v6.7.5

🐞 Bug Fixes

• backport pkger fix to 6.7.x (#6480) @vito _^🔗

• Backport #6478 to 6.7.x branch (#6496) @kirillbilchenko _^🔗

  • Some OIDC providers don't include the email_verified claim, which causes a validation error by default
  • To support these providers, you can set CONCOURSE_OIDC_SKIP_EMAIL_VERIFIED_VALIDATION to true

🤷 Miscellaneous

• Back-port integration test suite (#6499) @aoldershaw _^🔗

📦 Bundled resource types

• bosh-io-release: v1.0.3
• bosh-io-stemcell: v1.0.3
• cf: v1.1.0
• docker-image: v1.5.1
• git: v1.11.0
• github-release: v1.5.1
• hg: v1.2.0
• mock: v0.11.0
• pool: v1.1.4
• registry-image: v0.14.0
• s3: v1.1.0
• semver: v1.2.1
• time: v1.4.0
• tracker: v1.0.3

v6.7.4

This patch is focused on fixing some bugs that came from bumping dex in 6.7.3. If you were having auth issues after upgrading to 6.7.3 try this patch!

✈️ Features

• Backport #6362 to 6.7.x: handle slow Vault (#6413) @evanchaoli _^🔗
  Enhanced var_sources to handle slow Vault, like Vault login might take longer than 5 seconds.

🐞 Bug Fixes

• Add team groups to Dex response for Bitbucket connector (#6442) @aoldershaw _^🔗

  • Fixes Bitbucket Cloud auth, which was previously attempting to use a deprecated (and recently removed) API endpoint

• Fix OIDC connector not fetching groups claim (#6448) @xtremerui _^🔗
  Fixed a regression that introduced in 6.7.3 that OIDC connector by default not fetching groups claim. Now OIDC connector always fetches groups claim unless --oidc-disable-groups flag is set. Backport of #6436.

• Fix an ATC crash caused by parallel load_var steps (#6457) @evanchaoli _^🔗

  • When multiple load_var steps were running in parallel, there was the risk of the ATC crashing due to concurrent map writes

🤷 Miscellaneous

• Optimize fly windows tests (#6450) @aoldershaw _^🔗

📦 Bundled resource types

• bosh-io-release: v1.0.3
• bosh-io-stemcell: v1.0.3
• cf: v1.1.0
• docker-image: v1.5.1
• git: v1.11.0
• github-release: v1.5.1
• hg: v1.2.0
• mock: v0.11.0
• pool: v1.1.4
• registry-image: v0.14.0
• s3: v1.1.0
• semver: v1.2.1
• time: v1.4.0
• tracker: v1.0.3

v6.7.3

🚨 Breaking

• [6.7.x] Bump dex to 2.27.0 (#6371) @taylorsilva _^🔗
  • Bump Dex to 2.27.0 which fixes a vulnerability in the go XML library
  • This is only a breaking change for the OIDC connector when the downstream provider returns a preferred_username claim
    • Previously, the preferred_username claim would be ignored in favor of the --oidc-user-name-key concourse auth flag.
    • Now, the preferred_username claim takes precedence so its value will be used as concourse OIDC username.

✈️ Features

• Allow underscore in identifiers (#6389) @aoldershaw _^🔗

🐞 Bug Fixes

• Fix auth bug (#6396) @evanchaoli _^🔗
  Fix an authorization bug, when a user has multiple roles in a team, then it may randomly hit "forbidden" error. Backport of #6368.

• Add missing --team to fly set-pipeline: (#6406) @evanchaoli _^🔗
  Fixed a bug of fly set-pipeline where --team option was missing in the prompted unpause pipeline command. Backport of #6336.

v6.7.2

This release focuses on optimizations and bug fixes.

✈️ Features

• Optionally skip resource checking for put-only resources. (#6271) @evanchaoli _^🔗
  Resource checking for put resources can be optionally turned off by using the feature flag CONCOURSE_ENABLE_SKIP_CHECKING_NOT_IN_USE_RESOURCES on the web command. Only resources which are used as inputs to a job will be checked as a result. This can lower the resource checking load on some instances. This feature was originally added in 6.0.0 and reverted in 6.6.0 because of two side effects: 1) put-only resources will no longer show version history in the UI, and 2) custom resource types of put-only resources will no longer be automatically checked. Please note that these side effects still exist at the moment.

