Jenkins Blogs


CVE-2014-6271 impact on Jenkins

Thu, 2014-09-25 16:26

I suspect many of you have been impacted by CVE-2014-6271 (aka the "shellshock" bash vulnerability). We had our share of updates to do for various *.jenkins-ci.org servers.

Java application servers in general (including the one that ships in Jenkins) do not fork off processes like Apache does to serve requests, so the kind of CGI attacks you see on Apache do not apply. We are currently unaware of any vulnerabilities in Jenkins related to CVE-2014-6271, and have no plan to issue a patch for that.

That said, we did come up with one possible way attackers can exploit vulnerable bash through Jenkins, that you might want to be aware of.

When a build is parameterized, parameters are passed to the processes Jenkins launches as environment variables. So if you have a shell step (which uses bash by default), and if Eve only has the BUILD permission but not the CONFIGURE permission, then Eve can exploit this vulnerability by carefully crafting parameter values, and have bash run arbitrary processes on the slave that runs the build.

In most such scenarios, Eve would have to be an authenticated user on Jenkins. Jenkins also leaves the record of who triggered what build with what parameters, so there's an audit trail. But if your Jenkins fits this description, hopefully this serves as one more reason to update your bash.
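As an added example (not part of the original post or of Jenkins itself), the sketch below shows how the audit trail of build parameters could be checked for values that an unpatched bash would treat as a function definition, and how such values could be dropped from an environment before a shell step runs. The record layout, sample data and function names are hypothetical and constructed for illustration; they are not Jenkins' storage format.

```python
import re

# An unpatched bash treats an environment value that begins with "() {" as a
# function definition and keeps parsing what follows it (CVE-2014-6271).
# The pattern is deliberately a little looser than that exact prefix.
FUNC_IMPORT = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample records: who triggered which build with which parameters.
SAMPLE_BUILDS = [
    {"job": "deploy-app", "number": 41, "user": "alice",
     "parameters": {"TARGET_ENV": "staging", "NOTE": "retry (second attempt)"}},
    {"job": "deploy-app", "number": 42, "user": "eve",
     "parameters": {"TARGET_ENV": "() { :; }; echo constructed-sample",
                    "NOTE": ""}},
]


def is_function_import(value):
    """True if the value looks like an exported bash function definition."""
    return bool(FUNC_IMPORT.match(str(value)))


def audit_builds(builds):
    """Return (job, build number, user, parameter name) for each suspicious value."""
    findings = []
    for build in builds:
        for name, value in sorted(build["parameters"].items()):
            if is_function_import(value):
                findings.append((build["job"], build["number"],
                                 build["user"], name))
    return findings


def scrub_env(env):
    """Split an environment into values safe to pass on and names to drop.

    A stopgap for agents whose bash has not been updated yet; updating bash
    remains the actual fix.
    """
    clean, dropped = {}, []
    for name, value in env.items():
        if is_function_import(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, sorted(dropped)


if __name__ == "__main__":
    for job, number, user, param in audit_builds(SAMPLE_BUILDS):
        print(f"{job} #{number} triggered by {user}: suspicious parameter {param}")
```
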

Finally, to get notified of future security advisories from Jenkins, see this Wiki page.

Jenkins in JavaOne 2014

Wed, 2014-09-24 16:25

There'll be several talks that touch Jenkins. The first is from me and Jesse called Next Step in Automation: Elastic Build Environment [CON3387] Monday 12:30pm.

Then later Tuesday, there's Building a Continuous Delivery Pipeline with Gradle and Jenkins [CON11237] from Benjamin Muschko of Gradleware.

Thursday has several Jenkins talks. One is The Deploy Factory: Open Source Tools for Java Deployment [CON1880] from Bruno Souza (aka the Java Man from Brazil) and Edson Yanaga. In this same time slot, guys from eBay are doing Platform Upgrades as a Service [CON5685], which discusses how they rely on automation to make platform upgrades painless. Then Mastering Continuous Delivery and DevOps [CON1844] from Michael Huttermann.

In the exhibit area, the Jenkins project doesn't have its own booth (JavaOne is too expensive for that), but I'll be at the CloudBees booth, so is Jesse Glick. Find us at the booth for any Jenkins questions or impromptu hacking session, which would really help us as we get distracted from the booth duties that way. Or just drop by to get stickers, pin badges, and other handouts to take for your colleagues.

And finally, Script Bowl 2014: The Battle Rages On [CON2939] gets an honorable mention because our own Tyler Croy is representing JRuby against other scripting languages, including my favorite Groovy. Hmm, who should I root for...

More Jenkins-related continuous delivery events in Chicago, Washington DC, and San Francisco

Wed, 2014-09-24 15:54

The usual suspects, such as CloudBees, XebiaLabs, SOASTA, PuppetLabs, et al are doing a Jenkins-themed continuous delivery event series called "cdSummit." The event is free, has a nice mix of user/vendor talks, and has an appeal to managers and team leads who are working on and struggling with continuous delivery and automation.

I've spoken at past events, and I enjoyed the high-level pitches from various speakers. The last two events at Paris and London filled up completely, so I suspect others have liked them, too.

If you live near Chicago, Washington DC, or San Francisco, check out the date and see if you can make it. RSVP is from here. If you do, be sure to pick up Jenkins stickers and pin badges!

Jenkins Workflow Summit RSVP

Wed, 2014-09-17 17:47

As was discussed some time ago, the workflow summit is being organized, and it's open for RSVP.

Due to the overwhelming demand, I've increased the capacity this time to 50, but this is an unconference where everyone needs to participate, which means we really cannot have too many people without changing the dynamics of the event.

So please make sure you are willing to participate, as in not just listening and watching, but actually willing to speak. We expect you to bring something to the table: opinions, experiences, rants, presentations, feedback, etc. If you don't, please let others take the seat, and rest assured we will give a presentation about workflow in JUC Bay Area.

If you understand the criteria, please RSVP from here.

Jenkins User Meet-up in Paris

Tue, 2014-09-02 14:49

My apologies for the last minute announcement, but there will be a Jenkins user meet-up in Paris on Sep 10th 7:00pm, which is just next week. The event is hosted by Zenika. You'll hear from Gregory Boissinot and Adrien Lecharpentier about plugin development, and I'll be talking about workflow.

It's been a while since we did a meet-up in Paris. Looking forward to seeing as many of you as possible. The event is free, but please RSVP so that we know what to expect.

JUC SF 2014 is Here!

Thu, 2014-08-28 14:09

JUC SF on October 23, 2014 is shaping up to be bigger and better this year.

Here’s what we have in store for you!

Three Tracks

We’ve received a record high of 40 stellar proposals this year. To accommodate the many community proposals, we’ve decided to add a third track to the agenda. JUC SF sessions are now available for you to view. We have speakers from Google, Target, Gap, Cloudera, eBay, Chicago Drilling Company, and much more. Register now for early bird price. The early bird price is only good until September 21, 2014.

Live Stream

If you can’t attend the conference in person, Track 1 sessions will be available via live stream, it’s all free. Brought to you by CloudBees. Registration for JUC SF live stream is here.

Get Drunk on Code

Have a beer while learning how to write a Jenkins plugin. Steve Christou, Jenkins support engineer, will lead this lecture from 3:30pm to 6:00pm. He will teach everything from how to get started, to techniques like writing a new CLI Command, to writing your own builder.

Ask the Experts

Meet the Jenkins creator, committers, support engineers, and developers. We have dedicated time slot(s) for our attendees to get 1 on 1 access to our experts. Exact time is TBD. Ask them anything from plugins, configuration, technical support, to bug fixes.

Our current list of experts are:

  • Andrew Bayer
  • Gareth Bowles
  • Steve Christou
  • Jesse Glick
  • Kohsuke Kawaguchi
  • Dean Yu

Want to join our panel of experts? Contact Alyssa Tong aly13@gmail.com

Exhibit Mixer

Sixteen technology sponsors will be showcasing their newest technologies during the exhibition hour from 2:25 – 3:30pm. Grab a beer, visit with sponsors and see how they are using Jenkins.

This is just a taste of what you’ll see at JUC SF. We look forward to seeing you there!!

Workflow plugin code walk-through

Thu, 2014-08-28 09:38

Jesse and I will walk through the source code of the workflow plugin, highlight key abstractions and extension points, and discuss how they are put together.

If you are interested in developing or retrofitting plugins to work with workflows, I think you'll find this session interesting.

The event will be on Google Hangout tomorrow. The time of the day is the same as usual office hours.

Official Jenkins LTS docker image

Tue, 2014-08-12 16:43

(This is a guest post from Michael Neale)

Recently at the Docker Conference (DockerCon) the Docker Hub was announced.

The hub (which includes their image building and storage service) also provides some "official" images (sometimes they call them repositories - they are really just sets of images).

So after talking with all sorts of people we decided to create an official Jenkins image - which is hosted by the docker hub simply as "jenkins".

So when you run "docker pull jenkins" - it will be grabbing this image. This is based on the current LTS (and will be kept up to date with the LTS) - but does not include the weekly releases (yet). Having a jenkins image that is fairly basic (it includes enough to run some basic builds, as well as jenkins itself) built on the LTS, on the latest LTS of Ubuntu seemed quite convenient - and easy to maintain using the official Ubuntu/Debian packaging of Jenkins.

Docker is a great way to try and use server based systems - it brings all the dependencies needed and the images actually are portable (ie anywhere docker runs you can run docker images). There are official images for many popular server platforms (redis, mysql, all the linux distros and so on) so it seemed crazy to not include Jenkins along with this list. "docker run -p 8080:8080 jenkins" is all you need to get going with LTS Jenkins now. You can also use "docker run jenkins:1.554" to get the latest of that lineage of LTS releases, or pick a specific one: "docker run jenkins:1.554.3" if you like. Leaving off a version assumes the latest. Check the tags page to see what is available.

You can read more and see how you can use it here.

There have been some questions and discussions on how to make use of Jenkins with the docker hub for creating new and interesting docker image based workflows for deployment. In fact, Jenkins featured in one of the first slides of the first keynote of docker con: To make this dream a reality some additional plugins had to be created - but this leaves the possibility of working with the docker hub (builds, stores images) and Jenkins (workflow, testing, deployment) to build out some kind of a continuous pipeline for handling docker based apps. I attempted to describe this more here.

This image is maintained in this github repo and the official images are built by the "stackbrew" system. (We may move this repo to the jenkinsci github group shortly so keep an eye out).

It will be interesting to watch this grow and change.

Jenkins User Meet-up in London

Tue, 2014-08-12 16:23

As I was alluding to earlier, I was hoping to have a meetup of Jenkins users in London for a while. I'm happy to report that the agenda is final and RSVP is open! The date is September 8th.

I'll talk about my recent chef/puppet integration work in Jenkins. Sven from Perforce will talk about how to leverage Perforce features from Jenkins, and then James Nord will talk about workflow. It will be a worthy 2 hours.

If the line up of talks will not be enough to sway you, you should also know that I will bring some Jenkins give-aways!

I'm not sure how many people to expect, but there's a cap at 80 people, so if you are thinking about coming, be sure to RSVP. Looking forward to seeing many of you there!

Finally, if you are in London, the usual suspects (CloudBees, PuppetLabs, XebiaLabs, MidVision, SOASTA, et al) are doing a free event titled "How To Accelerate Innovation with Continuous Delivery" that you might also be interested in.

User Interface Refresh

Mon, 2014-08-11 11:44

This is a guest post from Tom Fennelly

Over the last number of weeks we've been trying to "refresh" the Jenkins UI, modernizing the look and feel a bit. This has been a real community effort, with collaboration from lots of people, both in terms of implementation and in terms of providing honest/critical feedback. Lots of people deserve credit but, in particular, a big thanks to Kevin Burke and Daniel Beck.

You're probably familiar with how the Jenkins UI currently looks, but for the sake of comparison I think it's worth showing a screenshot of the current/old UI alongside a screenshot of the new UI.

Current / Old Look & Feel

New Look & Feel

Among other things, you'll see:

  • A new responsive layout based on <div> elements (as opposed to <table> elements). Try resizing the screen or viewing on a smaller device. More to come on this though, we hope.
  • Updated default font from Verdana to Helvetica.
  • Nicer form elements and nicer buttons.
  • Smoother side panels e.g. Build Executors, Build Queues and Build History panes.
  • Smoother project views with more modern tabs.

You might already be seeing these changes if you're using the latest and greatest code from Jenkins. If not, you should see them in the next LTS release.

We've been trying to make these changes without breaking existing features and plugins and, so far, we think we've been successful but if you spot anything you think we might have had a negative effect on, then please log a JIRA and we'll try to address it.

One thing we've "sort of" played with too is cleaning up of the Job Config page - breaking into sections and making it easier to navigate etc. This is a big change and something we've been shying away from because of the effect it will have on plugins and form submission. That said, I think we'll need to bite the bullet and tackle this sooner or later because it's a big usability issue.

Geek Choice Awards 2014

Wed, 2014-07-30 11:24

RebelLabs started annual Geek Choice Awards, and Jenkins was one of the 10 winners. See the page where they talk about Jenkins.

My favorite part is, to quote, "Jenkins has an almost laughably dominant position in the CI server segment", and "With 70% of the CI market on lockdown and showing an increasing rate of plugin development, Jenkins is undoubtably the most popular way to go with CI servers."

If you want to read more about it and other 9 technologies that won, they have produced a beautifully formatted PDF for you to read.

Jenkins figure is available in shapeways

Mon, 2014-07-28 12:25

Some time ago, we've built Jenkins bobble head figures. This was such a huge hit that everywhere I go, I get asked about them. The only problem was that it cannot be individually ordered, and we didn't have enough cycles to individually sell and ship them for those who wanted them.

So I decided to have the 3D model of Mr.Jenkins built, which would allow anyone to print them via 3D printer. I commissioned akiki, a 3D model designer, to turn our beloved butler into a fully-digital color-printable figure. He was even kind enough to discount the price with the understanding that this is for an open-source project.

The result was IMHO excellent, and when I finally came back to my house yesterday from a two-weeks trip, I found it delivered to my house: With the red bow tie, a napkin, a blue suit, and his signature beard, it is instantly recognizable as Mr.Jenkins. He's mounted on top of a red base, and is quite stable. I think the Japanese sensibility of the designer is really showing! Note that the material has a rough surface and it is not very strong, but that's what you trade to get full color.

I've put it up on Shapeways so that you can order it yourself. The figure is about 2.5in/6cm tall. The price includes a bit of markup toward recovering the cost of the design. My goal is to sell 25 of them, which will roughly break it even. Any excess, if it ever happens, will be donated back to the project.

Likewise, once I hit that goal, I will make the original data publicly available under CC-BY-SA, so that other people can modify the data or even print it on their own 3D printers.

JUC Israel report

Fri, 2014-07-18 07:52

This year marks the 3rd annual Jenkins User Conference in Israel. While the timing of the event turned out to be less than ideal for reasons beyond our control, that didn't stop 400 Jenkins users from showing up at the "explosive" event at a seaside hotel near Tel Aviv.

Shlomi Ben-Haim kicked off the conference by reporting that JUC Israel just keeps getting bigger, and that we sold out 2 weeks earlier and the team had to turn down people who really wanted to come in. The degree of adoption of Jenkins is amazing in this part of the world, and we might have to find a bigger venue next year to accommodate everyone who wants to come.

It turns out most of the talks were in Hebrew, so it was difficult for me to really understand what's going on, but the talks ranged from highly technical ones like how to provision Jenkins from configuration management (the server as well as jobs), all the way to more culture focused ones like how to deploy CD practice in an organization. Companies large and small were well represented, and I met with a number of folks who actively contribute to the community.

There were a lot of hall way conversations, and those of us at the booth had busy time.

Thanks everyone who came, thanks JFrog for being on the ground for the event (and congratulations for the new round of funding) and CloudBees for hosting the event. Please let us know if there are things we can do better, and see you again next year!

Planned changes in Jenkins User Conference contact information collection

Wed, 2014-07-09 16:10

One of the challenges of running Jenkins User Conferences is to balance the interest of attendees and the interest of sponsors. Sponsors would like to know more about attendees, but attendees are often wary of getting contacted. Our past few JUCs have been run by making it opt-in to have the contact information passed to sponsors, but the ratio of people who opt-in is too low. So we started thinking about adjusting this.

So our current plan is to reduce the amount of data we collect and pass on, but to make this automatic for every attendee. Specifically, we'd limit the data only to name, company, e-mail, and city/state/country you are from. But no phone number, no street address, etc. We discussed this in the last project meeting, and people generally seem to think this is reasonable. That said, this is a sensitive issue, so we wanted more people to be aware.

By the way, the call for papers to JUC Bay Area is about to close in a few days. If you are interested in giving a talk (and that's often the best way to get feedback and take credit on your work), please make sure to submit it this week.

Workflow plugin tutorial: writing a Step impl

Tue, 2014-07-08 15:36

The other day I was explaining how to implement a new workflow primitive to Vivek Pandey, and I captured it as a recording.

The recording goes over how to implement the Step extension point, which is the workflow equivalent of BuildStep extension point. If you are interested in jumping on the workflow plugin hacking, this might be useful (and don't forget to get in touch with us so that we can help you!)

Jenkins User Event & Code Camp 2014, Copenhagen

Thu, 2014-07-03 09:28

This is a guest post from Adam Henriques.

On August 22nd Jenkins CI enthusiasts will gather in Copenhagen, Denmark for the 3rd consecutive year for a day of networking and knowledge sharing. Over the past two years the event has grown and this year we are expecting a record number of participants representing Jenkins CI experts, enthusiasts, and users from all over the world.

The Jenkins CI User Event Copenhagen has become a cynosure for the Scandinavian Jenkins community to come together and share new ideas, network, and harness inspiration from peers. The program offers invited as well as contributed speaks, tech talks, case stories, and facilitated Open Space discussions on best practice and application of continuous integration and agile development with Jenkins.

The Jenkins CI Code Camp 2014

The Jenkins CI User Event will be kicked off by The Jenkins CI Code Camp on August 21st, the day before the User Event. Featuring Jenkins frontrunners, this full day community driven event has become very popular, where Jenkins peers band together to contribute content back to the community. The intended audience is both experienced Jenkins developers and developers who are looking to get started with Jenkins plugin development.

For more information please visit the Jenkins CI User Event 2014, Copenhagen website.

JUC Berlin summary

Thu, 2014-07-03 09:23

After a very successful JUC Boston we headed over to Berlin for JUC Berlin. I've heard the attendance number was comparable to that of JUC Boston, with close to 400 people registered and 350+ people who came.

The event kicked off at a pre-conference beer garden meetup, except it turned out that the venue was closed on that day and we had to make an emergency switch to another nearby place, and missed some people during that fiasco. My apologies for that.

But the level of the talks during the day more than made up for my failing. They covered everything from large user use cases from BMW to Android builds, continuous delivery to Docker, then of course workflow!

One of the key attractions of events like this is actually meeting people you interact with. There are all the usual suspects of the community, including some who I've met for the first time.

Most of the slides are up, and I believe the video recordings will be uploaded shortly, if you missed the event.

Pictures from JUC and cdSummit

Thu, 2014-07-03 09:06

I've uploaded pictures I've taken during JUC Boston and JUC Berlin.

JUC Berlin pictures start with the pre-conference beer garden meet-up. See Vincent Latombe giving a talk about Literate plugin. I really appreciated his coming to this despite the fact that the event was only a few days before his wedding:

In JUC Boston pictures, you can see some nice Jenkins lighting effect, as well as my fellow colleague Corey Phelan using World Cup to lure attendees into a booth:

Pictures from the cdSummits are also available here and here.

If you have taken pictures, please share with us as your comment here so that others can see them.

Jenkins Office Hours: dotCi

Thu, 2014-07-03 08:51

Surya walked us through the dotCI source code yesterday, and a bunch of ideas about how to reuse pieces were discussed. The recording is on YouTube, and my notes are here.

Jenkins Office Hours: dotCi

Tue, 2014-07-01 12:19

Tomorrow in Jenkins office hours, Surya Gaddipati will be going over DotCi, a package of features that integrates Jenkins closely with GitHub, configuration via .ci.yml file in source tree, built-in Docker support and MongoDB backend.

I think there's a number of interesting pieces here that could be split into individual plugins for reuse, and possible alignment with existing efforts like Script Security plugin or Literate plugin.

To record the show, this event will be in a different hangout from the usual one, but the time is the same. Looking forward to seeing you!