Recent Blog Posts

The Jenkins security team has been made aware of a new attack vector for a remote code execution vulnerability in the Jenkins CLI, according to this advisory by Daniel Beck: We have received a report of a possible unauthenticated remote code execution vulnerability in Jenkins (all versions). We strongly advise anyone running a Jenkins instance on a public network disable the CLI for now. As this uses the same attack vector as SECURITY-218, you can reuse the script and instructions published in this repository: https://github.com/jenkinsci-cert/SECURITY-218 We have since been able to confirm the vulnerability and strongly recommend that everyone follow the instructions in the linked repository. As Daniel mentions in the security advisory, the advised mitigation strategy is to disable the CLI subsystem via this Groovy script. If you are a Jenkins administrator, navigate to the 'Manage Jenkins' page and click on the 'Script Console', which will allow you to run the Groovy script to immediately disable the CLI. In order to persist this change across restarts of your Jenkins controller, place the Groovy script in $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy so that Jenkins executes the script on each boot. We are expecting to have a fix implemented, tested and included in an updated weekly and LTS release this upcoming Wednesday, November 16th. For users who are operating Jenkins on public, or otherwise hostile, networks, we suggest hosting Jenkins behind reverse proxies such as Apache or Nginx. These can help provide an additional layer of security, when used appropriately, to cordon off certain URLs such as /cli. Additionally, we strongly recommend that all Jenkins administrators subscribe to the jenkinsci-advisories@googlegroups.com mailing list to receive future advisories. The Jenkins project has a responsible disclosure policy, which we strongly encourage anybody who believes they have discovered a potential vulnerability to follow. You can learn more about this policy and our processes on our security page.

We created new native packages for Jenkins 2.7.1 today. These replace the existing packages. Due to a release process issue, the packaging (RPM, etc.) was created the same way as Jenkins 1.x LTS, resulting in problems starting Jenkins on some platforms: While we dropped support for AJP in Jenkins 2.0, some 1.x packages had it enabled by default, resulting in an exception during startup. These new packages for Jenkins 2.7.1, dated July 14, have the same scripts and parameters as Jenkins 2.x and should allow starting up Jenkins without problems. If you notice any further problems with the packaging, please report them in the packaging component.

It’s been almost three months since we’ve released Jenkins 2.0, the first ever major version upgrade for this 10 year old project. The 2.x versions since then has been adopted by more than 20% of the users, but one segment of users who haven’t seen the benefits of Jenkins 2 is those who has been running LTS releases. But that is no more! The new version of Jenkins LTS release we just released is 2.7.1, and now LTS users get to finally enjoy Jenkins 2. This release also officially marks the end-of-life for Jenkins 1.x. There won’t be any future release of Jenkins 1.x beyond this point. If you are worried about the upgrade, don’t be! The core of Jenkins is still the same, and all the plugins & existing configuration will just work.

+ (This is a guest post from https://twitter.com/michaelneale[Michael Neale]) + + + + Recently at the Docker Conference (DockerCon) the https://hub.docker.com[Docker Hub] was announced. + + The hub (which includes their image building and storage service) also provides some "official" images (sometimes they call them repositories - they are really just sets of images). + So after talking with all sorts of people we decided to create an official https://registry.hub.docker.com/_/jenkins/[Jenkins image] - which is hosted by the docker hub simply as "jenkins". + + So when you run "docker pull jenkins" - it will be grabbing this image. This is based on the current LTS (and will be kept up to date with the LTS) - but does not include the weekly releases (yet). Having a jenkins image that is fairly basic (it includes enough to run some basic builds, as well as jenkins itself) built on the LTS, on the latest LTS of Ubuntu seemed quite convenient - and easy to maintain using the official Ubuntu/Debian packaging of Jenkins. + + Docker is a great way to try and use server based systems - it brings all the dependencies needed and the images actually are portable (ie anywhere docker runs you can run docker images). There are official images for many popular server platforms (redis, mysql, all the linux distros and so on) so it seemed crazy to not include Jenkins along with this list. + "docker run -p 8080:8080 jenkins" is all you need to get going with LTS Jenkins now. + You can also use "docker run jenkins:1.554" to get the latest of that lineage of LTS releases, or pick a specific one: "docker run jenkins:1.554.3" if you like. Leaving off a version assumes the latest. Check the https://registry.hub.docker.com/_/jenkins/tags/manage/[tags] page to see what is available. + + + + You can read more and see how you https://registry.hub.docker.com/_/jenkins/[can use it here.] + + + + There has been some questions and discussions on how to make use of Jenkins with the docker hub for creating new and interesting docker image based workflows for deployment. + In fact, Jenkins featured in one of the first slides of the first keynote of docker con: + + image:https://3.bp.blogspot.com/-qAC-f6ceVho/U5rfqpzj3VI/AAAAAAAAC8w/Ta4pzEhm-8A/s1600/Screen+Shot+2014-06-13+at+8.34.10+pm.png[image] + + To make this dream a reality some additional https://wiki.jenkins.io/display/JENKINS/DockerHub+Plugin[plugins] had to be created - but this leaves the possibility of working with the docker hub (builds, stores images) and Jenkins (workflow, testing, deployment) to build out some kind of a continuous pipeline for handling docker based apps. I attempted to describe this more https://developer-blog.cloudbees.com/2014/07/announcing-dockerhub-jenkins-plugin.html[here]. + + + + This image is maintained in this github https://github.com/cloudbees/jenkins-ci.org-docker[repo] and the official images are build by the https://github.com/docker/stackbrew["stackbrew" system]. (We may move this repo to the jenkinsci github group shortly so keep an eye out). + + + It will be interesting to watch this grow and change. +