• Add index to improve pipeline and build deletion (#6273) @vito _^🔗
  Pipeline deletion had become slow and even caused some deadlocks in the database. This migration fixes those issues.

• Ensure pipelines contain at least one job (#6310) @taylorsilva _^🔗
  Pipelines are now validated to ensure that they contain at least one job. Pipeline configurations with no jobs will be rejected.

🐞 Bug Fixes

• Remove any existing guardian assets on worker startup (#6257) @taylorsilva _^🔗
  The guardian runtime executable contains some other executables as dependencies, such as runc. Interestingly, it writes them to disk (/var/gdn/assets) at startup, and proceeds to run them from there. If the dependencies already exist from a previous version of guardian then they're not overwritten preventing the updated dependencies from being used. The worker will now clear out any preexisting guardian assets every time it starts. This fixes in-place upgrade scenarios on BOSH deployments where guardian kept using older versions of runc.

• Abort a rerun build if input version is gone (#6265) @xtremerui _^🔗
  Sometimes a rerun of a build can get stuck in the pending state forever. This can happen if the resource version used for the original build no longer exists. For example, an older commit disappears when a user force pushes to a git repository. Builds will now abort instead of getting stuck when the resource version no longer exists.

• Fix regression preventing the use of nested fields with fly set-pipeline --var (#6280) @aoldershaw _^🔗

  • A regression was introduced in 6.5.0 that prevented the use of nested fields when setting a pipeline variable via fly set-pipeline --var
    • For instance, pre 6.5.0, fly set-pipeline --var foo.bar=123 --var foo.baz=456 would create the variable foo with value {bar: 123, baz: 456} (that can be referenced in the pipeline config as ((foo.bar)), ((foo.baz)))
    • In 6.5.x/6.6.x, the same command would create variables "foo.bar" = 123 and "foo.baz" = 456 (that would have to be referenced in the pipeline config as (("foo.bar")) and (("foo.baz")), respectively)
    • If you want to set a variable with a . in it, you can now quote the flag: e.g. fly set-pipeline --var '"foo.bar"=123' (note that this requires quoting the entire flag in '...' to avoid shell expansion)

• Only increment checks-enqueued when a check is created. (#6282) @evanchaoli _^🔗
  There was a metrics bug where checks-enqueued would get incremented even if a check already exists. This gave it a higher value than checks that have just been created.

• Prevent set_pipeline runtime error (#6307) @evanchaoli _^🔗
  set_pipeline of a YML pipeline configuration file with no jobs: or resources: no longer causes a runtime error: invalid memory address or nil pointer dereference. This is a backport #6116.

🤷 Miscellaneous

• Optimize fly tests (#6299) @muntac _^🔗

v6.7.1

This release bumps the docker-image resource type to v1.5.1 which contains a fix for the HEAD => GET request flow.

NOTE: the docker-image resource type does not support configuring credentials in registry_mirror. This issue is somewhat fundamental, as the the docker CLI which the resource type uses doesn't support it either. If your registry mirror requires credentials, we recommend using the registry-image resource type instead - it's much more efficient, and it will replace the docker-image resource type entirely once it's ready.

v6.7.0

The primary focus of this release is to adapt to Docker Hub's upcoming rate limits for free users, which will take effect November 2.

We recommend that anyone who uses images hosted on Docker Hub - either without authentication or with a free account - to upgrade to this release, which includes the following:

• registry-image resource type v0.14.0 and docker-image resource type v1.5.0
  • Both resource types now use a HEAD request rather than GET during the check operation so that they don't count towards the rate limit. This was shipped in v6.6.0, but registries which do not support HEAD broke - now they'll fall back on GET.
• Ability to configure defaults for resource types (#6079).
  • The check fix is not enough in isolation - a large enough Concourse cluster might still run into rate limits when it comes time to fetch the image.
  • With resource type defaults, a cluster-wide pull-through cache may be configured by setting a default registry_mirror config for the registry-image resource type and the docker-image resource type. (Note that their configuration is slightly different.)

More details follow!

✈️ Features

• Allow configuring source "defaults" for resource types (#6079) @evanchaoli _^🔗

  • With this feature, a cluster admin may configure default source configuration for core resource types on the web node. For example, when the following file is specified to ATC --base-resource-type-defaults=brt_default.yml:

    registry-image:
      registry_mirror:
        host: 192.168.1.12:5000

    then all registry-image will pull images from the mirror 192.168.1.12:5000.

