fix(jenkins): resolve startup crash after upgrade to 2.555.1#2169
Conversation
Three changes to fix Jenkins failing to start with JCasc after the 2.541.3 → 2.555.1 LTS upgrade: 1. Remove `excludeClientIPFromCrumb` from crumbIssuer config in jenkins.yaml — this attribute was removed from DefaultCrumbIssuer in newer Jenkins, causing a fatal JCasc init failure on every start. 2. Update plugin-util-api to 7.1330.v47b_46ee2047a_ and echarts-api to 6.0.0-1279.v4e95ca_f54783 — coverage 3.x transitively requires these newer versions; the mismatch was silently swallowed by Docker build cache in CI but caused runtime plugin loading failures. 3. Add docker log capture step to plugin_update.yml so future startup failures surface the actual error instead of just an exit code. Validated locally: Jenkins 2.555.1 starts cleanly with this config. Signed-off-by: Bruno Verachten <gounthar@gmail.com>
There was a problem hiding this comment.
Pull request overview
Fixes Jenkins controller startup crashes introduced by the Jenkins LTS upgrade by aligning JCasC configuration and plugin dependency versions, and improves CI diagnostics when startup fails.
Changes:
- Update JCasC
crumbIssuerconfig to remove the removedexcludeClientIPFromCrumbattribute (and adjust SSH launcher host key verification structure). - Bump
plugin-util-apiandecharts-apiplugin pins to satisfycoverage:3.xtransitive dependencies. - Add a GitHub Actions step to capture Jenkins container logs on workflow failure.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
dockerfiles/plugins.txt |
Updates plugin pins (plugin-util-api, echarts-api) to resolve dependency conflicts after upgrade. |
dockerfiles/jenkins.yaml |
Removes incompatible crumb issuer attribute; updates SSH host key verification config structure. |
.github/workflows/plugin_update.yml |
Adds failure-only diagnostics step to print container status and controller logs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| echo "=== Container status ===" | ||
| docker ps -a | ||
| echo "=== Jenkins controller logs ===" | ||
| CTRL=$(docker ps -a --format "{{.Names}}" | grep controller | head -1) |
There was a problem hiding this comment.
This log-capture step can fail (and exit early) if no container name matches controller: with the default GitHub Actions bash settings (-e and pipefail), grep controller returning 1 inside the command substitution will cause the whole step to error. Make the controller lookup non-fatal (e.g., add || true, use grep -m1 ... || true, or use an awk filter that exits 0 when no match) so the diagnostics step reliably runs on failures.
| CTRL=$(docker ps -a --format "{{.Names}}" | grep controller | head -1) | |
| CTRL=$(docker ps -a --format "{{.Names}}" | grep -m1 controller || true) |
There was a problem hiding this comment.
@copilot Good catch. The grep controller | head -1 pipeline inside the command substitution will exit 1 when no container matches under bash's default -e/pipefail settings, defeating the purpose of a failure-diagnostics step. The suggested || true fix is the right approach. Will update to:
CTRL=$(docker ps -a --format "{{.Names}}" | grep -m1 controller || true)This also eliminates the head -1 pipe since grep -m1 stops after the first match.
| port: 22 | ||
| sshHostKeyVerificationStrategy: "nonVerifyingKeyVerificationStrategy" | ||
| sshHostKeyVerificationStrategy: | ||
| nonVerifyingKeyVerificationStrategy: {} |
There was a problem hiding this comment.
This PR also changes the JCasC structure for sshHostKeyVerificationStrategy (from a scalar to a mapping). Since this is not mentioned in the PR description’s root-cause/changes list, it’s unclear whether it’s intentional or required for Jenkins 2.555.1/JCasC compatibility. Please either add a brief note in the PR description explaining why this schema change is needed, or revert it if it’s accidental.
There was a problem hiding this comment.
@copilot The change is intentional and required for JCasc compatibility with Jenkins 2.555.1. In newer JCasc versions, the scalar shorthand for plugin-backed configurator types (like nonVerifyingKeyVerificationStrategy: "nonVerifyingKeyVerificationStrategy") was deprecated in favor of explicit nested mapping syntax (nonVerifyingKeyVerificationStrategy: {}). Without this change, JCasc would log an attribute resolution warning or fail to bind the strategy correctly. It belongs in the same compatibility fix as the excludeClientIPFromCrumb removal - will add a note to the PR description to make this explicit.
Summary
Jenkins has been crashing at startup on every CI run since April 17, affecting both
plugin_update.ymlandtest-jenkins.yml. Root cause analysis revealed three compounding issues introduced by the 2.541.3 → 2.555.1 LTS upgrade.Root Cause
Primary crash:
excludeClientIPFromCrumbwas removed fromDefaultCrumbIssuerin newer Jenkins. Every start attempt throws:Secondary issue:
coverage:3.xwas added toplugins.txtbut its transitive dependencies (plugin-util-api,echarts-api) were not updated to matching versions. The CI Docker builds appeared to succeed because they hit cached layers, masking the conflict.Missing diagnostics: Neither workflow captured
docker logs, making the error invisible.Changes
dockerfiles/jenkins.yaml: RemoveexcludeClientIPFromCrumbfrom crumbIssuer (replaced with emptystandard: {})dockerfiles/plugins.txt: Bumpplugin-util-apito7.1330.v47b_46ee2047a_andecharts-apito6.0.0-1279.v4e95ca_f54783to satisfycoverage:3.xdependencies.github/workflows/plugin_update.yml: Adddocker logscapture step on failureValidation
Tested locally with Docker 29.4.0 + Docker Compose v5.1.1:
Jenkins is fully up and runningconfirmed in logs