New features

Configuration as Code (CasC) for Controllers now supports item creation based on CloudBees templates (BEE-10387)

When a CloudBees template is created in a controller instance, it is now possible to create an item based on the template using CasC.

Creating items based on a CloudBees template using CasC is a Preview feature. For more information, refer to Creating items with CasC for controllers.

CasC for the operations center now supports the creation and exportation of shared agent and shared cloud items (BEE-3768, BEE-3769, BEE-10974, and BEE-12120)

When a shared cloud is created in an operations center instance, it is now possible to export its configuration in a YAML format that can be used to create and configure shared cloud items using CasC.

By default, shared agent and shared cloud items are configured to be taken online. To configure the shared agent or shared cloud item to be taken offline, add the takeOnline property to the items.yaml and set it to false. For example: takeOnline: false.

Shared agent and shared cloud items for the operations center are Preview features. For more information, refer to Creating items with CasC for the operations center.

Feature enhancements

Migrated the CloudBees Update Center Plugin from async-http-client to okhttp (BEE-9312)

Previously, HTTP communication was managed by an old version of async-http-client.

In this release, the underlying HTTP library has been updated to use okhttp to provide support for Server Name Indication (SNI) and Java 11.

The Restart Aborted Builds plugin has been improved (BEE-9301, BEE-9994, BEE-9995, and BEE-10013)
  • When a controller is restored from a backup:

    • Active Pipeline builds are now listed in the administrative monitor page if still running at the time the page is displayed. You can also navigate to the builds or abort them. Previously, it was difficult to locate all Pipeline builds that were running when a backup was taken, to inspect them for possible errors.

    • Aborted Pipeline builds are now listed on the administrative monitor page. Previously, if an agent was not available after a backup and restore, Pipeline builds were aborted after a few minutes but the Pipeline build was not listed on the administrative monitor page alongside aborted Freestyle builds.

    • The administrative monitor page is now always displayed, even if no aborted builds are currently observed or any restore actions are summarized. Previously, the administrative monitor page was only displayed if there was at least one aborted build.

  • If a Pipeline build is started after a controller backup is taken, when the controller is restored from the backup, new builds may reuse existing build numbers. This is typically harmless because any deployed artifacts or reports should use unique identifiers based on commit, date, or similar. However, some projects may rely on the uniqueness of the Jenkins build number.

    In this scenario, a restore script can now be used to set a controller RESTORED_FROM_BACKUP environment variable to any identifier. If this variable is defined when the controller starts and the environment variable is either reset or set to a different value during the last startup, a pluggable set of actions are launched to adapt to the restoration and adds 1000 to the next build number of every job. This ensures subsequent build numbers are unlikely to overlap with builds that may have started after the corresponding backup.

For more information, refer to Controlling builds.

Elements are no longer enclosed in curly brackets in the exported CasC plugin-catalog.yaml file (BEE-9580)

When the current CasC configuration is exported for a controller, elements are no longer enclosed with curly brackets in the exported plugin-catalog.yaml file.

Plugin IDs are no longer enclosed in curly brackets in the exported CasC plugins.yaml file (BEE-9578)

When the current CasC configuration is exported for a controller or the operations center, the plugin IDs are no longer enclosed with curly brackets in the exported plugins.yaml file.

Exported CasC items only include supported items and properties (BEE-8957)

If a CasC item cannot be exported or an error occurs when a property is exported, the exported item now only contains the properties that were successfully exported.

If an error occurs when a property is exported, a descriptive message is now included in the exported YAML file.

The cloudbees-installation-manager and cloudbees-assurance plugins are now compatible with Guava 30+ (BEE-10591) (BEE-8532)

These two plugins have been updated to be compatible with both current Jenkins versions and upcoming versions that have a newer Guava library.

Resolved issues

The CloudBees CasC Automatic managed controller provisioning option was present in CloudBees CI on traditional platforms environments (BEE-12569)

The CloudBees CasC Automatic managed controller provisioning options were available on the Manage Jenkins Configure System screen in CloudBees CI on traditional platforms environments, but should not have been present because CloudBees CI on traditional platforms does not support managed controller items. CloudBees CI on traditional platforms only support client controller items, which are not related to automatic provisioning.

The CloudBees CasC Automatic managed controller provisioning option no longer appears in CloudBees CI on traditional platforms.