    At pipeline level, defaults can be defined with resource types, for example:

    resource_types:
    - name: rt-gitlab
      type: registry-image
      source:
        repository: <uri of a gitlab resource type>
      defaults:
        url: <gitlab url>
        project: <project-id>
    
    resources:
    - name: gitlab-mr
      type: rt-gitlab
      source:
        kind: MergeRequest
    
    - name: gitlab-release
      type: rt-gitlab
      source:
        kind: Release

    In this sample, when defines the gitlab resource-type, GitLab url and project-id are defined as defaults of the resource type, so that all resources of the type will inherit those defaults.

🐞 Bug Fixes

• containerd does not grant access to /dev/console (#6181) @jamieklassen _^🔗
  • If you are running concourse with the containerd backend inside a runc-managed process and your version of runc is v1.0.0-rc91 or above, creating privileged containers no longer fails with EPERM.

v6.6.0

🚨 Breaking

• The concourse worker process now depends, via gdn v1.19.16, on runc v1.0.0-rc91. There is a known issue with using BPM to manage newer versions of runc, which has been resolved in bpm-release v1.1.9. So if your concourse is deployed using BOSH, you will also need to use at least BPM 1.1.9. After upgrading, if you start to see build steps erroring with a message like:

  runc run: exit status 1: container_linux.go:349: starting container process caused "process_linux.go:439: container init caused \"process_linux.go:405: setting cgroup config for procHooks process caused \\\"failed to write \\\\\\\"c 5:1 rwm\\\\\\\" to \\\\\\\"/sys/fs/cgroup/devices/system.slice/concourse.service/garden/a206550f-f6dd-4609-4f13-0a11afd3fd93/devices.allow\\\\\\\": write /sys/fs/cgroup/devices/system.slice/concourse.service/garden/a206550f-f6dd-4609-4f13-0a11afd3fd93/devices.allow: operation not permitted\\\"\""
  

  then you probably need to upgrade BPM. Thanks @tlwr for investigating this!

If you still see this issue it is because BOSH did not upgrade the assets under /var/gdn on the worker. Recreating the worker VMs using either bosh recreate, or the --recreate flag on bosh deploy will pull in the intended gdn assets.

✈️ Features

• Allow rotating the encryption key via concourse migrate (#5980) @aoldershaw _^🔗

  • concourse migrate can be called with --old-encryption-key to rotate the database encryption key as a one-time operation
  • concourse web still accepts --old-encryption-key
  • You should stop any ATCs prior to running this command

• Support SAML 2.0 as an auth backend (#5998) @adnankobir _^🔗

• Use the configured resolv.conf for containerd (#6001) @YoussB _^🔗

• set_pipeline step header indicates whether changes were applied (#6011) @andy-paine _^🔗

  • If a set_pipeline step made any changes, it will indicate by highlighting in yellow and displaying pipeline config changed message when hovered over the step.

• Allow the fly http transport to use client certificates (#6017) @avanier _^🔗

  • Adds new --client-cert and --client-key flags to the fly login command. The provided client certificates will then be used by fly's http transport.

• Add new default values to the Guardian flags network-pool and max-containers (#6031) @muntac _^🔗

• Allow statx in containerd (#6045) @muntac _^🔗

  • Update containerd's seccomp profile to allow the statx system call. This lets basic commands like ls -l to be executed.

• Enable secret caching for var_sources. (#6046) @evanchaoli _^🔗

• Custom background image (#6053) @andy-paine _^🔗

  • Pipeline authors can now include a custom background_image under the display key in pipeline config e.g:

    display:
      background_image: https://avatars1.githubusercontent.com/u/7809479?s=400&v=4

🐞 Bug Fixes

• Return real JSON from fly get-team --json (#5996) @agurney _^🔗

  • The --json flag on fly get-team is meant to yield a structured JSON representation of the team data, including auth details, but instead just gave {}. Now it works as intended.

• Admins can only login to teams that exist (#6021) @izabelacg _^🔗

  • Previously admins could log into any team, even if the team did not exist. Admins can still log into any team but now fly verifies that the team exists before saving the target to .flyrc.

• Request schedule when cancelling a pending build (#6023) @xtremerui _^🔗

  • Fix a bug that a build can't be cancelled if it is in pending state because of unsatisfiable inputs

• Enable fly validate-pipeline to accept --enable-across-step (#6027) @flavorjones _^🔗

  • Enable fly validate-pipeline to accept --enable-across-step and recognize across as a valid step.

