|
2 | 2 | title: Global Resources |
3 | 3 | --- |
4 | 4 |
|
| 5 | +!!! warning "Experimental Feature" |
| 6 | + |
| 7 | + Global Resources is an experimental feature introduced in Concourse v5.0 . It is enabled by passing the |
| 8 | + `--enable-global-resources` flag to the `concourse web` command. |
| 9 | + |
| 10 | +The basic concept of global resources is to share detected resource versions between all resources that have the same |
| 11 | +`resource.type` and `resource.source` configuration. |
| 12 | + |
| 13 | +Before v5.0.0, each pipeline resource had its own version history, associated to the resource by name. This meant that |
| 14 | +multiple pipelines with the same resource configs would redundantly collect the same version and metadata information. |
| 15 | + |
| 16 | +With v5.0.0's experimental 'global resources' feature, resource versions are instead associated to an |
| 17 | +anonymous '[resource config](../resources/index.md#resource-schema)' i.e. its `resource.type` and `resource.source`. |
| 18 | + |
5 | 19 | ## Benefits of Global Resources |
6 | 20 |
|
7 | 21 | ### Fewer resource `check`s to perform |
8 | 22 |
|
| 23 | +With global resources, all resources that have the same configuration will share the same version history and share only |
| 24 | +one checking interval. This reduces load on the worker and on the external services that the resources point to. |
| 25 | + |
| 26 | +For example, prior to global resources if there were three resources with the same configuration between three team's |
| 27 | +pipelines it would result in three check containers performing three resource checks every minute to fetch the versions. |
| 28 | + |
| 29 | +With global resources, this configuration will result in only one check container and one resource check every minute to |
| 30 | +fetch versions for all the resources. |
| 31 | + |
| 32 | +Since there will be only one resource check for all resources that have the same configuration, the resource that has |
| 33 | +the shortest [`resource.check_every`](../resources/index.md#resource-schema) configured will result in its pipeline |
| 34 | +running the checks for that resource configuration. |
| 35 | + |
9 | 36 | #### Complications with reusing containers |
10 | 37 |
|
| 38 | +There is an exception to sharing check containers within a deployment, which is workers belonging to a team and workers |
| 39 | +with tags. |
| 40 | + |
| 41 | +If a resource has [`resource.tags`](../resources/index.md#resource-schema) configured, and the resource's check interval |
| 42 | +ends up acquiring the checking lock, if a check container already exists with the same resource config elsewhere, it |
| 43 | +will reuse the container, otherwise a container will be created on a worker matching the appropriate tags. |
| 44 | + |
| 45 | +Similarly, if a team has its own workers, and their check interval ended up acquiring the lock, it will try to re-use a |
| 46 | +container with the same resource config from the shared worker pool, rather than creating a new container on the team's |
| 47 | +workers. |
| 48 | + |
| 49 | +This is a bit complicated to reason about, and we plan to stop re-using `check` containers to simplify all of this. |
| 50 | +See [concourse/concourse#3079](https://github.com/concourse/concourse/issues/3079) for more information. |
| 51 | + |
11 | 52 | ### Reducing redundant data |
12 | 53 |
|
| 54 | +The majority of Concourse resources will benefit from having versions shared globally because most resource versions |
| 55 | +have an external source of truth. |
| 56 | + |
| 57 | +For example, a `check` for the [`git` resource](https://github.com/concourse/git-resource) that pulls in the |
| 58 | +`concourse/concourse` repository will always return the same set of versions as an equivalent resource pointing to the |
| 59 | +same repository. By consolidating the `check`s and the versions, there will essentially only be one set of versions |
| 60 | +collected from the repository and saved into the database. |
| 61 | + |
13 | 62 | ### Reliable Resource Version History |
14 | 63 |
|
| 64 | +Prior to global resources, a resource's version history was directly associated to the resource name. This meant that |
| 65 | +any changes to a resource's configuration without changing its name would basically append the versions from the new |
| 66 | +configuration after the old versions, which are no longer accurate to the current configuration. |
| 67 | + |
| 68 | +Global resources instead associates the resource versions to the resource's `resource.type` and `resource.source`. |
| 69 | +Therefore, whenever a resource definition changes, the versions will "reset" and change along with it, resulting in |
| 70 | +truthful and reliable version histories. |
| 71 | + |
15 | 72 | ## Risks and Side Effects |
16 | 73 |
|
17 | 74 | ### Sharing versions doesn't work well for all resource types |
18 | 75 |
|
19 | | -### Intercepting check containers is no longer safe |
| 76 | +Sharing versions isn't always a good idea. For example, the [ |
| 77 | +`time` resource](https://github.com/concourse/time-resource) is often used to generate versions on an interval so that |
| 78 | +jobs can fire periodically. If version history were to be shared for all users with e.g. a 10-minute interval, that |
| 79 | +would lead to a thundering herd of builds storming your workers, leading to load spikes and a lot of unhappy builds. |
| 80 | + |
| 81 | +We are working toward a solution to the [`time` resource](https://github.com/concourse/time-resource)'s thundering herd |
| 82 | +problem - namely, to not model time as a resource, and instead model it as a [ |
| 83 | +`var_source`](../vars.md#var_source-schema). We are tracking progress toward this goal |
| 84 | +in [concourse/concourse#5815](https://github.com/concourse/concourse/issues/5815). |
| 85 | + |
| 86 | +Another case where version history shouldn't be shared is when resources "automagically" learn their auth credentials |
| 87 | +using things like IAM roles. In these cases, the credentials aren't in the `resource.source`. If version history were to |
| 88 | +be shared, anyone could configure the same `source:`, not specifying any credentials, and see the version history |
| 89 | +discovered by some other pipeline that ran its checks on workers that had access via IAM roles. |
| 90 | + |
| 91 | +For this reason, any resource types that acquire credentials outside of `source:` should not share version history. |
| 92 | +Granted, the user won't be able to fetch these versions, but it's still an information leak. |
| 93 | + |
| 94 | +IAM roles are a bit of a thorn in our side when it comes to designing features like this. We're planning on introducing |
| 95 | +support for them in a way that doesn't have this problem |
| 96 | +in [concourse/concourse#3023](https://github.com/concourse/concourse/issues/3023). |
| 97 | + |
| 98 | +### Intercepting check containers is no longer safe |
| 99 | + |
| 100 | +Now that `check` containers are shared across teams, it would be dangerous to allow anyone |
| 101 | +to [`fly intercept`](../builds.md#fly-intercept) to `check` containers. For this reason, this capability is limited |
| 102 | +to [admin users](../auth-and-teams/user-roles.md#concourse-admin). |
| 103 | + |
| 104 | +We recognize that this will make it a bit more difficult for end users to debug things like failing checks. We plan to |
| 105 | +improve this by introducing a way to provision a _new_ `check` container to facilitate debugging. |
| 106 | +See [concourse/concourse#3344](https://github.com/concourse/concourse/issues/3344) for more information. |
0 commit comments