Support Lifecycle and Update Policies for the CloudBees Jenkins Platform

We endeavor to resolve customer issues with the minimum amount of change to their systems, balanced by our ability to support those systems.

CloudBees supports several Long Term Support (LTS) lines per the Support Timelines table, below. Each support line has its own backporting policy which affects the scope of issue resolution for that line: 

  • The current LTS line: maintained by the community
    • Security fixes are delivered only to the latest release in this line
    • Bug fixes are subject to Jenkins community review and approval
    • Releases provided by:
      • Jenkins community, optionally augmented by the CloudBees Jenkins Enterprise plugins
        Note: The Jenkins community provides, at most, three releases for any LTS line before switching to the next LTS line. Once the LTS line is no longer current, the customer will need to either upgrade to the current LTS line or switch to the corresponding CloudBees Jenkins Platform release.
      • CloudBees, as a CloudBees Jenkins Platform release
  • CloudBees-maintained LTS-1: this LTS line is maintained by CloudBees and delivered to customers through CloudBees Jenkins Platform releases
    • Security fixes are delivered only to the latest release in this line
    • Non-security bug fixes are subject to a risk assessment by the CloudBees engineering team
    • Releases provided by:
      • CloudBees, as CloudBees Jenkins Platform releases
  • CloudBees-maintained LTS-2: this LTS line is maintained by CloudBees and delivered to customers through CloudBees Jenkins Platform releases
    • Security fixes are delivered only to the latest release in this line
    • Severity 1 (S1) and Severity 2 (S2) non-security bug fixes are eligible against this line and are subject to a risk assessment by the CloudBees engineering team
    • Releases provided by:
      • CloudBees, as CloudBees Jenkins Platform releases
  • CloudBees-maintained LTS-3: this LTS line is maintained by CloudBees and delivered to customers through CloudBees Jenkins Platform releases
    • Security fixes are delivered only to the latest release in this line
    • Only S1 bug fixes are eligible for non-security areas against this line and are subject to a risk assessment by the CloudBees engineering team
    • Releases provided by:
      • CloudBees, as CloudBees Jenkins Platform releases

When a customer reports an issue in their specific line of Jenkins, we need to determine the category of root cause for this issue. The categories are:

Configuration Issue
  • Analysis: These issues can be resolved by changing system settings or by modifying a JVM system property.
  • Actions/Impact: No upgrade of Jenkins core or a plugin is required to resolve these issues.

External Issue
  • Analysis: These issues can be resolved by changing an external system; for example, a bug in an SCM server may cause it to send malformed data to Jenkins.
  • Actions/Impact: No change to Jenkins is required to resolve these issues.

Jenkins Core Issue
  • Analysis: These issues can only be resolved by a code change in the Jenkins core.
  • Actions/Impact:
    • CloudBees' first priority is to try to make the fix available in the next release of the line the customer is running.
    • If the fix is ineligible for inclusion in that release line (either for technical reasons, such as requiring a new feature only available in a newer line, or resulting from the risk assessment of the fix), the customer may be required to upgrade to a newer release line where that fix is eligible.
    • In certain cases, it may be possible to provide a hot fix/patch in the form of a plugin that may mitigate the issue; such hot fix plugins are only developed for serious issues where the approach is technically feasible.

Plugin Issue
  • Analysis: These issues can only be resolved by a code change in the plugin(s).
  • Actions/Impact:
    • CloudBees' first priority is to make the fix available in the next release of the plugin(s).
    • For plugins that are maintained by CloudBees, we aim to ensure that the plugin is compatible with all of our supported release lines. Thus in the majority of cases, upgrading the plugin should not require changing the core release line. However, where a feature has been added to one of our plugins and that plugin requires specific technical features only available in newer release lines of Jenkins, the customer may be required to upgrade the Jenkins core in order to upgrade the plugin and resolve the issue.
    • For plugins that are maintained by the community, the community maintainer is responsible for determining the policy to be followed with regard to tracking the baseline version of Jenkins that new releases will remain compatible with. CloudBees will encourage the maintainer to ensure that the plugin is compatible with all of our supported release lines, but we cannot enforce this. The customer may be required to upgrade the core version of Jenkins in order to upgrade the plugin and resolve their issue.

Interaction Issue Between the Jenkins Core and Plugin(s)
  • Analysis: This is a combination of the previous two categories where the fix is required both in the Jenkins core and a corresponding plugin.
  • Actions/Impact:
    • Typically, these issues can only be resolved in the Jenkins community weekly line and will only become available in older lines as they overtake the weekly version containing the fix.
    • Unfortunately, due to the cross-system nature of these issues, resolution will generally require the customer to change the core version of Jenkins and upgrade plugins.

Feature Suggestions

Feature requests or software enhancements are additions of new functionality beyond correcting defects or enabling previously existing functionality.

Customers are encouraged to file feature requests for OSS plugins on the OSS JIRA. The CloudBees team does not accept feature requests for OSS plugins or the core.

Support Lifecycle and Update Policies for CloudBees Jenkins Platform 2.x

For CJP 2.7.19+, the CloudBees Jenkins Platform will be available in two release lines:

  • CloudBees Jenkins Platform Rolling Release
  • CloudBees Jenkins Platform Fixed Release

Each support line has its own backporting policy which affects the scope of issue resolution for that line.

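|                            | Rolling | Fixed |
|----------------------------|---------|-------|
| Bug and Security Fixes     |         |       |
| Security Fixes             | Yes     | Yes   |
| Bug Fixes                  | Yes     | Yes   |
| Features                   |         |       |
| New Features               | Yes     | No    |
| Compatibility and Upgrades |         |       |
| Verify Compatibility       | Yes     | Yes   |
| Verify Upgrades            | Yes     | Yes   |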

CloudBees Jenkins Platform Rolling Release

The CloudBees Jenkins Platform Rolling release is based on the CloudBees Jenkins Enterprise distribution. Rolling releases are published as important fixes and new features for the platform become available, which can be as soon as 4 weeks from the last release.

Rolling releases are a continuous stream of updates of the CloudBees Jenkins Platform, and as such are the recommended release train and the “gold standard” of quality and stability for the CloudBees Jenkins Platform.

Rolling releases are supported for up to 9 months with tested upgrade paths to the latest Rolling release of the CloudBees Jenkins Platform. The latest Rolling release contains all S1/S2 bug and security fixes, and customers are expected to upgrade to the latest release to receive those fixes.

The Rolling CloudBees Jenkins Platform release is comprised of the CloudBees Jenkins Enterprise distribution and CloudBees’ proprietary plugins.

Support for this line encompasses the following:

  • Bug and security fixes
    • Severity 1 (S1) and Severity 2 (S2) security fixes are eligible against this line and are subject to a risk assessment by the CloudBees engineering team and community contributors when the bug is found in an open source component.
    • Non-security bug fixes are subject to a risk assessment by the CloudBees engineering team and community contributors when the bug is found in an open source component.
    • Fixes are only released to the latest release in this line.
  • Features and suggestions
    • Suggestions on new features are subject to an evaluation against the product roadmap by CloudBees product managers and a risk assessment by CloudBees engineers.
    • New features will be available only in the latest release in this line.
  • Compatibility and upgrades
    • We endeavor to maintain compatibility of functionality between older and newer releases of components of the CloudBees Jenkins Platform that are 9 months old and newer.
    • We endeavor to maintain verified upgrade paths between older and newer releases of CloudBees Jenkins Platform Rolling releases, with verified paths being tested between versions that are 9 months old up to the latest release.
  • Support will not encompass the following:
    • Bug and security fixes will not be patched on older releases, but instead released with a future CloudBees Jenkins Platform release.
  • Releases provided by:
    • CloudBees, as CloudBees Jenkins Platform releases

CloudBees Jenkins Platform Fixed Release

The CloudBees Jenkins Platform Fixed release is based on the CloudBees Jenkins Enterprise distribution and CloudBees’ proprietary features.

This is the more traditional model of software delivery, with releases delivered only when security fixes for the distribution are available. Fixed release lines consist solely of incremental security and bug patches for S1/S2 issues, and are suitable for organizations which prefer a more conservative approach to upgrades at the expense of newer CloudBees Jenkins Platform features.

Fixed releases are supported for up to 12 months, with the final 3 months of support limited to diagnosis-only help on reported issues. New CloudBees Jenkins Platform Fixed release lines will be delivered as frequently as every 6 months, allowing for 6 months’ upgrade lead time and featuring verified upgrade paths between each line.

Support for this line encompasses the following:

  • Bug and security fixes
    • Severity 1 (S1) and Severity 2 (S2) security fixes and backports are eligible against this line and are subject to a risk assessment by CloudBees engineering and community contributors when the bug is found in an open source component.
    • In general, Severity 1 (S1) and Severity 2 (S2) bug fixes and backports are eligible against this line and are subject to a risk assessment by CloudBees engineering and community contributors when the bug is found in an open source component.
  • Features and suggestions
    • New features will not be released to this line.
    • Suggestions on new features will not be accepted for this line.
  • Compatibility and upgrades
    • For the final 3 months of this line’s support lifecycle, compatibility support for CloudBees Jenkins Platform Fixed releases will become diagnosis only with no fixes or backports made to the older lines.
    • We endeavor to maintain verified upgrade paths between older and newer releases of the CloudBees Jenkins Platform and between Rolling and Fixed releases, with verified paths being tested between versions 9 months old to the latest release.
    • For the final 3 months of a line’s support lifecycle, upgradeability support for CloudBees Jenkins Platform Fixed releases will generally become diagnosis only with no fixes or backports made to the older lines.
  • Support will not encompass the following:
    • New features will not be released for this line.
  • Releases provided by:
    • CloudBees, as CloudBees Jenkins Platform releases

Plugin Support Policies

Underlying the CloudBees Jenkins Platform are CloudBees proprietary plugins and the CloudBees Jenkins Enterprise distribution, which features CloudBees Verified and CloudBees Compatible community plugins.

Plugins provide much of the functionality within Jenkins itself and are essential components of any Jenkins installation.

CloudBees classifies plugins into tiers according to how much risk to a given installation’s stability a given plugin may pose. All such plugins are supported in some capacity by CloudBees, though the scope of that support is constrained by the source plugin’s quality and whether CloudBees engineers can reproduce reported issues. 

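|                            | Tier 1             | Tier 2               | Tier 3                     |
|----------------------------|--------------------|----------------------|----------------------------|
| Plugin Tiers               | CloudBees Verified | CloudBees Compatible | Community                  |
| Bug and security fixes     |                    |                      |                            |
| Security Fixes             | Yes                | Yes                  | Not supported by CloudBees |
| Bug Fixes                  | Yes                | Yes                  | Not supported by CloudBees |
| Fix Release                | Latest Release     | Latest Release       | Not supported by CloudBees |
| Features                   |                    |                      |                            |
| New Features               | Yes                | No                   | Not supported by CloudBees |
| Compatibility and upgrades |                    |                      |                            |
| Verified Compatibility     | Yes                | No                   | No                         |
| Verified Upgrades          | Yes                | No                   | No                         |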

Tier 1 - CloudBees Verified, CloudBees Jenkins Platform and CloudBees Partner Plugins

CloudBees Verified plugins have been verified to meet their critical use cases, are stable when used in conjunction with a CloudBees Jenkins Platform installation, and may be used with confidence in a CloudBees Jenkins Platform installation.

CloudBees Verified plugins encompass all CloudBees partner plugins and the CloudBees Jenkins Enterprise distribution that has been verified as stable and compatible with the CloudBees Jenkins Platform. CloudBees Jenkins Platform proprietary plugins also are categorized as Tier 1 plugins.

These plugins are covered by the CloudBees support SLA and are refreshed with each release of the CloudBees Jenkins Platform.

These plugins undergo all available testing in the CloudBees Assurance Program.

Risk level: Minimal - CloudBees curated with end-to-end testing against the CloudBees Jenkins Platform.

  • Support for these lines encompasses the following:
    • Bugs and security fixes
      • In general, Severity 1 (S1) and Severity 2 (S2) security and bug fixes are eligible against this line and are subject to a risk assessment by CloudBees engineering and the plugin maintainer.
      • Non-security bug fixes are subject to a risk assessment by CloudBees engineering and the plugin maintainer.
    • Features and suggestions
      • Suggestions on new features are subject to an evaluation against the product roadmap by CloudBees product managers and a risk assessment by CloudBees engineers and plugin maintainers.
      • Suggestions on new features for open-source plugins are subject to a risk assessment by the plugin maintainer and will not be accepted by CloudBees.
      • New features will be committed only to the latest release in a plugin release line.
    • Compatibility and upgrades
      • We endeavor to maintain compatibility of functionality between older and newer releases of CloudBees Verified plugins that are 9 months old and newer.
      • We endeavor to maintain verified upgrade paths between older and newer releases of CloudBees Verified plugins, with verified paths being tested between versions 9 months old to the latest release.
  • Support does not encompass the following:
    • Backports of features or bug fixes to older releases.
    • Suggestions on new features for open-source plugins.
  • Releases provided by:
    • CloudBees, as CloudBees Jenkins Enterprise distribution releases
    • CloudBees, as CloudBees Jenkins Platform release
    • CloudBees partners

Tier 2 - CloudBees Compatible Plugins

These are plugins which have a reputation for their quality, but have not undergone end-to-end testing with the CloudBees Jenkins Platform.

These plugins have been verified to be stable when used in a CloudBees Jenkins Platform installation. These plugins are covered by the CloudBees support SLA, and open source plugins in tier 2 are part of the CloudBees Jenkins Enterprise distribution. All tier 2 plugins are refreshed with each release of the CloudBees Jenkins Platform.

Risk level: Low - CloudBees-curated with some compatibility testing against the CloudBees Jenkins Platform.

  • Support for these lines encompasses the following:
    • Bugs and security fixes
      • In general, Severity 1 (S1) and Severity 2 (S2) security and bug fixes are eligible against this line, but are subject to a risk assessment by CloudBees engineers and the plugin maintainer.
      • Non-security bug fixes are subject to a risk assessment by CloudBees engineers and the plugin maintainer.
    • Features and suggestions
      • Suggestions on new features are subject to a risk assessment by the plugin maintainer and will not be accepted by CloudBees.
      • New features will be committed only to the latest release in this line.
    • Compatibility and upgrades
      • We endeavor to maintain compatibility of functionality between older and newer releases of CloudBees Compatible plugins that are 9 months old and newer.
      • We endeavor to maintain verified upgrade paths between older and newer releases of CloudBees Compatible plugins, with verified paths being tested between versions 9 months old to the latest release.
  • Support does not encompass the following:
    • Backports of features or bug fixes to older releases.
    • End-to-end use-case testing against the CloudBees Jenkins Platform.
    • New features for open source plugins.
  • Releases provided by:
    • CloudBees, as CloudBees Jenkins Enterprise distribution releases
    • CloudBees, as CloudBees Jenkins Platform releases
    • CloudBees partners
    • Jenkins Community

Tier 3 - Community Maintained and Unknown Plugins

These are plugins which have not yet been verified by CloudBees or CloudBees partners. These plugins should be used with caution in a given installation, because their stability is unknown. These plugins will be supported on a best-effort, diagnosis-only basis and are not subject to the CloudBees support SLA.

Risk Level: Moderate to high - untested plugins with no verification of functionality or compatibility by the CloudBees engineering team, but may be tested by the Jenkins community.

  • Support for these lines encompasses the following:
    • Bugs and security fixes
      • CloudBees has no obligation to provide bug or security fixes for unverified plugins.
    • Features and suggestions
      • No suggestions for new features will be accepted for unverified plugins.
    • Compatibility and upgrades
      • CloudBees does not evaluate unverified plugins’ upgradeability and compatibility with the CloudBees Jenkins Platform.
  • Releases provided by:
    • Jenkins Community

Bug and Security Issue Severity Levels Definition

| Bug Severity Levels | Description |
|---------------------|-------------|
| Severity 1 (S1) | Proven error of the product in a production environment. The product software halts, crashes or is inaccessible, resulting in a critical impact on the operation. No workaround is available. |
| Severity 2 (S2) | The product will operate but due to an error in a production environment, its operation is severely restricted. No workaround is available. |
| Severity 3 (S3) | The product will operate with limitations due to an error in a production environment that is not critical to the overall operation. For example, a workaround forces a user and/or a systems operator to use a time consuming procedure to operate the system, or removes a non-essential feature. |
| Severity 4 (S4) | Due to an error in a production environment, the product can be used with only slight inconvenience. |

| Security/CVE Severity Levels | Description |
|------------------------------|-------------|
| Severity 1 (S1) | This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user or an unlikely configuration are not classed as Severity 1 vulnerabilities. |
| Severity 2 (S2) | This rating is given to flaws that can easily compromise the confidentiality, integrity or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service. These flaws require an authenticated remote user or a local user. Vulnerabilities in unlikely configurations are not classed as Severity 2 vulnerabilities. |
| Severity 3 (S3) | This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of resources, under certain circumstances. These are the types of vulnerabilities that could have had a critical impact or important impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations. |
| Severity 4 (S4) | This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences. |

Support Timelines

CloudBees Jenkins Enterprise

| CloudBees Version | Jenkins Core Version | CloudBees GA Date | Jenkins OSS LTS GA Date | Intermediate CloudBees Releases | End of Feature Improvements | End Of Life |
|---|---|---|---|---|---|---|
| 2.7.19 rolling | 2.7.19 | 2016-09-14 | 2016-08-31 | Continuously delivered through the rolling lifecycle | Improvements continuously delivered through the rolling lifecycle | Not applicable - Rolling model |
| 2.7.19 fixed | 2.7.19 | 2016-09-14 | 2016-08-31 | | Not Applicable - Only Rolling releases have feature improvements | 2017-09-01 |
| 16.06 | 1.651 | 2016-07-07 | 2016-04-14 | | 2016-09-14 | 2017-04-14 |
| 15.11 | 1.642 | 2016-02-02 | 2016-01-21 | 1.642.18.2 (2016-06-21), 1.642.18.1 (2016-05-10), 1.642.4.2 (2016-04-14), 1.642.4.1 (2016-04-01), 1.642.3.2 (2016-03-20), 1.642.2.2 (2016-03-10), 1.642.2.1 (2016-02-24), 1.642.1.1 (2016-02-02) | | 2017-01-21 |
| 15.11 | 1.625 | 2015-11-19 | 2015-10-14 | 1.625.18.2 (2016-06-21), 1.625.18.1 (2016-05-10), 1.625.16.1 (2016-02-24), 1.625.3.2 (2016-02-04), 1.625.3.1 (2015-12-09), 1.625.2.2 (2015-11-24), 1.625.2.1 (2015-11-19) | | 2016-10-14 NO LONGER SUPPORTED |
| 15.05 | 1.609 | 2015-06-15 | 2015-05-30 | 1.609.18.2 (2016-06-21), 1.609.18.1 (2016-05-10), 1.609.16.1 (2016-02-24), 1.609.15.2 (2016-02-15), 1.609.15.1 (2015-12-09), 1.609.14.2 (2015-11-24), 1.609.14.1 (2015-11-11), 1.609.3.1 (2015-10-01), 1.609.1.1 (2015-06-15) | | 2016-05-30 NO LONGER SUPPORTED |

CloudBees Jenkins Operations Center

| CloudBees Version | Jenkins Core Version | CloudBees GA Date | Jenkins OSS LTS GA Date | Intermediate CloudBees Releases | End of Feature Improvements | End Of Life |
|---|---|---|---|---|---|---|
| 2.7.19 rolling | 2.7.19 | 2016-09-14 | 2016-08-31 | Continuously delivered through the rolling lifecycle | Improvements continuously delivered through the rolling lifecycle | Not applicable - Rolling model |
| 2.7.19 fixed | 2.7.19 | 2016-09-14 | 2016-07-06 | | Not applicable - Only Rolling releases have feature improvements | 2017-09-01 |
| 1.8 | 1.625 | 2015-11-19 | 2015-10-14 | 1.625.18.4 (2016-06-21), 1.625.18.3 (2016-05-24), 1.625.18.1 (2016-05-10), 1.625.16.2 (2016-03-10), 1.625.16.1 (2016-02-24), 1.625.3.2 (2016-01-31), 1.625.3.1 (2015-12-09), 1.625.2.2 (2015-11-24), 1.625.2.1 (2015-11-19) | | 2017-07-17 |
| 1.7 | 1.609 | 2015-06-15 | 2015-05-30 | 1.609.18.1 (2016-05-10), 1.609.16.1 (2016-02-24), 1.609.15.2 (2016-02-15), 1.609.15.1 (2015-12-09), 1.609.14.2 (2015-11-24), 1.609.14.1 (2015-11-11), 1.609.3.1 (2015-10-01), 1.609.1.1 (2015-06-15) | | 2016-09-14 NO LONGER SUPPORTED |

Supported Java Application Servers

CloudBees recommends running CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise as standalone applications installed with one of the following:

  • Running “java -jar jenkins-oc.war” or “java -jar jenkins.war”
  • Installing the native package for Red Hat (.rpm), Debian/Ubuntu (.deb) or Windows (.msi)

CloudBees also supports running CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise on Java application servers with the following requirements:

  • The CloudBees Jenkins Operations Center .war application (respectively, the CJE .war application) must be the only web application running on the Java application server.
  • The restart capabilities of the application server must not be used. The only supported ways to restart a Jenkins instance are to restart the process of the JVM or to use the built-in restart feature of Jenkins if it is enabled by the installer.

| Application Server          | Minimum Version                                      | End Of Support |
|-----------------------------|------------------------------------------------------|----------------|
| Apache Tomcat 7.0 and lower | Not supported                                        |                |
| Apache Tomcat 8.0           | v8.0.32                                              | 2017-03-01     |
| Apache Tomcat 8.5           | v8.5.0                                               | (1)            |
| Apache Tomcat 9.0           | Not yet supported as it is still a milestone release | (1)            |

(1) CloudBees only supports two versions of Apache Tomcat and tries its best to support the latest GA version.

As several documents published by the Apache Tomcat community say that the ETA for the release of Apache Tomcat 9.0 is Q4 2016, we plan to support Apache Tomcat 9.0 soon after, during Q1 2017. The CloudBees Jenkins Platform will then support Apache Tomcat version 9.0 and 8.5. Version 8.0 will no longer be supported. The same logic will apply for the end of support of Apache Tomcat 8.5 and for all the versions of Apache Tomcat.

Supported Docker Environments

CloudBees supports running CloudBees Jenkins Operations Center and/or Client Masters in Docker containers, subject to the following constraints:

Supported Java Virtual Machines and Operating Systems

See CloudBees Support Knowledge Base:

Compatibility Matrix for CloudBees Jenkins Operations Center and Client Masters

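|                      | Operations Center 2.7.19 | Operations Center 1.8 | Operations Center 1.7 |
|----------------------|--------------------------|-----------------------|-----------------------|
| Client Master 2.7.19 | Yes                      | No                    | No                    |
| Client Master 16.06  | Yes                      | Yes                   | Yes                   |
| Client Master 15.11  | Yes                      | Yes                   | Yes                   |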

Starting with CloudBees Jenkins Platform 2.7, the version of CloudBees Jenkins Operations Center must always be the same as or more recent than the version of the Client Masters that are connected to it. The Client Masters connected to a CloudBees Jenkins Operations Center do not all have to be at the same version.

For example, CloudBees Jenkins Operations Center version 2.7.19 can be connected to Client Masters version 1.7.19 and/or 16.06 and/or 15.11.