In response to the zero-day vulnerability we fixed in November, I wrote the following:

In early February, several project contributors met after FOSDEM for a one day hackathon. I looked into the feasibility of a purely SSH-based CLI. While I considered the experiment to be a success, it was far from ready to be used in a production environment.

A few weeks later, long-time contributor and Jenkins security team member Jesse Glicktook over, and published a detailed proposal for a new, simple CLI protocol without remoting.

In just a month, he implemented his proposal, and I’m very happy to announce that this new implementation of the Jenkins CLI has now made it into 2.54!

Existing jenkins-cli.jar clients should continue working as before, unless an administrator disables the remoting connection mode in Configure Global Security. That said, we recommend you download the new jenkins-cli.jar in Jenkins, and use its the new -http mode. With few (now deprecated) exceptions, CLI commands work like before. This will allow you to disable the remoting mode for the CLI on the Jenkins master to prevent similar vulnerabilities in the future.

SSH-based CLI use should be unaffected by this change. Note that new Jenkins instances now start with the SSH server port disabled, and the configuration option for that was moved into Configure Global Security.

You can learn all about the CLI and its new behavior in the Jenkins handbook.

Blue Ocean is a new user experience for Jenkins, and version 1.0 is now live! Blue Ocean makes Jenkins, and continuous delivery, approachable to all team members. In my previous post, I showed how easy it is to create and edit Declarative Pipelines using the Blue Ocean Visual Pipeline Editor. In this video, I’ll use the Blue Ocean Activity View to track the state of branches and Pull Requests in one project. Blue Ocean makes it so much easier to find the logs I need to triage failures.

Please Enjoy! In my next video, I’ll switch from looking at a single project to monitoring multiple projects with the Blue Ocean Dashboard.

I am excited to announce the agenda forJenkins World 2017. This year’s event promises to have something for everyone - whether you are a novice, intermediate, or advanced user…​you are covered. Jenkins World 2017 consists of 6 tracks, 60+ Jenkins and DevOps sessions, 40+ industry speakers, 16+ training and workshops.

Here is a sneak peek at Jenkins World 2017:

Blue Ocean is a new user experience for Jenkins, and version 1.0 is now live! Blue Ocean makes Jenkins, and continuous delivery, approachable to all team members. In my previous post, I used the Blue Ocean Activity View to track the state of branches and Pull Requests in one project. In this video, I’ll use the Blue Ocean Dashboard get a personalized view of the areas that of my project that are most important to me, and also to monitor multiple projects. Please Enjoy!

Continuous Delivery and DevOps are well known and widely spread practices nowadays. It is commonly accepted that it is crucial to form great teams and define shared goals first and then choose and integrate the tools fitting best to given tasks. Often it is a mashup of lightweight tools, which are integrated to build up Continuous Delivery pipelines and underpin DevOps initiatives. In this blog post, we zoom in to an important part of the overall pipeline, that is the discipline often called Continuous Inspection, which comprises inspecting code and injecting a quality gate on that, and show how artifacts can be uploaded after the quality gate was met. DevOps enabler tools covered are Jenkins, SonarQube, and Artifactory.

One of the most frequently asked questions for managing a Jenkins instance is "How do I make it secure?" Like any other web application, these issues must be solved:

This blog post details how to securely connect to a Jenkins instance and how to setup a read-only public dashboard. We’ll cover topics like: setting up a reverse proxy, blocking inbound requests to certain URLs and ports, enabling project-based authorization, and making the Jenkins agents accessible through the JNLP protocol.

We just released security updates to Jenkins, versions 2.57 and 2.46.2, that fix several security vulnerabilities, including a critical one.

That critical vulnerability is an unauthenticated remote code execution via the remoting-based CLI.When I announced the fix for the previous vulnerability of this kind, I announced our plans to revisit the design of the CLI that enabled this class of vulnerabilities.

Since Jenkins 2.54, we now have a new CLI implementation that isn’t based on remoting, and deprecated its remoting mode. Despite it being a major feature, we decided to backport it to 2.46.2, so LTS users can also disable the unsafe remoting mode while retaining almost all of the CLI’s existing functionality.

