CloudBees CI on modern cloud platforms 2.263.2.2

Rolling release: 2020-01-13

Based on Jenkins LTS 2.263.2-cb-2

Critical issues

Regression in CloudBees Plugin Usage Plugin 2.0, 2.2

CloudBees CI versions 2.263.1.2 and 2.263.2.2 have a potential issue involving the CloudBees Plugin Usage Plugin versions 2.0 and 2.2:

This plugin produces the analysis.json file in $JENKINS/pup. On large instances, for example with many jobs, this file can be quite large. At the next restart of the controller, the plugin usage analyzer tries to parse this file and with large files this could take some time and it may block the start-up process of the controller thereby leading to longer startup time.

CloudBees recommends that you upgrade to CloudBees CI version 2.263.4.1 or later, or upgrade the CloudBees Plugin Usage Plugin to version 2.6. If you cannot upgrade to 2.263.4.1, it’s best to disable the CloudBees Plugin Usage Plugin (short name cloudbees-plugin-usage) until then. If Jenkins is not accessible, see Disabling a plugin when Jenkins is down

This issue is only a problem on startup. Another workaround is to remove the file $JENKINS/pup/analysis.json before starting or restarting Jenkins.

Security fixes

Remove jQuery on cloudbees-monitoring-plugin (CPLT2-6943)

The following jQuery files are no longer being used and have been removed:

  • /scripts/jquery.flot.time.js

  • /scripts/jquery.flot.resize.js

  • /scripts/jquery-2.1.0.min.js

  • /scripts/jquery.flot.hiddengraphs.js

  • /scripts/jquery.flot.js

New features

Added support for Application Load Balancer (ALB) on Amazon EKS (CPLT2-5839)

You can now use ALB when you deploy to AWS EKS. This is the recommended configuration for this platform. See Installing CloudBees CI on EKS.

Update support-core to 2.72 (FNDJEN-3356)

CloudBees now supports the Jenkins Support Core plugin version 2.72 . For more information, see https://github.com/jenkinsci/support-core-plugin/releases.

Detect Insecure Pipeline Interpolation (Password Leaking) (NGPIPELINE-1277)

CloudBees CI now adds warnings on build and log pages when potentially unsafe Groovy constructions are used. For more information, see String interpolation.

Feature enhancements

New logo for CloudBees Plugin Usage Analyzer plugin (FNDJEN-3316)

The plugin now has its own logo in order to differentiate it from the Jenkins Controller plugin manager. For more information on this, see How to determine if a plugin is in use.

Support ingress annotations per Kubernetes cluster endpoint (CPLT2-6932)

When you use a non-default ingress controller, you may need to specify ingress annotations on Operations Center in order to configure the ingress controller. In this release, support has been added for ingress annotations for Kubernetes cluster endpoints. This provides better support for alternate ingress controllers and prevents the need to repeat configuration steps.

Update Operations Center Context plugin dependencies (CTR-2603)

The Operations Center Context plugin is now using jQuery 3.5.1.

Dependency updates (CTR-2944)
  • Minimum jenkins-core upgraded to 2.263.1.2

  • Minimum nectar-license plugin version upgraded to 8.28

  • Minimum cloudbees-template plugin version upgraded to 4.49

  • Minimum script-security plugin version upgraded to 1.75

Change product license URL (CTR-736)

The URL of our license terms has changed to https://www.cloudbees.com/r/subscription.

Resolved issues

Clean up use of profiles in CloudBees CI WAR files (CPLT2-6017)

Operations center and managed controller WAR files for CloudBees CI on modern cloud platforms defined supposedly optional profiles for Kubernetes functionality, but then unconditionally enabled these profiles. Also the Setup Wizard offered the option of installing a number of plugins that were actually installed unconditionally.

The profiles have been removed from the Setup Wizard and the plugin list has been simplified.

Error during saving of Pod template should not resolve in a memory object (CPLT2-6819)

Previously, when you clicked Save while editing a Pod template that contained a container template without an image configured, an error message was displayed. When you reopened the Pod template screen, any previously defined templates disappeared.

This issue was resolved. If you encounter an error when you save a configuration, the previously defined templates are preserved.

Prevent hibernation when the controller URL is incompatible with what is supported (CPLT2-6869)

Previously, you could enable hibernation, even if it was not supported by the controller URL.

This has been fixed and you can no longer enable hibernation if the controller URL does not support the hibernation feature.

Missing nodeselector, tolerations on hibernation monitor deployment (CPLT2-6931)

The nodeSelector and tolerations attributes were missing from the hibernation monitor deployment.

You can now specify these attributes in the chart values as {{.Hibernation.NodeSelector}} and {{Hibernation.Tolerations}}.

Helm chart: Add check for OpenShift 3.11 and allow if not Kubernetes 1.14 (CPLT2-6941)

A previous update created issues for OpenShift Container Platform (OCP) 3.11 users when they tried to implement the Helm chart.

This issue has been resolved, and OCP 3.11 users can install the product using the Helm chart. Kubernetes users using 'helm template' will need to add '--api versions networking.k8s.io/v1beta1/Ingress' to the 'helm template' command.

Upgrade jQuery on cloud-platform-master-provisioning-plugin (CPLT2-6817)

jQuery was out of date on the cloud-platform-master-provisioning-plugin.

jQuery was upgraded to version 3.5.x.

