Last checked and updated on 03 May 2026What Is New in Jenkins 2.346.x
This LTS release focuses on modernizing the platform, enhancing security, and improving the user experience with significant UI updates and Java runtime changes.
| Category | Key Changes |
|---|---|
| Security | Rejects connections from agents with unsupported Remoting versions; requires explicit HTTPS keystore configuration. |
| Modernization | PNG/GIF icons replaced with SVGs; Java Native Runtime (JNR) library removed. |
| Infrastructure | Docker Alpine images no longer include GNU C Library; OpenJDK updates address JIT and metaspace issues. |
| Tooling | Deprecated install-plugins.sh script removed from Docker images in favor of jenkins-plugin-cli. |
Why did Jenkins start rejecting older agent connections?
Jenkins 2.346.1 introduces a security and stability enhancement by rejecting connections from agents using Remoting versions older than 3.14. This change prevents potential compatibility issues and security vulnerabilities that can arise from outdated communication protocols.
When an unsupported agent attempts to connect, its status will show as offline with a message indicating a launch failure. Administrators can override this behavior by setting the system property hudson.slaves.SlaveComputer.allowUnsupportedRemotingVersions to true, though this is not recommended for production environments.
For better visibility, install the Version Node Monitors plugin. It displays agent Remoting and Java versions directly in the Nodes page and can enforce version matching policies.
What changed with icons and the Java Native Runtime?
The entire icon set has been modernized from PNG and GIF formats to Scalable Vector Graphics (SVG). This provides sharper rendering on high-resolution displays and more flexible theming. Ensure all your plugins are updated immediately after the core upgrade to avoid missing images from outdated plugins.
The Java Native Runtime (JNR) library was removed from core. This impacts specific plugins:
- PAM Authentication plugin requires version 1.7 or higher.
- CloudBees File Leak Detector plugin requires version 1.7 or higher.
- Maven Repository Scheduled Cleanup plugin has no compatible version and must be removed.
This cleanup reduces Jenkins' footprint and removes a deprecated dependency.
How do the OpenJDK updates affect my Jenkins instance?
This LTS release aligns with important OpenJDK updates. OpenJDK 11.0.16 and 17.0.4 contained a critical JIT compiler bug (JDK-8292260) that could cause JVM crashes. The official Jenkins Docker images (2.346.3-2 and later) include the patched versions OpenJDK 11.0.16.1 and 17.0.4.1.
These JDK versions also introduce a known metaspace memory leak when used with older versions of the Pipeline: Groovy and Script Security plugins. After upgrading Jenkins core, you must upgrade Pipeline: Groovy to at least 2705.v0449852ee36f and Script Security to at least 1175.v4b_d517d6db_f0.
Furthermore, OpenJDK 11.0.16+ now properly supports cgroups v2, meaning it will correctly detect and respect container memory and CPU limits. This affects garbage collection behavior and thread pool sizing inside containers.
What happened to the automatic HTTPS certificate?
Jenkins no longer automatically generates a self-signed HTTPS certificate if no keystore is provided. This feature was removed to encourage more secure, explicit configuration.
If you run Jenkins and handle HTTPS directly within the Java process (not behind a reverse proxy like Nginx or Apache), you must now provide your own keystore using the arguments --httpsKeyStore=path/to/keystore and --httpsKeyStorePassword=keystorePassword at startup.
This change does not affect the vast majority of deployments where SSL/TLS termination is handled by a dedicated reverse proxy server in front of Jenkins.
Why was the GNU C Library removed from Alpine images?
Older Java versions on Alpine Linux required the GNU C Library (glibc) to run. Modern Eclipse Temurin builds for Alpine now use musl libc natively, making glibc obsolete. Consequently, it has been removed from the official Jenkins Alpine Docker images to reduce image size and complexity.
This primarily affects users who run builds directly on the controller node, which is an anti-pattern. If you use Global Tool Configuration to install binaries (e.g., Node.js, JDK) that are linked against glibc, they will fail to run on the Alpine controller with errors like env: 'node': No such file or directory.
The solutions are: 1) Run jobs on agents instead of the controller; 2) Switch to a Debian-based Jenkins image; or 3) Build a custom Alpine image that installs glibc.
FAQ
My agent was working before the upgrade but is now offline. What happened?
Jenkins now blocks agents using Remoting versions older than 3.14. Check your agent's Remoting version and upgrade it to match the controller. You can temporarily allow the connection by setting the system property hudson.slaves.SlaveComputer.allowUnsupportedRemotingVersions=true, but upgrading the agent is the correct fix.
After upgrading, some icons are missing. How do I fix this?
The core icons were replaced with SVGs. Old plugins that reference the removed PNG/GIF files will break. Update all your plugins to their latest versions immediately after the core upgrade to resolve this.
My Jenkins on Alpine Linux can't run Node.js anymore. Why?
The Alpine image no longer includes the GNU C Library (glibc). The Node.js binary you are trying to use is likely compiled for glibc and is incompatible with the musl libc in Alpine. either switch to a Debian-based image, use an agent, or find a Node.js build compiled for musl libc.
Do I need to change my startup arguments if I use a reverse proxy?
No. The change requiring explicit HTTPS keystore configuration only applies if Jenkins itself is handling HTTPS connections. If you use a reverse proxy (Nginx, Apache, etc.) for SSL termination, you do not need to add the --httpsKeyStore arguments.
Which plugins are broken by the JNR removal and how do I fix them?
The PAM Authentication and CloudBees File Leak Detector plugins will break. You must upgrade PAM Authentication to version 1.7+ and File Leak Detector to 1.7+. The Maven Repository Scheduled Cleanup plugin has no fix and must be uninstalled.