBees CD/RO and the previous release run was triggered within CloudBees CI.
- CloudBees CI build logs are not accessible using `getCIBuildLog` without controller restart
  When running `getCIBuildLog` for a CloudBees CI build, the build log cannot be accessed without restarting the build CloudBees CI controller. As a workaround, restart your CloudBees CI controller and set up a number of executors; `getCIBuildLog` can then be used to access the CloudBees CI build logs.
- Catalog item objects cannot end in spaces on Windows agents
  On Windows agents, "Export DSL" catalog item fails to export objects that end in spaces.
- Undefined parameters returned in CloudBees CI job response
  In CloudBees CI job responses, actual parameters are returned that are not defined within the job. Additionally, saving and reloading the tasks doesn’t clear undefined actual parameters.
- Multi-select menu options don’t define specific projects of project objects
  Currently, if a formal parameter depends on a dropdown menu to get project parameter dependencies for object-like parameters, such as `projectName`, you can select multiple options in dropdown menus. However, there is only an object name (or list of names in case of multi-select) in the parameter value with no connection to a project and without the ability to identify which object exists in which projects.
  CloudBees does not recommend using multi-select options for parameters used as project parameter dependency for object-like parameters when configuring formal parameters. This applies for the following formal parameter types:
  - Application
  - Procedure
  - Pipeline
  - Release
  - Environment
- v10.2 and earlier legacy services may cause failed upgrades and break database consistency
  Before upgrading from CloudBees CD/RO v10.2 and earlier, if legacy services exist in your system, upgrades may fail and database consistency may break. Additionally, even if the upgrade returns successfully, it may still be impossible to run the `validateDatabase` API. As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade.
- `dslsync apply` does not delete microservice mapping when source microservice has fewer mappings than target
  Mapping for microservices is not deleted when the source microservice contains fewer mappings than the target microservice. This mismatch of microservices occurs when the following actions are performed.
  On the DEV server:
  - A microservice with 1 mapping is modified.
  - `dslsync apply` is used to promote DEV changes to:
    - DEV Git and CD/RO instances.
    - PROD Git and CD/RO instances.
    Expected/Actual Result: Both DEV and PROD data is synchronized = microservice with 1 mapping
  - The microservice is renamed.
  - `dslsync apply` is used to promote changes to DEV Git and CD/RO instances. Expected/Actual Result: DEV and PROD data is NOT synchronized.
    - DEV = Renamed microservice with 1 mapping.
    - PROD = microservice with the old name and 1 mapping.
  On the PROD server:
  - Mapping is added to the microservice with the old name. `dslsync apply` is used to promote changes to PROD Git and CD/RO instances. Expected/Actual Result: DEV and PROD data is NOT synchronized.
    - DEV = Renamed microservice with 1 mapping.
    - PROD = microservice with the old name and 2 mappings.
  - `dslsync apply` is used to promote DEV changes to PROD Git and CD/RO instances.
    - Expected Result: Both DEV and PROD data is synchronized = Renamed microservice with 1 mapping
    - Actual Result: DEV and PROD data is NOT synchronized. DEV = Renamed microservice with 1 mapping. PROD = Renamed microservice and 2 mappings.
- Kerberos SSO sign-in issues
  You may experience SSO sign-in issues when using Kerberos due to a Microsoft known issue.
- v10.2 and earlier legacy services may cause failed upgrades and break database consistency
  When updating from v10.2 or earlier to v10.3 or later, your upgrade may fail and break database consistency if legacy services or containers exist in your system. Additionally, even if the upgrade completes successfully with legacy services or containers present, it may still be impossible to run the `validateDatabase` API.
  As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade. When upgrading a clustered deployment of CloudBees CD/RO, before running the installer to upgrade, delete the contents inside the `broker-data` directory, located at `<DATA_DIR>/broker-data-<hostname>`.
- CloudBees Analytics server cannot be configured in legacy UI
  On , the message `WARNING: 'getDevOpsInsightServerConfiguration' API is deprecated.` is displayed, because Elasticsearch is no longer supported. Additionally, it is no longer possible to configure CloudBees Analytics from this page, because it is deprecated and will be removed in a future release.
  To configure your CloudBees Analytics server, navigate to .
- UI settings for Instance header can cause the navigation to disappear after updating
  If upgrading from v2023.06.0 or earlier to v2023.10.0 or later, if is Enabled, and has a `null` value for the UI header label, the navigation may not load after an upgrade.
  - Workaround if you have already upgraded:
    - Downgrade back to the pre-upgrade version.
    - Navigate to and set Instance header to Disabled.
    - Perform the upgrade again.
  - Workaround if you have not already upgraded:
    - Navigate to , and either:
      - Set Instance header to Disabled.
      - Set Instance header to Enabled, and add a value in UI header label.
- Widget X-axis labels may overlap if a pipeline with only a few runs is returned
  In the Pipeline Stats dashboard, if your query returns a pipeline with only a few runs, the widget labels on the X-axis may overlap in some cases, which may cause them to be unreadable. This issue is fixed once a greater number of results are returned.
- Pipeline progress does not update if a sub-pipeline is restarted
  When running a pipeline with sub-pipelines, the progress percentage of the main pipeline does not update correctly when a sub-pipeline is restarted.