For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide. I recommend you read these documents, especially if you’re using the CLI with Jenkins LTS, as there are possible side effects of these fixes.

Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security.

The Jenkins project has learned that a company is trying to register "Jenkins" as a trademark in Colombia. This is alarming for us, and we are trying to oppose it. In order to do this effectively, we need to hear from Colombian users of Jenkins.

The Jenkins project owns a trademark "Jenkins" in the U.S., through a non-profit entity SPI Inc. According to experts on the subject citing the "Washington Convention", our trademark registration in the U.S. does give us some strength in the argument to oppose this. To successfully mount this argument however, we need to be able to show that Jenkins has significant usage and awareness in Colombia. Users, installations, meetups, conference talks, anything of that nature will help.

Those of you with the project for a long time might recall that the name "Jenkins" was born because of a trademark issue with Oracle. So we are particularly sensitive to the issue is trademarks. We want to make sure the same tragedy won’t happen again.

If you know anything about the usage and the name recognition of Jenkins in Colombia, please let us know by submitting the information here. We know that Jenkins is popular in Colombia, because our website traffic shows that Colombian Jenkins users are the third most frequent visitors to jenkins.io in South America after Brazil and Argentina.

This information will be only shared with the Jenkins project board and those involved in the defense, and for the sole purpose of defending the trademark and nothing more.

Please help us spread the word. Thanks!

El proyecto Jenkins se ha enterado de que una compañía está intentando registrar "Jenkins" como marca registrada en Colombia. Esto es alarmante y estamos tratando de oponernos. Para hacerlo de manera efectiva, necesitamos escuchar a los usuarios colombianos de Jenkins.

El proyecto Jenkins posee una marca registrada "Jenkins" en los Estados Unidos, a través de una entidad sin ánimo de lucro SPI Inc. Según los expertos en la materia citando la "Convención de Washington", nuestro registro de marca en los EE.UU. nos da algo de fuerza para oponernos. Sin embargo, para argumentar con éxito, tenemos que ser capaces de demostrar que Jenkins tiene un uso significativo y es conocido en Colombia. Usuarios, instalaciones, encuentros, conferencias, cualquier cosa de ese tipo ayudará.

Aquellos que llevan mucho tiempo con el proyecto pueden recordar que el nombre "Jenkins" nació debido a un problema de marca con Oracle. Por lo tanto, estamos especialmente sensibles al tema de las marcas registradas. Queremos asegurarnos de que el mismo problema no vuelva a ocurrir.

Si sabe algo sobre el uso y el reconocimiento del nombre Jenkins en Colombia, por favor háganoslo saber enviando la información aquí. Sabemos que Jenkins es popular en Colombia, porque nuestro sitio web de tráfico muestra que los usuarios colombianos de Jenkins son los terceros visitantes más frecuentes a jenkins.io en América del Sur después de Brasil y Argentina.

Esta información sólo se compartirá con el comité de proyecto de Jenkins y los involucrados en la defensa, y con el único propósito de defender la marca y nada más.

Por favor, ayúdenos a difundir la palabra. ¡Gracias!

This year at Jenkins World 2017, the Jenkins community will celebrate the Most Valuable Contributor, a Jenkins Security MVP, and the Most Valuable Advocate.

This will be the first year we are commemorating community members who have shown excellence through commitment, creative thinking, and contributions to continue making Jenkins a great open source automation server. Special thanks to CloudBees for the generous donations to make this program possible.

With that said, the Jenkins Community Award nomination is currently open. Nominate your story, or that of a fellow contributor, for recognition at Jenkins World. Ee sure to join us atJenkins World 2017 in San Francisco on August 28-31 to hear the winners announced.

Nominations will be accepted until June 16, 2017.Nominate someone today!

