Skip to content

Concourse Release Notes

Release Notes for Concourse v3.13.0

Release Date: June 4, 2018


To protect against clickjacking, set the x_frame_options property for the atc job to deny or sameorigin instead of allow-from.

For more information, see X-Frame-Optionsin the Mozilla documentation.

Security Fix: Action Required

To protect against the runC container breakout CVE, you must do the following:

  • Update Garden RunC to v1.18.2. For more information, see garden-runc/1.18.2 in the BOSH documentation.

  • Update your stemcell to Xenial v250.x. For more information, see Stemcells and Uploading Stemcells in the BOSH documentation.

For more information about this CVE, see CVE 2019-5736: runC container breakout.

BOSH Release

  • The groundcrew job has been renamed to worker in this release of Concourse. Update your BOSH manifest.

For more information, see worker job from concourse/3.13.0 in the BOSH documentation.

For additional usage information and sample manifests, see the operations directory in the Concourse BOSH deployment GitHub repository.

Known Issues in v3.13.0


A bug in Chrome 67 causes it to crash when loading the Concourse UI. At the time of this notice (June 4, 2018), Chrome Dev and Chrome Canary versions probably work as well as other browsers like Firefox and Safari. You can follow issue #2236 in GitHub.

  • This release involves a worker protocol version bump, from v1.3 to v2.0, and it switches the default BaggageClaim driver back to btrfs.

    Pivotal recommends spinning up a new pool of worker nodes, upgrading your web nodes, and then removing the old workers.

    Otherwise your workers might get swarmed with containers, because only one 2.0 worker is added at a time with the web nodes already upgraded.

  • Concourse now defaults the worker registration_mode to direct. If your Concourse installation uses external workers, verify that your worker manifest explicitly specifies registration_mode:forward. For information about this new parameter, see registration_mode in the BOSH documentation.

Features in v3.13.0

  • Added a new authentication provider for teams using OpenID Connect (OIDC) (PR #2)
  • Concourse can now emit to Datadog using statsd agent
  • The semver resource now supports an optional commit_messge parameter
  • The dashboard now supports the "not" operator for searches. This can be used on pipeline name searches, team searches, and status searches. Here are some examples:
  • -main gives you every pipeline other than the one called main
  • team:-main gives you every team's pipeline other than the ones belonging to main
  • status:-paused gives you all pipelines that are not paused
  • The ATC will now batch-delete containers and volumes, rather than making individual calls out to the worker
  • The ATC can now be configured with a global default build_logs_to_retain. This is useful for operators who want more control over their database usage. A maximum value can also be configured to ensure users don't set an unreasonable value. The flags are --default-build-logs-to-retain and --max-build-logs-to-retain.
  • The fly set-pipeline command will no longer prompt apply configuration? if there are no changes to apply.
  • There's a fly order-pipelines command now, which allows you to set the order of pipelines in the web UI.
  • A fly status command has been added for checking whether or not you're logged in to the given target.
  • When fly check-resource fails, it'll bubble up the error message rather than just saying error code 500.
  • When a previously-created volume disappears from a worker and the ATC tries to use it, the error message will now include the worker name and the volume handle
  • git-resource can be configured to disable the fetching of tags; you can do this by configuring clean_tags: true in params
  • The /dashboard page is mobile responsive and looks better on small screens
  • The /dashboard page makes way fewer requests now, so it's a lot faster to load and more efficient to periodically refresh.
  • The fly builds command can now filter by team (-t) or pipeline (-p)
  • Concourse now supports AWS Secrets Manager for credential management. Please refer to our docs on Using Amazon SSM
  • The Vault credential manager can now be configured with a --vault-auth-backend-max-ttl, after which it will force a re-login
  • The Vault credential manager will now retry with exponential backoff when logging in, rather than retrying every second.
  • The Git resource will now make the commit message accessible under .git/commit_message
  • The web node can now be configured with --cookie-secure to force secure: true on its cookies.
  • The Github Release resource now supports a tag_filter configuration for matching arbitrary semver tags
  • The Docker Image resource now supports configuring aws_session_token
  • The Docker Image resource now has a new param, cache_from. This new param is like load_bases except everything loaded will also be used as a cache during the build.
  • fly validate-pipeline with --strict will now be more strict with your YAML
  • The CF resource now supports verbose: true, which will tell the CLI to dump trace logs to the output.
  • The Docker Image resource now supports a target_name param for specifying the target to build in a multi-stage Dockerfile.
  • The BOSH release now bakes in the glue code for use with BOSH Backup and Restore. Caveats apply, see PR #1975
  • The fly set-pipeline command can now be given --no-color flag to strip out the color from the diffs. Instead of using color, + and - will be at the start of added and removed lines.
  • Now that we're building with Go 1.10+, fly will respect socks5 proxies configured via the "standard" http_proxy/https_proxy env vars.
  • The concourse worker commands can now be pointed at multiple TSA addresses, rather than one, so that it can retry against a random node each time. As part of this, we've removed the --tsa-port flag and changed --tsa-host to instead take a host:port.
  • We've revamped how fly execute gets its inputs and outputs to/from the build, so that configuring the ATC with an external URL is no longer required. See #2069 for the nitty-gritty.
  • We've switched back to btrfs as the default driver. This resolves a long-standing performance issue when using privileged tasks or resource types (like the Docker Image resource). For more information, see #1404 and #1966. Be sure to use the latest supported stemcell version so that you have a btrfs with the latest fixes. We suspect that this will still be an occasional issue, though far less frequent.
  • The Docker Image resource now supports pushing multiple tags
  • When the ATC is streaming data between workers, the stream will now be gzip-compressed, which should speed things up quite a bit.
  • The ATC now requires TLS v1.2+ and a stricter set of cipher suites.

