CloudBees CI on modern cloud platforms 2.249.2.3

Rolling release: 2020-10-07

Based on Jenkins LTS 2.249.2-cb-1

New features

Integrate Velero with CloudBees CI for backup and restore (CPLT2-5847)

Velero can now be used as an optional tool for backing up and restoring Kubernetes cluster resources.

Support for Network Load Balancer (NLB) (CPLT2-6740)

CloudBees CI on modern cloud platforms now supports the newer Network Load Balancer in addition to the Classic Load Balancer.

Support for Red Hat OpenShift Container Platform (OCP) version 4.5 (CPLT2-6776)

CloudBees CI on modern cloud platforms now supports OCP version 4.5.

See Supported platforms for CloudBees CI on modern cloud platforms for details about all supported platforms.

Feature enhancements

Update source repository for nginx-ingress in Helm chart (CPLT2-6737)

The nginx-ingress Helm chart at stable/nginx-ingress has been deprecated.

CloudBees CI Helm dependencies were updated to use the new ingress-nginx chart museum.

Kube Agent Management plugin (CPLT2-6646)

Analytics are now collected about the usage of this plugin.

Add Pipeline Policies section to the SCM reporting commit status (STICKY-463)

If the CloudBees Pipeline Policies Plugin is installed, users will now see information that includes the applied policies and the violated rules.

Update Pipeline Policies report in Slack message (STICKY-740)

The CloudBees Pipeline Policies report within the CloudBees Slack Integration message now shows information about the applied policy and not only the violated rule.

Improve the observability and error logging of the configuration bundle installation (CTR-2302)

When there is an error during CasC bundle processing, a detailed summary is printed to logs. The summary includes whether the plugin catalog was or was not installed as well as the list of plugins not installed.

We added REST API endpoints and CLI commands for the following CasC actions (CTR-2247)
  • list available bundles in Operations Center

  • regenerate a Configuration as Code (CasC) for Masters bundle token for a specific bundle

  • assign a Master Path to a Configuration as Code (CasC) for Masters bundle

    See CasC API endpoints and CasC CLI commands for more information.

Improve UX of exporting Core CasC bundle(CTR-922)

Users with CloudBees CI masters that have the Configuration as Code (CasC) for Masters plugin installed can now view and export the applicable Configuration as Code (CasC) for Masters bundle, by navigating to Manage Jenkins > Export CloudBees Configuration as Code bundle.

See Exporting a CasC bundle for more information.

Beekeeper plugin exceptions

The following enhancements were made to the Beekeeper plugin exceptions feature:

  • User warned when specific plugins are saved as exceptions (FNDJEN-2409)

    When a plugin catalog containing Beekeeper plugin exceptions is selected on the master configuration page, a warning advising users of the implications associated with Beekeeper plugin exceptions is displayed.

  • Send event when Beekeeper plugin exceptions are enabled or disabled (FNDJEN-2421)

    If the CloudBees Assurance Program is enabled on an instance, CloudBees receives a weekly event to indicate if Beekeeper plugin exceptions were allowed or disallowed on that instance.

New option added to the restore configuration section of Restore/Backup jobs (CTR-2295)(CTR-2501)

CloudBees has added a new option to the restore configuration section of Restore/Backup jobs.

Users can now add a comma-separated list of Ant-style patterns to preserve content in the current JENKINS_HOME directory during the restore process, excluding it from the move operation.

A system property is used to set the list of Ant-style patterns. Users need to add cb.backup.restore.keepFilesPattern to the system properties. For example, -Dcb.backup.restore.keepFilesPattern='.snapshots,**/.snapshots' has to be added to the system properties, to preserve `.snapshots filesystem control files in the $JENKINS_HOME directory during the restore process.

See Restoring from the CloudBees Backup Plugin for more information.

Resolved issues

Corrected error 'Failed to provision master: <name> timed out' (CPLT2-6724)

A hardcoded five-minute timeout in the cloud platform master provisioning plugin conflicted with the recently added readiness probes. If it took more than five minutes for a master to start, an error occurred.

The five-minute timeout has been removed to prevent the error from occurring.

Added missing values mapping for sidecar injector (CPLT2-6732)

The following missing values were added to the Helm chart for sidecar injector:

  • For init job: Tolerations, node selector, annotations

  • For deployment: Node selector

Added missing git-lfs to the cloudbees/cloudbees-core-agent image (CPLT2-6719)

The git-lfs was missing from the cloudbees-core-agent image.

The missing git-lfs is now included.

