How to Back Up and Restore Your Jenkins Instance
Back up and restore Jenkins safely by archiving JENKINS_HOME, preserving secrets, and testing recovery before you need it.
How to Back Up and Restore Your Jenkins Instance
Jenkins often becomes the control plane for your builds, deployments, credentials, and release history. If you lose $JENKINS_HOME during a disk failure or bad migration, your CI/CD pipelines may stop even if the Jenkins package itself is easy to reinstall.
This guide shows you what to back up, how to create a filesystem archive safely, and how to restore Jenkins without breaking credentials or file ownership.
Understanding the Core: The $JENKINS_HOME Directory
Every Jenkins instance relies on a single root directory, referred to as $JENKINS_HOME. This directory contains all configuration files, plugins, logs, and job data. Backing up Jenkins fundamentally means backing up the contents of this directory.
Depending on your installation method (e.g., Linux package, Docker container), the location of $JENKINS_HOME typically varies:
- Linux (Package Install):
/var/lib/jenkins - Docker: Often mounted to a volume, e.g.,
/var/jenkins_home - Standalone JAR: The directory where the Jenkins process was started, unless specified via environment variables.
Identifying Critical Data Components
While backing up the entire $JENKINS_HOME directory is the simplest approach, it can lead to extremely large archives if build history and workspace data are included. For a quick and efficient disaster recovery backup, you must ensure the following directories and files are captured:
| Component | Path within $JENKINS_HOME |
Purpose |
|---|---|---|
| Global Configuration | config.xml |
Primary configuration file for the Jenkins root instance. |
| Job Definitions | jobs/ |
Contains subdirectories for every configured job, each with its own config.xml. |
| Users and Credentials | users/ and credentials.xml |
User accounts, security realm settings, and stored secrets. |
| Security Keys | secrets/ |
Encryption keys essential for decrypting sensitive data like stored credentials. |
| Plugin List | plugins/ |
Contains the .hpi files for all installed plugins. |
| Node Definitions | nodes/ |
Configurations for all connected build agents (if defined). |
Method 1: The Filesystem Backup (Recommended)
The most reliable method for backing up Jenkins is to create a consistent, compressed archive of the necessary files while the service is momentarily stopped.
Step 1: Stop the Jenkins Service
To ensure data consistency and prevent partial file writes during the backup process, the Jenkins process must be halted. Failing to stop the service risks an incomplete or corrupt backup.
# For systems using systemd (most modern Linux distributions)
sudo systemctl stop jenkins
# Or, for systems using service command
sudo service jenkins stop
Step 2: Create the Backup Archive
Navigate to the parent directory of $JENKINS_HOME and use tar to create a compressed archive. It is highly recommended to exclude the large build artifacts to save space and time.
Assuming $JENKINS_HOME is /var/lib/jenkins:
JENKINS_HOME="/var/lib/jenkins"
BACKUP_TARGET="/mnt/backups/jenkins"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
ARCHIVE_NAME="jenkins_backup_${TIMESTAMP}.tar.gz"
# Create the target directory if it doesn't exist
mkdir -p $BACKUP_TARGET
# Create the archive, excluding build history and workspaces
sudo tar -czvf "${BACKUP_TARGET}/${ARCHIVE_NAME}" \
--exclude="${JENKINS_HOME}/workspace" \
--exclude="${JENKINS_HOME}/caches" \
--exclude="${JENKINS_HOME}/jobs/*/builds" \
"${JENKINS_HOME}"
Tip: Including Build History
If retaining build history (
jobs/*/builds) is critical, you can remove the corresponding--excludeflag. However, be prepared for archive sizes potentially reaching hundreds of gigabytes.
Step 3: Verify and Store Offsite
Once the archive is created, test that it can be read before you trust it:
tar -tzf "${BACKUP_TARGET}/${ARCHIVE_NAME}" >/dev/null
Then transfer it to an external storage location, such as an S3 bucket or a network backup system, so a local disk failure does not destroy both Jenkins and its backup.
