Changelog History
v5.6.0 Changes
October 02, 2019
feature
There is a new experimental method of resource checking, which is off by default but can be turned on via `CONCOURSE_ENABLE_LIDAR`.
The entire system has been redesigned to be asynchronous, but that shouldn't have any effect on your existing workflows. `fly check-resource` and `fly check-resource-type` will continue to work the way you expect them to (except for a small change to the command output). In addition, you can now specify an `--async` flag if you don't want to wait for the check to finish.
It's worth noting that Concourse performs a lot of checks (like A LOT). Since we're now storing checks in the database, this table will tend to grow very quickly. By default checks get gc'ed every 6 hrs, but this interval can be configured by specifying a `CONCOURSE_GC_CHECK_RECYCLE_PERIOD`. If you want to reduce the number of checks that happen, you can start making heavier use of the `webhook` endpoint to trigger checks from external sources. This allows you to significantly reduce the `check_every` interval (default 1m) for your resource without impacting the time it takes to schedule a build.
If you're interested in more detail about what changed, you can have a look at the corresponding PR #4202 or the initial issue #3788.
feature
- Fly has a new sub-command, `pin-resource`, which will pin a resource (and optionally comment) given at least one field of the version to pin to #2702 #4417.
feature
- When configuring a job, a subset of the pinned version's fields can now be provided to the `version:` field on a `get` step.
feature
- @evanchaoli added an `age` column to `fly workers`, #4481.
feature
Credentials fetched from a credential manager will now be automatically redacted from build output, thanks to a couple of PRs by @evanchaoli! #4311 #4398
This feature is currently opt-in. To learn how to enable it, check out the docs.
feature
- @ralekseenkov added a web runtime flag, `CONCOURSE_SECRET_CACHE_DURATION_NOTFOUND`, to set a separate caching interval when a secret is not successfully found in the config store. Defaults to 10s. Addresses #3895 #4009.
feature
- The cluster name can now be added to each and every log line with the handy dandy `--log-cluster-name` flag, available on the `web` nodes. This can be used in a scenario where you have multiple Concourse clusters forwarding logs to a common sink and have no other way of categorizing the logs. Thanks again @evanchaoli! #4387
feature
- @thoHeinze added `CONCOURSE_GARDEN_NETWORK_POOL` as a configurable flag in the BOSH release. Defaults to Garden's range of 10.254.0.0/22. Addresses #4153.
feature
- @joshzarrabi and @aemengo added `CONCOURSE_GARDEN_MAX_CONTAINERS` as a configurable flag in the BOSH release. Defaults to 250. Please note that setting this limit over 250 has not been tested by the Garden team or the Concourse team. #43.
feature
- When the web node is instructing a worker to create a container, any logs emitted will mention that worker's name #4438. Thanks @christophermancini!
feature
- @SimonXming added the `content_trust:` field to the `registry-image` resource, so now you can sign your container images with a notary server concourse/registry-image-resource#41, concourse/registry-image-resource#46.
fix
- @robwhitby fixed an issue with `fly login` where Safari would block your token from being transferred to fly #4314, #4423, #4439.
fix
`fly` now validates that, when specifying a specific `version` on a `get` step, only string values (no nested YAML) are allowed #4236.
fix
- The fly `set-team` documentation when running `--help` previously suggested that a list is a valid input to any auth configuration flags. This doesn't mean you can supply a comma-separated list to the flag, rather that the flag can be provided multiple times. The fly `set-team` help documentation now reflects this, thanks to @niall-byrne! #4348
fix
- @nelsam fixed a delicate bug where `/opt/resource/out` scripts in resources could crash web nodes by outputting `null` to `stdout`, causing a nil pointer dereference #4442.
fix
- @kmdouglass fixed a bug introduced by #3037 in v5.5.0 where prometheus metrics would get clogged up with data about workers that were no longer registering #4445.
fix
- @bodin fixed an issue with the `semver-resource` with the git driver: now the resource will create the `file:` specified in the source configuration if it doesn't already exist concourse/semver-resource#102.
fix
- @mgsolid fixed an issue where the git driver for the `semver-resource` would go into an infinite loop when `git push` failed concourse/semver-resource#92.
fix
- @CliffHoogervorst fixed an issue where the `git resource` would show too many commits when `paths:` was specified concourse/git-resource#271.

v5.5.11 Changes
April 24, 2020
feature
Operators can now limit the number of concurrent API requests that your web node will serve by passing a flag like `--concurrent-request-limit action:limit`, where `action` is the API action name as it appears in the action matrix in our docs.
If the web node is already concurrently serving the maximum number of requests allowed by the specified limit, any additional concurrent requests will be rejected with a `503 Service Unavailable` status. If the limit is set to `0`, the endpoint is effectively disabled, and all requests will be rejected with a `501 Not Implemented` status.
Currently the only API action that can be limited in this way is `ListAllJobs` -- we considered allowing this limit on arbitrary endpoints but didn't want to enable operators to shoot themselves in the foot by limiting important internal endpoints like worker registration.
It is important to note that, if you use this configuration, it is possible for super-admins to effectively deny service to non-super-admins. This is because when super-admins look at the dashboard, the API returns a huge amount of data (much more than the average user) and it can take a long time (over 30s on some clusters) to serve the request. If you have multiple super-admin dashboards open, they are pretty much constantly consuming some portion of the number of concurrent requests your web node will allow. Any other requests, even if they are potentially cheaper for the API to service, are much more likely to be rejected because the server is overloaded by super-admins. Still, the web node will no longer crash in these scenarios, and non-super-admins will still see their dashboards, albeit without nice previews. To work around this scenario, it is important to be careful of the number of super-admin users with open dashboards. #5484
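
An added example (not Concourse's own code) of the admission rule described above, including the caveat that slow requests occupying every slot cause a cheap request to be turned away. `limitHandler`, `probeWhileBusy` and the `hold` query parameter are hypothetical names constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// limitHandler caps in-flight requests for one API action (hypothetical helper).
// limit == 0 disables the endpoint (501); at capacity, extra requests get 503.
func limitHandler(limit int, next http.Handler) http.Handler {
	if limit == 0 {
		return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
			http.Error(w, "endpoint disabled", http.StatusNotImplemented)
		})
	}
	slots := make(chan struct{}, limit) // counting semaphore
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case slots <- struct{}{}:
			defer func() { <-slots }()
			next.ServeHTTP(w, r)
		default: // reject at once instead of queueing behind slow requests
			http.Error(w, "concurrent request limit reached", http.StatusServiceUnavailable)
		}
	})
}

// probeWhileBusy parks `held` (<= limit) slow requests, then returns a cheap request's status.
func probeWhileBusy(limit, held int) int {
	entered, release := make(chan struct{}), make(chan struct{})
	inner := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("hold") != "" { // constructed marker: slow request
			entered <- struct{}{}
			<-release
		}
	})
	h := limitHandler(limit, inner)
	for i := 0; i < held; i++ {
		go h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "/api/v1/jobs?hold=1", nil))
		<-entered
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/api/v1/jobs", nil))
	close(release)
	return rec.Code
}

func main() { fmt.Println(probeWhileBusy(2, 2), probeWhileBusy(2, 1), probeWhileBusy(0, 0)) }
```
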
breaking
- It has long been possible to configure concourse either by passing flags to the binary, or by passing their equivalent `CONCOURSE_*` environment variables. Until now we had noticed that when an environment variable is passed, the flags library we use would treat it as a "default" value -- this is a bug. We issued a PR to that library adding stricter validation for flags passed via environment variables. What this means is that operators may have been passing invalid configuration via environment variables and concourse wasn't complaining -- after this upgrade, that invalid configuration will cause the binary to fail. Hopefully it's a good prompt to fix up your manifests! #5484
feature
- Add loading indicator on dashboard while awaiting initial API response. #5427
fix
- Now the dashboard will not initiate a request for more data until the previous request finishes. The dashboard page refreshes its data every 5 seconds, and until now, it was possible (especially for admin users) for the dashboard to initiate an ever-growing number of concurrent API calls. This would unnecessarily consume browser, network and API resources, and in some cases could even overload the web node to the point that it would crash. #5472

v5.5.10 Changes
March 24, 2020
fix
- Fix an edge case of CVE-2018-15798 where redirect URI during login flow could be embedded with a malicious host.

v5.5.9 Changes
March 23, 2020
fix
- Added a flag, `--disable-list-all-jobs`. When this flag is passed, the /api/v1/jobs endpoint (which is known to have performance issues) will always return an empty JSON array instead of making complex and expensive database operations. The most significant end-user impact of this change should be that the dashboard will no longer display pipeline previews. #5340

v5.5.8 Changes
February 26, 2020
fix
- Bump golang.org/x/crypto module from `v0.0.0-20191119213627-4f8c1d86b1ba` to `v0.0.0-20200220183623-bac4c82f6975` to address vulnerability in ssh package.

v5.5.7 Changes
December 19, 2019
security
- Updates the git resource to v1.6.3 to address a recently reported security vulnerability:
  - CVE-2019-19604: Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
fix
- @vito bumped the `autocert` dependency so that Let's Encrypt will default to the ACME v2 API. #4912
  > Note: This backported fix includes the bump to the default value, which was originally a follow-up patch in v5.7.3.

v5.5.6 Changes
November 15, 2019
feature
- API endpoints have been changed to use a single transaction per request, so that they become "all or nothing" instead of holding data in memory while waiting for another connection from the pool. The old behaviour could lead to snowballing and increased memory usage as requests from the web UI (polling every 5 seconds) piled up. #4494

v5.5.5 Changes
November 08, 2019
feature
- @pivotal-bin-ju @taylorsilva @xtreme-sameer-vohra added batching to the NewRelic emitter and logging info for non 2xx responses from NewRelic #4698.

v5.5.4 Changes
October 24, 2019
fix
- Concourse now garbage-collects worker containers and volumes that are not tracked in the database. In some niche cases, it is possible for containers and/or volumes to be created on the worker, but the database (via the web) assumes their creation had failed. If this occurs, these untracked containers can pile up on the worker and use resources. #3600 ensures that they get cleaned appropriately.
fix
- Add 5 minute timeout for baggageclaim destroy calls. #4516
fix
- Add 5 minute timeout for worker's garden client http calls. This is primarily to address cases such as destroy which may hang indefinitely causing GC to stop occurring. #4467
fix
- Transition `failed` state containers to `destroying`, resulting in them being GC'ed. This ensures that if web's call to garden to create a container times out, the container is subsequently deleted from garden prior to being deleted from the db. This keeps the web's and worker's state consistent. #4562

v5.5.3 Changes
September 30, 2019
Note there is no v5.5.2 release, due to an issue with our release pipeline.
Security
- This is a security patch using GoLang v1.13.1 that addresses a recently reported issue with Go net/http (CVE-2019-16276).
GoLang's net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling.
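
An added example, not code from Concourse or the Go project, of the RFC 7230 rule at issue: a front end can refuse any request whose header field name is not a valid token rather than forward it for a back end to reinterpret. `isToken`, `invalidFieldNames` and the sample request are constructed for the illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// isToken reports whether s is a valid RFC 7230 field name (one or more tchar).
func isToken(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		alnum := c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z'
		if !alnum && !strings.ContainsRune("!#$%&'*+-.^_`|~", rune(c)) {
			return false
		}
	}
	return s != ""
}

// invalidFieldNames scans a raw HTTP/1.1 request head and returns every header
// line whose field name is not a token, such as "Name : value". Folded
// (obs-fold) continuation lines are reported too.
func invalidFieldNames(rawHead string) []string {
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(rawHead))
	sc.Scan() // skip the request line
	for sc.Scan() {
		line := sc.Text() // ScanLines already strips the trailing CR
		if line == "" {
			break // blank line ends the header block
		}
		i := strings.IndexByte(line, ':')
		if i < 0 || !isToken(line[:i]) {
			bad = append(bad, line)
		}
	}
	return bad
}

// Constructed sample request; the Transfer-Encoding line has the stray space.
const sample = "POST /api/v1/teams HTTP/1.1\r\n" +
	"Host: ci.example.com\r\n" +
	"Transfer-Encoding : chunked\r\n" +
	"Content-Length: 4\r\n\r\nbody"

func main() {
	fmt.Println(invalidFieldNames(sample))
}
```
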