Support Lifecycle and Update Policies for CloudBees Jenkins Enterprise

CloudBees Jenkins Enterprise is composed of two tiers:

[Figure: Proposed support policy for CloudBees Jenkins solutions]

Software Updates:

  • CJE Jenkins tier: This tier is Jenkins plus its plugins, described as two separate layers for the purpose of this document.
    • Jenkins app layer: Customers can consume new features and fixes on rolling releases, typically released every 4-6 weeks. Customers can also choose to wait for “fixed” releases, which are released every 6 months. The primary benefit of rolling over fixed is that customers get features and functionality on a continuous basis. The fixed release has critical patches delivered in the interim 6 months. CloudBees recommends that customers consume rolling releases in this tier, as they benefit from regular fixes and features while keeping a choice of when to upgrade, because releases are backward compatible for 9 months. The rolling and fixed releases are both based on Jenkins LTS releases; this implies that CloudBees does not provide fixes on a custom Jenkins release.
    • Jenkins plugins layer: You cannot consume Jenkins without its plugins; this layer clarifies that relationship. CloudBees has a program called the CloudBees Assurance Program, in which plugins are split into three tiers to offer a level of assurance on open source plugins. The plugins are available in Tier 1 “verified”, Tier 2 “compatible” or Tier 3 “community”. We recommend that customers use the plugins verified through the program. Customers can continue using plugins that are not yet in the program as well. Plugin fixes make their way into the rolling or fixed releases for the Jenkins tier. We exercise caution in fixed releases where new plugins are added at the 6-month boundary.
  • CJE infrastructure tier: New features and fixes to the infrastructure are available every 4-6 weeks.

Software Fixes: 

  • CJE Infrastructure Tier:
    • Security fixes and Severity 1 and 2 bug fixes are released on the latest releases. Customers are asked to upgrade to the latest rolling releases to get fixes. We endeavor to provide a 9-month backward compatibility window so customers can upgrade at their own pace.
  • CJE Jenkins Tier:
    • Jenkins app layer:
      • Rolling release:
        • Security fixes and Severity 1 and 2 bug fixes are released on the latest rolling releases. Customers are asked to upgrade to the latest rolling releases to get fixes. We endeavor to provide a 9-month backward compatibility window so customers can upgrade at their own pace.
    • Jenkins plugin layer:
      • We provide bug fixes and support for Tier 1 and 2 plugins, whereas Tier 3 plugins are supported on a commercially reasonable basis. We continue to expand the set of Tier 1 and 2 plugins every month.

CloudBees Jenkins Enterprise: Infrastructure tier

The infrastructure tier has frequent releases where new features and important fixes are released as soon as four weeks from the last release. Each release is supported for up to nine months with tested upgrade paths to the latest release. Customers are expected to upgrade to the latest release to receive features and fixes.

Support on a release encompasses the following:

  • Bug and security fixes
    • Severity 1 (S1) and Severity 2 (S2) security fixes are eligible against this line and are subject to a risk assessment by the CloudBees engineering team.
    • Non-security bug fixes are subject to a risk assessment by the CloudBees engineering team.
    • Fixes are only released to the latest release in this line.
  • Features and suggestions
    • Suggestions on new features are subject to an evaluation against the product roadmap by CloudBees product managers and a risk assessment by CloudBees engineers.
    • New features will be available only in the latest release in this line.
  • Compatibility and upgrades
    • We endeavor to maintain compatibility of functionality between older and newer releases of components of the CloudBees Jenkins Enterprise Infrastructure tier that are nine months old and newer.
  • Support will not encompass the following:
    • Bug and security fixes will not be patched on older releases, but instead released with a future CloudBees Jenkins Enterprise release.
  • Releases provided by:
    • CloudBees, as CloudBees Jenkins Enterprise releases

CloudBees Jenkins Enterprise: The Jenkins Tier

Updates to the Jenkins tier will be available in one release line:

  • Rolling Release

Each support line has its own backporting policy which affects the scope of issue resolution for that line.