• Fix build reaper missing builds due to pagination (#6051) @chenbh _^🔗

  • Fixed the build reaper missing builds
  • Fixed pagination bugs on the resource version and job builds pages

• Fix a bug where running fly execute fails in an environment when all workers are tagged. (#6059) @aledeganopix4d _^🔗

• Fix horizontal scrolling on build page (#6083) @zoetian _^🔗

• Only set Guardian flag default when flag not provided by user (#6087) @muntac _^🔗

  • Only pass garden the configured defaults within Concourse for the guardian flags max-containers and network-pool if it is not set through the garden config file, environment variables or flags.

• Revert "skip resource check for put-only resources" (#5905) @chenbh _^🔗

  • While this was a useful optimization, it caused a regression where Concourse failed to detect newer versions (images) of custom resource types for put-only resources under certain circumstances

🤷 No Impact

• Deflake k8s topgun (#6030) @jamieklassen _^🔗

• build(deps): bump yargs-parser from 13.1.1 to 13.1.2 (#6047) @dependabot _^🔗

• Remind people they need JS to run the browser app (#6065) @steadysupply _^🔗

• Use atc.TaskEnv type in task step (#6066) @vito _^🔗

• Make --client-cert flag name consistent between fly login and fly sync (#6068) @aoldershaw _^🔗

• Skip yarn benchmark until dependency is fixed (#6078) @clarafu _^🔗

v6.5.1

🐞 Bug Fixes

• Make claims LRU cache safe for concurrent use (#6019) @chrisfarms _^🔗

  • Avoid a potential race in access token caching, causing the ATC to panic

v6.5.0

🚨 Breaking

• Generate opaque OAuth2 access tokens (#5897) @aoldershaw _^🔗

  • There were several issues that users encountered (particularly after v6.1.0) as a result of long access tokens. Concourse now generates much shorter access tokens rather than using the raw user data.
  • Users' last activity is now tracked on login rather than on every request. Updating the last activity on every request caused database problems at scale. Note: last activity is only relevant to fly active-users
  • This is only a breaking change for any custom automation built around Concourse that authenticates with the Concourse API

• Fix Gitlab auth to reference a user's username instead of their full name (#5925) @chenbh _^🔗

  • If a team was configured for Gitlab auth with the --gitlab-user flag, you must ensure the user referenced is a valid Gitlab username, rather than a user's full name. If not, you must reconfigure the team with fly set-team to reference the username. Teams configured with --gitlab-group are unaffected.

• Add format: trim to load_var step and make it the default (#5894) @evanchaoli _^🔗

  • format: trim removes all trailing and leading whitespace from the input file
  • The prior behavior of keeping all whitespace can be used by specifying format: raw (see load_var.format)

• Prefix containerd specific flags with CONCOURSE_CONTAINERD (#5911) @muntac _^🔗

  • This is only a breaking change if you were using the experimental containerd backend. The default guardian backend remains unaffected and is still configured with CONCOURSE_GARDEN environment variables

✈️ Features

• Display favorite pipelines section at the top of the dashboard (#5922) @zoetian _^🔗

• Pipelines can be favorited from the sidebar (#5860) @zoetian _^🔗

• Pipelines can be favorited from the dashboard (#5904) @zoetian _^🔗

• Pipelines can be favorited from the pipeline page (#5979) @zoetian _^🔗

• Automatically archive abandoned pipelines (#5854) @taylorsilva _^🔗

  • An abandoned pipeline is one that was once set by a set_pipeline step but no longer is. See the set_pipeline docs for more information
  • The temporary feature flag --enable-archive-pipeline was removed as the archiving pipelines feature is complete

• Add experimental across step for running build plans across a matrix of values (#5887) @aoldershaw _^🔗

  • This feature must be enabled using --enable-across-step as it is subject to change - don't be alarmed if your pipelines with across stop working in a future release!
  • There's no official documentation yet, but there are some examples of usage patterns in the RFC

• Allow dot and colon in variable path (#5898) @xtremerui _^🔗

  • You can now interpolate variables with special characters . and : in the name by wrapping them in double quotes
  • e.g. (("some.secret".field1)) accesses field1 of the secret some.secret

• Emit warnings for invalid identifiers (#5864) @mouellet _^🔗

  • A warning will be emitted for every identifier that doesn't match the validation rules described in the identifier schema
  • After 1 year, we will error when identifiers don't match the validation rules - so, we recommend adhering to the new validation as soon as possible!

