CloudBees CI on modern cloud platforms

Rolling release: 2020-03-25

Based on Jenkins LTS 2.222.1-cb-7

Security fixes

Configuration as Code (CasC) for Controllers bundle processing in the installation manager is subject to RCE (CTR-1251)

There was a risk of remote code execution (RCE) when parsing YAML files from a Configuration Bundle.

With this fix, the YAML parser has been properly configured to mitigate such risk.

This update only affects installations using the Configuration as Code Plugin.

Fix persistent XSS vulnerability in the List View (CTR-1036)

The Operations Center Cluster Operations Plugin did not escape the click event on the Cluster Operation checkbox. This lapse resulted in a stored cross-site scripting vulnerability, exploitable by users with Overall/Administer permissions in Operations Center.

The JavaScript code was changed to prevent this vulnerability.

This update only affects installations using the Operations Center Cluster Operations Plugin.

New features

Set up separate namespace for build agents (CPLT2-6186)

It is now possible to schedule build agents in a separate namespace from Managed Masters.

Set up a secondary namespace which will be used to schedule build agents. Build agents are untrusted, using the default service account (no privilege).

Managed masters must be able to schedule build agents only in the second namespace using a rolebinding defined in the second namespace, pointing to the service account running the managed master.

Managed masters must be preconfigured to target the second namespace.

This setup should prevent any privilege escalation, such as launching a build agent using a service account that is meant to be used by operations center or managed masters.

Conversion of Freestyle jobs to Declarative Pipelines (NGPIPELINE-442)

Maintaining Freestyle jobs in Jenkins is cumbersome. Declarative Pipelines provide a more modern, recommended approach. However, attempting to convert Freestyle jobs to Declarative Pipelines manually is time-consuming and error-prone. Using the Declarative Pipeline Migration Assistant plugin streamlines this process. The Declarative Pipeline Migration Assistant uses a best-effort approach during the conversion; supported configurations in Freestyle projects are automatically converted, and placeholder stages are created for plugins that are not yet supported.

Feature enhancements

Add groupId segment field in events sent (FNDJEN-1922)

CloudBees now collects the name of the company that is licensed to use our products. This applies to operations center, CloudBees Jenkins Enterprise, CloudBees Jenkins Enterprise Operations Center, and CloudBees Jenkins Enterprise Managed Masters.

Update GUI with new branding (CTR-1131)

With this release, we have updated the CloudBees branding in the header icons and favicons of the graphical user interface (GUI) of our products.

Fix multitesting enforcer issue for nectar-rbac-license-plugin on 2.204.1 and 2.211 (CTR-1064)

The public API method, hudson.model.UpdateSite.doPostBack, has been removed from the UpdateSite class to comply with an upstream code removal for security reasons.

Resolved issues

When specifying a pod template working directory to /home/jenkins, upon restart it is reverted to /home/jenkins/agent. (CPLT2-6215)

This has been resolved to enable whatever value is provided to working directory to be persisted upon restart.

When using OperationsCenter.Platform = aws, some annotations were added to the Operations Center ingress despite not changing any behavior as they were suited for services. (CPLT2-6201)

The annotations from the Operations Center ingress have been removed.

The nginx-ingress chart provided by the CloudBees Core helm chart contained security issues, and was incompatible with Kubernetes 1.17. (CPLT2-6227)

The nginx-ingress chart has been upgraded to the latest version available (1.31.0).

When running a pod template using the default jnlp image in OpenShift environment, an exception is raised about a file access denied. (CPLT2-6138)

An nss_wrapper was added to the agent image and used in container entrypoint to provide a valid entry in the passwd file for the dynamic UID provided by OpenShift.

Update UBI version number (CPLT2-6149)

Docker images for CloudBees Core on modern cloud platforms (Operations Center, Managed Masters, and agents) were running on RedHat Universal Base Image version 7.

The images are now based on UBI 8.1.

Kubernetes Managed Master shows as stale, but it should not (CPLT2-6177)

Managed Master configuration screens in Operations Center were doing simple string comparisons for master disk, memory, and CPU measurements, while the information read from Kubernetes used various formats such as 4G or 4Gi or 4100M. Under some conditions, Operations Center would show the master configuration as out of date when in fact it was not.

Comparisons on these three metrics now consider standard decimal and binary prefixes.

Added a better default Pipeline snippet (CPLT2-6045)

The GUI editor for Pipeline scripts offered a few introductory samples that did not take advantage of Kubernetes capabilities. Several samples presumed the use of globally configured Jenkins tool installations, whereas the preferred style for a modern system is to use Docker images to define tooling.

The list of sample scripts was customized to include Kubernetes-oriented idioms, and tool-based samples were suppressed.

