All Versions
50
Latest Version
Avg Release Cycle
28 days
Latest Release
413 days ago

Changelog History
Page 3

  • v5.6.0 Changes

    October 02, 2019

    ๐Ÿฑ ๐Ÿ”— feature

    There is a new experimental method of resource checking, which is off by default but can be turned on via CONCOURSE_ENABLE_LIDAR.

    The entire system has been redesigned to be asynchronous, but that shouldn't have any affect on your existing workflows. fly check-resource and fly check-resource-type will continue to work the way you expect them to (except for a small change to the command output). In addition you can now specify an --async flag if you don't want to wait for the check to finish.

    It's worth noting that concourse performs a lot of checks (like A LOT). Since we're now storing checks in the database, this table will tend to grow very quickly. By default checks get gc'ed every 6 hrs, but this interval can be configured by specifying a CONCOURSE_GC_CHECK_RECYCLE_PERIOD. If you want to reduce the number of checks that happen, you can start making heavier use of the webhook endpoint to trigger checks from external sources. This allows you to significantly reduce the check_every interval (default 1m) for your resource without impacting the time it takes to schedule a build.

    If you're interested in more detail about what changed you can have a look at the corresponding PR #4202 or the initial issue #3788.

    ๐Ÿฑ ๐Ÿ”— feature

    • ๐Ÿ“Œ Fly has a new sub-command pin-resource, which will pin a resource (and optionally comment) given at least one field of the version to pin to #2702 #4417.

    ๐Ÿฑ ๐Ÿ”— feature

    ๐Ÿฑ ๐Ÿ”— feature

    ๐Ÿฑ ๐Ÿ”— feature

    ๐Ÿ— Credentials fetched from a credential manager will now be automatically redacted from build output, thanks to a couple of PRs by @evanchaoli! #4311 #4398

    ๐Ÿ“„ This feature is currently opt-in. To learn how to enable it, check out the docs.

    ๐Ÿฑ ๐Ÿ”— feature

    • @ralekseenkov added a web runtime flag CONCOURSE_SECRET_CACHE_DURATION_NOTFOUND to set a separate caching interval when a secret is not successfully found in the config store. Defaults to 10s. Addresses #3895 #4009.

    ๐Ÿฑ ๐Ÿ”— feature

    • ๐Ÿ”Š The cluster name can now be added to each and every log line with the handy dandy --log-cluster-name flag, available on the web nodes. This can be used in a scenario where you have multiple Concourse clusters forwarding logs to a common sink and have no other way of categorizing the logs. Thanks again @evanchaoli! #4387

    ๐Ÿฑ ๐Ÿ”— feature

    • @thoHeinze added CONCOURSE_GARDEN_NETWORK_POOL as configurable flag in BOSH release.
      0๏ธโƒฃ Defaults to Garden's range of 10.254.0.0/22. Addresses #4153.

    ๐Ÿฑ ๐Ÿ”— feature

    • @joshzarrabi and @aemengo added CONCOURSE_GARDEN_MAX_CONTAINERS as configurable flag in BOSH release.
      ๐Ÿš€ Defaults to 250. Please note that setting this limit over 250 has not been tested by the Garden team or the Concourse team. #43.

    ๐Ÿฑ ๐Ÿ”— feature

    • ๐Ÿ”Š When the web node is instructing a worker to create a container, any logs emitted will mention that worker's name #4438. Thanks @christophermancini!

    ๐Ÿฑ ๐Ÿ”— feature

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿ›  @robwhitby fixed an issue with fly login where Safari would block your token from being transferred to fly #4314, #4423, #4439.

    ๐Ÿฑ ๐Ÿ”— fix

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿ“š The fly set-team documentation when running --help previously suggested that a list is a valid input to any auth configuration flags. This doesn't mean you can supply a comma-separated list to the flag, rather that the flag can be provided multiple times. The fly set-team help documentation now reflects this, thanks to @niall-byrne! #4348

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿ›  @nelsam fixed a delicate bug where /opt/resource/out scripts in resources could crash web nodes by outputing null to stdout, causing a nil pointer dereference #4442.

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿš€ @kmdouglass fixed a bug introduced by #3037 in v5.5.0 where prometheus metrics would get clogged up with data about workers that were no longer registering #4445.

    ๐Ÿฑ ๐Ÿ”— fix

    ๐Ÿฑ ๐Ÿ”— fix

    ๐Ÿฑ ๐Ÿ”— fix

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿณ @int-tt corrected the DNS proxy used by workers when running in Docker to compress the response message sent to the client. #4479 #4478
  • v5.5.11 Changes

    April 24, 2020

    ๐Ÿฑ ๐Ÿ”— feature

    ๐ŸŒ Operators can now limit the number of concurrent API requests that your web node will serve by passing a flag like --concurrent-request-limit action:limit where action is the API action name as they appear in the action matrix in our docs.

    ๐ŸŒ If the web node is already concurrently serving the maximum number of requests allowed by the specified limit, any additional concurrent requests will be rejected with a 503 Service Unavailable status. If the limit is set to 0, the endpoint is effectively disabled, and all requests will be rejected with a 501 Not Implemented status.

    ๐Ÿ‘ท Currently the only API action that can be limited in this way is ListAllJobs -- we considered allowing this limit on arbitrary endpoints but didn't want to enable operators to shoot themselves in the foot by limiting important internal endpoints like worker registration.