- Manual task window does not close when using actual parameters
  When using actual parameters in a Manual task, when selecting to approve or reject the task, the task dialog window may not close. As a workaround, open the Parameter(s) menu, select to approve or reject the task, and select OK.
- Credentials removed when viewing or updating a procedure
  Due to a change in credential handling introduced in v2025.03.0, credentials configured for a procedure using Credential type > Attach are removed when you view or update a procedure and select Save, if the credential is located in the same project as the procedure.
  As a result, after making any updates—or even just viewing the procedure and selecting Save—you must reattach any credentials that are of type Attach, and reside in the same project.
  To mitigate this issue:
  - After making updates to a procedure that uses Credential type > Attach with credentials from the same project, reopen the procedure.
  - Reattach the credential.
  - Select Save.
  The credential is not removed in this scenario.
  Workarounds:
  - If possible, use a Credential type > Attach from a different project. These are not affected by this issue.
  - If you are only viewing a procedure and not making changes, select Cancel instead of Save, which will not remove the credential.
- `SyncArtifactVersions` procedure completes with success when it should fail
  `SyncArtifactVersions` procedure completes with success, rather than showing a warning, when manifest is missing and `overwrite = false`.
- Automation Platform UI requires artifacts to use English characters in their file names
  When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error: `Upload file: Exit code 1: ERROR: Publish failure: Unexpected retrieval exception for repository error`.
- Must restart server to apply LDAP changes
  Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or `ectool`) until the CloudBees CD/RO server is restarted.
- Not all Elasticsearch operations can be performed in a red state
  (Microsoft Windows platforms only) If the Elasticsearch cluster used by CloudBees Analytics is in the red state (meaning that it only partly functions and some data is unavailable), then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the task manager before running the installer for these actions.
- Microsoft Edge® doesn’t support SAML 2.0
  The Microsoft Edge® browser does not work with SAML 2.0 and is missing a self-signed certificate during redirection from the identity provider to the service provider. Microsoft Edge® is not recommended for sign-in via SAML 2.0.
- LANG environment variable must be set to `en.US.UTF-8`
  The LANG environment variable must be set to `en.US.UTF-8`; otherwise, the upgrade fails. Refer to KBEC-00452 - Error installing CloudBees CD/RO 10.0.x when Lang environment variable is different than en.US.UTF-8 for details.
- Schedules missing configuration do not display runtime error prompts
  Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.
- Changing name in Release Dashboard changes stage status color
  The stage inclusion status in the Release Dashboard changes color after a stage is renamed.
- Steps that cannot access their child steps are not retried
  If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter), then the step is not retried even if it uses `retry on error` error handling. The job eventually completes with an error.
- Retry count missing from pipeline runtime page
  The retry count for group tasks or rules using `automated retry on error` is missing from the Pipeline runtime page.
- Email notifications are not supported for complex environment mapping
  Multiple mapped environments with the same name from different projects are not supported in email notifications.
- Path-to-production view missing from imported project
  A project import might not include the path-to-production view.
- All subreleases must be present to link to a release
  All subreleases of a release must appear before the release in the DSL for the release-to-subrelease links to be created.
- CloudBees Analytics report editor doesn’t include search by assignee
  The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.
- Additional Release Command Center configurations for Jira
  If Release Command Center was set up for Jira for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping `projectName:releaseProjectName`, then before upgrading to 10.0, the field mapping must be updated to mention the actual release project name using the following field mapping format: `"release-project-name-in-CloudBees CD/RO":releaseProjectName`.
- Approval by email on manual tasks
  Approval by email on manual tasks should not expect parameters.
- `ectool export` and `ectool import` should only be used between same server versions
  If you use `ectool export` to export your system configuration from a previous release, and then use `ectool import` to import the same configuration to a CloudBees CD/RO 10.0 server, some out-of-the-box content introduced in the releases since the version from which the full export was done, such as new or updated plugins, new catalog items, and persona-based menu items, may be missing in the CloudBees CD/RO server UI. It is recommended to use `ectool export` and `ectool import` only between servers at the same version.
- SSO requires additional PHP configuration
  SSO does not work unless PHP configuration is changed due to a security-related request. As a workaround, change `session.cookie_samesite` to `"Strict"` in `/opt/electriccloud/electriccommander/apache/conf/php.ini` and restart the web server.
- No UI to run or review pre-v10.1 triggers
  CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers will continue to work but there is no UI to review or run them.
- Legacy definitions and references cause unexpected behavior for full data exports
  Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to `service` objects from applications and releases.
- Reverting changes is not possible for all objects
  You can only revert changes for high-level design objects such as applications, procedures, procedure steps, workflow definitions, and state definitions.
  Restarting the CloudBees CD/RO server while new records are created for all tracked objects might take at least as long as an export or import of all projects (10 to 40 minutes for a large project).
- Recursively traversing nested group hierarchies may cause performance issues
  Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of group hierarchy in the LDAP server, and the network latency between the servers. Ensure that your directory provider can handle the additional load for supporting nested group hierarchy traversal.
- Disabling and re-enabling change tracking may cause performance issues
  System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.