Updated system locale (CPLT2-6160)

The system locale for Operations Center, Managed Masters, and agents was set to en_US.UTF-8, which is not appropriate for a server.

The locale is now set to C.UTF-8.

Git 2.x in images (CPLT2-6148)

The Git package that was installed in UBI-based images (Operations Center, Managed Masters, and agents) was a very old 1.x release, which did not support some modern features.

All images now use Git 2.x.

Monitor Ingress won’t work across multiple namespaces (CPLT2-6078)

Due to Ingress conflicts, the Managed Master hibernation monitor could not be installed in multiple namespaces.

A new ingress URL pattern was introduced to route requests to the desired namespace.

Cannot move/copy/promote a ComputedFolder if indexing hasn’t run (CTR-167)

It was not possible to move, copy or promote Multibranch Pipelines if the source repository had not been scanned.

With this fix, these operations now work as expected, regardless of the state of indexing.

NullPointerException error when using the ItemParameterDefinition without filters (CTR-1087)

A parameterized Cluster Operations project returned a NullPointerException error when it was run using Select Items parameters that included Client Master / Managed Masters Using a specified update center and Update center using a specified update center source as sources.

With this fix, running a parameterized Cluster Operations project with Select Items parameters including Client Master / Managed Masters Using a specified update center and Update center using a specified update center source as sources works as expected.

JellyTagException when including parameter values in a Cluster Operations build (CTR-1105)

The Parameters link on the Cluster Operations build page failed with a JellyTagException when Select Items parameters were included. With this fix, the Parameters link on the Cluster Operations build page works as expected when Select Items parameters are included.

Remove dependency on the Trilead API plugin (CTR-1379, CTR-1351)

The CloudBees License Manager plugin’s dependency on the Trilead API plugin was not installed in bootstrap scope, preventing the previous release to be used by the product.

The CloudBees License plugin no longer relies on the Trilead API plugin as the area of code has been refactored.

This update only affects installations that use the xref:release-notes:plugins:cloudbees-license-plugin/index.adoc[CloudBees License Manager plugin

CloudBees License Manager plugin not showing up in the setup wizard on Jenkins 2.217+ (CTR-1295)

Jenkins 2.216 replaced js-builder with webpack. Since this release, the CloudBees Assurance Plugin and the CloudBees License Plugin both failed to load and display in the setup wizard.

With this fix, the frontend toolchain now uses webpack and is compatible with Jenkins 2.217+.

This update only affects installations that use the CloudBees Assurance plugin and the CloudBees License Manager plugin.

CloudBees Pipeline: Templates Plugin test failures in PCT (NGPIPELINE-689)

The PCT was failing for the cloudbees-workflow-template plugin.

We upgraded the parent pom to allow PCT to pass for the cloudbees-workflow-template plugin.

This update only affects installations that use the CloudBees Pipeline: Templates Plugin.

GovernancePipelineTemplatesFolder has "placeholder display name" (NGPIPELINE-716)

When configuring a folders-plus item restriction, an option under This folder can contain the following items was placeholder display name.

This placeholder text has been removed from the GUI.

Catalog templates incompatible with Checkpoints (NGPIPELINE-930)

Pipeline restarts from a Checkpoint were failing if the Pipeline was defined using a Pipeline Template from a Pipeline Template Catalog. Pipelines were built from scratch instead of resuming from the Checkpoint.

With this fix, Pipelines defined using Pipeline Templates from Pipeline Template Catalogs are now able to resume from Checkpoints correctly.

Known issues

Global build discarders configuration isn’t loaded from disk (JENKINS-61688)

The global build discarder configuration gets saved, but it’s never loaded.

On every restart, Jenkins 2.221+ will always start with the "Job Build Discarder" configured, which means

  • Any custom global build discarder configuration is lost.

  • Users who don’t want background build discarders get the default one.

Upgrade notes

End of life announcement

After assessing the viability of our supported plugins, CloudBees ended support for the CloudBees VMware Pool Autoscaling Plugin on April 30, 2020.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

End of life announcement

As of July 1, 2020, CloudBees will no longer support Alpine container images. Red Hat Universal Base Image (UBI) images will be the standard going forward.

For information about UBI, see the Red Hat documentation.

The decision to move from Alpine to UBI was made because OpenJDK no longer supports Alpine. CloudBees has been building and maintaining these images. However, CloudBees is aware of DNS issues with some Kubernetes clusters that span from the Alpine base using muslc libraries as well as other binary differences when using the muslc vs standard c libraries.

Customers moving from Alpine to UBI container images should not see any impact from this change and should not need to migrate data.

This affects CloudBees Core on modern platforms only. CloudBees will continue to release Alpine images for CloudBees Jenkins Enterprise 1.x customers who have purchased extended support.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.


Revision 2 (2020-03-26)

Plugin updates