2.440.3 Jenkins using an inbound-agent container image that is being flagged by container scans

frachel · May 14, 2024, 3:06pm

We’re currently running Jenkins 2.440.3 in Docker. When it kicks off an agent and pulls the inbound-agent image, it is pulling “inbound-agent:3206.vb_15dcf73f6a_9-2”.

This image (inbound-agent:3206.vb_15dcf73f6a_9-2) is coming up in our Prisma scans with vulnerabilities that are well beyond our allowed aging ( > 90 days ).

I see there are many later images of inbound-agent in Dockerhub, but I have no idea how to control which version our Jenkins pulls. As of today 2.440.3 is the latest LTS… and we’ll upgrade to the next LTS in a week or so when it’s released, but in general the question is this - is the version of inbound-agent that gets pulled hardcoded/tied to the the version of jenkins, or can it be modifed to use a newer one?

sodul · May 14, 2024, 7:19pm

We run Jenkins under Kubernetes, but I do not know about how it works under Docker itself.

The way we control the agent image is under manage/cloud/kubernetes/template admin page. There we have our default template as such:

metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
spec:
  shareProcessNamespace: true
  dnsConfig:
    options:
      - name: attempts
        value: "5"
  containers:
  - name: "jnlp"
    image: "jenkins/inbound-agent:3206.vb_15dcf73f6a_9-11-alpine-jdk21"
    resources:
      requests:
        cpu: 0.1
      limits:
        cpu: 1
        memory: 425Mi

We further tune the memory and CPU limits on a per pipeline basis through a custom jenkins library which is called during an init stage.

If you use the Docker Plugin (we do not) the documentation is here: Docker

It looks like you should be able to customize the agent container under the clouds docker admin UI.

Tags are listed here: Docker

3206.vb_15dcf73f6a_9-2 is from 4 months ago

3206.vb_15dcf73f6a_9-11-alpine-jdk21 is from 7 days ago.

I do recommend that you keep the jdk version consistent between the controller and the agents. While java marshaling is ‘supposed’ to be transparent, it can introduce hard to troubleshoot bugs.

MarkEWaite · May 14, 2024, 9:09pm

The version of inbound agent that is pulled is not tied to the Jenkins version. You control it from your local configuration. Find that configuration and you can increase the version of that container image to the most recent version.

Topic		Replies	Views
Difference between: jenkins/agent and jenkins/inbound-agent images? Using Jenkins	2	11586	December 15, 2021
Docker Image jnlp-agent-python3 Ask a question git , docker , python	2	1996	June 23, 2023
Using jenkins/inbound-agent image reports version 4.13 or newer is required Using Jenkins question , docker	8	2312	March 13, 2024
Docker pull jenkins/jenkins got a different version then expected Ask a question question , docker	2	505	February 23, 2023
Jenkins Upgrade Issue Using Jenkins	6	4625	November 21, 2023

2.440.3 Jenkins using an inbound-agent container image that is being flagged by container scans

Related topics