Jenkins Course
Beginner Best Practices
You now have a working Jenkins install, a mental model of how it's structured, and your first job running. This lesson is about the ten habits that keep that setup healthy — and the mistakes that quietly destroy it.
This lesson covers
10 habits every Jenkins user should build from day one — covering jobs, security, agents, plugins, and build hygiene
Most Jenkins problems aren't caused by bugs or missing features. They're caused by small habits that compound over time — a credential stored in plain text here, a build running on the master there, a plugin updated without testing. None of these feel dangerous in the moment. Six months later, they're the reason your Jenkins is unreliable and nobody trusts it.
These ten practices cost almost nothing to adopt at the start and are painful to retrofit later. Start here.
1. Never Run Builds on the Master
The Jenkins master, shown in the UI as the Built-In Node, holds your entire configuration: every job, every credential, every plugin. If a rogue build script runs on the master and consumes all disk space, corrupts a file, or opens a security hole, your entire Jenkins is compromised. Always set the master's executor count to zero.
How to do it:
Go to Manage Jenkins → Manage Nodes and Clouds → Built-In Node → Configure. Set Number of executors to 0. Save. From now on, no build will ever run on the master.
2. Store Credentials in Jenkins — Never in Job Config
Passwords, API keys, SSH keys, and tokens must never be typed directly into a build step or shell command. Anyone with read access to the job can see them in plain text. Jenkins has a built-in encrypted credential store specifically for this purpose.
How to do it:
Go to Manage Jenkins → Credentials → System → Global credentials → Add Credentials. Store your secret once. Reference it in jobs by its ID — Jenkins injects it as a masked environment variable at build time, hidden in all logs.
3. Limit Build History — Don't Let Logs Eat Your Disk
By default Jenkins keeps every build log forever. A job that runs every 5 minutes will accumulate thousands of logs. Each log can be several megabytes. Left unchecked, Jenkins will eventually run out of disk space and crash mid-build.
How to do it:
Open any job → Configure → General → Discard old builds. Check the box. Set Max # of builds to keep to 20–50 for most jobs. Also set Days to keep builds to 30. Do this for every job you create.
4. Use Descriptive Job Names From the Start
Job names in Jenkins cannot be easily renamed once other jobs depend on them, webhooks reference them, or scripts use their names. A job called test or build1 causes confusion the moment your team grows beyond two people.
❌ Bad names
test
build1
myjob
pipeline-new
deploy-FINAL
✅ Good names
payment-service-test
checkout-api-deploy-staging
frontend-build-main
user-auth-integration-test
5. Enable Security on Day One
A fresh Jenkins install with no security configured lets anyone on your network log in as admin. This is fine for five minutes on a local laptop. It is catastrophic on any server with a network interface. Enable security before you do anything else — not after something goes wrong.
How to do it:
Manage Jenkins → Configure Global Security. Make sure Enable Security is checked. Set Security Realm to Jenkins' own user database. Set Authorization to Logged-in users can do anything as a starting point, then tighten with roles as your team grows.
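Habits 1, 3 and 5 all end up as settings in the XML files under JENKINS_HOME, so they can be checked without clicking through the UI. The script below is an added example, not part of the course material: it reads the numExecutors and useSecurity elements and the hudson.tasks.LogRotator entries that Jenkins writes to config.xml, while the function names and the sample directory are constructed for illustration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

DECL = "<?xml version='1.1' encoding='UTF-8'?>\n"  # declaration Jenkins writes

def load(path):
    # Drop the declaration so parsing does not depend on XML 1.1 support.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", Path(path).read_text()))

def audit_jenkins_home(home):
    """Return findings for habits 1, 3 and 5 from the XML under JENKINS_HOME."""
    home, findings = Path(home), []
    root = load(home / "config.xml")
    # Habits 1 and 5: executor count of the built-in node, global security switch.
    for tag, want, msg in (("numExecutors", "0", "built-in node: executors not set to 0"),
                           ("useSecurity", "true", "global security: not enabled")):
        if (root.findtext(tag) or "").strip() != want:
            findings.append(msg)
    # Habit 3: old builds are discarded only if a LogRotator sets a positive limit.
    # Assumption: only top-level jobs are checked, not jobs nested in folders.
    for cfg in sorted(home.glob("jobs/*/config.xml")):
        rotators = [e for e in load(cfg).iter() if e.get("class") == "hudson.tasks.LogRotator"]
        limits = [int(r.findtext(t) or -1) for r in rotators for t in ("numToKeep", "daysToKeep")]
        if not any(v > 0 for v in limits):
            findings.append(f"job {cfg.parent.name}: old builds are never discarded")
    return findings

def build_sample_home(base):
    """Constructed sample JENKINS_HOME: two executors, one job without a build limit."""
    base = Path(base)
    (base / "config.xml").write_text(
        DECL + "<hudson><numExecutors>2</numExecutors><useSecurity>true</useSecurity></hudson>")
    jobs = {
        "build1": "<project><properties/></project>",
        "payment-service-test":
            "<project><properties><jenkins.model.BuildDiscarderProperty>"
            "<strategy class='hudson.tasks.LogRotator'><daysToKeep>30</daysToKeep>"
            "<numToKeep>20</numToKeep></strategy>"
            "</jenkins.model.BuildDiscarderProperty></properties></project>",
    }
    for name, xml in jobs.items():
        (base / "jobs" / name).mkdir(parents=True)
        (base / "jobs" / name / "config.xml").write_text(DECL + xml)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("\n".join(audit_jenkins_home(build_sample_home(tmp))))
```

Point audit_jenkins_home at a copy or backup of JENKINS_HOME rather than the live directory, and run it with an account that is allowed to read those files.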
6. Update Plugins Regularly — But Test First
Outdated plugins are the number one source of Jenkins security vulnerabilities. Jenkins shows a badge on the Manage Jenkins page when plugin updates are available. Update regularly — but never update all plugins at once on a production server without testing on a staging Jenkins first.
The safe update workflow:
Read the plugin changelog → update staging Jenkins → run your critical jobs to verify → then update production. Always take a backup before any plugin update.
7. Back Up JENKINS_HOME Automatically
Everything Jenkins knows (every job config, every credential, every plugin, every build log) lives in one directory, JENKINS_HOME (/var/lib/jenkins). Back this up and you can restore a completely destroyed Jenkins server in minutes. Don't back it up and you start from scratch.
How to do it:
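Install the ThinBackup plugin from Manage Jenkins → Plugin Manager. Configure it to back up to an external location daily. Automate it; never rely on manual backups. Because that backup includes every stored credential, restrict access to the backup location as tightly as to Jenkins itself.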
8. Move Toward Pipeline Jobs — Away From Freestyle
Freestyle jobs store their configuration only inside Jenkins. If Jenkins dies, the job config is gone. Pipeline jobs store their configuration in a Jenkinsfile that lives in your code repository — backed up with your code, reviewable in pull requests, reproducible on any Jenkins server.
Freestyle — The Risk
Config lives only in Jenkins. No review. No history. No recovery if Jenkins dies.
Pipeline — The Right Way
Jenkinsfile in Git. Reviewed in PRs. Versioned. Recoverable. Reproducible.
9. Label Your Agents — Always
An agent with no labels can receive any job. That sounds flexible, but it means a Windows-only build might land on a Linux agent and fail with a cryptic error. Labels are the routing system that ensures the right job always runs on the right machine.
Good labelling strategy:
Use OS labels (linux, windows) combined with capability labels (docker, node18, dotnet). A job needing Docker on Linux requests linux && docker. Jenkins routes it automatically.
10. Keep Jenkins Itself Updated
Jenkins releases a new LTS (Long Term Support) version every 12 weeks. Running an outdated Jenkins means missing security patches and eventually finding that plugins drop support for your version. Check your current version in the bottom-right corner of any Jenkins page.
The safe update path:
Check the Jenkins LTS changelog for breaking changes → back up JENKINS_HOME → update during low-traffic hours → verify key builds run cleanly.
The Setup Checklist
Every time you set up a new Jenkins instance or onboard to an existing one, run through this. Any unchecked item is a risk waiting to become a problem.
Teacher's Note
Run that checklist on every Jenkins server you ever touch. It takes five minutes and saves hours.
Practice Questions
1. What should the executor count on the Jenkins master be set to in a production setup?
2. What setting in a Jenkins job's General configuration section controls how many old builds are kept?
3. What is the name of the single directory that contains all Jenkins jobs, credentials, plugins, and build history?
Quiz
1. Where should API keys, passwords, and SSH keys be stored in Jenkins?
2. Why are Pipeline jobs safer than Freestyle jobs when it comes to disaster recovery?
3. What is a good strategy for labelling Jenkins agents?