Bug Fixes

  • Work around an apparent regression/behavior change in recent versions of Chrome that prevented the pipeline UI jobs from being clickable.
  • Fixed a corner case in error handling that could cause a lock to be held forever when detecting new versions of resource types. This could lead to things like builds stuck in "pending" state.
  • When directed to the login page from the resource page, you will now be redirected back to where you were
  • The concourse web command is now capable of running the migration flags (--current-db-version)
  • The fly check-resource command will now fail more clearly when the resource's type is not found.
  • fly will once again helpfully instruct you to log in rather than just saying error: forbidden.
  • The Time resource will now correctly handle a tricky configurations that span multiple days (e.g. 10AM - 5AM),
  • Added a missing property to the BOSH release for configuring the Generic oAuth provider's CA cert.
  • The Git resource will now recover from a deleted tag when configured with tag_filter
  • Previously, tags on a resource type didn't get respected, that's been addressed now.
  • Fixed an ATC crash that would occurn when a task step errored with the next step using an attempts step modifier
  • Concourse now supports the newer umask-hardened BOSH stemcells (v3541.x).
  • Fixed a botched bashism that led to the Docker Image resource to exit early on certain environments (more info here).
  • Cleaned up a noisy PostgreSQL error that would occur on start when checking for the legacy migration_version table.
  • Fixed a UI glitch that caused the last line to be misaligned with the timestamps if it had no trailing linebreak.
  • Fixed a couple migrations that assumed a public schema
  • fly will no longer repeatedly error when given an invalid token during fly login.

