Around a year ago, during Jenkins World 2016, the CloudBees Assurance Program (CAP) was announced, and it has been quite a ride since then.
The amazing Jenkins ecosystem is enabled by the great extensibility provided by the Jenkins core. In Jenkins, the different features are provided by multiple plugins that can evolve independently of each other, which fosters a great pace of innovation. However, having the latest and greatest functionality introduces risk that may not be acceptable in your organization.
The CloudBees Assurance Program is a set of initiatives to provide the best of both worlds: access to the greatest and latest new features and fixes and, at the same time, excitingly boring operation and upgrades, which is the foundation of Business Critical Jenkins.
The key element to achieve this rock-solid Jenkins goal is the distribution, which:
Is a curated selection of components, Jenkins core and selected plugins in specific versions (recommended configuration) that evolves in a coordinated way from release to release.
Goes through a strong and extensive QA process, which provides full verification in the context of the distribution as a whole and its upgrade paths.
Includes the latest security fixes.
The Release Notes application shows how CAP provides the classification of the plugins in the distribution.
In order to have all the advantages of the fast pace of evolution of the Jenkins ecosystem, the distributions are delivered in a rolling release train, in which a new release, with an updated recommended configuration providing fixes and features, is shipped out every 4-6 weeks.
So, what can we say about the first year of the CloudBees Assurance Program?
First of all, from its initial appearance in the CloudBees Jenkins Platform, during this year it has become an integral part of the CloudBees Jenkins Solutions, with the distribution model being at the foundation of CloudBees Jenkins Team and CloudBees Jenkins Enterprise.
The recommended configuration not only contains certain plugins, but for each release of the distribution there is a specific Jenkins core version to use. Throughout this year the rolling train has gradually come closer and closer to the Jenkins LTS release train schedule, which provides the capability to deliver the latest fixes in Jenkins core sooner in the CloudBees Jenkins Solutions. In fact, since last July, CloudBees has started using private builds for all releases¹. This approach enables CloudBees to start distribution-level hardening at the same moment the Jenkins core LTS release candidate (RC) testing starts in the community and provides the following benefits:
It reinforces the feedback loop with the community, increasing the testing effort during the RC cycle and contributing to an even higher level of confidence in the final result.
It reduces the time to make the latest improvements and fixes available in the CloudBees Jenkins Solutions.
Having private Jenkins core builds² also provides the additional flexibility of having some differences with the community-provided Jenkins LTS core, such as including fixes that are being considered for a later LTS release but that may have special impact on the CloudBees products. This is only used in exceptional situations and we work closely with the Jenkins project to keep these differences to a minimum.
Last, but not least, let’s talk about security. The approach described above is also important to deliver security fixes to the Jenkins core in the CloudBees Jenkins Solutions at the same time they are available in the community and with the same level of hardening as any other release. What about plugins? The distribution model enables delivering security fixes for plugins as a new recommended configuration that automatically upgrades dependent and/or related plugins needed to ensure everything continues to work as expected. Besides, a new feature delivered last January, incremental upgrades, improves the experience of applying plugins-only security upgrades while maintaining all the advantages of the distribution model.
In the year since the Customer Assurance Program commenced, it has been a huge success and a key value-add for customers. With the Customer Assurance Program, you get the best of open source innovation without introducing any risk into your business. There are still many improvements in the backlog to make the operation and upgrades of the distributions even more excitingly boring and we look forward to delivering them.
¹ Previously it was done on-demand or only for versions in LTS lines no longer supported by the community.
² This refers to the use of private core builds when a CloudBees product is based on the current, community-supported LTS line. CloudBees also uses internal core builds to backport security fixes to supported products based on older LTS lines.
Andres Rodriguez
Senior Software Engineer
CloudBees