With theongoing migration to Azure, I would like to share my thoughts regarding one of the biggest challenges we have faced thus far: orchestrating container infrastructure. Many of the Jenkins project’s applications are run as Docker containers, making Kubernetes a logical choice as far as running our containers, but it presents its own set of challenges. For example, what would the workflow from development to production look like?

Before going deeper into the challenges, let’s review the requirements we started with:

A high level overview of our "infrastructure as code" workflow would look like:

We identified two possible approaches for implementing our container orchestration with Kubernetes:

Let’s discuss these two approaches in detail.

I’ve only been working with Pipeline for about a year. Pipeline in and of itself has been a huge improvement over old-style Jenkins projects. As a developer, it has been so great be able work with Jenkins Pipelines using the same tools I use for writing any other kind of code.

I’ve also found a number of tools that are super helpful specifically for developing pipelines. Some were easy to find like the built-in documentation and theSnippet Generator. Others were not as obvious or were only recently released. In this post, I’ll show how a few of those tools make working with Pipelines even better.

The Blue Ocean team are proud to announce the release of Blue Ocean 1.1. We’ve shipped a tonne of small improvements, features and bug fixes here that will make your day-to-day experience with Blue Ocean even smoother.

Today is also the first time we are promoting our Public Roadmap. We recognise that using JIRA can be a bit of a pain to track what we are working on at a macro level and the Public Roadmap makes it very easy for anyone to find out what we are working on. We’ve got some really cool stuff coming, so check back here soon!

It’s been an insane two months since the launch of Blue Ocean 1.0 and there are now officially over 10,000 teams using Blue Ocean – so here’s a big “thank you” to all of you for your support.

Now, lets get to the goods!

We have received a good number of nominations for the Jenkins World 2017 Community Awards. These nominations are indicative of the excellent work Jenkins members are doing for the betterment of Jenkins.

The deadline for nomination is this Friday, June 16.

This will be the first year we are commemorating community members who have shown excellence through commitment, creative thinking, and contributions to continue making Jenkins a great open source automation server. The award categories includes:

Submit your story, or nominate someone today! Winners will be announced at Jenkins World 2017 in San Francisco on August 28-31.

We look forward to hearing about the great Jenkins work you are doing.

Jenkins World is approaching fast, and the event staff are all busy preparing. I’ve decided to do something different this year as part of my keynote: I want to invite a few Jenkins users like you come up on stage with me.

There have been amazing developments in Jenkins over the past year. For my keynote, I want highlight how the new Jenkins (Pipeline as code with the Jenkinsfile, no more creating jobs,Blue Ocean) is different and better than the old Jenkins (freestyle jobs, chaining jobs together, etc.). All these developments have helped Jenkins users, and it would be more meaningful to have fellow users, like you, share their stories about how recent Jenkins improvements like Pipeline and Blue Ocean have positively impacted them.

If you’re interested sharing your story, please complete this form so that I can contact you. This is a great opportunity to let the rest of the world (and your boss!) hear about your accomplishments. You’ll also get into Jenkins World for free and get to join me backstage. If you concerns about traveling to Jenkins World, I’m happy to discuss helping with that as well.

I look forward to hearing from you.

Jenkins Pipeline has fundamentally changed how users can orchestrate their pipelines and workflows. Essentially, anything that you can do in a script or program can now be done in a Jenkinsfile or in a pipeline script created within the application. But just because you can do nearly anything directly in those mechanisms doesn’t mean you necessarily should.

In some cases, it’s better to abstract the functionality out separately from your main Pipeline. Previously, the main way to do this in Jenkins itself was through creating plugins. With Jenkins 2 and the tight incorporation of Pipeline, we now have another approach – shared libraries.

Shared libraries provide solutions for a number of situations that can be challenging or time-consuming to deal with in Pipeline. Among them:

To understand how to use shared libraries in Pipeline, we first need to understand how they are constructed. A shared library for Jenkins consists of a source code repository with a structure like the one below:

Each of the top-level directories has its own purpose.

The resources directory can have non-groovy resources that get loaded via the libraryResource step. Think of this as a place to store supporting data files such as json files.

