CloudBees CI on modern cloud platforms 2.263.2.3

Rolling release: 2021-01-21

Based on Jenkins LTS 2.263.2-cb-4

Critical issues

User-created content regressions

Version 2.263.2.3 fixes some critical regressions found in version 2.263.2.2 of the following products:

  • CloudBees CI

  • CloudBees Jenkins Distribution

  • CloudBees Jenkins Platform

  • CloudBees Jenkins Enterprise

Potential issues include:

  • If you use external artifact storage, it is not possible to download entire directories of archived artifacts as Zip files.

  • Zip files containing directories of workspaces, archived artifacts, and similar user-created content are missing top-level directories.

  • File handles are not closed directly whenever individual files are downloaded from workspaces, archived artifacts, and other user-created content. This could result in Jenkins running out of file handles.

CloudBees recommends that you upgrade to version 2.263.2.3 to prevent potential issues with user-created content.

Security advisories

Release highlights video

Select to watch a video describing the highlights of this release

Known issues

Kubernetes Plugin - agents are not being provisioned (SECO-868)

If Kubernetes agents aren’t being provisioned after the upgrade, and you see "No slot left for provisioning (global limit)" in your logs, this is due to changes in the way the plugin interprets the "Concurrency Limit" configuration value. To work around the issue, open the configuration screen for the Kubernetes Shared Cloud in operations center and then click the Save button.

No configuration changes are necessary. However, if the "Concurrency Limit" is set to "0" it can be changed to "" (empty) if desired. A permanent fix will be released in a future release, which doesn’t require manual intervention after the upgrade.

Upgrade notes

CloudBees recommends that you start to prepare for the March release of Jenkins LTS as soon as possible. The March release will include important updates. If you use Jenkins LTS plugins that are not in the CloudBees Assurance Program (CAP), you should update them before upgrading your CloudBees products to ensure compatibility with the March release. If your company uses its own proprietary (non-CloudBees) plugins, CloudBees recommends that you test them against Jenkins version 2.266+ prior to the March release. And, as always, backing up your data before upgrading is strongly encouraged. For details about changes in the March Jenkins LTS release, see https://www.jenkins.io/blog/2020/11/10/spring-xstream/ and https://www.jenkins.io/doc/developer/views/table-to-div-migration/.

If upgrading from a rolling release older than 2.249.1.2, customers may experience technical difficulties. CloudBees ensures compatibility only between supported versions of the product and recommends upgrading early and often to avoid these difficulties. If you are having difficulties upgrading, contact CloudBees Support for assistance.

CloudBees Role-Based Access Control Plugin

With this upgrade, for security reasons, we are disabling the ability to configure RBAC groups and role filters at the views level.

See CloudBees Role-Based Access Control Plugin 5.42 for more information about the security vulnerability.

This change means that any previous groups or role filters created in a view will not be applied and you will not be able to configure them.

This update only affects the views themselves, not the items within them. Previous permissions applied to the items are still enforced.

If you were filtering roles on views before this upgrade, these filters will no longer work, so your users may have a more permissive permission scheme on the views.

CloudBees recommends running this script in your script console to determine if you have a configuration on your instance that will be affected by this change.

If you do have a configuration that will be affected by this change, you have two options:

  1. (CloudBees recommended approach) Recreate each view inside a folder and apply the RBAC configuration to the folder. The folder RBAC configuration is propagated to the view since it is inside the folder.

  2. Enable RBAC configuration on views by setting the system property nectar.plugins.rbac.groups.ViewProxyGroupContainer=true.

    This approach is not recommended for security reasons.