Comment: update to reflect new agents terminology

...

This best practice is about authenticating users and enforcing access control on a Jenkins instance.
In the default configuration, Jenkins does not perform any security checks. This means any person accessing the website can execute arbitrary code on the Jenkins master and all connected agents, including extracting all your passwords, certificates, and other private data, in addition to configuring Jenkins and jobs and performing builds. This configuration is only acceptable for use in (very small) intranets and test setups.

...

If you have a more complex security setup that allows some users to only configure jobs, but not administer Jenkins, you need to prevent them from running builds on the master node; otherwise they have unrestricted access to the JENKINS_HOME directory. You can do this by setting the executor count to zero. Instead, make sure all jobs run on agents. This ensures that the Jenkins master can scale to support many more jobs, and it also prevents builds from modifying potentially sensitive data in $JENKINS_HOME, whether accidentally or maliciously. If you need some jobs to run on the master (e.g. backups of Jenkins itself), use the Job Restrictions Plugin to limit which jobs can be executed there.

...

Between archived builds, build logs that let you determine exactly what happened, and the SCM history information that tells you exactly what was built, Jenkins contains a lot of information you don't want to lose.

Tip

Limit project names to a sane (e.g. alphanumeric) character set

Jenkins uses project names for folders related to the project. Many poorly written tools cannot handle spaces, dollar signs, or similar characters in file paths. So it's easiest to limit yourself to e.g. [a-zA-Z0-9_-]+ in project names, and use the Display Name feature to make them look nice. You can define a pattern for allowed project names in Configure Jenkins to enforce this restriction on all your users.
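The following audit sketch is an added example, not part of the original page or of Jenkins itself. It checks a global `config.xml` for the three settings discussed above: security enabled, zero executors on the master, and an enforced project name pattern. The sample XML is constructed, and the element names are assumed to match the `$JENKINS_HOME/config.xml` layout of your Jenkins version.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of $JENKINS_HOME/config.xml (not from a real instance).
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <numExecutors>2</numExecutors>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
</hudson>
"""

SAFE_NAME = re.compile(r"[a-zA-Z0-9_-]+")  # character set suggested on this page


def audit_config(xml_text):
    """Return a list of findings for the global Jenkins configuration."""
    # Drop the XML declaration so parsing does not depend on the declared version.
    body = re.sub(r"^\s*<\?xml.*?\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    findings = []
    if (root.findtext("useSecurity") or "false").strip() != "true":
        findings.append("security disabled: anyone reaching the UI can run code")
    authz = root.find("authorizationStrategy")
    if authz is None or authz.get("class", "").endswith("$Unsecured"):
        findings.append("no access control: authorization strategy is unsecured")
    # Assumption: a missing element means the Jenkins default of 2 executors.
    executors = int((root.findtext("numExecutors") or "2").strip())
    if executors > 0:
        findings.append(f"master has {executors} executors: builds can read JENKINS_HOME")
    if root.find("projectNamingStrategy/namePattern") is None:
        findings.append("no project name pattern enforced")
    return findings


def unsafe_job_names(names):
    """Return the job names that fall outside the recommended character set."""
    return [n for n in names if not SAFE_NAME.fullmatch(n)]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(unsafe_job_names(["api-build", "nightly build", "deploy$prod"]))
```
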

Tip

Use "file fingerprinting" to manage dependencies.

...

One of the advantages of using CI tools is detecting problems early in the development lifecycle. Setting up a different job/project for each branch you create will help to maximize the benefit of detecting problems early as part of supporting parallel development efforts and reducing risk.

Tip

Prevent resource collisions in jobs that are running in parallel.

Multiple jobs running at the same time often cause collisions if they set up some kind of service, or need exclusive access. If your builds involve use of databases or other networked services, you need to ensure that they don't interfere with each other. Allocate a different port for parallel project builds

...

to avoid build collisions. If that's not possible (e.g. in the case of a persistent resource that needs to be locked) you can prevent builds that use it from running at the same time

...

using e.g. Throttle Concurrent Builds Plugin.

Tip

Avoid scheduling all jobs to start at the same time

...

Try to avoid scheduling all jobs to start at the same time. If you're using timer triggers or are periodically polling SCM, use the H syntax in the cron expression, or predefined tokens such as @hourly, to distribute job starting times evenly.

Tip

Set up email notifications mapping to ALL developers in the project, so that everyone on the team has his pulse on the project's current status.

Configure each person on the people list with their correct email address and what role they are currently playing.

Tip

Take steps to ensure failures are reported as soon as possible.

For example, it may be appropriate to run a limited suite of "smoke tests" before running time-consuming test suites.

Tip

Write jobs for your maintenance tasks, such as cleanup operations to avoid full disk problems.

Tip

Tag, label, or baseline the codebase after the successful build.

Tip

Configure Jenkins bootstrapper to update your working copy prior to running the build goal/target