 

Rolling

  • Bug and Security Fixes
    • Security Fixes: Yes
    • Bug Fixes: Yes
  • Features
    • New Features: Yes
  • Compatibility and Upgrades
    • Verify Compatibility: Yes
    • Verify Upgrades: Yes

CloudBees Jenkins Enterprise: Rolling Release for Jenkins tier

Rolling releases are published as important fixes and new features for Jenkins become available, which can be as soon as four weeks from the last release. Rolling releases are a continuous stream of updates and, as such, are the recommended release train and the gold standard of quality and stability for the Jenkins tier.

Rolling releases are supported for up to nine months with tested upgrade paths to the latest Rolling release. The latest Rolling release contains all S1/S2 bug and security fixes, and customers are expected to upgrade to the latest release to receive those fixes. The Rolling CloudBees Jenkins Enterprise release is composed of CloudBees Jenkins and the CloudBees proprietary plugins.

Support for this line encompasses the following:

  • Bug and security fixes
    • Severity 1 (S1) and Severity 2 (S2) security fixes are eligible against this line and are subject to a risk assessment by the CloudBees engineering team and community contributors when the bug is found in an open source component.
    • Non-security bug fixes are subject to a risk assessment by the CloudBees engineering team and community contributors when the bug is found in an open source component.
    • Fixes are only released to the latest release in this line.
  • Features and suggestions
    • Suggestions on new features are subject to an evaluation against the product roadmap by CloudBees product managers and a risk assessment by CloudBees engineers.
    • New features will be available only in the latest release in this line.
  • Compatibility and upgrades
    • We endeavor to maintain compatibility of functionality between older and newer releases of components of CloudBees Jenkins Enterprise that are nine months old and newer.
    • We endeavor to maintain verified upgrade paths between older and newer releases of CloudBees Jenkins Enterprise Rolling releases, with verified paths being tested between versions that are nine months old, up to the latest release.
  • Support will not encompass the following:
    • Bug and security fixes will not be patched on older releases, but instead released with a future CloudBees Jenkins Enterprise release.
  • Releases provided by:
    • CloudBees, as CloudBees Jenkins Enterprise releases

Support Timelines

Client Master

  • CloudBees Version: 2.32 rolling
    • Jenkins Core Version: 2.32
    • CloudBees GA Date: 2017-01-19
    • Jenkins OSS LTS GA Date: 2016-12-24
    • Intermediate CloudBees Releases: 2.32.1.1
    • End of Feature Improvements: Improvements continuously delivered through the rolling lifecycle
    • End Of Life: Not applicable - Rolling model
  • CloudBees Version: 2.7 fixed
    • Jenkins Core Version: 2.7
    • CloudBees GA Date: 2016-09-14
    • Jenkins OSS LTS GA Date: 2016-08-31
    • Intermediate CloudBees Releases: 2.7.21.0.2, 2.7.20.0.2, 2.7.19.0.1
    • End of Feature Improvements: Not applicable - Only Rolling releases have feature improvements
    • End Of Life: 2017-09-01

Operations Center

  • CloudBees Version: 2.32 rolling
    • Jenkins Core Version: 2.32
    • CloudBees GA Date: 2017-01-19
    • Jenkins OSS LTS GA Date: 2016-12-24
    • Intermediate CloudBees Releases: 2.32.1.1
    • End of Feature Improvements: Improvements continuously delivered through the rolling lifecycle
    • End Of Life: Not applicable - Rolling model
  • CloudBees Version: 2.7 fixed
    • Jenkins Core Version: 2.7
    • CloudBees GA Date: 2016-09-14
    • Jenkins OSS LTS GA Date: 2016-07-06
    • Intermediate CloudBees Releases: 2.7.21.0.2, 2.7.20.0.2, 2.7.19.0.1
    • End of Feature Improvements: Not applicable - Only Rolling releases have feature improvements
    • End Of Life: 2017-09-01

Support levels and response times

Support levels and response times are covered here.

