CloudBees CI on modern cloud platforms 2.176.4.3

Rolling release: 2019-09-25

Based on Jenkins LTS 2.176.4-cb-3

New features

Support Internet Explorer 11 (NGPIPELINE-619)

The Pipeline Stage View plugin now supports Internet Explorer 11.

Feature enhancements

User-scoped credentials updates (JENSEC-495)

The Pipeline Input Step plugin has been updated to support the new Credentials API for binding credentials parameters to builds and supports user credentials as well as credential parameter name shadowing.

User-scoped credentials (JENSEC-526)

Global and folder credentials were too broadly accessible for certain pipeline use cases, and user credentials were not well supported by pipelines. User-scoped credentials associate credentials to users with manual unlocking of these credentials so that sensitive credentials can be isolated to trusted phases of pipelines and to trusted users.

Resolved issues

Compatibility with OpenShift 4.1 (CPLT2-5821)

Problem: Master Provisioning is not compatible with OpenShift 4.1.

Fix: Upgraded kubernetes-client to 4.4.2, which is compatible with OpenShift 4.1.

Helm Chart TLS load balancer termination (CPLT2-5888)

Fixed a bug where the Helm Chart did not allow the client to terminate TLS at a load balancer and instead assumed that the user would either terminate TLS at the Nginx-controller or not use TLS.

Default "working directory" for k8s pod templates (CPLT2-5704)

Problem: The working directory for the Kubernetes agent was /home/jenkins. This prevented agent Docker images from providing additional files in this directory.

Fix: The working directory has been changed to /home/jenkins/agent.

Update dependency on kubernetes-plugin to 1.18 (CPLT2-5819)

Updated dependency on kubernetes-plugin to the 1.18 line.

Update OpenJDK8 runtime (CPLT2-5719)

Bump the version of the OpenJDK8 Docker parent image.

Minor Plugin catalog not working (CTR-606)

Users using plugin catalogs with external Maven2 repository layout for plugin resolution were not able to push the plugin catalog to a client master, and were receiving class not found errors. With this fix, we now use the proper classloader to load the involved classes.

Minor Configuration snippets issues (CTR-562)

Configuration snippets from Operations Center could be applied before Jenkins was fully loaded, leading to loss of configuration. With this fix, configuration snippets are no longer applied until we are sure that the Jenkins configuration has been deserialized.

When a master is disconnected from Operations Center, some but not all configuration snippets would be removed. With this fix, configuration snippets are no longer removed when a master is removed from an Operations Center cluster, so that the existing configuration can be tweaked or removed as desired.

Active authorization strategy issue (CTR-484)

When the Operations Center authorization strategy was changed from the CloudBees Role Based Authorization strategy to something else, Team masters would still have a copy of the outdated configuration. This situation would allow users who had previously been granted Administrator permissions via the RBAC configuration to still have the Administrator permission even though they should no longer have this level of access. With this fix, if the authorization strategy in Operations Center is not CloudBees Role Based Authorization strategy, then the obsolete configuration will be removed from masters.

Minor Managed Master contextual menu issues (CTR-504)

In Operations Center, the Managed Master contextual menu showed actions that the user was not allowed to execute, so attempting them produced an error message. With this fix, the Managed Master contextual menu now shows only the actions that the user is allowed to execute.

Minor Plugins list and Plugin Catalog optional fields (CTR-559)

Client Master instances could not start if users used a configuration bundle without plugins and/or plugin catalogs. With this fix, the plugins list and plugin catalog fields are optional.

Minor Moving Managed/Client masters issue (CTR-496)

Using the Move/Copy/Promote option to move or delete a managed master for the second time was failing because the log file in the managed master’s old location was not properly closed before moving or deleting the files. With this fix, the log file in the managed master’s old location is closed before the master is moved or deleted and using Move/Copy/Promote works as expected.

Administrative monitor warning issues (CTR-558)

The administrative monitor always warned about new versions of the configuration bundle if the client master had a link file. With this fix, the HttpLoader now has its own implementation of getUpstreamVersion, so the configuration is updated correctly.

Fix regression in RSS (JENSEC-574)

We fixed a regression in RSS and Atom feeds where an uninitialized variable resulted in partial entries.

CloudBees Workflow Template Plugin (NGPIPELINE-653, -677)

Concurrent executions of the Pipeline Template Catalog CLI commands could cause erroneous behavior. With this fix, the Pipeline Template Catalog CLI commands are now synchronized with respect to other operations that modify Pipeline Template Catalogs so that catalogs are not modified concurrently.

The updateInterval value for Pipeline Template Catalogs could take on values not supported by the UI when using the Pipeline Template Catalog CLI commands. With this fix, the updateInterval value for Pipeline Template Catalogs is now normalized to the next largest (or equal) value that is supported by the UI when using the pipeline-template-catalogs CLI command.

Memory leak from Pub-Sub “light” Bus plugin (NGPIPELINE-515)

In some cases (such as abruptly disconnected browsers), the Pub-Sub “light” plugin was not informed and was unable to store or send messages to some destinations, so some queues kept growing because of retries. With this fix, queued messages have a TTL (time to live) and are discarded after a certain time if they are not sent successfully.

Unable to restart pipelines at checkpoints (NGPIPELINE-626)

Upgraded CloudBees Pipeline Stage View Extensions from 2.2 to 2.3. Pipelines could not be restarted from checkpoints in version 2.2 of CloudBees Pipeline Stage View Extensions. With this fix, pipelines are now able to be restarted from checkpoints.

Improved Helm docs for OpenShift deployment (CPLT2-5600)

Improvements have been made to the documentation for deploying CloudBees Core on Modern Platforms on OpenShift using Helm.

Update Docker Pipeline Plugin (NGPIPELINE-634)

Upgraded CloudBees Docker Pipeline Plugin from 1.18 to 1.19. Using the dir step inside of the withContainer step did not work correctly when running Docker 17.12 or older. With this fix, the dir step should now work correctly with older versions of Docker.

The dockerfile.build and image.inside utilities in Docker Pipeline Plugin were very sensitive to the syntax used in the Dockerfile. For example, Dockerfile features such as multi-stage builds were not supported, and changing the case of keywords in the Dockerfile could cause the utilities to fail. With this fix, the Pipeline steps that attempted to parse Dockerfiles to track fingerprints of the images that were being used (dockerFingerprintFrom and dockerFingerprintRun) have been deprecated, and are no longer called as part of docker.build or image.inside.

If you are using the CloudBees Docker Traceability Plugin, which is the only known consumer of these fingerprints, you will need to explicitly call dockerFingerprintFrom and dockerFingerprintRun if you want to maintain the previous behavior.

Incorrectly set apiUri field (NGPIPELINE-640)

Upgraded GitHub Branch Source Plugin from 2.5.5 to 2.5.6. When configuring new multibranch pipeline projects to build projects hosted on GitHub Enterprise servers, there was a bug that caused the apiUri field in that job’s config.xml file to be incorrectly set to point to github.com. With this fix, we no longer reset the apiUri field if it is already set. Instead, it retains its correctly calculated value of github-enterprise-server/api/v3.
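
A post-upgrade check for the apiUri issue above, as an added example that is not CloudBees or plugin code: it reads job config.xml files and flags any apiUri element that does not point at the expected GitHub Enterprise host. It assumes that jobs created before the upgrade may still carry the wrong value; the function names, the host ghe.example.com, and the simplified sample XML are hypothetical and constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

# Jenkins config.xml files commonly start with an XML 1.1 declaration, which
# Python's expat-based parser (XML 1.0 only) rejects; strip it before parsing.
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def audit_api_uri(xml_text, expected_host):
    """Return [(apiUri value, verdict)] for every <apiUri> element."""
    root = ET.fromstring(_XML_DECL.sub("", xml_text, count=1))
    findings = []
    for elem in root.iter("apiUri"):
        value = (elem.text or "").strip()
        host = (urlparse(value).hostname or "").lower()
        if host == expected_host.lower():
            verdict = "ok"
        elif host == "github.com" or host.endswith(".github.com"):
            verdict = "points-to-github.com"
        else:
            verdict = "unexpected-host"
        findings.append((value, verdict))
    return findings

def scan_jobs(jenkins_home, expected_host):
    """Map each job config.xml path to its findings that are not 'ok'."""
    report = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/**/config.xml")):
        text = cfg.read_text(encoding="utf-8")
        bad = [f for f in audit_api_uri(text, expected_host) if f[1] != "ok"]
        if bad:
            report[str(cfg)] = bad
    return report

# Constructed samples (hypothetical host ghe.example.com, simplified layout).
SAMPLE_BAD = """<?xml version='1.1' encoding='UTF-8'?>
<project><source><apiUri>https://api.github.com</apiUri></source></project>"""
SAMPLE_GOOD = """<?xml version='1.1' encoding='UTF-8'?>
<project><source><apiUri>https://ghe.example.com/api/v3</apiUri></source></project>"""

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit_api_uri(sample, "ghe.example.com"))
```

Run scan_jobs against a copy or backup of JENKINS_HOME; a job flagged as points-to-github.com would send its API requests to a host other than the intended enterprise server.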

Updates to the Backup plugin (CTR-429, -428)

Upgraded CloudBees Backup Plugin from 3.38.13 to 3.38.14. The Backup plugin included extraneous libraries that increased the artifact size unnecessarily. With this fix, we now exclude unnecessary dependencies from the httpclient artifact Maven dependency.

The Backup plugin had an old version of commons-compress as a dependency. With this fix, the Backup plugin has upgraded this out-of-date dependency.

JIRA site configuration not saved (NGPIPELINE-647)

Upgraded JIRA Plugin from 3.0.8 to 3.0.9. Modifications to the JIRA configuration completed in the UI were not persisted on disk, only kept in memory. Therefore, after Jenkins was restarted, the settings were lost. With this fix, the JIRA configuration is correctly saved on disk.

Known issues

None

Revisions

Revision 2 (2019-10-01)

CloudBees Security Advisory 2019-10-01