Jenkins Best Practices

Tip

Always secure Jenkins.

This best practice is around authenticating users and enforcing access control on a Jenkins instance.

In the default configuration, Jenkins does not perform any security checks. This means any person accessing the website can execute arbitrary code on the Jenkins master and all connected slaves, including extracting all your passwords, certificates, and other private data, besides just configuring Jenkins and jobs and performing builds. While this configuration is normally only acceptable for intranet use and quick setup, it introduces high security risks, like someone accidentally deleting your build jobs, reconfiguring your job to run every minute, kicking off too many builds at the same time, reconfiguring your build instance, etc.

Tip

In larger systems, don't build on the master.

If you have a more complex security setup that allows some users to only configure jobs, but not administer Jenkins, you need to prevent them from running builds on the master node; otherwise they have unrestricted access to the $JENKINS_HOME directory. You can do this by setting the executor count to zero. Instead, make sure all jobs run on slaves. This ensures that the Jenkins master can scale to support many more jobs, and it also protects builds from modifying potentially sensitive data in $JENKINS_HOME accidentally or maliciously. If you need some jobs to run on the master (e.g. backups of Jenkins itself), use the Job Restrictions Plugin to limit which jobs can be executed there.
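The two tips above (enable authentication and access control; give the master zero executors) can be applied automatically at startup with a Groovy init script. The script below is an added example, not code from this wiki page or from the Jenkins project; it assumes a Jenkins 2.x core with the init-script mechanism (files in $JENKINS_HOME/init.groovy.d/ run once on boot), a hypothetical file name, and that the first administrator's password is supplied through an environment variable named JENKINS_ADMIN_PASSWORD (an assumption, chosen so that no credential is hard-coded in the script).

```groovy
// $JENKINS_HOME/init.groovy.d/10-secure-jenkins.groovy  (hypothetical file name)
// Added example: applies "Always secure Jenkins" and "don't build on the master".
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy

def jenkins = Jenkins.get()

// Assumption: the bootstrap admin password comes from the environment.
// Refuse to continue rather than leave the instance unauthenticated.
def adminPassword = System.getenv('JENKINS_ADMIN_PASSWORD')
if (!adminPassword) {
    throw new IllegalStateException(
        'JENKINS_ADMIN_PASSWORD is not set; refusing to start without authentication')
}

// 1. Authentication: use Jenkins' own user database with self-signup
//    disabled, so nobody can create an account for themselves.
//    Only install it on first boot; later restarts keep the existing users.
if (!(jenkins.securityRealm instanceof HudsonPrivateSecurityRealm)) {
    def realm = new HudsonPrivateSecurityRealm(false)   // false = no signup
    realm.createAccount('admin', adminPassword)
    jenkins.securityRealm = realm
}

// 2. Authorization: the simplest non-default strategy. Anyone who logs in
//    has full control; anonymous visitors get nothing, not even read access.
//    For per-user job configuration rights (the case in the next tip) switch
//    this to a matrix-based strategy.
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.allowAnonymousRead = false
jenkins.authorizationStrategy = strategy

// 3. Zero executors on the master: every build has to run on a slave, so a
//    job configured by a non-administrator can never read or modify
//    $JENKINS_HOME directly.
jenkins.numExecutors = 0

// Persist the changes to $JENKINS_HOME/config.xml.
jenkins.save()
```

After a restart, check the result in Manage Jenkins > Configure Global Security (security realm and authorization strategy set) and on the master node's page (0 executors); a later "Configure System" edit will not undo the script, because it only touches the security realm when one has not been installed yet.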

Tip

Backup Jenkins Home regularly.

...

Tip

Configure the Jenkins bootstrapper to update your working copy prior to running the build goal/target.
