
Unable to install mapdb api plugin using Jenkins UI or via JCASC automation.

    • Type: Bug
    • Resolution: Done
    • Priority: Minor
    • mapdb-api-plugin
    • None

      We build ALL our Jenkins using Helm and JCASC 100% automation.

      • Upgrading via Jenkins UI to latest MapDB API and restarting leaves 1.0.9.0.
      • Upgrading via JCASC automated plugin install leaves 1.0.9.0
      • Installing via JCASC automated plugin install to latest MapDB API on a fresh Jenkins installs 1.0.9.0

      As a result I am unable to update/install the Subversion plugin to 2.17.3. If I try, it does not allow Jenkins to start. If someone attempts to update both via UI or JCASC, Jenkins refuses to start afterwards.

        1. plugins.txt (7 kB)
        2. plugins-original.txt (7 kB)
        3. run-jenkins.sh (0.9 kB)

          [JENKINS-72467] Unable to install mapdb api plugin using Jenkins UI or via JCASC automation.

          Mark Waite added a comment - - edited

          I'm unable to duplicate the problem as described. You'll need to provide more details so that others can duplicate the issue. Steps that I took while trying to duplicate the problem:

          1. Create a plugins.txt file with the original plugins and versions you provided with the content in plugins-original.txt
          2. Create a run-jenkins.sh script that downloads Jenkins 2.414.3 and downloads the plugin versions that you specified
          3. Use the Jenkins plugin manager to install the subversion 2.17.3 update and the mapdb plugin update
          4. Use the Jenkins script console and the groovy script to list all the installed plugins and their versions
          5. Create a plugins.txt file that includes the plugins and versions after the upgrade
          6. Confirm that the Jenkins plugin manager downloads the correct plugin versions based on the upgraded version numbers included in the plugins.txt file
          7. Confirm that Jenkins 2.414.3 runs as expected with the updated plugins that are listed in the plugins.txt file

          One guess is that your plugin definition may not include all the plugins that you are installing. It is almost always better to list every plugin and its version number rather than relying on dependency analysis to choose a plugin or its version.

          While reviewing those plugins, there are some other areas of concern for your consideration.

          Security warnings (probably unrelated to the issue report)

          While trying to duplicate your environment, I see the following security warnings for the plugins you have installed. You should review each of those security issues and decide if it is worth continuing to include the vulnerable plugin in your installation:

          Security warnings:

          • ssh (2.6.1): SECURITY-2093 CSRF vulnerability and missing permission checks allow capturing credentials https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2093
          • ssh (2.6.1): SECURITY-2315 Missing permission check allows enumerating credentials IDs https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2315
          • aws-codecommit-trigger (3.0.12): SECURITY-3099 Arbitrary file read vulnerability https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3099
          • aws-codecommit-trigger (3.0.12): SECURITY-3101-1 Missing permission check allows enumerating credentials IDs https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3101%20(1)
          • aws-codecommit-trigger (3.0.12): SECURITY-3101-2 CSRF vulnerability and missing permission check https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3101%20(2)
          • aws-codecommit-trigger (3.0.12): SECURITY-3102 HTML injection vulnerability https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3102
          • ivy (2.5): SECURITY-2924 XXE vulnerability https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-2924
          • ivy (2.5): SECURITY-3093 CSRF vulnerability https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3093
          • rich-text-publisher-plugin (1.5): SECURITY-2332 Stored XSS vulnerability https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2332
          • extended-choice-parameter (376.v2e02857547b_a_): SECURITY-1350 CSRF vulnerability and missing permission checks allow SSRF https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-1350
          • extended-choice-parameter (376.v2e02857547b_a_): SECURITY-1351 Arbitrary JSON and property file read vulnerability https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-1351
          • extended-choice-parameter (376.v2e02857547b_a_): SECURITY-2232 Stored XSS vulnerability https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2232
          • extended-choice-parameter (376.v2e02857547b_a_): SECURITY-2617-extended-choice-parameter Stored XSS vulnerability https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617
          • sonar-quality-gates (1.3.1): SECURITY-1523 Credentials transmitted in plain text https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1523
          • quality-gates (2.5): SECURITY-1519 Credentials transmitted in plain text https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1519
          • scriptler (334.v29792d5a_c058): SECURITY-3205 Arbitrary file deletion vulnerability https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3205
          • scriptler (334.v29792d5a_c058): SECURITY-3206 Missing permission check https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3206
          • JDK_Parameter_Plugin (1.2): SECURITY-2717-JDK_Parameter_Plugin Stored XSS vulnerability https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2717

          Deprecated plugins (probably unrelated to this issue)

          The following installed plugins are deprecated:

          • Pipeline: Declarative Agent API
          • Green Balls
          • JavaScript GUI Lib: Handlebars bundle plugin
          • Popper.js 2 API Plugin
          • JavaScript GUI Lib: jQuery bundles (jQuery and jQuery UI) plugin
          • Pipeline: Deprecated Groovy Libraries
          • JavaScript GUI Lib: Moment.js bundle plugin
          • Multiple SCMs plugin
          • Popper.js API Plugin
          • Bootstrap 4 API Plugin
          • JavaScript GUI Lib: ACE Editor bundle plugin
          • WMI Windows Agents Plugin

          In general, this means that these plugins are either obsolete, no longer being developed, or may no longer work. See the linked web pages for further information about the cause for the deprecation, and suggestions on how to proceed.
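
An added example, not part of the thread or of the Jenkins project's code: a Python check that compares the `plugins.txt` handed to automation with the plugin list the running controller reports, flagging unpinned entries, version drift such as `mapdb-api` staying at 1.0.9.0, and installed versions that carry the security warnings quoted above. It assumes both lists use `id:version` lines; the function names, the `example-plugin` entry and the sample inputs are constructed for illustration.

```python
# Added example (not Jenkins project code): compare the plugins.txt that
# automation feeds in with the plugin list the running controller reports.
FLOATING = {"", "latest", "experimental"}  # entries that do not pin a version

# Three of the (plugin, version) pairs flagged in the comment above.
WARNED = {
    ("ssh", "2.6.1"): ["SECURITY-2093", "SECURITY-2315"],
    ("ivy", "2.5"): ["SECURITY-2924", "SECURITY-3093"],
    ("scriptler", "334.v29792d5a_c058"): ["SECURITY-3205", "SECURITY-3206"],
}

def parse_plugins(text):
    """Parse 'id:version[:url]' lines ('#' starts a comment) into {id: version}."""
    plugins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            plugin_id, _, rest = line.partition(":")
            plugins[plugin_id.strip()] = rest.split(":", 1)[0].strip()
    return plugins

def audit(desired_text, installed_text):
    """Return sorted (kind, plugin, detail) findings for the two lists."""
    desired, installed = parse_plugins(desired_text), parse_plugins(installed_text)
    findings = []
    for pid, want in desired.items():
        have = installed.get(pid)
        if want in FLOATING:
            findings.append(("unpinned", pid, want or "no version"))
        elif have is None:
            findings.append(("not-installed", pid, want))
        elif have != want:
            findings.append(("drift", pid, f"wanted {want}, running {have}"))
    for pid, have in installed.items():
        if pid not in desired:  # pulled in by dependency resolution, not listed
            findings.append(("unlisted", pid, have))
        for advisory in WARNED.get((pid, have), []):
            findings.append(("warning", pid, advisory))
    return sorted(findings)

# Constructed sample input; only the mapdb-api, subversion, ssh and ivy
# versions come from this issue, and example-plugin is hypothetical.
DESIRED = "mapdb-api:1.0.9-28.vf251ce40855d\nsubversion:2.17.3\nssh:2.6.1\nivy:latest\n"
INSTALLED = "mapdb-api:1.0.9.0\nsubversion:2.17.3\nssh:2.6.1\nivy:2.5\nexample-plugin:1.0\n"

if __name__ == "__main__":
    for kind, plugin, detail in audit(DESIRED, INSTALLED):
        print(f"{kind:13} {plugin:15} {detail}")
```

Run after each controller restart, a non-empty `drift` or `unlisted` result shows that the running plugin set no longer matches what the automation declared.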

          Dax Games added a comment - - edited

          The plugin list I provided was generated using the script run on Jenkins so it SHOULD be a complete list.

          That list is fed into JCASC as is when building new Jenkins instances in Kubernetes via Jenkins Helm Chart v4.11.1.

          Thanks for the extended info. I am working on cleaning up the deprecated and insecure plugins along with updating to current. That is how I found this issue.

          I am not sure what more info I can give you.

          I will try to follow what you did and see if I come up with the same results.


          Dax Games added a comment -

          I cannot explain this but I was able to successfully update by doing the following:

          1. Update via the Jenkins UI both MapDB API and Subversion but not restarting Jenkins.
          2. Edit the kubernetes configmap that creates plugins.txt to match the newly installed versions.
          3. Delete the jenkins-0 pod using kubectl.
          4. Jenkins starts normally.
          5. Generate plugin list using the same script I always use. (The only diffs were MapDB and Subversion)
          6. Update the JCASC to use this list. (I have tried to build clean using this exact list many times)
          7. Jenkins builds and starts normally with the newer plugins using automation.


          Mark Waite added a comment -

          daxgames do you want to spend more time on this to try to understand the conditions that caused the problem or would you rather close the issue and call it resolved?


          Jared Kauppila added a comment - - edited

          I'm running into the same problem as I'm updating plugins in our containerized controller. Are there particular logs to look at when attempting to dig into this?

          If I were to (blindly) guess, maybe Jenkins thinks that `1.0.9.0` is newer than `1.0.9-28.vf251ce40855d` and doesn't want to update it?


          Jared Kauppila added a comment -

          I was able to resolve this by updating my plugins.txt to include the `1.0.9-28.vf251ce40855d` version and then uninstalling the mapdb plugin via the UI so that it would reload with the correct updated version after a restart.

          Dax Games added a comment -

          markewaite It can be closed as far as I am concerned.


            Assignee: Unassigned
            Reporter: Dax Games (daxgames)