Release Notes for Concourse v3.9.2

Release Date: May 8, 2018

Known Issues in v3.9.2

  • Certificate propogation breaks Alpine OpenJDK images. See GitHub issue #2042

Features in v3.9.2

  • Certificates can now be automatically propagated from the worker machine into resource containers. This resolves GitHub issue #1027. This feature is enabled when you install Concourse v3.9.2. Please refer to the OSS documentation on Certificate Propagation for more details.
  • Concourse Dashboard has been graduated out of beta and can now be found under dashboard/
  • Tasks now support inputs.optional
  • CredHub credential manager integration can now be configured with mutal TLS based Authentication
  • Teams can now be renamed via the fly command rename-team
  • fly target will no longer be deted when running fly logout, just the token
  • Resource page on the web UI will now show when it last checked
  • Docker Image resource supports loading multiple images at the start via load_bases for use in multi-part Dockerfiles
  • When using fly intercept with --url, the appropriate target will now be auto-detected based on the URL
  • The Prometheus metrics endpoint now includes scheduling and database metrics
  • Added support for NewRelic Insights metric emitter
  • Added support for using AWS SSM for credential management
  • The CF resource now has a show_app_log config for tailing the app logs while starting it up
  • The Docker Image resource will now propagate http_proxy and https_proxy when building docker images
  • The Docker Image resource can now be configured with max_concurrent_downloads and max_concurrent_uploads
  • The Github Release resource will now produce a commit_sha file containing the commit sha that the release's tag points to
  • Thet build page on the web UI can now render exotic ANSI text modes (e.g. faint text, framed text, Fraktur)

Bug Fixes in v3.9.2

  • Modified a configuration on the btrfs volume driver, making it much more stable to use
  • Docker Image resource now correctly handles complicated build arguments
  • s3-resource will now auto-adjust the part size so it can upload files over 50GB
  • Multi-part Dockerfiles with multiple ECR images will now correctly pull each with ECR login support
  • Reduced the throttling when talking to k8s for credential management
  • The Prometheus metrics endpoint no longer breaks HTTP metrics down by path
  • When contacting CredHub, the configured CA cert is now respected. It was ignored in previous releases
  • Fixed HTTP 500 errors when running fly volumes as a result of volumes disappearing while the API walks through and gets their info.
  • Fixed missing validation for on_success, on_failure, and ensure when configured on a job
  • Fixed a subtle timing issue that could result in fly watch not finding any builds to watch when given a job.
  • We've optimized the rendering of the build page, which got quite a bit slower with the introduction of timestamps in v3.6.0
  • Fixed a crash that would occur when a task step configured image but no config or file\
  • The fly CLI will now buffer output when rendering tables, which should make things a bit faster on Windows.
  • Removed a database constraint cannot_invalidate_during_initialization
  • Fixed an issue where builds would occasionally fail with http2: no cached connection was available when interacting with Vault
  • Certain ANSI cursor movement escape sequences would wreak havoc on the Concourse build output page because there was no window size set on the TTY, thus defaulting it to 80x24. We've set it to 500x500
  • Fixed an issue where Firefox users couldn't click around on the build page.

Release Notes for Concourse v3.8.0

Release Date: February 1, 2018


If you are currently running a version of Concourse that is older than v3.6.0 and are planning to upgrade to v3.8.0, you must rade to v3.6.0 before upgrading past it!

Known Issues in v3.8.0

  • When configuring CredHub to Concourse, you may encounter a certificate signed by unkown authority error. Please see GH Issue #1873 for more details

Breaking Changes in v3.8.0

  • Concourse now support both up and down migrations. In the future, this will allow you to back out of an upgrade and revert back to a previous version of Concourse. However, this work required us to squash our migrations, so you will need to first upgrade to Concourse v3.6.0 before upgrading to v3.8.0
  • If you are upgrading from v3.6.0 you will be required to execute certain changes to your Concourse BOSH manifest.:
  • New required atc property, token_signing_key
  • New required tsa property, token_signing_key
  • New required groundcrew property, tsa.worker_key, type ssh
  • Removed groundcrew property, tsa.private_key, which was just the private key portion
  • Replaced tsa property, host_key, which is now of type ssh, containing both the public and private portion.
  • Removed tsa property, host_public_key; superseded by the above property
  • Removed tsa property, authorize_generated_worker_key; no longer means anything
  • The tsa authorized_keys property must now be specified. No workers are automatically authorized anymore.

