CloudBees CI on modern cloud platforms 2.263.1.2

Rolling release: 2020-12-03

Based on Jenkins LTS 2.263.1-cb-3

Critical issues

Regression in CloudBees Plugin Usage Plugin 2.0, 2.2

CloudBees CI versions 2.263.1.2 and 2.263.2.2 have a potential issue involving the CloudBees Plugin Usage Plugin versions 2.0 and 2.2:

This plugin produces the analysis.json file in $JENKINS/pup. On large instances, for example with many jobs, this file can be quite large. At the next restart of the controller, the plugin usage analyzer tries to parse this file and with large files this could take some time and it may block the start-up process of the controller thereby leading to longer startup time.

CloudBees recommends that you upgrade to CloudBees CI version 2.263.4.1 or later, or upgrade the CloudBees Plugin Usage Plugin to version 2.6. If you cannot upgrade to 2.263.4.1, it’s best to disable the CloudBees Plugin Usage Plugin (short name cloudbees-plugin-usage) until then. If Jenkins is not accessible, see Disabling a plugin when Jenkins is down

This issue is only a problem on startup. Another workaround is to remove the file $JENKINS/pup/analysis.json before starting or restarting Jenkins.

Security advisories

CloudBees Security Advisory 2020-12-03

Release highlights video

What’s New in CloudBees CI 2.263.1.2

Select to watch a video describing the highlights of this release

What’s New in CloudBees CI 2.263.1.2

Security fixes

snakeyaml:1.10 dependency removed (CTR-2511)

The snakeyaml:1.10 library contains a known security vulnerability. With this change we are removing the dependency on that library.

Upgraded Script Security plugin dependency (CTR-2238)

The Script Security groovy-sandbox library dependency was included as version 1.20 which contains vulnerabilities.

With this fix, the Script Security plugin does not include the groovy-sandbox library dependency as version 1.20.

Plugin Usage page unprotected (FNDJEN-3225)

The Plugin Usage page didn’t check permissions.

The Plugin Usage page now checks that the user has Administer permissions.

Update commons-io to 2.8 (FNDJEN-3006)

Commons-io v2.6 has a security vulnerability that is not exploitable from the existing code.

Commons-io has been updated to 2.8.0 to remove this vulnerability.

New features

CloudBees CI now supports connecting masters using WebSockets (CTR-2656)(CPLT2-6091)

Before, it was only possible to connect Masters to operations center over TCP, which required opening TCP ports across reverse proxies/load balancers and was a manual and cumbersome process. Furthermore, because of this requirement, in Kubernetes environments, we relied on NGINX Ingress controllers to open TCP ports across reverse proxies/load balancers and were prevented from using other Ingress controllers or L7 load balancers provided by Cloud providers. For instance, in OpenShift environments, it is not even possible to expose TCP ports outside.

CloudBees CI now supports connecting any Master to operations center using WebSockets. Connecting masters using WebSockets can be enabled by selecting a checkbox in the Master configuration. No special network configuration is needed, since the regular HTTP(S) port proxied by the CloudBees CI Ingress is used for all communications.

Using WebSockets to connect masters to Operations Center

CloudBees Plugin Usage Analyzer plugin

CloudBees now offers an improved and upgraded way to help track the usage of your installed plugins. The new CloudBees Plugin Usage Analyzer plugin helps CloudBees CI Administrators get a holistic view of plugin usage across both FreeStyle and Pipeline jobs in an easy-to-consume way. Users can also download the report and export the raw data for further processing as they need.

For more information, see How to determine if a plugin is in use

Feature enhancements

Standardized error handling for CasC (CTR-2592)

CloudBees has standardized CasC bundle failures/errors in two ways: making errors occur as soon as possible and fail hard so the user cannot get further into the process only to discover errors later. These updates alleviate confusion and save users time by limiting their need to debug to understand what has gone wrong.

Now an action will fail quickly and definitively when a bundle is set but something is invalid in the following ways:

  • When the link file does not exists.

  • When the plugins.yaml content is not valid.

  • When the plugin-catalog.yaml is not valid or there are some issues applying the plugin catalog described in the yaml file.