Step 4: Restart Jenkins
sudo systemctl start jenkins
Method 2: Utilizing the Jenkins Backup Plugin (Partial Solution)
While plugins like the ThinBackup or Backup Plugin exist, they often only capture configuration files (config.xml) and may not handle large files or all necessary security elements robustly. These are generally suitable for backing up job configurations only and should not be relied upon for a full, secure disaster recovery strategy.
Restoring Your Jenkins Instance
Restoration involves copying the backed-up data to the target machine's $JENKINS_HOME directory and ensuring file permissions are correct before starting the service.
Step 1: Prepare the Target Environment
Ensure that the target system (or the repaired system) has Jenkins installed, but keep the service stopped.
sudo systemctl stop jenkins
Step 2: Clear Existing Jenkins Data (Optional but Recommended)
If you are restoring to a machine that previously hosted Jenkins, clear out the existing $JENKINS_HOME contents to ensure the environment is clean.
# Use caution with the 'rm -rf' command!
sudo rm -rf /var/lib/jenkins/*
Step 3: Extract the Backup Archive
Copy the compressed archive (jenkins_backup_latest.tar.gz) to the target machine and extract it into the $JENKINS_HOME directory. The -C flag specifies the target directory for extraction.
# Assuming the archive is in /tmp and JENKINS_HOME is /var/lib/jenkins
sudo tar -xzvf /tmp/jenkins_backup_latest.tar.gz -C /var/lib/
# Note: If the tar command included the parent directory in the archive, adjust the path.
# The result should be the contents of the archive replacing the contents of /var/lib/jenkins
Step 4: Verify and Correct Permissions
This is the most critical step after restoration. If the file ownership is incorrect, Jenkins will fail to start or operate securely. You must set the ownership recursively to the user and group that the Jenkins service runs as (often jenkins:jenkins).
JENKINS_HOME="/var/lib/jenkins"
JENKINS_USER="jenkins"
JENKINS_GROUP="jenkins"
sudo chown -R $JENKINS_USER:$JENKINS_GROUP $JENKINS_HOME
sudo find "$JENKINS_HOME" -type d -exec chmod 755 {} \;
sudo find "$JENKINS_HOME" -type f -exec chmod 644 {} \;
sudo chmod -R go-rwx "$JENKINS_HOME/secrets" "$JENKINS_HOME/users" 2>/dev/null || true
Step 5: Start Jenkins and Verify
Start the service and monitor the logs to ensure a successful startup.
sudo systemctl start jenkins
# Monitor startup logs
sudo tail -f /var/log/jenkins/jenkins.log
Upon successful startup, verify that all jobs, users, and installed plugins are present and functioning correctly.
Best Practices for Automated Backups
To move beyond manual backups, implement automation using system tools and external configuration management.
1. Leverage Cron Jobs
Schedule the backup script (Steps 1 and 2 from Method 1) to run daily or nightly using cron or a similar scheduler. Ensure the cron job runs as a user with appropriate permissions to stop and start the Jenkins service and read/write to the $JENKINS_HOME directory.
2. Configuration as Code (CasC)
Consider adopting Jenkins Configuration as Code (CasC). CasC defines Jenkins settings, jobs, and plugins using declarative YAML files. By storing these YAML files in a separate source control repository (like Git), your configuration becomes portable and version-controlled, drastically simplifying the core backup requirement.
Takeaway
Treat a Jenkins backup as useful only after you have tested a restore. A good recovery plan preserves config.xml, jobs/, plugins/, users/, credentials.xml, and secrets/, then verifies that jobs can run on a clean instance.
Warning: Securing Credentials
When restoring an instance, ensure that the
secrets/directory is present and correct. If Jenkins cannot find the keys used to encrypt credentials (like API keys or passwords), those credentials will become unusable and must be re-entered manually.