• Support set-pipeline: self for configuring current pipeline (#5737) @evanchaoli _^🔗

  • This feature is experimental, and may be removed a future version

• Rerun builds with baggageclaim network errors (#5958) @kirillbilchenko _^🔗

  • The --enable-rerun-when-worker-disappears flag now supports rerunning builds after any network error from the ATC to the worker's baggageclaim. Such network errors are common when the worker disappears.
  • Builds will now be rerun when this flag is enabled and the failing step is a nested step (e.g. within an in_parallel)

• Mount Btrfs loopback with discard option (#5916) @muntac _^🔗

  • This punches holes in the underlying loop file making it sparse, and will potentially result in better disk utilization

• Speed up querying for unencrypted builds (#5902) @clarafu _^🔗

  • If your environment had a large number of builds and an encrypted database, you might have noticed your web node being slow to start up. An index was added to help speed up the querying of unencrypted builds which is run during the web startup.

• Support reloading TSA worker keys via SIGHUP signal (#5652) @gaelL _^🔗

• get/put/task steps now emit the selected worker to the build log (#5846) @evanchaoli _^🔗

  • The build log page and fly watch now display the worker name for get/put/task steps

• Enhance TasksWaiting metric to include teamId, workerTags, and platform labels (#5981) @aledeganopix4d _^🔗

• Add the token text to the fly_success page (#4951) @jvshahid _^🔗

• TSA's garden client timeout can be configured using --tsa-garden-request-timeout (#5845) @xtreme-sameer-vohra _^🔗

• Allow fly set-pipeline to take configuration from stdin (#5861) @evanchaoli _^🔗

  • The --config flag of the fly set-pipeline command now supports - for reading pipeline config from stdin

• Add --team flag to fly pause-pipeline and fly hide-pipeline commands (#5917) @owenfarrell _^🔗

• Add --team flag to fly destroy-pipeline command (#5924) @khng _^🔗

• Always print warning after fly set-pipeline if pipeline is paused (#5883) @agurney _^🔗

• Add flag --ignore-event-parsing-errors to fly watch to ignore event parsing errors when an unknown event type or version is encountered. (#5957) @xtreme-sameer-vohra _^🔗

• Remove unnecessary updates to the resource's check_error value (#5990) @clarafu _^🔗

  • The query will only update the resource check error to NULL if it is not already NULL.

• Support max container limit with containerd backend (#5836) @xtreme-sameer-vohra _^🔗

🐞 Bug Fixes

• Prevent potential database deadlock after pipeline deletion (#5987) @aoldershaw _^🔗

• Allow usage of images from custom resource types in fly execute (#5866) @jvshahid _^🔗

• Save job.disable_manual_trigger to the database (#5908) @jamieklassen _^🔗

  • Fixed the disable_manual_trigger: field on jobs -- since v6.0.0 it had no effect and jobs with this setting could actually still be manually triggered.

• Return error when a step only contains modifiers (#5910) @taylorsilva _^🔗

• Bump baggageclaim to v1.8.0 to fix deeply-nested volumes with overlay driver (#5961) @vito _^🔗

🤷 No Impact

• Edit pr template to include new release note generation process (#5903) @clarafu _^🔗

• Fix flakey container sweeper test (#5923) @xtreme-vikram-yadav _^🔗

• Elm tests use Data module for identifiers (#5928) @aoldershaw _^🔗

• Remove ignored windows fly test case (#5946) @aoldershaw _^🔗

• Remove private_plan from index (#5950) @izabelacg _^🔗

• Prevent pipeline from getting GC'd in testflight (#5951) @aoldershaw _^🔗

• Fly commands don't assume tokens are JWTs (#5955) @aoldershaw _^🔗

• Use access token for Concourse API in topgun (#5965) @aoldershaw _^🔗

v6.4.1

_^🔗 security

• Fix Gitlab connector configuration using Full Name instead of Username
  • Any Concourse teams configured with Gitlab users may need to be updated. Previously a Gitlab users Full Name was used to add them to a Concourse team. Now the users Username in Gitlab is used by Concourse to verify team membership. If the Full Name and Username are the same then no change is necessary.