You can consult our canges to manifests/single-vm.yml as a reference

Please also refer to Concourse BOSH release documentation on

Features in v3.8.0

  • The ATC can now be configured with an idle timeout for intercept sessions
  • The Generic oAuth provider can now be configured with a CA certificate
  • The Concourse Dashboard has been updated and has a new home under beta/dashboard. Tell us what you think about the new dashboard by commenting on our GitHub issue #1829
  • The execute command will now default to -x, which has been replaced with a new flag, --include-ignored, to rever to the old behavior. In addition, fly will gracefully handle executions with an input that doesn't have a .gitignore. It will also gracefully handle inputs that are files and not directories.
  • The ATC will now use a separate database connection pool for the API and the pipeline scheduling work. This will make it so that slow API requests won't starve critical functionality.
  • Pipeline-provided resource types will no longer fail for the first two mintues after configuration
  • Jobs and steps now support on_abort
  • ATC can be configured with a pure-random worker selection strategy. This can be configured by passing --container-placement-strategy=random through the web command
  • The jobs command now has a column indicating whether any builds are pending or started for each job
  • The S3 resource now supports being configured with a session token
  • Git repos encrypted with git-crypt will now be automatically decrypted by the Git resource
  • The ATC can now be configured to serve a metrics endpoint for Prometheus
  • Teams now support BitBucked-based auth
  • The Git resource can now be configured with a HTTPS proxy
  • Inline task configs are now validated as part of pipeline validation
  • The CF resource can now be configured with a Docker username/password for pushing an app using a private repository
  • The Github Release resource now supports being configured with insecure: true to support private GitHub Enterprise installations
  • The Semver resource now supports being configured with skip_ssl_verification: true to support private S3-compatible blobstores
  • ATC now has a flag for using k8s secrets when running in a cluster. This change makes using the k8s credential manager an explicit choice when running inside k8s, and also allows you to use a different credential manager when running in a cluster

Bug Fixes in v3.8.0

  • When the ATC is configured with multiple metrics emitters, it will now error, rather than silently picking one
  • Fixed an issue where selecting/copying the build output would also select the timestamp on the left.
  • fly login will now error if arguments are mistakenly given to it
  • Turns out you could easily spam the build page by holding T to trigger multiple builds. We've fixed that now so it only triggers a build once.
  • Fixed the web UI so that it appropriately shows that you are logged out when your session expires.
  • The deprecated Bosh Deployment resource resource contains the bosh CLI again
  • Fixed an issue with the CredHub integration that made it necessary to configure --insecure-skip-verify

Release Notes for Concourse v3.6.0

Release Date: November 9, 2017

Breaking Changes in v3.6.0


Concourse 3.6.0 now requires you to install and manage an external PostgreSQL database (v9.5+). We have enabled an upgrade path to the CloudFoundry Postgres BOSH release for your convenience.


Do not to follow these instructions if your Concourse deployment already connects to an external PostgreSQL database (v9.5+).

Migration Instructions:

  1. If you have not done so already, upgrade your Concourse to 3.5.0. Concourse 3.5.0 includes a change to the postgres job that moves its data to a new location where the Cloud Foundry Postgres release will detect and upgrade from.

  2. Upload the Cloud Foundry Postgres release to your BOSH Director. Pivotal tested this upgrade path with version 20, currently available on

  3. Once the release is uploaded, add a reference to the job in your Concourse deployment manifest. You can do this by swapping out the concourse/postgresql job for postgres/postgres.

  4. In the same Concourse deployment manifest, update the ATC properties to explicilty configure the database name and role. These values will vary based on your deployment preferences. You can refer to our changes on the single-vm Concourse manifest as a reference point.

  5. Note that the Postgres DB upgrade must not be combined in the same deployment operation as a stemcell update

Garden runC

Concourse 3.6.0 now requires Garden runC 1.9.0. Make sure you download the appropriate version of Garden runC and recreate your workers.

Features in v3.6.0

  • fly validate-pipeline will now validate the config field on embedded tasks. As a part of this change we have removed support for configuring both config and file, which has been depracated.
  • Build logs now have timestamps. You can find more about it on the feature post here
  • Build page now supports keyboard shortcuts. You can find more about it on the feature post here. There is a known issue where keyboard shortcuts are non-functional on Firefox browsers. This should be fixed in a subsequent release.

