CloudBees CI release highlights

What’s new in CloudBees CI 2.387.1.2

Watch video

Security fixes

Symlinks were followed when generating a backup in zip format (BEE-29575)

When using the Backup plugin to generate a backup file in zip format, symlinks were followed instead of ignored or archived. This behavior allowed attackers to create symlinks on the Jenkins controller file system inside one of the directories being backed up to add additional files from the Jenkins controller file system.

This issue has been resolved. Symlinks are now stored as symlinks inside zip archives.

Upgrade jsoup 1.15.2 to jsoup 1.15.3 (BEE-23580)

Upgraded jsoup 1.15.2 to jsoup 1.15.3.

Upgrade jsoup 1.15.2 to jsoup 1.15.3 (BEE-23581)

Upgraded jsoup 1.15.2 to jsoup 1.15.3.

Upgrade jsoup 1.14.3 to jsoup 1.15.3 (BEE-23584)

Upgraded jsoup 1.14.3 to jsoup 1.15.3.

Upgrade XStream 1.4.19 to XStream 1.4.20 (BEE-24093)

Upgraded XStream 1.4.19 to XStream 1.4.20.

Upgrade Commons Text 1.9 to Commons Text 1.10.0 (BEE-25769)

Upgraded Commons Text 1.9 to Commons Text 1.10.0.

Upgrade SSHD :: Core 2.9.1 API to SSHD :: Core 2.9.2 API (BEE-29082)

Upgraded SSHD :: Core 2.9.1 API to SSHD :: Core 2.9.2 API.

Upgrade XStream 1.4.19 to XStream 1.4.20 (BEE-29221)

Upgraded XStream 1.4.19 to XStream 1.4.20.

Upgrade XStream 1.4.19 to XStream 1.4.20 (BEE-29222)

Upgraded XStream 1.4.19 to XStream 1.4.20.

Upgrade XStream 1.4.19 to XStream 1.4.20 (BEE-29980)

Upgraded XStream 1.4.19 to XStream 1.4.20.

Upgrade Okio API 3.2.0 to Okio API 3.3.0 and Kotlin 1.7.22 to Kotlin 1.8.10 (BEE-30251)

Upgraded Okio API 3.2.0 to Okio API 3.3.0 and Kotlin 1.7.22 to Kotlin 1.8.10.

New features

None.

Feature enhancements

Ability to set ephemeral-storage constraints to the operations center container (BEE-30833)

It was not possible to add ephemeral-storage constraints to the operations center container via the helm values OperationsCenter.Resources.Requests.EphemeralStorage and OperationsCenter.Resources.Limits.EphemeralStorage. By default, none is set.

The Helm chart now supports setting 'ephemeral-storage' resource constraints.

New controller image tag added to Kubernetes provisioning (BEE-30689)

A new imageTag macro was added to the Kubernetes controller provisioning. This macro allows the image tag (which includes the CloudBees CI version) to be used in other places such as annotations. Annotations are set a pod level and allows init and side-car containers to access them as environment variables.

Unable to add init containers to operations center (BEE-30702)

Init containers can now be added to the operations center.

New CLI/endpoint to validate raw bundles before adding them (BEE-27419)

A new endpoint (JENKINS_URL/casc-bundle/pre-validate-bundle) and CLI command (casc-pre-validate-bundle) have been created.

They validate the raw bundles before adding them to the operations center and making them available to controllers, providing prevalidation results as a response. Both structural and controller validations (when available) are calculated. Refer to Validating bundles prior to update for more information.

Sanitize plugin information from update centers before rendering in Jenkins (BEE-30777)

Plugin information coming from the Update Center may contain some unwanted elements.

Plugin information is now sanitized before displaying in the Jenkins UI.

Add a monitor that displays a message about the upcoming removal of the Maven Integration plugin (BEE-29864)

Added a monitor that displays a message about the upcoming removal of the Maven Integration plugin.