Default value is not filed for Storage class (CPLT2-6791)

When .Values.Persistence.StorageClass is configured, the value isn’t selected by default in the "Storage Class Name" drop-down menu on the master provisioning configuration screen.

The libraries have been updated to pick up the default drop-down value. Changes were made in Jenkins core (#4939).

Cross Team Collaboration could not use the Operations Center router with CasC for Masters (CTR-2088)

With this fix, Cross Team Collaboration can now use the Operations Center router in the Configuration as Code (CasC) for Masters configuration.

Trigger remote job widget is rendering '[' when error on path (CTR-2560)

An invalid path of the downstream job is now properly managed and displayed in the configuration of the Trigger builds on remote/local jobs build step.

Plugins from an https server with SNI certificates cannot be downloaded in Plugin Catalog through Installation Manager (FNDJEN-3070)

Before this release users were unable to download plugins defined in a plugin catalog from servers using SNI certificates.

CloudBees Installation Manager 2.89.0.33 allows downloading plugins from servers configured with SNI certificates. In addition, the new version follows redirections if needed for the plugin download.

Known issues

Kubernetes Plugin - agents are not being provisioned (SECO-868)

If Kubernetes agents aren’t being provisioned after the upgrade, and you see "No slot left for provisioning (global limit)" in your logs, this is due to changes in the way the plugin interprets the "Concurrency Limit" configuration value. To work around the issue, open the configuration screen for the Kubernetes Shared Cloud in operations center and then click the Save button.

No configuration changes are necessary. However, if the "Concurrency Limit" is set to "0" it can be changed to "" (empty) if desired. A permanent fix will be released in a future release, which doesn’t require manual intervention after the upgrade.

Instances using CloudBees Plugin Usage Plugin version 2.0 experience a long start-up time (FNDJEN-3377)

When using CloudBees Plugin Usage Plugin version 2.0 and the controller restarts, the web UI may display the “Please wait while Jenkins is getting ready to work” message for an unusually long period of time. After the instance is started up, the start-up performance logs show that the {{AnalyzerWork.initialize}} had taken a long time.

The loading of the previous plugin usage report file {{analysis.json}} takes too long. CloudBees will fix this issue in an upcoming release. See this knowledge base article CloudBees Plugin Usage Plugin 2.0 slows down Controller Start Up for immediate steps to remedy the issue until the fix is available.

Regressions related to user-created content [CBCI-389]

This release contains multiple regressions related to files in user-created content served by the following CloudBees products:

  • CloudBees CI

  • CloudBees Jenkins Distribution

  • CloudBees Jenkins Platform

  • CloudBees Jenkins Enterprise

You may experience the following issues with user-created content:

  • If you use external artifact storage, like the Artifact Manager S3 Plugin or Compress Artifacts Plugin, it is not possible to download entire directories of archived artifacts as Zip files. Instead, you receive an error message.

  • Zip files containing directories of workspaces, archived artifacts, and similar user-created content do not include top-level directories anymore (typically called “archive” for archived artifacts, and the job name for workspaces), which can break expectations about Zip file structure, for example, in scripted clients.

  • File handles are not closed correctly whenever individual files are downloaded from workspaces, archived artifacts, and similar user-created content. This can result in Jenkins running out of file handles.

These issues are resolved in release 2.263.2.3.

Upgrade notes

CloudBees recommends that you start to prepare for the March release of Jenkins LTS as soon as possible. The March release will include important updates. If you use Jenkins LTS plugins that are not in the CloudBees Assurance Program (CAP), you should update them before upgrading your CloudBees products to ensure compatibility with the March release. If your company uses its own proprietary (non-CloudBees) plugins, CloudBees recommends that you test them against Jenkins version 2.266+ prior to the March release. And, as always, backing up your data before upgrading is strongly encouraged. For details about changes in the March Jenkins LTS release, see https://www.jenkins.io/blog/2020/11/10/spring-xstream/ and https://www.jenkins.io/doc/developer/views/table-to-div-migration/.

If upgrading from a rolling release older than 2.249.1.2, customers may experience technical difficulties. CloudBees ensures compatibility only between supported versions of the product and recommends upgrading early and often to avoid these difficulties. If you are having difficulties upgrading, contact CloudBees Support for assistance.

CloudBees Role-Based Access Control Plugin

With this upgrade, for security reasons, we are disabling the ability to configure RBAC groups and role filters at the views level.

See CloudBees Role-Based Access Control Plugin 5.42 for more information about the security vulnerability.

This change means that any previous groups or role filters created in a view will not be applied and you will not be able to configure them.

This update only affects the views themselves, not the items within them. Previous permissions applied to the items are still enforced.

If you were filtering roles on views before this upgrade, these filters will no longer work, so your users may have a more permissive permission scheme on the views.

CloudBees recommends running this script in your script console to determine if you have a configuration on your instance that will be affected by this change.

If you do have a configuration that will be affected by this change, you have two options:

  1. (CloudBees recommended approach) Recreate each view inside a folder and apply the RBAC configuration to the folder. The folder RBAC configuration is propagated to the view since it is inside the folder.

  2. Enable RBAC configuration on views by setting the system property nectar.plugins.rbac.groups.ViewProxyGroupContainer=true.

    This approach is not recommended for security reasons.

Revisions

Revision 2 (2021-01-14)

Release Notes

Upgraded Jackson2 API Plugin from 2.12.0 to 2.12.1 to fix regressions in the Docker plugin (JENKINS-64343)