The src directory uses a structure similar to the standard Java src layout. This area is added to the classpath when a Pipeline that includes this shared library is executed.

The vars directory holds global variables that should be accessible from pipeline scripts. A corresponding .txt file can be included that defines documentation for objects here. If found, this will be pulled in as part of the documentation in the Jenkins application.

Although you might think that it would always be best to define library functions in the src structure, it actually works better in many cases to define them in the vars area. The notion of a global variable may not correspond very well to a global function, but you can think of it as the function being a global value that can be pulled in and used in your pipeline. In fact, to work in a declarative style pipeline, having your function in the vars area is the only option.

Let’s look at a simple function that we can create for a shared library. In this case, we’ll just wrap picking up the location of the Gradle installation from Jenkins and calling the corresponding executable with whatever tasks are passed in as arguments. The code is below:

Notice that we are using a structured form here with the def call syntax. This allows us to simply invoke the routine in our pipeline (assuming we have loaded the shared library) based on the name of the file in the vars area. For example, since we named this file gbuild.groovy, then we can invoke it in our pipeline via a step like this:

So, how do we get our shared library loaded to use in our pipeline? The shared library itself is just code in the structure outlined above committed/pushed into a source code repository that Jenkins can access. In our example, we’ll assume we’ve staged, committed, and pushed this code into a local Git repository on the system at /opt/git/shared-library.git.

Like most other things in Jenkins, we need to first tell Jenkins where this shared library can be found and how to reference it "globally" so that pipelines can reference it specifically.

First, though, we need to decide at what scope you want this shared library to be available. The most common case is making it a "global shared library" so that all Pipelines can access it. However, we also have the option of only making shared libraries available for projects in a particular Jenkins Folder structure, or those in a Multibranch Pipeline, or those in a GitHub Organization pipeline project.

To keep it simple, we’ll just define ours to be globally available to all pipelines. Doing this is a two-step process. We first tell Jenkins what we want to call the library and define some default behavior for Jenkins related to the library, such as whether we wanted it loaded implicitly for all pipelines. This is done in the Global Pipeline Libraries section of the Configure System page.

For the second part, we need to tell Jenkins where the actual source repository for the shared library is located. SCM plugins that have been modified to understand how to work with shared libraries are called "Modern SCM". The git plugin in one of these updated plugin, so we just supply the information in the same Configure System page.

After configuring Jenkins so that it can find the shared library repository, we can load the shared library into our pipeline using the @Library('<library name>') annotation. Since Annotations are designed to annotate something that follows them, we need to either include a specific import statement, or, if we want to include everything, we can use an underscore character as a placeholder. So our basic step to load the library in a pipeline would be:

Based on this step, when Jenkins runs our Pipeline, it will first go out to the repository that holds the shared library and clone down a copy to use. The log output during this part of the pipeline execution would look something like this:

Then Pipeline can call our shared library gbuild function and translate it to the desired Gradle build commands.

This is a very basic illustration of how using shared libraries work. There is much more detail and functionality surrounding shared libraries, and extending your pipeline in general, than we can cover here.

Be sure to catch my talk onExtending your Pipeline with Shared Libraries, Global Functions and External Code at Jenkins World 2017. Also, watch for my new book onJenkins 2 Up and Running which will have a dedicated chapter on this – expected to be available later this year from O’Reilly.

As in previous years, there’ll be a contributor summit at Jenkins World 2017:

Details about this year’s agenda are available on the event’s meetup page. Attending is free, and no Jenkins World ticket is needed, but RSVP if you’re going to attend to help us plan.

See you there!

In a past blog post Delivery Pipelines, we talked about pipelines which result in binaries for development versions. Now, in this blog post, I zoom in to different parts of the holistic pipeline and cover the handling of possible downstream steps once you have the binaries of development versions, in our example a Java EE WAR and a Docker image (which contains the WAR). We discuss basic concept of staging software, including further information about quality gates, and show example toolchains. This contribution particularly examines the staging from binaries from dev versions to release candidate versions and from release candidate versions to final releases from the perspective of the automation server Jenkins, integrating with the binary repository manager JFrog Artifactory and the distribution management platform JFrog Bintray, and ecosystem.