Resolved issues

Kubernetes client does not support non-proxy hosts with wildcard characters(BEE-30717)

When using the Jenkins HTTP proxy and non-proxy hosts with wildcard characters, the Kubernetes client fails with java.net.MalformedURLException: NO_PROXY URL contains invalid entry: <wildcardEntry>. This was caused by a change of behavior in Kubernetes client version 6.x that now only supports GNU WGet Proxy spec.

This issue is resolved.

Page title duplicated on the Kubernetes Pod Templates page (BEE-30473)

The main title of the Kubernetes Pod Templates page appeared on the side panel of the page.

The main title is now hidden on the side panel.

Wrong layout for the Secret field when defining a BitBucket Cloud endpoint (BEE-514)

The Secret field is displayed within the text flow of its description when defining a BitBucket Cloud endpoint making it difficult to see.

The Secret field is now positioned below its description.

Fix initial value of managed controller endpoint URL after starting up (BEE-27122)

For a brief amount of time before connecting to operations center, the managed controller endpoint could be set incorrectly.

This issue has been resolved.

/casc-bundle/list HTTP API endpoint does not return the controller using a parent bundle (BEE-27773)

Parent bundles returned from the /casc-bundles/list HTTP endpoint did not have controllers used by inherited bundles in the usedBy section of the response.

controllers in the usedBy section of inherited bundles are also in the usedBy section for parent bundles.

System Configuration option missing from CloudBees backup job (BEE-28961)

Administrators missing the "Run Scripts" permission, could not see the System Configuration option under the What to back up list Using the CloudBees Backup plugin.

This issue is resolved. The System Configuration option now appears for Administrators whether or not they have the Run scripts permission.

The TCP agent listener thread is not automatically restarted on uncaught exceptions (BEE-29155)

If the TCP agent listener stops because of an uncaught exception, it is not automatically restarted.

Incoming Inbound TCP (JNLP) agent connections cannot be satisfied anymore. The workaround is to disable/enable the listener by disabling the agents TCP port under Configure Global Security > Agents and then fix it again.

The issue has been fixed. The TCP agent listener is now more resilient to an unexpected failure.

Proxy authentication fails from the Beekeeper SecurityWarningDataProvider (BEE-29387)

In some environments that use the JenkinsProxyAuthenticator in CloudBees CI, the Beekeeper SecurityWarningDataProvider fails to connect.

Now, the JenkinsProxyAuthenticator ignores the case when it checks the authentication scheme. This issue has been resolved.

Prevalidating a bundle with a multibranch item returns a warning message (BEE-29550)

Prevalidating a bundle with a multibranch item in the items.yaml file always return a warning.

A change made in the OSS workflow-multibranch resolves the issue.

Operations center connector logs now honor customization (BEE-29640)

It is possible to override logs root directory by providing a system property. This was ignored by the operations center connector, leading to an inconsistent storage location of logs.

This issue is now resolved.

Removal of all groups from an item defined in Configuration as Code (CASC) for operations center is not enacting on bundle reload (BEE-29650)

If an item had any groups configured and then a CasC bundle was applied where the item no longer had any groups, the removal of groups was not applied.

This issue has been resolved. Groups will now be removed with removeStrategy: SYNC as expected and when no groups are defined.

Page title duplicated on the Event Status for CloudBees Software Delivery Automation Analytics page (BEE-30019)

The main title of the Event Status for CloudBees Software Delivery Automation Analytics page also appears on the side panel of the page.

The main title is now hidden on the side panel.

The WebSocket agent hangs indefinitely after a reload of nginx configuration (BEE-30149)

If the connection is lost, a 5-minute timeout exception is added. This issue has been fixed.

Stack trace shuts down com.cloudbees.opscenter.server.messaging.Transport (BEE-30320)

Messages sent between the operations center and controller generated errors.

This issue is resolved.

Security configuration was calling a deprecated option (BEE-30321)

The operations center still allowed the option to propagate an agent-to-controller security option to controllers that were unavailable.

This issue is resolved. The dead code and configuration UI have been removed.

Blocked bundle retriever causes the unlink between controller and bundles (BEE-30323)

All remote retrievals happen in the same thread now, making retrievals atomic. Any retrieval request will not start until currently running one is completed.

