Changelog History

  • v5.6.0 Changes

    October 02, 2019

    feature

    There is a new experimental method of resource checking, which is off by default but can be turned on via CONCOURSE_ENABLE_LIDAR.

    The entire system has been redesigned to be asynchronous, but that shouldn't have any effect on your existing workflows. fly check-resource and fly check-resource-type will continue to work the way you expect them to (except for a small change to the command output). In addition you can now specify an --async flag if you don't want to wait for the check to finish.

    It's worth noting that Concourse performs a lot of checks (like A LOT). Since we're now storing checks in the database, this table will tend to grow very quickly. By default checks get gc'ed every 6 hrs, but this interval can be configured by specifying a CONCOURSE_GC_CHECK_RECYCLE_PERIOD. If you want to reduce the number of checks that happen, you can start making heavier use of the webhook endpoint to trigger checks from external sources. This allows you to significantly reduce the check_every interval (default 1m) for your resource without impacting the time it takes to schedule a build.

    If you're interested in more detail about what changed you can have a look at the corresponding PR #4202 or the initial issue #3788.

    feature

    • Fly has a new sub-command pin-resource, which will pin a resource (and optionally comment) given at least one field of the version to pin to #2702 #4417.

    feature

    Credentials fetched from a credential manager will now be automatically redacted from build output, thanks to a couple of PRs by @evanchaoli! #4311 #4398

    This feature is currently opt-in. To learn how to enable it, check out the docs.

    feature

    • @ralekseenkov added a web runtime flag CONCOURSE_SECRET_CACHE_DURATION_NOTFOUND to set a separate caching interval when a secret is not successfully found in the config store. Defaults to 10s. Addresses #3895 #4009.

    feature

    • The cluster name can now be added to each and every log line with the handy dandy --log-cluster-name flag, available on the web nodes. This can be used in a scenario where you have multiple Concourse clusters forwarding logs to a common sink and have no other way of categorizing the logs. Thanks again @evanchaoli! #4387

    feature

    • @thoHeinze added CONCOURSE_GARDEN_NETWORK_POOL as a configurable flag in the BOSH release.
      Defaults to Garden's range of 10.254.0.0/22. Addresses #4153.

    feature

    • @joshzarrabi and @aemengo added CONCOURSE_GARDEN_MAX_CONTAINERS as a configurable flag in the BOSH release.
      Defaults to 250. Please note that setting this limit over 250 has not been tested by the Garden team or the Concourse team. #43.

    feature

    • When the web node is instructing a worker to create a container, any logs emitted will mention that worker's name #4438. Thanks @christophermancini!

    fix

    • @robwhitby fixed an issue with fly login where Safari would block your token from being transferred to fly #4314, #4423, #4439.

    fix

    • The fly set-team documentation when running --help previously suggested that a list is a valid input to any auth configuration flags. This doesn't mean you can supply a comma-separated list to the flag, rather that the flag can be provided multiple times. The fly set-team help documentation now reflects this, thanks to @niall-byrne! #4348

    fix

    • @nelsam fixed a delicate bug where /opt/resource/out scripts in resources could crash web nodes by outputting null to stdout, causing a nil pointer dereference #4442.

    fix

    • @kmdouglass fixed a bug introduced by #3037 in v5.5.0 where Prometheus metrics would get clogged up with data about workers that were no longer registering #4445.

    fix

    • @int-tt corrected the DNS proxy used by workers when running in Docker to compress the response message sent to the client. #4479 #4478
  • v5.5.11 Changes

    April 24, 2020

    feature

    Operators can now limit the number of concurrent API requests that your web node will serve by passing a flag like --concurrent-request-limit action:limit where action is the API action name as it appears in the action matrix in our docs.

    If the web node is already concurrently serving the maximum number of requests allowed by the specified limit, any additional concurrent requests will be rejected with a 503 Service Unavailable status. If the limit is set to 0, the endpoint is effectively disabled, and all requests will be rejected with a 501 Not Implemented status.

    Currently the only API action that can be limited in this way is ListAllJobs -- we considered allowing this limit on arbitrary endpoints but didn't want to enable operators to shoot themselves in the foot by limiting important internal endpoints like worker registration.

    It is important to note that, if you use this configuration, it is possible for super-admins to effectively deny service to non-super-admins. This is because when super-admins look at the dashboard, the API returns a huge amount of data (much more than the average user) and it can take a long time (over 30s on some clusters) to serve the request. If you have multiple super-admin dashboards open, they are pretty much constantly consuming some portion of the number of concurrent requests your web node will allow. Any other requests, even if they are potentially cheaper for the API to service, are much more likely to be rejected because the server is overloaded by super-admins. Still, the web node will no longer crash in these scenarios, and non-super-admins will still see their dashboards, albeit without nice previews. To work around this scenario, it is important to be careful of the number of super-admin users with open dashboards. #5484
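
The two rejection behaviours described above, as a small Go handler wrapper. This is an added example, not Concourse's implementation: limitConcurrent, ProbeStatus and the hold=1 query marker are hypothetical names, and /api/v1/jobs is the endpoint this page ties to listing all jobs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// limitConcurrent (hypothetical, not Concourse's code): limit 0 disables the
// endpoint with 501; otherwise requests beyond `limit` in flight get 503.
func limitConcurrent(limit int, next http.Handler) http.Handler {
	slots := make(chan struct{}, limit) // counting semaphore, one token per request
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if limit == 0 {
			w.WriteHeader(http.StatusNotImplemented)
			return
		}
		select {
		case slots <- struct{}{}:
			defer func() { <-slots }() // free the slot when the request ends
			next.ServeHTTP(w, r)
		default: // every slot is busy: reject instead of queueing
			w.WriteHeader(http.StatusServiceUnavailable)
		}
	})
}

// ProbeStatus parks up to `held` slow requests (never more than `limit`)
// inside the handler, then returns the status one more request receives.
func ProbeStatus(limit, held int) int {
	entered, release := make(chan struct{}), make(chan struct{})
	h := limitConcurrent(limit, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("hold") == "1" { // constructed marker for a slow request
			entered <- struct{}{}
			<-release
		}
		w.WriteHeader(http.StatusOK)
	}))
	for i := 0; i < held && i < limit; i++ {
		go h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "/api/v1/jobs?hold=1", nil))
		<-entered // this request now occupies a slot
	}
	probe := httptest.NewRecorder()
	h.ServeHTTP(probe, httptest.NewRequest("GET", "/api/v1/jobs", nil))
	close(release) // let the parked requests finish
	return probe.Code
}

func main() { fmt.Println(ProbeStatus(2, 2), ProbeStatus(2, 1), ProbeStatus(0, 0)) }
```

Because rejected requests are not queued, a few long-running callers holding every slot is enough to make all other callers see 503, which is the super-admin dashboard effect described above.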

    breaking

    • It has long been possible to configure concourse either by passing flags to the binary, or by passing their equivalent CONCOURSE_* environment variables. Until now we had noticed that when an environment variable is passed, the flags library we use would treat it as a "default" value -- this is a bug. We issued a PR to that library adding stricter validation for flags passed via environment variables. What this means is that operators may have been passing invalid configuration via environment variables and concourse wasn't complaining -- after this upgrade, that invalid configuration will cause the binary to fail. Hopefully it's a good prompt to fix up your manifests! #5484

    feature

    • Add loading indicator on dashboard while awaiting initial API response. #5427

    fix

    • Now the dashboard will not initiate a request for more data until the previous request finishes. The dashboard page refreshes its data every 5 seconds, and until now, it was possible (especially for admin users) for the dashboard to initiate an ever-growing number of concurrent API calls. This would unnecessarily consume browser, network and API resources, and in some cases could even overload the web node to the point that it would crash. #5472
  • v5.5.10 Changes

    March 24, 2020

    fix

    • Fix an edge case of CVE-2018-15798 where the redirect URI during the login flow could be embedded with a malicious host.
  • v5.5.9 Changes

    March 23, 2020

    fix

    • Added a flag, --disable-list-all-jobs. When this flag is passed, the /api/v1/jobs endpoint (which is known to have performance issues) will always return an empty JSON array instead of making complex and expensive database operations. The most significant end-user impact of this change should be that the dashboard will no longer display pipeline previews. #5340
  • v5.5.8 Changes

    February 26, 2020

    fix

    • Bump golang.org/x/crypto module from v0.0.0-20191119213627-4f8c1d86b1ba to v0.0.0-20200220183623-bac4c82f6975 to address vulnerability in ssh package.
  • v5.5.7 Changes

    December 19, 2019

    security

    • Updates the git resource to v1.6.3 to address a recently reported security vulnerability:
      • CVE-2019-19604:
      • Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.

    fix

    @vito bumped the autocert dependency so that Let's Encrypt will default to the ACME v2 API. #4912

    > Note: This backported fix includes the bump to the default value, which was originally a follow-up patch in v5.7.3.

  • v5.5.6 Changes

    November 15, 2019

    feature

    • API endpoints have been changed to use a single transaction per request, so that they become "all or nothing" instead of holding data in memory while waiting for another connection from the pool. This could lead to snowballing and increased memory usage as requests from the web UI (polling every 5 seconds) piled up. #4494
  • v5.5.5 Changes

    November 08, 2019

  • v5.5.4 Changes

    October 24, 2019

    fix

    • Concourse now garbage-collects worker containers and volumes that are not tracked in the database. In some niche cases, it is possible for containers and/or volumes to be created on the worker, but the database (via the web) assumes their creation had failed. If this occurs, these untracked containers can pile up on the worker and use resources. #3600 ensures that they get cleaned appropriately.

    fix

    • Add 5 minute timeout for baggageclaim destroy calls. #4516

    fix

    • Add 5 minute timeout for worker's garden client http calls. This is primarily to address cases such as destroy which may hang indefinitely causing GC to stop occurring. #4467

    fix

    • Transition failed state containers to destroying resulting in them being GC'ed. This ensures that if web's call to garden to create a container times out, the container is subsequently deleted from garden prior to being deleted from the db. This keeps the web's and worker's state consistent. #4562
  • v5.5.3 Changes

    September 30, 2019

    Note there is no v5.5.2 release, due to an issue with our release pipeline.

    Security

    • This is a Security patch using GoLang v1.13.1 that addresses a recently reported issue with Go net/http (CVE-2019-16276).
      GoLang's net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling.
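
A check for the malformed headers described above, as an added example that is not part of the Concourse or Go code: InvalidFieldNames (a hypothetical name) scans a raw request head for field names followed by whitespace before the colon, which RFC 7230 section 3.2.4 requires a server to reject with 400. The sample request is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// InvalidFieldNames returns the header field names in a raw HTTP/1.1 request
// head that have a space or tab between the name and the colon. Names are
// returned with that trailing whitespace trimmed.
func InvalidFieldNames(rawHead string) []string {
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(rawHead))
	sc.Scan() // skip the request line; it is not a header field
	for sc.Scan() {
		line := sc.Text() // ScanLines already drops the trailing CR
		if line == "" {
			break // blank line ends the header section
		}
		if line[0] == ' ' || line[0] == '\t' {
			continue // obsolete line folding: continuation of the previous value
		}
		colon := strings.IndexByte(line, ':')
		if colon <= 0 {
			continue // malformed in other ways; out of scope for this check
		}
		name := strings.TrimRight(line[:colon], " \t")
		if name != line[:colon] {
			bad = append(bad, name)
		}
	}
	return bad
}

// Constructed sample request head with one invalid field; not real traffic.
const sampleHead = "GET / HTTP/1.1\r\n" +
	"Host: ci.example.test\r\n" +
	"X-Example : value\r\n" +
	"Accept: */*\r\n" +
	"\r\n"

func main() { fmt.Println(InvalidFieldNames(sampleHead)) }
```

Running the same check at the reverse proxy and at the backend makes both sides reject the request rather than interpret it differently.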