Beekeeper Plugin Exceptions are now generally available (GA) (FNDJEN-3069)

For information about this feature, see Beekeeper plugin exceptions.

Dependency updates

The following dependency updates are included with this release:

  • Update minimum required Jenkins version to the latest LTS (2.263.1) (CTR-2577)

  • CloudBees Role-Based Access Control Plugin(nectar-rbac) dependency upgraded to version 5.49 (CTR-2752)

  • The CloudBees License plugin is now compatible with jQuery 3.5.x. (CTR-2602)

Update welcome screen UI - Implementation (FNDJEN-2242)

The Jenkins Welcome screen has been updated.

Users with the Overall/Manage permission can now restart and safe restart Jenkins (CTR-2527)

Some configurations that can be set with Configuration as Code for masters may require a restart of Jenkins or are quicker when using a restart. A user with the Overall/Manage permission can now restart Jenkins.

Resolved issues

Image pull policy update (CPLT2-6853)

The image pull policy in the Helm chart was different than the Kubernetes defaults.

To resolve this issue, the Helm chart now uses the Kubernetes default values for the image pull policy.

Image pull secrets update (CPLT2-6293)

It is now possible to specify image pull secrets for all service accounts managed by the Helm chart.

Remove obsolete script (CPLT2-6831)

A severe warning was displayed at startup regarding the use of a deprecated class.

Scripts using the deprecated class have been removed.

Agent SA is missing when SeparateNamespace is disabled (CPLT2-6799)

Configured image pull secrets are not being passed to agents because they use the default service account.

A service account is now created for Jenkins agents in order to pass configured image pull secrets in place of the default service account.

JENKINS-59959: Kubernetes cloud concurrency limits ignored (CPLT2-6262)

When defining a provisioning limit in Kubernetes Cloud or in a pod template, the limit was not honored.

The provisioning logic has been corrected to honor the defined limits.

PodTemplate YAML from CLI is not persisted on disk or visible in UI (CPLT2-6835)

The YAML for PodTemplate are not properly set when using the CLI.

The YAML is set properly using the CLI in order to be seen within the UI and not be erased on saved.

oc.protocol doesn’t take OperationsCenter.Route.tls.Enable into account (CPLT2-6879)

When using "OperationsCenter.Route.tls.Enable=true" in the Helm chart, the resulting Operations Center URL uses http instead of https.

The Operations Center URL is now correctly using https in this case.

Master Provisioning is passing CJOC URL without trailing / to Managed Master (CPLT2-6833)

Master Provisioning may not pass the trailing / to the Operations Center URL.

Now, the Jenkins URL declared in cluster endpoints always ends with a trailing slash.

Deleting pod templates is not persisted (CPLT2-6856)

Fixed an issue that caused pod templates under Manage Jenkins > Kubernetes Pod Templates to not be persisted when all of them are deleted.

Build widget broken when a user has Read permission on a running Pipeline but not its parents (NGPIPELINE-1546)

Users with Read permission on a running Pipeline but only Discover permission on one of its parents' folders were unable to view the main Jenkins dashboard due to errors in the build widget.

The build widget now operates correctly when users have Read access to a Pipeline but not its parents.

Fix for SECO-757 Jenkins log flooded with SSE gateway plugin-related warnings, which increase memory usage (NGPIPELINE-1507)

With Jenkins deployed on Tomcat, if BlueOcean users close tabs abruptly some internal queues can increase the number of Pipelines thereby generating a lot of events.

The default values of some timeouts now handle exceptions and clear queues more quickly.

Remove jQuery and upgrade frontend toolchain on cloudbees-workflow-ui-plugin (NGPIPELINE-1432)

CloudBees Pipeline Stage View Extensions bundled an outdated version of jQuery, and the dialog for deleting or resuming checkpoints had broken styles when running against Jenkins 2.249 or newer.

CloudBees Pipeline Stage View Extensions no longer bundles jQuery, and the styles of the dialog for deleting or resuming checkpoints now work correctly on all versions of Jenkins.

