Concourse v5.0.0 Release Notes

Release Date: 2019-03-06
  • This release is a doozy. You should probably read these release notes in full - there are a ton of substantial new features and a good (bad?) amount of breaking changes.

    Sorry this took so long! The holiday season took its toll, but we also got a bit overzealous with piling feature work on master, and well, we restructured the entire project and re-created its pipeline from scratch, so that didn't help.

    On the plus side, the project restructure is now done, and we'll be implementing a new release process soon that should prevent these kinds of hold-ups from happening again in the future.

    Special thanks to the many individuals in the community who took part in this release - whether you submitted a PR, helped triage issues, helped people out on the forums or in Discord, or simply cheered us on, every little bit helps keep the project humming along. We deeply appreciate it, and look forward to delivering y'all a better and better CI system - hopefully, more continuously.

    feature, breaking

    We have done a major internal overhaul of how resource versions are stored. As a result, the version history for each resource across your pipelines will be re-set upon upgrading to v5.0.

    The upgrade does however preserve the state of which versions were disabled, and the data relating versions to builds they were inputs to and outputs of.

    In versions prior to v5.0, resource version history was associated to a pipeline resource by name. This meant that if you changed a resource's configuration or type, those old versions would actually stick around, even though they may technically no longer be appropriate.

    With v5.0, resource versions are now tied directly to an anonymous "resource config" - basically the source: and type: for the resource. Pipeline resources instead point to a config, and if their source: or type: changes, they'll point to a new config with its own version history.

    This improves the correctness of the system as a whole, eliminating the need to ever "purge" the history of a resource.

    In addition, now that versions are tied directly to their configs, check containers are also shared across teams, reducing the overall container count. As a result, however, we have limited who can fly intercept check containers.

    Building on this change, we are currently experimenting with improvements that can now be made to reduce the overall checking overhead across a Concourse cluster that has many equivalent resource definitions across pipelines and teams. This is currently off by default while we learn more about the implications - see Global Resources for more information.

    fix, breaking

    We have removed --allow-all-users as almost every use has been a misuse. You must configure users explicitly now instead. The flag was intended for development environments, but even those were trivial to switch to a local user whitelist.

    If you were setting this flag before, you probably didn't mean to - setting this with GitHub OAuth configured, for example, would allow literally everyone to be a part of your team and manage your pipelines.

    After upgrading, any teams that had this configured will preserve the behavior from before - they will continue to allow all users. The next time the teams are configured, however, you will have to specify something else, as the CLI no longer has the flag.

    feature, breaking

    The concourse binary distribution has been rejiggered. Rather than a self-contained binary, we now ship it as a .tgz containing the binary and its dependencies pre-extracted. The .tgz should be extracted somewhere like /usr/local, resulting in /usr/local/concourse/bin/....

    The main benefit of this is simplification and faster startup. The concourse worker command no longer needs to extract resource types/etc. on start, so this speeds that up quite a bit.

    The concourse binary no longer directly embeds Garden-runC code, and instead ships alongside the gdn binary, copied from their releases. This simplifies the interface for configuring Garden and allows us to leverage their build process rather than risking deviation.

    The "breaking" aspect of this is that if you have been passing esoteric flags to Garden you'll have to switch to using a config file via --garden-config instead, or pass them as env vars (e.g. CONCOURSE_GARDEN_FOO_BAR) - flags are no longer supported as those relied on directly embedding their code.

    feature, breaking

    Workers can now be configured to periodically rebalance so that they don't end up all forwarding through a single web node. This is done by setting the --rebalance-interval flag on concourse worker. The rebalancing makes sure to drain in-flight connections and should not disrupt any in-flight builds.

    Along the way, we removed support for direct worker registration. The --peer-ip flag is no longer available on concourse worker. To transition to 5.0, just remove the flag - the worker will register via forwarding instead.

    Forwarding is more secure as it doesn't require opening your workers up to inbound traffic. It's easier for us to just focus on one registration method and make sure it works well.

    This also sets us up for enforcing TLS for all traffic to the forwarded workers in the future (#2415).

    feature, breaking

    The Concourse BOSH release has been redesigned and is now centered around the concourse binary.

    Warning: Be sure to recreate your workers after or during the deploy, as the location that the worker stores volumes has changed and the old volume directory will not be cleaned up, effectively leaking disk usage.

    Warning: The additional_resource_types property can no longer be configured. We plan to add another mechanism for co-located resources in future releases.

    The concourse release no longer needs to be deployed alongside a garden-runc BOSH release, and instead embeds the gdn binary directly.

    Along the way, we have adopted BPM and now use it for deploying the web node. We also enforce a higher nofile limit which should make large-scale deployments more...scaley.

    fix, breaking

    Two flags have been modified to be more consistent with other flag syntax:

    concourse web --vault-auth-param foo=bar should now be specified as concourse web --vault-auth-param foo:bar (note the :).

    concourse web --tsa-team-authorized-keys team=path/to/key should now be specified as concourse web --tsa-team-authorized-keys team:path/to/key (note the :).
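
    A pre-upgrade check for the flag changes described so far (--allow-all-users and --peer-ip removed, = changed to : for the two flags above), as an added example that is not part of the release notes or the Concourse code base. The sample commands, hosts, paths and the lint_command helper are constructed for illustration.

```python
import shlex

# Flags the v5.0 notes say are gone, with the migration the notes give.
REMOVED = {
    "--allow-all-users": "removed; list the allowed users explicitly",
    "--peer-ip": "removed; drop it, the worker registers via forwarding",
}
# Removed flags that are followed by a value (so the value is consumed too).
TAKES_VALUE = {"--peer-ip"}
# Flags whose key/value separator changed from '=' to ':'.
COLON_VALUED = {"--vault-auth-param", "--tsa-team-authorized-keys"}


def lint_command(command):
    """Return (flag, old_value, advice) findings for one command line."""
    tokens = shlex.split(command)
    findings = []
    i = 0
    while i < len(tokens):
        # Accept both "--flag value" and "--flag=value" spellings.
        flag, has_inline, inline = tokens[i].partition("=")
        i += 1
        if not flag.startswith("--"):
            continue
        needs_value = flag in COLON_VALUED or flag in TAKES_VALUE
        value = inline
        if needs_value and not has_inline and i < len(tokens):
            value = tokens[i]
            i += 1
        if flag in REMOVED:
            findings.append((flag, value, REMOVED[flag]))
        elif flag in COLON_VALUED:
            key, eq, rest = value.partition("=")
            # "foo=bar" is the pre-5.0 form; "foo:bar" is already migrated.
            if eq and ":" not in key:
                findings.append((flag, value, f"use {flag} {key}:{rest}"))
    return findings


# Constructed sample commands (hosts, paths and names are made up).
SAMPLES = [
    "concourse web --vault-auth-param role_id=abc "
    "--tsa-team-authorized-keys dev=/keys/dev.pub",
    "concourse worker --peer-ip 10.0.0.5 --rebalance-interval 1h",
    "fly -t ci set-team -n dev --allow-all-users",
    "concourse web --vault-auth-param=role_id:abc",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        for flag, value, advice in lint_command(cmd):
            print(f"{flag} {value}".rstrip(), "->", advice)
```

    Run it over unit files, BOSH manifests or wrapper scripts before the upgrade; teams that already have allow-all-users set keep that behavior after upgrading, so they still need a separate review.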

    feature

    The Concourse GitHub repository has been completely restructured. This isn't really a feature per se, but it should make contributing a lot easier.

    More on this on our blog post: The Great Process Update of 2018.

    feature

    A new resource, the registry-image resource, has been added to the core. This resource is intended to replace the docker-image resource for image pulling and pushing (but not building).

    This resource improves on the docker-image resource in a few ways:

    It doesn't run Docker to fetch the image - it's written in pure Go, using the google/go-containerregistry package. This makes the implementation much less error-prone.

    Because it doesn't run Docker, it doesn't need a privileged container. The fewer privileged containers in your cluster, the better - especially in light of [recent CVE fixes](https://github.com/concourse/concourse/releases/tag/v4.2.3).

    By focusing solely on fetching and pushing, the resource is much smaller and simpler. It also has test coverage!

    The output has pretty colors.

    This all results in much faster, more efficient, and resilient image fetching. We recommend that everyone try switching their image_resources and Resource Types over - in most cases this is just a matter of replacing type: docker-image with type: registry-image.

    We intend to deprecate and phase out support for the docker-image resource in favor of the registry-image resource. We can't really do this until there's a solid direction for image building - preferably with a task, not a resource. This is a more natural split, and supports building images without pushing them - a long awaited ask of the docker-image resource.

    An experimental task for this is available at concourse/builder. This is not yet official, but we've been using it in our own pipeline and it's been pretty solid. Feel free to give it a try!

    The next step from here is to actually kick off an RFC for reusable tasks - we're still collecting our thoughts for that in (RF)RFC #7. Once this is done we can formalize concourse/builder.

    feature

    We have introduced the first phase of role-based access control!

    Right now there are only a few statically defined roles. We started off by supporting the common request of having read-only team members ('team viewer'), and adding a slightly less powerful 'team member' role. See User Roles & Permissions for more information.

    Here's a quick rundown of how things have changed:

    Existing team auth config will be transitioned to the Team Owner role - that is, anyone that can authenticate prior to the upgrade will now be authenticated as an owner of their team. This role is the closest equivalent to what they could do before.

    The main team still has special admin power, with the slight tweak that only users that are an owner of the main team have admin capabilities.

    Before, team members could rename or destroy their own team. Team owners no longer have this power - only admins can do this.

    The Team Member role is a new role that allows users to have full read and write powers within the team, except for being able to modify the team itself.

    The Team Viewer role is a new role that allows users to browse the team's pipelines, builds, resources, etc. without permitting any sensitive operations (like fly get-pipeline or triggering builds).

    For a detailed breakdown of each role's capabilities, see the Permission Matrix. To learn how to configure these roles after upgrading, see Setting User Roles.

    If you're curious about the design process for this feature, check out RFC #3 (RBAC)!

    feature

    We have replaced resource pausing with resource pinning.

    Resource pausing had the effect of disabling the periodic checking for the paused resource. However we found that in most cases it was being used in combination with disabling versions to effectively pin a resource to the most recent available version.

    However, with global resource versions, each resource actually points to a shared history, so pausing checking wouldn't be enough - if any other pipelines had the same resource, new versions would still arrive!

    So instead, versions can now be pinned individually via the web UI or via the pipeline config (see version). Pinned resources will also skip periodic checking, but now even if the checking still happens (because some other pipeline had it un-pinned), the resource will stay pinned to the desired version.

    A comment can also be left on pinned versions for explaining to your team-mates why you decided to pin the resource.

    During the 5.0 upgrade, paused resources will be automatically transitioned to their pinned equivalent, by pinning the resource to the most recent available version. A comment will be left on any resources that are migrated so that it's clear to pipeline users.

    feature

    Task ((vars)) received a bit of an overhaul, thanks to a PR by @ralekseenkov!

    Values for task ((vars)) can now be provided during fly execute!

    In addition, values may be provided to a task step in a pipeline via vars.

    Tasks can now have ((vars)) pretty much anywhere in their config, not just in image_resource.

    In all cases, vars can also be satisfied via a credential manager, the same as before.

    Admittedly, there is now some cause for confusion with params. This may see clarification with reusable tasks. In addition, pipeline ((params)) will now be referred to as pipeline ((vars)) instead, for consistency.

    feature

    • Any volumes or containers that disappeared from their worker (possibly due to a worker being re-created and then coming back under the same name) will now be automatically reaped from the database. This makes it easier for Concourse to recover from this situation rather than erroring with file not found or unknown handle errors.

    feature

    Logs emitted by Concourse components will now be...slightly prettier? They're still JSON (sorry), but the timestamps and log levels are at least human-readable.

    If you've got anything parsing your logs, make sure to update it accordingly!
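
    A log normalizer that accepts both shapes during a rolling upgrade, as an added example that is not part of the release notes or of Concourse. The notes do not spell out the formats, so the field names (timestamp, level, log_level, source, message, data), the epoch-seconds timestamp and the numeric level mapping of the older shape are assumptions, and both sample lines are constructed.

```python
import json
from datetime import datetime, timezone

# Assumed numeric levels of the older format (not stated in the release notes).
OLD_LEVELS = {0: "debug", 1: "info", 2: "error", 3: "fatal"}


def parse_timestamp(ts):
    """Accept epoch seconds (older lines) or an RFC 3339 UTC string (newer)."""
    try:
        return datetime.fromtimestamp(float(ts), tz=timezone.utc)
    except ValueError:
        pass
    # e.g. 2019-03-06T16:00:00.250000000Z; datetime keeps microseconds only.
    base, _, frac = ts.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6])
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(microsecond=micros, tzinfo=timezone.utc)


def normalize(line):
    """Map one JSON log line of either shape onto a single record layout."""
    rec = json.loads(line)
    if "level" in rec:
        level = rec["level"]
    else:
        level = OLD_LEVELS.get(rec.get("log_level"), "unknown")
    return {
        "time": parse_timestamp(rec["timestamp"]),
        "level": level,
        "source": rec.get("source", ""),
        "message": rec.get("message", ""),
        "data": rec.get("data", {}),
    }


def errors_only(lines):
    """Yield normalized records at error level or above; skip unparsable lines."""
    for line in lines:
        try:
            rec = normalize(line)
        except (ValueError, KeyError, TypeError):
            continue  # banners, truncated lines, non-object JSON
        if rec["level"] in ("error", "fatal"):
            yield rec


# Constructed sample lines; field names and values are assumptions.
OLD_LINE = ('{"timestamp":"1551888000.250000000","source":"atc",'
            '"message":"atc.example.failed","log_level":2,'
            '"data":{"error":"constructed"}}')
NEW_LINE = ('{"timestamp":"2019-03-06T16:00:00.250000000Z","level":"error",'
            '"source":"atc","message":"atc.example.failed",'
            '"data":{"error":"constructed"}}')

if __name__ == "__main__":
    for rec in errors_only([OLD_LINE, "not json", NEW_LINE]):
        print(rec["time"].isoformat(), rec["level"], rec["message"])
```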

    feature

    Concourse will now automatically retry fetching credentials when the request to the credential manager fails, thanks to a PR by @ralekseenkov!

    By default Concourse will retry 5 times, waiting 1 second between each attempt. This can be adjusted with the --secret-retry-attempts and --secret-retry-interval flags on concourse web.

    feature

    Tasks are now permitted to have inputs, outputs, and caches with overlapping paths. This was a hold-over from older versions of the container runtime that did not support this.

    This means that for simple tasks that e.g. make a commit to a git repo, you no longer need to copy the input to the output. Yay!

    feature

    • The put step can now be explicitly given a list of inputs to use, rather than using all of them. This can be used to dramatically speed up builds that have a ton of artifacts prior to a put.

    feature

    The fly login flow has been reworked a bit to better support logging in to a remote session. There's now a prettier landing page that detects when the token transfer fails and lets you copy the token to your clipboard instead.

    The auto-login prompt will also no longer ask for the token, because that disrupts the normal flow of the command. Previously it would ask for a token but then eat half of the keystrokes from then on. Now it just won't ask for a token.

    feature

    • The concourse binary now has a generate-key subcommand to assist with - you guessed it - key generation. This is more portable to other platforms (I'm looking at you, Windows) and is more likely to generate keys that Concourse can actually accept (I'm looking at you, OpenSSH 7.8).

    feature

    • The concourse worker command can now be given a --garden-use-houdini flag on Linux to use the "no-op" Houdini Garden backend for those odd cases where you don't really want containerization. (Use sparingly.)

    feature

    • The timestamps shown in the build header will now transition to absolute instead of relative when the build is over 24 hours old. It wasn't very useful to see things like 128d 15h 30m ago when trying to compare old builds. Thanks for the PR, @Twiknight!

    fix

    You may have seen a scary error cropping up around your resources now and then. Something like worker_resource_config_check__resource_config_check_sessio_fkey references unreticulated spline.

    We fixed it. That thing doesn't even exist anymore. Don't worry about it.

    fix

    With Concourse 4.x configured with an OAuth provider such as GitHub, a user could log in via GitHub even if they weren't technically a member of any team. They couldn't do anything, mind you, but it was confusing that they were allowed to log in in the first place.

    This is no longer permitted.

    Similarly, fly login will also check to make sure you've successfully logged in to the target team and return an error if the team isn't in your token.

    fix

    The AWS SSM credential manager and the AWS SecretsManager credential manager previously had a turf war going on over the AWS_REGION environment variable. They both declared it as their own, meaning if you set it they would both try to be configured, which would fail.

    They now have separately namespaced env vars instead.

    fix

    • fly intercept will now give a better error when it fails to execute the command (e.g. because bash isn't installed in the image).

    feature

    • fly execute can now specify input mappings via -m, which is useful when running with --inputs-from-job when the job renames some inputs.

    fix

    • fly execute with --include-ignored will no longer blow up when files are removed locally.

    feature

    • The error message when a task's file refers to an unknown artifact source (i.e. the foo in foo/ci/task.yml) has been made more descriptive.

    feature

    • There's a new fly command for landing workers remotely, called... fly land-worker. This will initiate the landing process via the API and will ultimately result in the worker process exiting. (Which may end up being re-started by whatever process monitor you use, but hey, it landed.)

    feature

    • The web UI now explains why some get steps have a yellow icon, via a handy-dandy tooltip. (Spoiler: it means the job has never run with that version before!)

    feature

    • fly watch can now be called with --timestamps to show per-line timestamps in the build output. Thanks for the PR, @pivotal-kahin-ng!

    fix

    • fly get-pipeline will now throw an error if the specified pipeline does not exist, rather than returning an empty pipeline config.

    fix

    • Fixed various subtle UI issues with the dashboard page: #2430, #2434, #2435.

    fix

    • fly login will no longer prompt for your auth method when a username/password are given via flags. It'll deduce that you're trying to do local auth.

    fix

    • Task caches are now supported on Windows!

    fix

    • Fixed an internal bug that made UNIQUE constraints for resource_configs ineffective (#2509). This was fairly low-impact, but database integrity matters!

    feature

    • BitBucket auth support has been re-introduced thanks to PRs to Dex and Concourse by @edtan!

    fix

    • The /api/v1/resources and /api/v1/jobs endpoints will now return [] instead of null when there are no resources or jobs, thanks to a PR by @pivotal-kahin-ng.

    feature

    • The dashboard page will now indicate whether you are seeing a pipeline because it's exposed by showing an ominous "eye" icon.

    fix

    • Fixed handling of auth configs set from empty env vars - previously this would result in bogus Dex configuration (e.g. github:, with no org or team) and sometimes cause things to misbehave.

    fix

    • The legibility and anti-aliasing of text in the web UI has been improved.

    fix

    Cleaned up some dashboard behavior when there are no pipelines:

    you can now see which team you're a member of, rather than one big 'no pipelines set' page

    the bar along the bottom will now show up

    there's a fancy ASCII art UI now

    the search function is no longer shown (since there's nothing to search)

    the HD view has been disabled and just redirects to / instead, since there was nothing for it to show

    fix

    • The username part of the top bar will no longer detonate when viewed on a tiny mobile browser.

    fix

    • When a resource's metadata is super wide, it will remain cordoned off to the side rather than uncomfortably squishing the resource's get output. Thanks for the fix, @stigtermichiel!

    fix

    • Concourse will now send TCP keepalives for connections to the database. This will allow it to detect when the connection has been interrupted ungracefully. Thanks for the PR, @SimonXming!

    fix

    • The manifest.json href in the web UI used to be relative to the URL, meaning it was broken on any page except /. This is now fixed.

    fix

    • The web node used to leak both a connection and a goroutine for each build that completed when configured to drain build logs to syslog. This is now fixed. Sorry about that!

    fix

    • The resources and resource types returned by fly get-pipeline will now be in a deterministic order, thanks to a PR by @edtan!

    feature

    • fly curl is a new command to assist with (hopefully occasional) manual API requests to Concourse. Thanks for the PR and collaboration, @simonjohansson!

    fix

    • The --tsa-authorized-keys flag is now optional, for situations where all authorized keys are associated to teams (via --tsa-team-authorized-keys). Thanks for the fix, @tlwr!

    fix

    • The fly status command will now let you know if your token has expired, rather than happily reporting that everything is fine.

    feature

    • A fly userinfo command has been added which will let you know which teams you are logged in to and which roles you have in each team.

    fix

    • The positioning of the "no results" text when searching on the dashboard has been fixed.