Restarting a Kubernetes controller from the operations center causes casc-bundle-link error (CPLT2-6739)

When a CasC-enabled Kubernetes controller is restarted from the operations center, an error about the casc-bundle-link secret is displayed.

The Kubernetes client API plugin was updated because it includes a better implementation of the Waitable.waitUntilCondition() method that was causing the error.

Removed OperationsCenter.Ingress.tls.Host and used OperationsCenter.HostName instead (CPLT2-6738)

The field OperationsCenter.Ingress.tls.Host was removed from the Helm values. It is replaced by picking up the value specified in OperationsCenter.HostName.

Fix Slack message URL and title of PRs when the SCM is Bitbucket and the job is rebuilt (STICKY-766)

When a job pulling from Bitbucket was rebuilt and the previous CloudBees Slack Integration messages were updated, the link to the PR would break. Now it is possible to navigate to the PR from previous messages.

Additionally, the repository name and URL are correctly displayed instead of the constant pull-requests.

CasC master path is not updated when the master is moved (CTR-2074)

The CloudBees Configuration as Code (CasC) for masters Master Path was not updated when using Move/Copy/Promote to move a master from one folder to another.

With this fix, the CloudBees CasC for masters Master Path is updated in the CasC configuration on Operations Center if the master is moved to a new location.

Installing plugins by hot reloading a CasC bundle can lead to installing the wrong versions (CTR-1882)

When a master was hot-reloading a CloudBees Configuration as Code (CasC) for masters bundle that included changes on the Plugin Catalog and the plugin list, plugins were installed without considering the changes on the Plugin Catalog.

With this fix, the plugin installation is completed after effectively updating the Update Center with the Plugin Catalog provided in the CasC bundle.

Corrected values from timers used by alerts (CPLT2-6723)

When alerts were defined based on timers, the alerts were triggered erroneously and the reported value was incorrect.

This was fixed by applying the correct unit conversion of durations and rates used by alerts.

Tabular-based layout causing display issues in the CloudBees Template plugin (CPLT2-6649)

Some attribute control GUIs did not display well in newer versions of Jenkins which have switched from tabular to CSS-based layout.

These controls were switched to the newer layout to enable a better display.

Remove obsolete suppress-stack-trace plugin (FNDJEN-3050)

The Suppress Stack Trace plugin’s functionality is now built into Jenkins core.

The new plugin is updated to a 1.6 version, which is empty and can be uninstalled.

[JENKINS-61511] [google-storage-plugin] Outdated/vulnerable dependency (commons-io) (FNDJEN-2042)

The Google Storage Plugin has a vulnerable dependency to commons-io, but it is not exploitable from CloudBees products.

CloudBees updated to the Google Storage Plugin version 1.5.2 to update the dependency, even though it’s not exploitable, to avoid a false-positive in security reports.

[SECURITY-2029] [google-kubernetes-engine] Get rid of groovy-sandbox 1.20 (FNDJEN-3008) (FNDJEN-3002)

The Google Kubernetes Engine 0.8.2 includes a vulnerable dependency, but it is not exploitable from CloudBees products.

The Google Kubernetes Engine has been updated to version 0.8.3, removing the affected dependency.

Durable Task plugin serializes anonymous class via remoting (NGPIPELINE-1362)

Using the sh, bat, and PowerShell steps sometimes results in serialization warnings being logged.

To avoid these errors, Anonymous classes have been converted into Named classes.

Pipelines interrupted while starting incorrectly resume after Jenkins restarts and cannot be stopped (NGPIPELINE-1354)

When Pipeline builds were interrupted during startup, for example, while checking out the SCM for a Pipeline library, their completion state persisted incorrectly.

Because the completion state did not persist correctly, after a Jenkins restart these Pipelines resumed as if they were incomplete and could not be terminated and would pause indefinitely.

This issue has been fixed by making sure that Pipeline builds that are interrupted while starting are persisted correctly so that they do not resume after a Jenkins restart.

Icons missing from Cluster Operations menu items due to incorrect source (CTR-2566)

The Cluster Operations menu items were missing icons due to an incorrect source url. With this fix, the icon urls on the Cluster Operations management menu are now correct.

The format of sidebar links with a context menu is wrong on Jenkins 2.239+ (CTR-1992)

The Cluster Operation menu item in the UI was not displaying correctly after updates to the UI.

With this fix, CloudBees updated the Cluster Operations menu item to be displayed correctly.

Old license displayed after check/install new license (CTR-1583)

The refresh license screen was redirecting to the license screen before the license data was updated and the previous license data was displayed.

Now when users manually refresh the license, they are not redirected until the license is updated.