Performance slowdown when credentials cache file gets large (CTR-788)

A new cache implementation is now in OperationsCenterCredentialsProvider to avoid credentials duplication. The cache also periodically cleans out all entries with no updates/access in the last 48 hours.

Clarify that shared configuration is available to all master types (CTR-2583)

With this fix, the description of the Miscellaneous Configuration Container in operations center indicates that it applies to all masters types, not just Client Masters.

The restore of a backup fails with a digest check error when using Azure Storage (CTR-916)

There was an issue in backup creation when using Azure Storage that caused the backup to be created in Azure without the required digest metadata. Because the backup was created without the required digest metadata, restoring the backup would fail, as there was no digest to check integrity against it.

With this fix, the digest metadata is properly attached to the backup file and then used during the restore process.

The inline help referenced HUDSON_HOME (CTR-2702)

The inline help now references JENKINS_HOME as expected.

Form changes: promoted-builds plugin breaks with tables-to-divs changes (FNDJEN-2775)

No user-facing changes. Internal changes fixing compatibility issues of the plugin with the changes on the layout of the forms of the next LTS.

Known issues

Kubernetes Plugin - agents are not being provisioned (SECO-868)

If Kubernetes agents aren’t being provisioned after the upgrade, and you see "No slot left for provisioning (global limit)" in your logs, this is due to changes in the way the plugin interprets the "Concurrency Limit" configuration value. To work around the issue, open the configuration screen for the Kubernetes Shared Cloud in operations center and then click the Save button.

No configuration changes are necessary. However, if the "Concurrency Limit" is set to "0" it can be changed to "" (empty) if desired. A permanent fix will be released in a future release, which doesn’t require manual intervention after the upgrade.

Instances using CloudBees Plugin Usage Plugin version 2.0 experience a long start-up time (FNDJEN-3377)

When using CloudBees Plugin Usage Plugin version 2.0 and the controller restarts, the web UI may display the “Please wait while Jenkins is getting ready to work” message for an unusually long period of time. After the instance is started up, the start-up performance logs show that the {{AnalyzerWork.initialize}} had taken a long time.

The loading of the previous plugin usage report file {{analysis.json}} takes too long. CloudBees will fix this issue in an upcoming release. See this knowledge base article CloudBees Plugin Usage Plugin 2.0 slows down Controller Start Up for immediate steps to remedy the issue until the fix is available.

Upgrade notes

Jenkins 2.263 upgrade notes

If upgrading from a rolling release older than 2.387.2.4, customers may experience technical difficulties. CloudBees ensures compatibility only between supported versions of the product and recommends upgrading early and often to avoid these difficulties. If you are having difficulties upgrading, contact CloudBees Support for assistance.
snakeyaml:1.10 dependency removed (CTR-2511)

The snakeyaml:1.10 library contains a known security vulnerability. With this change we are removing the dependency on that library.

By removing the Snakeyaml dependency we are also removing old migration code, which means updates from versions of this plugin older than 1.1.0 (3 years old) will require a multi-step upgrade.

The multi-step upgrade involves two steps:

  1. Update to a version previous to this one.

  2. Update to this version.

    If users skip a step in the multi-step process, they could incur data loss.

CloudBees Role-Based Access Control Plugin

With this upgrade, for security reasons, we are disabling the ability to configure RBAC groups and role filters at the views level.

See CloudBees Role-Based Access Control Plugin 5.42 for more information about the security vulnerability.

This change means that any previous groups or role filters created in a view will not be applied and you will not be able to configure them.

This update only affects the views themselves, not the items within them. Previous permissions applied to the items are still enforced.

If you were filtering roles on views before this upgrade, these filters will no longer work, so your users may have a more permissive permission scheme on the views.

CloudBees recommends running this script in your script console to determine if you have a configuration on your instance that will be affected by this change.

If you do have a configuration that will be affected by this change, you have two options:

  1. (CloudBees recommended approach) Recreate each view inside a folder and apply the RBAC configuration to the folder. The folder RBAC configuration is propagated to the view since it is inside the folder.

  2. Enable RBAC configuration on views by setting the system property nectar.plugins.rbac.groups.ViewProxyGroupContainer=true.

    This approach is not recommended for security reasons.