+ Over the past 30 days or so, https://github.com/jenkinsci/acceptance-test-harness/[the acceptance test project] has made a great progress. + + + This project consists of a reusable harness that can be used by plugin developers and users to write functional test cases. These tests can be run against Jenkins instances that are deployed in https://github.com/jenkinsci/acceptance-test-harness/blob/master/docs/CONTROLLER.md[all sorts of different ways], and can interact with https://github.com/jenkinsci/acceptance-test-harness/blob/master/docs/FIXTURES.md[complex real fixtures]. These tests can be also run with specific version of Jenkins core and a combination of plugins. + + + The number of tests have https://jenkins.ci.cloudbees.com/job/core/job/acceptance-test-harness/[steadily increased to above 300]. Several of those are by https://github.com/eidottermihi[Michael Prankl], where he tests https://github.com/jenkinsci/acceptance-test-harness/blob/master/src/test/java/plugins/LdapPluginTest.java[the LDAP plugin with the real OpenLDAP server instance] that runs inside Docker — a kind of test that just wasn't possible before can be now easily written. + + + https://github.com/jenkinsci/acceptance-test-harness/graphs/contributors[More than a dozen people] have contributed. https://github.com/jenkinsci/acceptance-test-harness/commits/master[A dozen changes are going in every single day], and more are coming — for example, Stephen is working on modularizing this harness and adding new pieces that allow people to do scalability and load testing. That'll be a part of this effort soon. + + + If you are one of the large scale users who are interested in automating some of your Jenkins acceptance testing, please https://groups.google.com/forum/#!forum/jenkinsci-dev[drop us a note at the DEV list] so that we can work together. You can also watch the recording of our last https://wiki.jenkins.io/display/JENKINS/Office+Hours[office hours] where I demoed how you'd develop a test on top of this: + + + + + I think we all agree that this is an important effort/ Looking forward to joining the efforts with more people in the community! + +

+ The final LTS release of the 1.532.x line is out today. You can download it from http://mirrors.jenkins-ci.org/[the usual location]. Changelog is https://jenkins-ci.org/changelog-stable[here]. + + + Starting with the next 1.554.x LTS, the release model will https://wiki.jenkins.io/display/JENKINS/LTS+Release+Line[switch to the train model], where we commit to dates and get whatever we can ship by that date. + + + You can see https://jenkins-ci.org/content/event-calendar[the scheduled dates in our event calendar]. Backporting window for 1.554.1 is almost closing, so if you want to have your favorite issues nominated for it, please see https://wiki.jenkins.io/display/JENKINS/LTS+Release+Line[the process] in the Wiki and hurry!

We just posted the updated Long-term Release (LTS) of 1.409.2. + Just as a recap, with LTS releases, we plan on providing a release train that only has backported changes. 1.409.2 contains https://jenkins-ci.org/changelog-stable[a handful of important bug fixes] since 1.409.1. For more about LTS, https://wiki.jenkins.io/display/JENKINS/LTS+Release+Line[see this wiki page]. + + + Thanks to the heroic effort of those who are involved, namely Vojtech Juranek and a bunch of heroes, this release went through a rather rigorous testing, including all the automated tests we have plus https://wiki.jenkins.io/display/JENKINS/LTS+1.409.x+RC+Testing[a considerable number of manual eye-ball tests]. + + + To download, click the "Long-Term Support Release" tab from https://jenkins-ci.org/[the top page]. If you've already been using LTS, you should start receiving update notifications soon.

A couple of months ago Jenkins embarked on an new project, the Jenkins "LTS" (Long Term Support) release line. A LTS branch of development is common in most major open source projects, especially those with substantial corporate adoption, so this was a great step for the project as a whole. We’re now coming up on the second LTS release, which will be an incremental update to the previous one (1.409.1) with only the most important fixes back-ported to the branch. Now is when we need your help. We need testers and interested parties from the community to help verify the stability of the planned LTS update, 1.409.2, which is now in the release candidate stages. The testing of 1.409.2 has been spearheaded by community member vjuranek who has created this fantastic test matrix to help coordinate testing of release candidates. The LTS project is entirely community driven, so your input is invaluable in making these releases successful. If you’re interested in helping, speak up on the -dev mailing list and start pitching in on the test matrix!