Category of Issues

Configuration Issue

  • Analysis: These issues can be resolved by changing system settings or by modifying a JVM system property.
  • Actions/Impact: No upgrade of Jenkins core or a plugin is required to resolve these issues.

External Issue

  • Analysis: These issues can be resolved by changing an external system; for example, a bug in an SCM server may cause it to send malformed data to Jenkins.
  • Actions/Impact: No change to Jenkins is required to resolve these issues.

Jenkins Core Issue

  • Analysis: These issues can only be resolved by a code change in the Jenkins core.
  • Actions/Impact:
    • CloudBees' first priority is to try to make the fix available in the next release of the line the customer is running.
    • If the fix is ineligible for inclusion in that release line (either for technical reasons, such as requiring a new feature only available in a newer line, or resulting from the risk assessment of the fix), the customer may be required to upgrade to a newer release line where that fix is eligible.
    • In certain cases, it may be possible to provide a hot fix/patch in the form of a plugin that may mitigate the issue; such hot fix plugins are only developed for serious issues where the approach is technically feasible.

Plugin Issue

  • Analysis: These issues can only be resolved by a code change in the plugin(s).
  • Actions/Impact: CloudBees' first priority is to make the fix available in the next release of the plugin(s).
    • For plugins that are maintained by CloudBees, we aim to ensure that the plugin is compatible with all of our supported release lines. Thus in the majority of cases, upgrading the plugin should not require changing the core release line. However, where a feature has been added to one of our plugins and that plugin requires specific technical features only available in newer release lines of Jenkins, the customer may be required to upgrade the Jenkins core in order to upgrade the plugin and resolve the issue.
    • For plugins that are maintained by the community, the community maintainer is responsible for determining the policy to be followed with regard to tracking the baseline version of Jenkins that new releases will remain compatible with. CloudBees will encourage the maintainer to ensure that the plugin is compatible with all of our supported release lines, but we cannot enforce this. The customer may be required to upgrade the core version of Jenkins in order to upgrade the plugin and resolve their issue.

Interaction Issue Between the Jenkins Core and Plugin(s)

  • Analysis: This is a combination of the previous two categories where the fix is required both in the Jenkins core and a corresponding plugin.
  • Actions/Impact:
    • Typically, these issues can only be resolved in the Jenkins community weekly line and will only become available in older lines as they overtake the weekly version containing the fix.
    • Unfortunately, due to the cross-system nature of these issues, resolution will generally require the customer to change the core version of Jenkins and upgrade plugins.

Bug and Security Issue Severity Levels Definition Category of Issues

Bug Severity Levels

  • Severity 1 (S1): Proven error of the product in the production environment. The product software halts, crashes or is inaccessible, resulting in a critical impact on the operation. No workaround is available.
  • Severity 2 (S2): The product will operate, but due to an error in the production environment, its operation is severely restricted. No workaround is available.
  • Severity 3 (S3): The product will operate with limitations due to an error in the production environment that is not critical to the overall operation. For example, a workaround forces a user and/or a systems operator to use a time-consuming procedure to operate the system, or removes a non-essential feature.
  • Severity 4 (S4): Due to an error in the production environment, the product can be used with only slight inconvenience.

Security/CVE Severity Levels

  • Severity 1 (S1): This rating is given to flaws that could be easily exploited by a remote, unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user or an unlikely configuration are not classed as Severity 1 vulnerabilities.
  • Severity 2 (S2): This rating is given to flaws that can easily compromise the confidentiality, integrity or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code or allow remote users to cause a denial of service. These flaws require an authenticated remote user or a local user. Vulnerabilities in unlikely configurations are not classed as Severity 2 vulnerabilities.
  • Severity 3 (S3): This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of resources under certain circumstances. These are the types of vulnerabilities that could have had a critical impact or important impact, but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.
  • Severity 4 (S4): This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.

Feature Suggestions

Feature requests or software enhancements are additions of new functionality beyond correcting defects or enabling previously existing functionality.

Customers are encouraged to file feature requests for community plugins on the Jenkins JIRA. The CloudBees team does not accept feature requests for OSS plugins or the core.