Bug Fixes in v3.6.0

  • Fixed an issue with pipeline scheduling that would result in high database connection usage.
  • Fixed an issue where clicking and dragging on the pipeline view would send you to the job details page.

Release Notes for Concourse v3.5.0

Release Date: September 25, 2017

Features in v3.5.0

  • Support for CredHub for external credential management
  • BaggageClaim volume creation APIs are now asynchronous
  • Parallelized garbage collection. This should make things more durable to a slow worker, and make it harder for containers and volumes to "pile up" when the ATC is out of service briefly (i.e. during a deploy)
  • BaggageClaim's response header timeout is now configurable, which should help those with large images that they're using for privileged tasks.


  • When using groups in pipelines, fly will now let you know when you forgot to assign a job to a group
  • fly now prints a URL to your build page when you run execute
  • The fly command for set-team and destroy-team now lets you supply the flag --non-interactive
  • Jobs with a pending build now have a static halo to better represent its waiting state
  • The fly CLI can now format a pipeline configuration into its 'canonical form' using the new format-pipeline command
  • The abort-build command can now abort by build ID


Web UI

  • The legend on the pipeline page will now auto-hide after 10 seconds.
  • When switiching between pipelines, the UI will now fit the pipeline in view.
  • You can also press 'F' center a pipeline in view.

Bug Fixes

  • Jobs and resources with a forward slash in their name no longer error out when loading their details.
  • Fixed a leak with goroutines that happens from fly intercept
  • Check containers will no longer be brutally destroyed if they're used too close to their expiration time.
  • Previously, if a resource or resource type was parameterized via a credential manager, its check containers and caches would be mistakenly garbage-collected. They will now be kept around.
  • Fixed an issue where the pipeline view will reset after a state change on the pipeline.
  • Added the appropriate headers to stop GitHub from caching badges
  • Fixed an issue with the garbage collector that happens when deleting teams
  • Files with the setuid and setgid permissions set on them will no longer have them removed. This used to be lost with the chown performed for namespacing the files. We'll now restore it after the chown.
  • The flags for configuring GitLab oAuth are now present in set-team
  • Fixed an underflow in BaggageClaim's volume size detection
  • The unpack parameter in S3 resource will no longer load the entire archive into memory, so it can be used for larger archives

Known Issues

  • A migration introduced in v3.3.0 would load all the builds into memory and then process them, causing a lot of issues when upgrading. We optimized this migration to migrate build plans in batches, rather than all at once.

Release Notes for Concourse v3.3.3

Release Date: July 31, 2017

Pivotal Concourse is the first version of Concourse that is eligible for Pivotal Support. Concourse v3.3.3 was selected for this release because it addresses crucial issues from the Pivotal Concourse tile beta program. Some of the new features in this version are:

Features in v3.3.3

  • Major changes to the lifecycle management of workers, containers and volumes. For more details please refer to issue #629
  • Support for web hooks
  • Pipeline config and team auth settings can now be encrypted in the database. See Encrypting Concourse Databases
  • Workers now use overlay instead of btrfs for their filesystems. For more details please refer to issue #1045
  • New templating syntax for pipeline parameterization. See Using ((parameters))
  • Performance and stability enhancements from schema optimizations, and parallelized ATC garbage collection
  • Credential Management with Vault
  • Support for GitLab oAuth configurations
  • ...and so much more! For a full history of features please visit the official Concourse Release Notes

Bug Fixes in v3.3.3

  • Misc bug fixes and stability improvements
  • For a full history of bug fixes and known issues please visit the official Concourse Release Notes

Known Issues in v3.3.3

  • Operators may encounter memory issues on the ATC while upgrading from a version of Concourse older than 3.3.0.

View Release Notes for Another Version

To view the release notes for another product version, select the version from the dropdown at the top of this page.