Now, consecutive retrieve requests are enqueued with checkout and all remotes override the individual remote checkout. This issue is resolved.

Parameters definition of non-pipeline jobs gets duplicated after each CasC bundle reload (BEE-30501)

When defining a non-pipeline job (such as a FreeStyle job) with parameters via CasC, the parameters property object is duplicated in the persistence layer (the config.xml). This can cause unexpected behavior when trying to update those parameters. Older values may still be used instead of the newer ones.

The problem is resolved. The parameters property object is now replaced and not duplicated.

Certain combinations of nested node and dir or ws steps in a Pipeline build can result in an incorrect working directory when an agent with mutiple executors was entered twice (BEE-30693)

The nesting order of steps is now tracked more precisely, so that the working directory is always taken from the innermost step that defines the working directory.

This issue has been fixed.

Known issues

Duplicate Pipeline Template Catalogs in the Configuration as Code jenkins.yaml file on each instance restart (BEE-12722)

If a Pipeline Template Catalog is configured in the CasC jenkins.yaml file and the id property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration.

Upgrade notes

Java 11 is now required

Beginning with the September release, Java 11 is now required to run CloudBees CI. It is not possible to run the operations center, the controllers, or agents on Java 8 any longer. Java Web Start is no longer supported for inbound agents.

For more information, refer to Migrate to Java 11.

When you upgrade to Java 11, you must update your Java garbage collection arguments (BEE-16018)

Garbage collection has been updated in Java 11. Many of the previously recommended arguments are no longer supported. When you upgrade your JDK to Java 11, you must also update your garbage collection configuration. Using unsupported Java arguments will result in startup failure.

The Pipeline: Declarative Agent API plugin has been removed from CAP (BEE-8883)

The Pipeline: Declarative Agent API plugin was removed from the CloudBees Assurance Program (CAP).

The External Monitor Job Type plugin was removed from CAP (BEE-27147)

The External Monitor Job Type plugin has been removed from the CloudBees Assurance Program (CAP).

The Popper.Js API plugin has been removed from CAP (BEE-27144)

The Popper.Js API plugin was removed from the CloudBees Assurance Program (CAP).

Kubernetes-client upgrade to 6.x (BEE-28247)::

The fabric8 Kubernetes-client has been upgraded from 5.x to 6.x. When configuring a managed controller and using the advanced YAML field; it is now possible to add additional entries such as CustomResourceDefinitions (CRDs) for which the Kubernetes-client has no model. They are now passed as is to the underlying Kubernetes API server.

NOTE: When declaring custom YAML snippets in a controller, apiVersion is now required by the Kubernetes-client library. Additional validation has been added to the UI component to validate that use case.

If the apiVersion is missing, the controller reprovisioning will fail when the operations center is upgraded. For more information on this topic, refer to this knowledge base article, The apiVersion on a resource being deserialized is required after upgrading Kubernetes-client 6.x. This article contains a script you can run to check for invalid configurations. The configurations listed in the output of this script need to be fixed by providing a valid apiVersion.

Contact CloudBees Support for any further questions.

Plugin Removal from the CloudBees Assurance Program (CAP) (BEE-9215)

CloudBees has removed the following plugins from the CloudBees Assurance Program (CAP):

  • Bootstrap 4 API

  • CloudBees Long-Running Build

  • Deployer Framework

  • Deployed on Column

  • JavaScript GUI Lib: Momentjs Bundle

This announcement allows CloudBees to focus on driving new technology and product innovation, as well as maintaining existing products that are actively used by customers.

If you installed any of these plugins using a Configuration as Code bundle via the plugins.yaml file, you must include them in the plugin catalog to continue using them. Refer to Installing non-CAP plugins with plugin catalogs.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

Migration to Jakarta Mail (BEE-22565)

The CloudBees Nodes Plus plugin and the Operations Center Server plugin were updated to use jakarta.mail instead of javax.mail. This migration may break existing scripts that relied upon javax.mail. You may need to recreate any broken scripts.