Terminology updates (BEE-11930, BEE-12123)

CloudBees is updating terminology to remove offensive text. During this ongoing initiative, “controller” replaces “master,” “agent” replaces “slave,” “allowlist” replaces “whitelist,” and “denylist” replaces “blacklist.”

Updated deprecated calls to Acegi Security (BEE-9530)

Acegi Security was replaced with Spring Security in a previous release of CloudBees CI. Deprecated calls to Acegi Security were potentially causing an impact on performance.

This issue has been resolved; the calls have been updated for Spring Security.

Removed async-http-client from the Operations center Client Plugin (BEE-12043)

The async-http-client library is not compatible with Java 11.

It was removed from the Operations center Client Plugin in preparation for Java 11 support.

Freestyle builds that use the AWS CLI plugin as a build wrapper failed with a runtime exception (BEE-10118)

Freestyle builds that used version 1.5.15 or earlier of the AWS CLI plugin as a build wrapper were failing with a runtime exception. The Freestyle job had to be saved to manually resolve the issue.

This issue has been resolved. Freestyle jobs that use the AWS CLI plugin as a build wrapper are now properly migrated wihtout any manual intervention.

Update to the operations center Monitoring plugin (BEE-14284)

A security update that was made to the Metrics plugin changed how access keys persisted. The update required a change to the operations center Monitoring plugin to prevent unnecessary remote context synchronization.

Rebuilding an aborted build could result in warnings and inconsistent behavior (BEE-10009)

Rebuilding an aborted build from the administrative monitor page could copy unwanted content from the original build, producing warnings and possibly causing inconsistent behavior.

This issue has been resolved. A standard implementation based on the rebuild action for Pipeline jobs is now used.

A link to the Pipeline Template Catalog was missing from the Pipeline page (BEE-6906)

A standalone Pipeline that was created from a Pipeline Template Catalog was not showing a link to the Template in the left pane.

This issue has been resolved. The link to the Template now appears in the left pane.

The Item Restriction list in Folder configuration displays non-applicable Item types (BEE-8036)

The Item Restriction list in Folder configuration displays only applicable Item types now.

A shared library using Folder-scoped credentials fails to authenticate when using tags (BEE-8326)

Shared library tags using Folder-scoped credentials could not be checked out with Modern Git SCM.

Shared library tags can be fetched using Modern Git SCM with context-accessible credentials.

Known issues

Missing packages in CloudBees CI on traditional platforms Docker images (BEE-14566)

As part of the migration from Debian to Universal Base Images (UBI), various system packages were not included in the CloudBees CI on traditional platforms Docker images, causing issues in some specific use cases.

This issue has been resolved in release 2.319.2.7. CloudBees recommends that you install the latest version to avoid potential issues.

CloudBees CI on traditional platforms default encoding changed (BEE-15083)

In version 2.319.2.5, the default encoding for the CloudBees CI on traditional platforms images was configured as ANSI_X3.4-1968, rather than UTF-8. This may result in encoding issues in Jenkins.

This is a known issue that will be resolved in an upcoming release.

Duplicate Pipeline Template Catalogs in the Configuration as Code (CasC) for Controllers jenkins.yaml file on each instance restart (BEE-12722)

If a Pipeline Template Catalog is configured in the CasC jenkins.yaml file and the id property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration.

Upgrade notes

Migrating the Role-Based Access Control (RBAC) plugin

Previously, users were not distinguished from groups in the RBAC configuration, leading to some potential misconfigurations when a user has the same name as a group. This issue has been resolved, users and groups are now properly distinguished and validated when added.

In the unlikely event that you have users and groups with the same names, you must manually select whether those items are users or groups when you upgrade. For more information, refer to Migrating the RBAC plugin from versions prior to 5.65.

Additional steps required for Active Directory plugin users

If you are using the Active Directory plugin to authenticate users then additional steps will be required for upgrading this instance.

The Active Directory plugin versions 2.23.1, 2.24.1, and 2.25.1 adds an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP).

This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory.

Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.

Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration unless the (now otherwise obsolete) flag hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set to true.

After upgrading, you should review your Active Directory setup and if required enable the require TLS option in the security configuration of Jenkins to require all communication with the LDAP server to be encrypted.

Additionally if previously using the hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps flag you should save the Jenkins security configuration and then remove the system property.

The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE and hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE. See the plugin documentation for further details.

Care needs to be taken when reconfiguring the security realm to not accidentally lock yourself out. See the documentation for advice how to resolve this problem if it occurs.
Jenkins upgrade notes

Jenkins 2.319 upgrade notes