diff --git a/CHANGELOG.md b/CHANGELOG.md index 8dbaa3c2..6550e3f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [v2.452.4-1] - 2024-08-26 +### Changed +- Upgrade Jenkins to 2.452.4 +- Use OpenJDK 17 as default JVM (#161) + - Update docs for "Building with custom OpenJDK versions" + +### Removed +- OpenJDK 8 is no longer supported on jenkins controller node - please use dedicated agents to build legacy projects + +### Security +- Fix CVE-2024-43044 + ## [v2.452.2-2] - 2024-08-15 ### Changed - [#166] Upgrade OpenJDK to 11.0.24-1 diff --git a/Dockerfile b/Dockerfile index 9166924b..4301b891 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,8 @@ # cesi/scm -FROM registry.cloudogu.com/official/java:11.0.24-1 +FROM registry.cloudogu.com/official/java:17.0.12-1 LABEL NAME="official/jenkins" \ - VERSION="2.452.2-2" \ + VERSION="2.452.4-1" \ maintainer="hello@cloudogu.com" # jenkins home configuration @@ -12,15 +12,15 @@ ENV JENKINS_HOME=/var/lib/jenkins \ # mark as webapp for nginx SERVICE_TAGS=webapp \ # jenkins version - JENKINS_VERSION=2.452.2 \ - SHA256_JENKINS_WAR="360efc8438db9a4ba20772981d4257cfe6837bf0c3fb8c8e9b2253d8ce6ba339" \ + JENKINS_VERSION=2.452.4 \ + SHA256_JENKINS_WAR="eddec1d771e04b009a7027facd02bb79762057b9a393c09ad62509e234a91ae9" \ # glibc for alpine version GLIBC_VERSION=2.35-r1 \ SHA256_GLIB_APK="276f43ce9b2d5878422bca94ca94e882a7eb263abe171d233ac037201ffcaf06" \ SHA256_GLIB_BIN_APK="ee13b7e482f92142d2bec7c4cf09ca908e6913d4782fa35691cad1d9c23f179a" \ SHA256_GLIB_I18N_APK="94c6f9ed13903b59d5c524c0c2ec9a24ef1a4c2aaa93a8a158465a9e819a8065" \ # additional java version for legacy builds - ADDITIONAL_OPENJDK8_VERSION="8.402.06-r0" + ADDITIONAL_OPENJDK11_VERSION="11.0.24_p8-r0" # Jenkins is ran with user `jenkins`, uid = 1000 
@@ -37,7 +37,7 @@ RUN set -o errexit \ # coreutils and ttf-dejavu is required because of java.awt.headless problem: # - https://wiki.jenkins.io/display/JENKINS/Jenkins+got+java.awt.headless+problem && apk add --no-cache coreutils ttf-dejavu openssh-client git subversion mercurial curl gcompat \ - && apk add openjdk8="$ADDITIONAL_OPENJDK8_VERSION" \ + && apk add openjdk11="$ADDITIONAL_OPENJDK11_VERSION" \ # could use ADD but this one does not check Last-Modified header # see https://github.com/docker/docker/issues/8331 && curl -L https://mirrors.jenkins-ci.org/war-stable/${JENKINS_VERSION}/jenkins.war -o /jenkins.war \ diff --git a/docs/development/plugin_compatibility_de.md b/docs/development/plugin_compatibility_de.md new file mode 100644 index 00000000..8a6a9926 --- /dev/null +++ b/docs/development/plugin_compatibility_de.md 
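Review bot: The new `apk add openjdk11="$ADDITIONAL_OPENJDK11_VERSION"` line omits `--no-cache`, unlike the `apk add --no-cache coreutils ...` line directly above it, so any package index it fetches stays in the image layer. Suggest `&& apk add --no-cache openjdk11="$ADDITIONAL_OPENJDK11_VERSION" \`. The exact `=` pin may also stop resolving once the Alpine repository of the base image moves to a newer package revision. A short comment next to `ADDITIONAL_OPENJDK11_VERSION` saying it must be re-checked on every base-image bump would help. The RUN instruction starts and ends outside this hunk.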
@@ -0,0 +1,22 @@
+# Plugin-Kompatibilitätsliste
+
+Diese Liste dient der Dokumentation der Kompatibilität der einzelnen Plugins, die derzeit in Jenkins verwendet werden.
+
+## Mit Dogu installierte Plugins
+
+| Plugin | Version | Aktiviert | Getestet mit JDK 11 | Getestet mit JDK 17 | Getestet mit JDK 21 | Funktional getestet |
+|-----------------------------------|----------------------|-----------|---------------------|---------------------|---------------------|---------------------|
+| Mailer Plugin | 472.vf7c289a_4b_420 | j | j | j | j | n |
+| CAS Plugin | 1.6.3 | j | n | n | n | j |
+| Git | 5.2.1 | j | n | j | j | n |
+| Mercurial | 1260.vdfb_723cdcc81 | j | n | n | n | j |
+| Subversion | 1256.vee91953217b_6 | j | n | j | j | n |
+| SCM Manager | 1.9.3 | j | j | j | n | n |
+| Pipeline (Workflow Aggregator) | 596.v8c21c963d92d | j | n | j | j | n |
+| Matrix Auth | 3.2.2 | j | n | j | j | n |
+| Maven Plugin | 3.23 | j | n | j | n | n |
+| Credentials Binding Plugin | 657.v2b_19db_7d6e6d | j | n | j | n | n |
+| SSH Build Agents plugin | 2.948.vb_8050d697fec | j | n | j | j | n |
+| Pipeline: GitHub Groovy Libraries | 42.v0739460cda_c4 | j | n | n | j | n |
+| Authorize Project | 1.7.1 | j | n | j | j | n |
+| Pipeline: Stage View Plugin | 2.34 | j | n | n | j | n |
\ No newline at end of file
diff --git a/docs/development/plugin_compatibility_en.md b/docs/development/plugin_compatibility_en.md
new file mode 100644
index 00000000..cca19bf5
--- /dev/null
+++ b/docs/development/plugin_compatibility_en.md
@@ -0,0 +1,22 @@
+# Plugin compatibility list
+
+This list serves as documentation of the compatibility of individual plugins that are currently used in Jenkins.
+
+## Plugins installed with Dogu
+
+| Plugin | Version | Enabled | Test JDK 11 | Test JDK 17 | Test JDK 21 | Test Functional |
+|-----------------------------------|----------------------|---------|-------------|-------------|-------------|-----------------|
+| Mailer Plugin | 472.vf7c289a_4b_420 | y | y | y | y | n |
+| CAS Plugin | 1.6.3 | y | n | n | n | y |
+| Git | 5.2.1 | y | n | y | y | n |
+| Mercurial | 1260.vdfb_723cdcc81 | y | n | n | n | y |
+| Subversion | 1256.vee91953217b_6 | y | n | y | y | n |
+| SCM Manager | 1.9.3 | y | y | y | n | n |
+| Pipeline (Workflow Aggregator) | 596.v8c21c963d92d | y | n | y | y | n |
+| Matrix Auth | 3.2.2 | y | n | y | y | n |
+| Maven Plugin | 3.23 | y | n | y | n | n |
+| Credentials Binding Plugin | 657.v2b_19db_7d6e6d | y | n | y | n | n |
+| SSH Build Agents plugin | 2.948.vb_8050d697fec | y | n | y | y | n |
+| Pipeline: GitHub Groovy Libraries | 42.v0739460cda_c4 | y | n | n | y | n |
+| Authorize Project | 1.7.1 | y | n | y | y | n |
+| Pipeline: Stage View Plugin | 2.34 | y | n | n | y | n |
\ No newline at end of file
diff --git a/docs/development/upgrade_guide_de.md b/docs/development/upgrade_guide_de.md
new file mode 100644
index 00000000..2c7c4912
--- /dev/null
+++ b/docs/development/upgrade_guide_de.md
@@ -0,0 +1,5 @@
+# Basis-Image aktualisieren
+
+Wenn das Basis-Image aktualisiert werden muss und sich die Java-Version ändert, benötigt Jenkins immer noch die vorherige openjdk-Version
+um Legacy-Builds zu unterstützen. Laden Sie die alte openjdk-Version mit `apk add openjdk=` in
+der Dockerdatei herunter und erweitern Sie die Version im openjdk-Installationsgroovy-Skript `init100NORMjdkautoinstall.groovy`.
\ No newline at end of file
diff --git a/docs/gui/release_notes_de.md b/docs/gui/release_notes_de.md
index dcef7403..8bc1cc07 100644
--- a/docs/gui/release_notes_de.md +++ b/docs/gui/release_notes_de.md @@ -4,6 +4,15 @@ Im Folgenden finden Sie die Release Notes für das Jenkins-Dogu. Technische Details zu einem Release finden Sie im zugehörigen [Changelog](https://docs.cloudogu.com/de/docs/dogus/jenkins/CHANGELOG/). +## Release 2.452.4-1 +* Das Dogu bietet nun die Jenkins-Version 2.452.4 an. Die Release Notes von Jenkins finden Sie [hier](https://www.jenkins.io/changelog-stable/2.452.4/). +* Die Standard JVM im Jenkins ist nun JDK17. JDK11 wird weiterhin unterstützt, mehr Informationen finden Sie [hier](https://docs.cloudogu.com/de/docs/dogus/jenkins/operations/Building_with_custom_Java/). +* Der CVE [CVE-2024-43044](https://nvd.nist.gov/vuln/detail/CVE-2024-43044) wird mit dem Update behoben. + +### Breaking Changes +* Durch das Upgrade auf JDK17 müssen die Build Nodes (Agents) ebenfalls auf JDK17 geupdated werden. Weitere Informationen finden Sie [hier](https://www.jenkins.io/doc/book/platform-information/upgrade-java-to-17/#jvm-version-on-agents). +* JDK8 wird vom Jenkins Dogu nicht mehr unterstützt. Hierdurch können keine Projekte mehr mit Java-Version 8 auf dem Jenkins Dogu selbst gebaut werden. Bitte verwenden Sie dedizierte Build Nodes (Agents) falls Sie Java-Version 8 weiterhin nutzen wollen. + ## Release 2.452.2-2 * Behebung von kritischem CVE-2024-41110 in Bibliotheksabhängigkeiten. Diese Schwachstelle konnte jedoch nicht aktiv ausgenutzt werden. diff --git a/docs/gui/release_notes_en.md b/docs/gui/release_notes_en.md index 18d0570a..6af732a8 100644 --- a/docs/gui/release_notes_en.md +++ b/docs/gui/release_notes_en.md 
@@ -4,6 +4,15 @@ Below you will find the release notes for the Jenkins Dogu. Technical details on a release can be found in the corresponding [Changelog](https://docs.cloudogu.com/en/docs/dogus/jenkins/CHANGELOG/). +## Release 2.452.4-1 +* The Dogu now provides the Jenkins version 2.452.4. You can find the Jenkins release notes [here](https://www.jenkins.io/changelog-stable/2.452.4/). +* The default JVM in Jenkins is now JDK17. JDK8 and JDK11 are still supported, for more information see [here](https://docs.cloudogu.com/en/docs/dogus/jenkins/operations/Building_with_custom_Java/). +* The CVE [CVE-2024-43044](https://nvd.nist.gov/vuln/detail/CVE-2024-43044) will be fixed with this update. + +### Breaking Changes +* By upgrading to JDK17, the build nodes (agents) must also be updated to JDK17. Further information can be found [here](https://www.jenkins.io/doc/book/platform-information/upgrade-java-to-17/#jvm-version-on-agents). +* JDK8 is no longer supported by the Jenkins Dogu. This means that projects with Java version 8 can no longer be built on the Jenkins Dogu itself. Please use dedicated build nodes (agents) if you want to continue using Java version 8. + ## Release 2.452.2-2 * Fix of critical CVE-2024-41110 in library dependencies. This vulnerability could not be actively exploited, though. diff --git a/docs/operations/Building_with_custom_Java_de.md b/docs/operations/Building_with_custom_Java_de.md index 47c7c1bf..60e65b1b 100644 --- a/docs/operations/Building_with_custom_Java_de.md +++ b/docs/operations/Building_with_custom_Java_de.md 
@@ -4,15 +4,15 @@ title: "Bauen mit speziellen OpenJDK-Versionen" # Bauen mit speziellen OpenJDK-Versionen -Seit Jenkins Dogu Version 2.361.1 ist die Standard-OpenJDK-Version 11 oder 17. Wenn Sie weiterhin ältere OpenJDK z.B. 8 oder 11 für Ihre Builds verwenden möchten, gehen Sie wie folgt vor. +Seit dem Jenkins Dogu in Version 2.361.1 ist die Standard-OpenJDK-Version 11 oder 17. Wenn Sie weiterhin ältere OpenJDK-Versionen z.B. 11 für Ihre Builds verwenden möchten, gehen Sie wie folgt vor. ## Projekt-Builds -In Standard-Java-Build-Projekten können Sie das JDK einfach über die Projektkonfiguration in Jenkins ändern; wählen Sie einfach "OpenJDK-8" oder "OpenJDK-11" in der Kategorie "JDK". +Für Standard-Java-Build-Projekte können Sie das JDK einfach über die Projektkonfiguration in Jenkins ändern. Wählen Sie hierfürch einfach "OpenJDK-11" in der Kategorie "JDK". ## Pipeline-Builds -Bei Pipeline-Builds müssen Sie Ihr Pipeline-Skript anpassen, um OpenJDK 8 oder 11 zu verwenden. +Bei Pipeline-Builds müssen Sie Ihr Pipeline-Skript anpassen, um 11 zu verwenden. ### Deklarative Syntax @@ -22,7 +22,7 @@ Beispiel ``` stage("Java-Version abrufen"){ tools { - jdk "OpenJDK-8" + jdk "OpenJDK-11" } steps{ sh 'java -version' @@ -37,7 +37,7 @@ verwenden, zum Beispiel: ``` stage("Java-Version holen") - def java_home = tool 'OpenJDK-8' + def java_home = tool 'OpenJDK-11' steps{ sh "'${java_home}/bin/java' -version" } @@ -49,7 +49,7 @@ Sie haben auch die Möglichkeit, Docker für Ihre Builds zu verwenden, zum Beisp ``` agent { - docker { image 'openjdk:8-jdk' } + docker { image 'openjdk:11-jdk' } } steps { sh 'java -version' @@ -58,10 +58,10 @@ steps { ## Maven-Builds -Um OpenJDK 8 in Ihren Maven-Builds zu verwenden, initialisieren Sie es auf folgende Weise: +Um OpenJDK 11 in Ihren Maven-Builds zu verwenden, initialisieren Sie es auf folgende Weise: ``` -def javaHome = tool 'OpenJDK-8' +def javaHome = tool 'OpenJDK-11' Maven mvn = new MavenWrapper(this, javaHome) ``` 
@@ -71,7 +71,7 @@ Unter Verwendung der [ces-build-lib](https://github.com/cloudogu/ces-build-lib) Docker bauen: ``` -Maven mvn = new MavenInDocker(this, "3.5.0-jdk-8") +Maven mvn = new MavenInDocker(this, "3.5.4-jdk-11") mvn ... ``` @@ -79,7 +79,7 @@ oder ``` Maven mvn = new MavenWrapper(this) -new Docker(this).image('openjdk:8-jdk').mountJenkinsUser().inside{ +new Docker(this).image('openjdk:11-jdk').mountJenkinsUser().inside{ mvn ... } ``` \ No newline at end of file diff --git a/docs/operations/Building_with_custom_Java_en.md b/docs/operations/Building_with_custom_Java_en.md index d451fca5..cb318624 100644 --- a/docs/operations/Building_with_custom_Java_en.md +++ b/docs/operations/Building_with_custom_Java_en.md @@ -4,15 +4,14 @@ title: "Building with custom OpenJDK versions" # Building with custom OpenJDK versions -Since Jenkins Dogu version 2.361.1, the default OpenJDK version is 11 or 17. If you still want to use older OpenJDK e.g. 8 or 11 for your builds do the following. +Since Jenkins Dogu version 2.361.1, the default OpenJDK version is 11 or 17. If you still want to use older OpenJDK version e.g. 11 for your builds do the following. ## Project builds -In standard Java build projects, you can easily change the JDK via the project configuration in Jenkins; select "OpenJDK-8" or "OpenJDK-11" in the "JDK" category. - +For standard Java build projects, you can easily change the JDK via the project configuration in Jenkins. To do this, simply select "OpenJDK-11" in the "JDK" category. ## Pipeline builds -Pipeline builds require you to customize your pipeline script to use OpenJDK 8 or 11. +Pipeline builds require you to customize your pipeline script to use OpenJDK 11. ### Declarative syntax @@ -22,7 +21,7 @@ For example: ``` stage("Get Java version"){ tools { - jdk "OpenJDK-8" + jdk "OpenJDK-11" } steps{ sh 'java -version' 
@@ -37,7 +36,7 @@ For example: ``` stage("Get Java version") - def java_home = tool 'OpenJDK-8' + def java_home = tool 'OpenJDK-11' steps{ sh "'${java_home}/bin/java' -version" } @@ -49,7 +48,7 @@ You also have the option to use Docker for your builds, for example: ``` agent { - docker { image 'openjdk:8-jdk' } + docker { image 'openjdk:11-jdk' } } steps { sh 'java -version' @@ -58,10 +57,10 @@ steps { ## Maven builds -To use OpenJDK 8 in your Maven builds, initialize it in the following way: +To use OpenJDK 11 in your Maven builds, initialize it in the following way: ``` -def javaHome = tool 'OpenJDK-8' +def javaHome = tool 'OpenJDK-11' Maven mvn = new MavenWrapper(this, javaHome) ``` @@ -70,7 +69,7 @@ Maven mvn = new MavenWrapper(this, javaHome) Using the [ces-build-lib](https://github.com/cloudogu/ces-build-lib), you can easily build your Maven project in Docker: ``` -Maven mvn = new MavenInDocker(this, "3.5.0-jdk-8") +Maven mvn = new MavenInDocker(this, "3.5.4-jdk-11") mvn ... ``` @@ -78,7 +77,7 @@ or ``` Maven mvn = new MavenWrapper(this) -new Docker(this).image('openjdk:8-jdk').mountJenkinsUser().inside{ +new Docker(this).image('openjdk:11-jdk').mountJenkinsUser().inside{ mvn ... } ``` diff --git a/dogu.json b/dogu.json index 3a80befe..6d90dcd4 100644 --- a/dogu.json +++ b/dogu.json @@ -1,6 +1,6 @@ { "Name": "official/jenkins", - "Version": "2.452.2-2", + "Version": "2.452.4-1", "DisplayName": "Jenkins CI", "Description": "Jenkins Continuous Integration Server", "Category": "Development Apps", diff --git a/resources/upgrade-notification.sh b/resources/upgrade-notification.sh index a1ad64ab..7ef94217 100755 --- a/resources/upgrade-notification.sh +++ b/resources/upgrade-notification.sh 
@@ -32,3 +32,10 @@ if [ "2.249.3-1" == "$(printf "%s\\n2.249.3-1" "${TO_VERSION}" | sort | head -n1
 printf "\nYou are upgrading the Jenkins dogu to version 2.249.3-1 or higher. DO NOT change the CES global admin group at the same time!"
 printf "\nIf you have changed the global admin group (via /config/_global/admin_group etcd key), restart the Jenkins dogu before upgrading it!"
 fi
+
+# print upgrade notice for jenkins based on java 17
+if [ "2.440.3-1" == "$(printf "%s\\n2.440.3-1" "${TO_VERSION}" | sort | head -n1)" ] && [ "2.440.3-1" != "$(printf "%s\\n2.440.3-1" "${FROM_VERSION}" | sort | head -n1)" ]; then
+ printf "\nYou are upgrading the Jenkins dogu to version 2.440.3-1 or higher. There have been changes to the installed jdk version. \\nSince 2.440.3-1, Jenkins is based on OpenJDK version 17. \nLegacy builds using the internal jdk of Jenkins must switch to the configured jdk \"OpenJDK-11\"."
+ printf "\nBe aware that the JVM on all agents must be updated to Java 17 as well."
+ printf "\nFor more information see %s \n\n" "https://www.jenkins.io/doc/book/platform-information/upgrade-java-to-17/#jvm-version-on-agents"
+fi
diff --git a/resources/var/tmp/resources/init.groovy.d/scripts/init030CRITinstallplugins.groovy b/resources/var/tmp/resources/init.groovy.d/scripts/init030CRITinstallplugins.groovy
index 209ccee5..c864fc0e 100644
--- a/resources/var/tmp/resources/init.groovy.d/scripts/init030CRITinstallplugins.groovy
+++ b/resources/var/tmp/resources/init.groovy.d/scripts/init030CRITinstallplugins.groovy
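Review bot: The threshold `2.440.3-1` in the new condition does not match the release that switches the controller to Java 17. This commit's changelog lists "Use OpenJDK 17 as default JVM" under v2.452.4-1, and its Dockerfile moves the base image from `java:11.0.24-1` to `java:17.0.12-1`. Because the second test requires FROM_VERSION to sort before `2.440.3-1`, an upgrade from 2.452.2-2 prints nothing, so operators get no warning that agent JVMs must also move to Java 17. Use `2.452.4-1` in both comparisons and in the message text that names the version. Separately, plain `sort` orders the strings lexically, so `sort -V` would be the safer comparison, provided the `sort` available where this script runs supports it.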
@@ -133,6 +133,8 @@ if (updateCenter.isRestartRequiredForCompletion()) { jenkins.restart(); } -if (!isVersionSufficient(currentCasPlugin, MINIMAL_CAS_PLUGIN_VERSION)) { - throw new Exception("Installed cas-plugin version " + currentCasPlugin.getVersion() + " is too old. It needs to be at least " + MINIMAL_CAS_PLUGIN_VERSION); -} +if (currentCasPlugin != null) { + if (!isVersionSufficient(currentCasPlugin, MINIMAL_CAS_PLUGIN_VERSION)) { + throw new Exception("Installed cas-plugin version " + currentCasPlugin.getVersion() + " is too old. It needs to be at least " + MINIMAL_CAS_PLUGIN_VERSION); + } +} \ No newline at end of file diff --git a/resources/var/tmp/resources/init.groovy.d/scripts/init100NORMjdkautoinstall.groovy b/resources/var/tmp/resources/init.groovy.d/scripts/init100NORMjdkautoinstall.groovy index bdbc3ef2..617db915 100644 --- a/resources/var/tmp/resources/init.groovy.d/scripts/init100NORMjdkautoinstall.groovy +++ b/resources/var/tmp/resources/init.groovy.d/scripts/init100NORMjdkautoinstall.groovy @@ -10,10 +10,11 @@ print 'Starting JDK configuration\n' String JDK_8_NAME = 'OpenJDK-8' String JDK_11_NAME = 'OpenJDK-11' +String JDK_17_NAME = 'OpenJDK-17' // add more jdk-entries to the map to install multiple jdks by default -def requestedJDKVersions = [ (JDK_11_NAME): 'java-11-openjdk', (JDK_8_NAME): 'java-1.8-openjdk']; +def requestedJDKVersions = [ (JDK_17_NAME): 'java-17-openjdk', (JDK_11_NAME): 'java-11-openjdk']; -// the installations consists of all already installed jdks and all jdks definied in requestedJDKVersions +// the installations consists of all already installed jdks and all jdks defined in requestedJDKVersions def installations = []; for (jdk in requestedJDKVersions) { 
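Review bot: With the new `currentCasPlugin != null` guard, a missing cas-plugin now skips the minimum-version check without any message. If this dogu depends on that plugin for CAS login, starting without it should at least be visible in the log. Add `else { println "cas-plugin is not installed, skipping minimal version check" }`, or throw if the plugin is mandatory. The nested `if`s can also be one condition: `if (currentCasPlugin != null && !isVersionSufficient(currentCasPlugin, MINIMAL_CAS_PLUGIN_VERSION)) {`.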
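Review bot: `requestedJDKVersions` now holds `OpenJDK-17` and `OpenJDK-11`, but the keep-filter in the `for (jdk in installedJDKs)` loop still tests `JDK_11_NAME` and `JDK_8_NAME`. That filter is visible as context in the following hunk (@@ -23,6 +24,7). An already configured `OpenJDK-17` entry would therefore presumably be kept alongside the freshly requested one, producing a duplicate tool entry. Deriving the filter from the map avoids this drift: `if (!requestedJDKVersions.containsKey(jdk.getName()) && !jdk.getName().equals(JDK_8_NAME)) {`. Extend the `// do not add requestedJDKVersions` comment to say that stale `OpenJDK-8` entries are dropped on purpose because the image no longer installs that JDK. The loop body continues outside both hunks.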
@@ -23,6 +24,7 @@ for (jdk in requestedJDKVersions) { } for (jdk in installedJDKs) { + print("Installed JDK configuration ${jdk.getName()}\n") // do not add requestedJDKVersions if (!(jdk.getName().equals(JDK_11_NAME)) && !(jdk.getName().equals(JDK_8_NAME))) { print("Keeping JDK configuration ${jdk.getName()}\n") diff --git a/resources/var/tmp/resources/init.groovy.d/scripts/init140NORMconfigureLogLevels.groovy b/resources/var/tmp/resources/init.groovy.d/scripts/init140NORMconfigureLogLevels.groovy index 5f253d69..059f46c5 100644 --- a/resources/var/tmp/resources/init.groovy.d/scripts/init140NORMconfigureLogLevels.groovy +++ b/resources/var/tmp/resources/init.groovy.d/scripts/init140NORMconfigureLogLevels.groovy @@ -10,7 +10,7 @@ static Map getValuesFromEtcd(String key) { def json = new JsonSlurper().parseText(url.text); if (json.node.nodes == null) { println "no valid logging configuration found" - return Map.of(); + return [:] } def logLevels = json.node.nodes.stream() .filter({ node -> !node.key.isEmpty() && !parseLoggerName(node.key).isEmpty() && !node.value.isEmpty() }) @@ -19,7 +19,7 @@ static Map getValuesFromEtcd(String key) { } catch (FileNotFoundException) { println "no valid logging configuration found" } - return Map.of(); + return [:] } static String parseLoggerName(String registryPath) {