    ๐Ÿ‘€ It is important to note that, if you use this configuration, it is possible for super-admins to effectively deny service to non-super-admins. This is because when super-admins look at the dashboard, the API returns a huge amount of data (much more than the average user) and it can take a long time (over 30s on some clusters) to serve the request. If you have multiple super-admin dashboards open, they are pretty much constantly consuming some portion of the number of concurrent requests your web node will allow. Any other requetss, even if they are potentially cheaper for the API to service, are much more likely to be rejected because the server is overloaded by super-admins. Still, the web node will no longer crash in these scenarios, and non-super-admins will still see their dashboards, albeit without nice previews. To work around this scenario, it is important to be careful of the number of super-admin users with open dashboards. #5484

    ๐Ÿฑ ๐Ÿ”— breaking

    • โฌ†๏ธ It has long been possible to configure concourse either by passing flags to the binary, or by passing their equivalent CONCOURSE_* environment variables. Until now we had noticed that when an environment variable is passed, the flags library we use would treat it as a "default" value -- this is a bug. We issued a PR to that library adding stricter validation for flags passed via environment variables. What this means is that operators may have been passing invalid configuration via environment variables and concourse wasn't complaining -- after this upgrade, that invalid configuration will cause the binary to fail. Hopefully it's a good prompt to fix up your manifests! #5484

    ๐Ÿฑ ๐Ÿ”— feature

    • โž• Add loading indicator on dashboard while awaiting initial API response. #5427

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿ’ป Now the dashboard will not initiate a request for more data until the previous request finishes. The dashboard page refreshes its data every 5 seconds, and until now, it was possible (especially for admin users) for the dashboard to initiate an ever-growing number of concurrent API calls. This would unnecessarily consume browser, network and API resources, and in some cases could even overload the web node to the point that it would crash. #5472
  • v5.5.10 Changes

    March 24, 2020

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿ›  Fix an edge case of CVE-2018-15798 where redirect URI during login flow could be embedded with a malicious host.
  • v5.5.9 Changes

    March 23, 2020

    ๐Ÿฑ ๐Ÿ”— fix

    • โž• Added a flag, --disable-list-all-jobs. When this flag is passed, the /api/v1/jobs endpoint (which is known to have performance issues) will always return an empty JSON array instead of making complex and expensive database operations. The most significant end-user impact of this change should be that the dashboard will no longer display pipeline previews. #5340
  • v5.5.8 Changes

    February 26, 2020

    ๐Ÿฑ ๐Ÿ”— fix

    • โฌ†๏ธ Bump golang.org/x/crypto module from v0.0.0-20191119213627-4f8c1d86b1ba to v0.0.0-20200220183623-bac4c82f6975 to address vulnerability in ssh package.
  • v5.5.7 Changes

    December 19, 2019

    ๐Ÿ”’ ๐Ÿ”— security

    • ๐Ÿš€ Updates the git resource to v1.6.3 to address a recently reported security vulnerability:
      • CVE-2019-19604:
      • Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.

    ๐Ÿฑ ๐Ÿ”— fix

    0๏ธโƒฃ @vito bumped the autocert dependency so that Let's Encrypt will default to the ACME v2 API. #4912

    0๏ธโƒฃ > Note: This backported fix includes the bump to the default value, which was

    originally a follow-up patch in v5.7.3.

  • v5.5.6 Changes

    November 15, 2019

    ๐Ÿฑ ๐Ÿ”— feature

    • ๐Ÿ’ป API endpoints have been changed to use a single transaction per request, so that they become "all or nothing" instead of holding data in memory while waiting for another connection from the pool. This could lead to snowballing and increased memory usage as requests from the web UI (polling every 5 seconds) piled up. #4494
  • v5.5.5 Changes

    November 08, 2019

    ๐Ÿฑ ๐Ÿ”— feature

  • v5.5.4 Changes

    October 24, 2019

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿ‘ท Concourse now garbage-collects worker containers and volumes that are not tracked in the database. In some niche cases, it is possible for containers and/or volumes to be created on the worker, but the database (via the web) assumes their creation had failed. If this occurs, these untracked containers can pile up on the worker and use resources. #3600 ensures that they get cleaned appropriately.

    ๐Ÿฑ ๐Ÿ”— fix

    • โž• Add 5 minute timeout for baggageclaim destroy calls. #4516

    ๐Ÿฑ ๐Ÿ”— fix

    • โž• Add 5 minute timeout for worker's garden client http calls. This is primarily to address cases such as destroy which may hang indefinitely causing GC to stop occurring. #4467

    ๐Ÿฑ ๐Ÿ”— fix

    • ๐Ÿ‘ท Transition failed state containers to destroying resulting in them being GC'ed. This ensures that if web's call to garden to create a container times out, the container is subsequently deleted from garden prior to being deleted from the db. This keeps the web's and worker's state consistent. #4562
  • v5.5.3 Changes

    September 30, 2019

    Note there is no v5.5.2 release, due to an issue with our release pipeline.

    ๐Ÿ”’ ๐Ÿ”— Security

    • ๐Ÿ”’ This is a Security patch using GoLang v1.13.1 that address a recently reported issue with Go net/http (CVE-2019-16276).
      GoLang's net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling.