Concourse Release Notes

Release Notes for Concourse v3.8.0

February 1, 2018


If you are currently running a version of Concourse that is older than v3.6.0 and are planning to upgrade to v3.8.0, you must first upgrade to v3.6.0 before upgrading past it!

Known Issues

  • When configuring CredHub to Concourse, you may encounter a certificate signed by unkown authority error. Please see GH Issue #1873 for more details


  • Concourse now support both up and down migrations. In the future, this will allow you to back out of an upgrade and revert back to a previous version of Concourse. However, this work required us to squash our migrations, so you will need to first upgrade to Concourse v3.6.0 before upgrading to v3.8.0
  • If you are upgrading from v3.6.0 you will be required to execute certain changes to your Concourse BOSH manifest.:
    • New required atc property, token_signing_key
    • New required tsa property, token_signing_key
    • New required groundcrew property, tsa.worker_key, type ssh
    • Removed groundcrew property, tsa.private_key, which was just the private key portion
    • Replaced tsa property, host_key, which is now of type ssh, containing both the public and private portion.
    • Removed tsa property, host_public_key; superseded by the above property
    • Removed tsa property, authorize_generated_worker_key; no longer means anything
    • The tsa authorized_keys property must now be specified. No workers are automatically authorized anymore.

You can consult our canges to manifests/single-vm.yml as a reference

Please also refer to Concourse BOSH release documentation on


  • The ATC can now be configured with an idle timeout for intercept sessions
  • The Generic oAuth provider can now be configured with a CA certificate
  • The Concourse Dashboard has been updated and has a new home under beta/dashboard. Tell us what you think about the new dashboard by commenting on our GitHub issue #1829
  • The execute command will now default to -x, which has been replaced with a new flag, --include-ignored, to rever to the old behavior. In addition, fly will gracefully handle executions with an input that doesn’t have a .gitignore. It will also gracefully handle inputs that are files and not directories.
  • The ATC will now use a separate database connection pool for the API and the pipeline scheduling work. This will make it so that slow API requests won’t starve critical functionality.
  • Pipeline-provided resource types will no longer fail for the first two mintues after configuration
  • Jobs and steps now support on_abort
  • ATC can be configured with a pure-random worker selection strategy. This can be configured by passing --container-placement-strategy=random through the web command
  • The jobs command now has a column indicating whether any builds are pending or started for each job
  • The S3 resource now supports being configured with a session token
  • Git repos encrypted with git-crypt will now be automatically decrypted by the Git resource
  • The ATC can now be configured to serve a metrics endpoint for Prometheus
  • Teams now support BitBucked-based auth
  • The Git resource can now be configured with a HTTPS proxy
  • Inline task configs are now validated as part of pipeline validation
  • The CF resource can now be configured with a Docker username/password for pushing an app using a private repository
  • The Github Release resource now supports being configured with insecure: true to support private GitHub Enterprise installations
  • The Semver resource now supports being configured with skip_ssl_verification: true to support private S3-compatible blobstores
  • ATC now has a flag for using k8s secrets when running in a cluster. This change makes using the k8s credential manager an explicit choice when running inside k8s, and also allows you to use a different credential manager when running in a cluster

Bug Fixes

  • When the ATC is configured with multiple metrics emitters, it will now error, rather than silently picking one
  • Fixed an issue where selecting/copying the build output would also select the timestamp on the left.
  • fly login will now error if arguments are mistakenly given to it
  • Turns out you could easily spam the build page by holding T to trigger multiple builds. We’ve fixed that now so it only triggers a build once.
  • Fixed the web UI so that it appropriately shows that you are logged out when your session expires.
  • The deprecated Bosh Deployment resource resource contains the bosh CLI again
  • Fixed an issue with the CredHub integration that made it necessary to configure --insecure-skip-verify

Release Notes for Concourse v3.6.0

November 9, 2017



Concourse 3.6.0 now requires you to install and manage an external PostgreSQL database (v9.5+). We have enabled an upgrade path to the CloudFoundry Postgres BOSH release for your convenience.

Note: You do not need to follow these instructions if your Concourse deployment already connects to an external PostgreSQL database (v9.5+).

Migration Instructions:

  1. If you have not done so already, upgrade your Concourse to 3.5.0. Concourse 3.5.0 includes a change to the postgres job that moves its data to a new location where the Cloud Foundry Postgres release will detect and upgrade from.

  2. Upload the Cloud Foundry Postgres release to your BOSH Director. Pivotal tested this upgrade path with version 20, currently available on

  3. Once the release is uploaded, add a reference to the job in your Concourse deployment manifest. You can do this by swapping out the concourse/postgresql job for postgres/postgres.

  4. In the same Concourse deployment manifest, update the ATC properties to explicilty configure the database name and role. These values will vary based on your deployment preferences. You can refer to our changes on the single-vm Concourse manifest as a reference point.

  5. Note that the Postgres DB upgrade must not be combined in the same deployment operation as a stemcell update

Garden runC

Concourse 3.6.0 now requires Garden runC 1.9.0. Make sure you download the appropriate version of Garden runC and recreate your workers.


  • fly validate-pipeline will now validate the config field on embedded tasks. As a part of this change we have removed support for configuring both config and file, which has been depracated.
  • Build logs now have timestamps. You can find more about it on the feature post here
  • Build page now supports keyboard shortcuts. You can find more about it on the feature post here. There is a known issue where keyboard shortcuts are non-functional on Firefox browsers. This should be fixed in a subsequent release.

Bug Fixes

  • Fixed an issue with pipeline scheduling that would result in high database connection usage.
  • Fixed an issue where clicking and dragging on the pipeline view would send you to the job details page.

Release Notes for Concourse v3.5.0

September 25, 2017


  • Support for CredHub for external credential management
  • BaggageClaim volume creation APIs are now asynchronous
  • Parallelized garbage collection. This should make things more durable to a slow worker, and make it harder for containers and volumes to “pile up” when the ATC is out of service briefly (i.e. during a deploy)
  • BaggageClaim’s response header timeout is now configurable, which should help those with large images that they’re using for privileged tasks.


  • When using groups in pipelines, fly will now let you know when you forgot to assign a job to a group
  • fly now prints a URL to your build page when you run execute
  • The fly command for set-team and destroy-team now lets you supply the flag --non-interactive
  • Jobs with a pending build now have a static halo to better represent its waiting state
  • The fly CLI can now format a pipeline configuration into its ‘canonical form’ using the new format-pipeline command
  • The abort-build command can now abort by build ID


Web UI

  • The legend on the pipeline page will now auto-hide after 10 seconds.
  • When switiching between pipelines, the UI will now fit the pipeline in view.
  • You can also press 'F’ center a pipeline in view.

Bug Fixes

  • Jobs and resources with a forward slash in their name no longer error out when loading their details.
  • Fixed a leak with goroutines that happens from fly intercept
  • Check containers will no longer be brutally destroyed if they’re used too close to their expiration time.
  • Previously, if a resource or resource type was parameterized via a credential manager, its check containers and caches would be mistakenly garbage-collected. They will now be kept around.
  • Fixed an issue where the pipeline view will reset after a state change on the pipeline.
  • Added the appropriate headers to stop GitHub from caching badges
  • Fixed an issue with the garbage collector that happens when deleting teams
  • Files with the setuid and setgid permissions set on them will no longer have them removed. This used to be lost with the chown performed for namespacing the files. We’ll now restore it after the chown.
  • The flags for configuring GitLab oAuth are now present in set-team
  • Fixed an underflow in BaggageClaim’s volume size detection
  • The unpack parameter in S3 resource will no longer load the entire archive into memory, so it can be used for larger archives

Known Issues

  • A migration introduced in v3.3.0 would load all the builds into memory and then process them, causing a lot of issues when upgrading. We optimized this migration to migrate build plans in batches, rather than all at once.

Release Notes for Concourse v3.3.3

July 31, 2017

Concourse for PCF is the first version of Concourse that is eligible for Pivotal Support. Concourse v3.3.3 was selected for this release because it addresses crucial issues from the Concourse for PCF tile beta program. Some of the new features in this version are:


  • Major changes to the lifecycle management of workers, containers and volumes. For more details please refer to issue #629
  • Support for web hooks
  • Pipeline config and team auth settings can now be encrypted in the database. See Encrypting Concourse Databases
  • Workers now use overlay instead of btrfs for their filesystems. For more details please refer to issue #1045
  • New templating syntax for pipeline parameterization. See Using ((parameters))
  • Performance and stability enhancements from schema optimizations, and parallelized ATC garbage collection
  • Credential Management with Vault
  • Support for GitLab oAuth configurations
  • …and so much more! For a full history of features please visit the official Concourse Release Notes

Bug Fixes

  • Misc bug fixes and stability improvements
  • For a full history of bug fixes and known issues please visit the official Concourse Release Notes

Known Issues

  • Operators may encounter memory issues on the ATC while upgrading from a version of Concourse older than 3.3.0.
Create a pull request or raise an issue on the source for this page in GitHub