Issue with Check for new license view (CTR-2491)

With this fix, the Check for newer license view is now compatible with Jenkins core 2.246 and beyond.

Removing an Update Site from a masters' configuration on Operations Center did not correctly remove the Update Site from the master (CTR-2389)

Removing an Update Site now correctly removes the configuration from the master and restores the default configuration.

check configuration would fail when the S3 bucket was provided by scality ring (CTR-1979)

The workaround for incompatibility with scality ring S3 implementation, is to load a non-zero length file in order to validate the configuration.

GitHubAppCredentials are not propagated from Operations Center to connected masters (CTR-2490)

Due to an update to the GitHub Branch Source Plugin in version 2.9.0, GitHubAppCredentials were not properly propagated from Operations Center to connected masters.

With this fix, GitHubAppCredentials are propagated correctly.

Operations Center connections details were not correctly anonymized in the support bundle (CTR-2369)

The Operations Center URL and Proxy details in the Support Component are now correctly anonymized.

Remove the "slave-name" term from the RBAC CLI (CLI-2242)

CloudBees has replaced the "slave" term with "agent" in the CLI output for the CloudBees Role-Based Access Control plugin group-membership command.

Known issues

Version 4.0 or higher of .NET Framework is required to launch controller or agents on Windows services

Starting from this release, .NET Framework 2.0 doesn’t work for launching CloudBees controller or agents as Windows services. Microsoft.NET Framework 4.0 or above is now required for using the default service management features.

This release also upgrades Windows Service Wrapper (WinSW) from 2.3.0 to 2.9.0 and replaces the bundled binary from .NET Framework 2.0 to 4.0. There are many improvements and fixes in these versions, big thanks to NextTurn and all other contributors. You can find the full WinSW changelog here, just a few highlights important to CloudBees users:

  • Prompt for permission elevation when administrative access is required. Now CloudBees users do not need to run the agent process as Administrator to install the agent as a service from GUI.

  • Enable TLS 1.1/1.2 in .NET Framework 4.0 packages on Windows 7 and Windows Server 2008 R2.

  • Enable strong cryptography when running .NET Framework 4.0 binaries on .NET 4.6.

  • Support security descriptor string in the Windows service definition.

  • Support 'If-Modified-Since' and proxy settings for automatic downloads.

  • Fix Runaway Process Killer extension so that it does not kill wrong processes with the same PID on startup.

  • Fix the default domain name in the serviceaccount parameter (jira:JENKINS-12660[])

  • Fix archiving of old logs in the roll-by-size-time mode.

Use-cases affected by .NET Framework 2.0 support removal

If you use .NET Framework 2.0 to run the CloudBees Windows services, the following use cases are likely to be affected:

  • Installing the CloudBees controller as a Windows service from Web UI. The official MSI Installer supports .NET Framework 2.0 for the moment, but it will be changed in future versions.

  • Installing agents as Windows services from GUI. This feature is provided by the Windows Agent Installer Module from the Jenkins core.

  • Installing agents over Windows Management Instrumentation (WMI) via the WMI Windows Agents plugin

  • Auto-updating of Windows service wrappers on agents installed from GUI.

Upgrade guidelines

If all of your CloudBees controller and agent instances already use .NET Framework 4.0 or above, there are no special upgrade steps required.

If you run the CloudBees controller as a Windows Service with .NET Framework 2.0, this instance will require an upgrade of .NET Framework to version 4.0 or above. .NET Framework 4.6.1 or above is recommended because this .NET version provides many platform features by default (e.g. TLS 1.2 encryption and strong cryptography), and Windows Service Wrapper does not have to apply custom workarounds.

If you want to continue running some of your agents with .NET Framework 2.0, the following extra upgrade steps are required:

  1. Disable auto-upgrade of Windows Service Wrapper on agents by setting the -Dorg.jenkinsci.modules.windows_slave_installer.disableAutoUpdate=true flag on the CloudBees controller side.

  2. Upgrade agents with .NET Framework 4.0+ by downloading the recent Windows Service Wrapper 2.x version from WinSW GitHub Releases and manually replacing the wrapper ".exe" files in the agent workspaces.

Upgrade notes

End-of-life announcement

After assessing the viability of our supported plugins, CloudBees no longer supports the Visual Studio Team Service Plugin as of September 9, 2020.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

After September 9, 2020, the plugin will lose functionality when upgraded. CloudBees recommends replacing it with the Team Foundation Server plugin.

Users should uninstall the plugin to avoid a credentials ID enumeration security bug.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.