C and C++ are present in very important industries today, including Operating Systems, embedded systems, finances, research, automotive, robotics, gaming, and many more. The main reason for this is performance, which is critical to many of these industries, and cannot be compared to any other technology. As a counterpart, the C/C++ ecosystem has a few important challenges to face:

This post will show how to implement DevOps best practices for C/C++ development, using Jenkins CI, Conan C/C++ package manager, and JFrog Artifactory the universal artifact repository.

Multiple Jenkins plugins received updates today that fix several security vulnerabilities, including high severity ones:

Additionally, the SSH Plugin received a security update a few days ago.

For an overview of what was fixed, see the security advisory.

Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security.

Have you experienced that thing where you make a change in an app, and when you go to check on the results of the build, you find an error that really doesn’t seem relevant to your change? And then you notice that your build is the first in over a year. And then you realize that you have accidentally become the subject matter expert in this app.

You have no clue what change caused this failure or when that change occurred. Did one Jenkins agent become asnowflake server, accruing cruft on the file system that is not cleaned up before each build? Did some unpinned external dependency upgrade in a backwards-incompatible fashion? Did the credentials the build plan was using to connect to source control get rotated? Did a dependent system go offline? Or - and I realize that this is unthinkable - did you legitimately break a test?

Not only is this type of archaeological expedition often a bad time for the person who happened to commit to this app ("No good deed goes unpunished"), but it’s also unnecessary. There’s a simple way to reduce the cognitive load it takes to connect cause and effect: build more frequently.

One way we achieve this is by writing scripts to maintain our apps. When we build, the goal is that an equivalent artifact should be produced unless there was a change to the app in source control. As such, we pin all of our dependencies to specific versions. But we also don’t want to languish on old versions of dependencies, whether internal or external. So we also have an auto-maintain script that bumps all of these versions and commit the result.

I’ll give an example. We use docker to build and deploy our apps, and each app depends on a base image that we host in a docker registry. So a Dockerfile in one of our apps would have a line like this:

We build our base images in Jenkins and tag them with the "jenkins" $BUILD_TAG, so this app is using build 5 of the rosettastone/sweet-repo base image. Let’s say we updated our sweet-repo base image to use ubuntu 16.04 instead of 14.04 and this resulted in build 6 of the base image. Our auto-maintain script takes care of upgrading an app that uses this base image to the most recent version. The steps in the auto-maintain script look like this:

We do the same thing with library dependencies. If our Gemfile.lock is referencing an old library, running auto-maintain will update things. The same applies to our Jenkinsfile`s. If we decide to implement a new policy where we discard old builds, we update `auto-maintain so that it will bring each app into compliance with the policy, by changing, for example, this Jenkinsfile:

to this:

We try to account for these sorts of things (everything that we can) in ourauto-maintain script rather than updating apps manually, since this reduces the friction in keeping apps standardized.

Once you create an auto-maintain script (start small), you just have to run it. We run ours based on both "actions" and "non-actions." When an internal library changes, we kick off app builds, so a library’s Jenkinsfile might look like this:

When auto-maintain updates something in an app, we have it commit the change back to the app, which in turn triggers a build of that app, and—​if all is well—​a production deployment.

The only missing link then for avoiding one-year build droughts is to get around the problem where auto-commit isn’t actually updating anything in a certain app. If no dependencies are changing, or if the technology in question is not receiving much attention, auto-maintain might not do anything for an extended period of time, even if the script is run on a schedule usingcron. For those cases, putting a cron trigger in the Pipeline for each app will ensure that builds still happen periodically:

In most cases, these periodic builds won’t do anything different from the last build, but when something does break, this strategy will allow you to decide when you find out about it (by making your cron @weekly, @daily, etc) instead of letting some poor developer find out about it when they do something silly like commit code to an infrequently-modified app.