Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent adaefb7, commit f1ace6b
Showing 1 changed file with 113 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,113 @@ | ||
This release is a maintenance and bug-fix release, although there are two __possibly breaking__ changes to be aware of. | ||
|
||
<h4>Java 17 is now the minimum supported version</h4> | ||
|
||
Java 17 was released in September 2021, and has had support within GoCD since version 22.1.0, released two years ago | ||
when it was packaged with both GoCD container images & installers (RPM, Debian, Windows, MacOS) by default. | ||
|
||
This has proven to be be very stable with no known issues. As such, we are now making Java 17 the minimum supported | ||
version to reduce maintenance overhead. Note that as of early 2024 GoCD has not been officially validated against Java | ||
21 LTS (or intermediary versions 18-20). | ||
|
||
The suggested upgrade path depends on the current versions of GoCD you are running. To ensure no downtime for your agents | ||
other than the time to bounce/upgrade your GoCD server | ||
|
||
* Ensure your agents are running with Java 17 | ||
* If you are running GoCD | ||
|
||
* If you are running agents on GoCD 22.1.0+ with Java 17 | ||
* No special instructions, upgrade server and agent environments in any order. | ||
* If you are running agents with Java < 17, and agent < 22.1.0 (21.4.0?) | ||
* Server < 22.1.0 ? | ||
* Server >= 22.1.0 ? | ||
* If you are running agents with Java < 17, and/or server < 22.1.0 (21.4.0?) | ||
* Server < 22.1.0 ? | ||
* Server >= 22.1.0 ? | ||
* If yo | ||
|
||
<h4>Server Container image is now based on Wolfi OS</h4> | ||
|
||
The GoCD server container has always been based on a minimal Linux distribution, previously [Alpine Linux](https://alpinelinux.org/), | ||
but from 24.1.0 has been switched to [Wolfi OS](https://github.com/wolfi-dev). Wolfi OS is a similarly minimal, | ||
security-oriented (un)distro from the folks at [Chainguard](https://www.chainguard.dev/) which is | ||
[optimized for supply-chain security](https://www.chainguard.dev/unchained/introducing-wolfi-the-first-linux-un-distro) - | ||
and uses _glibc_, similar to most other distributions unlike the musl-based Alpine. | ||
|
||
Unfortunately, the use of Alpine has always posed difficulties due to its musl libc base. Most of the time this is an | ||
irrelevant detail to users, however it has posed issues for GoCD packaging of Java runtime environments & providing aarch64 | ||
availability for a variety of reasons stemming from GoCD's dependencies. While GoCD has applied relatively stable | ||
workarounds to support Alpine, these are not recommended and have prevented providing a default GoCD server container | ||
image for _aarch64_/_arm64_ architectures off-the-shelf. | ||
|
||
Wolfi uses the same `apk` package manager as Alpine, with conventional package names, and although packages cannot be | ||
used across the two OSes, the transition should be easy for most folks. The image is now multi-architecture (`amd64`/`x64` and `aarch64`/`arm64`) | ||
making it usable out-of-the-box within arm64 cloud instances and Apple Silicon Macs. | ||
|
||
If you build a child container from the [gocd-server container](https://hub.docker.com/r/gocd/gocd-server), from 24.1.0 | ||
you will need to review your `Dockerfile` to check that | ||
- any additional packages you need to install are [available for Wolfi](https://github.com/wolfi-dev/os). | ||
- any pre-compiled binaries specifically compiled for musl are switched to glibc variants | ||
packages will work just fine. | ||
|
||
There has previously been a non-officially documented multi-arch [server image based on CentOS Stream](https://hub.docker.com/r/gocd/gocd-server-centos-9), | ||
which was the only option on `aarch64`. This will be __removed__, as it is unnecessary now we have a glibc-based image. | ||
If you were using this, please switch back to `gocd/gocd-server` rather than `gocd/gocd-server-centos-*`. | ||
|
||
<h4>Agent container image changes</h4> | ||
|
||
Matching the server change, a [Wolfi-based agent image](https://hub.docker.com/r/gocdexperimental/gocd-agent-wolfi/tags) is | ||
now available. This will become the default recommended agent image for container-based elastic agents. | ||
|
||
The GoCD Alpine agent images will now become a _rolling_ distribution within the [gocd-agent-alpine](https://hub.docker.com/r/gocd/gocd-agent-alpine) | ||
repository. This means that the repository will not change for each Alpine release (3.18, 3.19 etc) any longer. Alpine releases new | ||
versions each 6 months while maintaining very good compatibility, and maintaining different repositories added unnecessary | ||
maintenance overhead. Each GoCD release will be based on the latest compatible Alpine release, mirroring how [gocd-agent-docker-dind](https://hub.docker.com/r/gocd/gocd-agent-docker-dind) | ||
has always been released. | ||
|
||
<h4>Enhancements</h4> | ||
|
||
* <%= link_to_issue 12415, 'Change baseline to require Java 17 minimum' %>. | ||
* <%= link_to_issue 12500, 'Replace Alpine with Wolfi as primary server container image, consolidating Alpine agent images' %>. | ||
* <%= link_to_issue 12710, 'Bundle latest Java 17.0.11 release with non-Linux installers & containers' %> | ||
|
||
<h4>Bug fixes</h4> | ||
|
||
* <%= link_to_issue 4011, 'RPM packages do not install on RHEL unless SELinux is disabled' %> | ||
* <%= link_to_issue 12440, 'Installing Chromium on Alpine 3.18 gocd docker agent causes agent crash loop' %> | ||
* <%= link_to_issue 12535, 'Improve performance of agents API responses and dashboard stage modal' %> | ||
* <%= link_to_issue 12616, 'Improve performance when working with large numbers of server health warnings/errors' %> | ||
|
||
<h4>Security fixes</h4> | ||
|
||
This release fixes [CVE-2024-28866](https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh), a theoretical | ||
vulnerability which has not shown to be practically exploitable. Thank you to Aviv Keller ([RedYetiDev](https://github.com/RedYetiDev)) for | ||
discovering and responsibly disclosing this issue. | ||
|
||
We regularly upgrade dependencies to mitigate known vulnerabilities from third party software (regardless of | ||
whether they are known to affect GoCD), so upgrading to the latest release is always recommended from a security perspective. | ||
|
||
<h4>APIs</h4> | ||
|
||
Improvements, deprecations and breaking changes in the API and plugin API have been moved to their respective changelogs | ||
- <%= link_to_versioned_api '24.1.0','changes-in-24-1-0', 'API changelog for 24.1.0' %> and | ||
<%= link_to_versioned_plugin_api '24.1.0','changes-in-gocd-24-1-0', 'Plugin API changelog for 24.1.0' %>. | ||
|
||
<h4>Contributors</h4> | ||
|
||
<%= [ | ||
"Aravind SV", | ||
"Aviv Keller / RedYetiDev", | ||
"Chad Wilson", | ||
"brewpark", | ||
"Matthias Kraaz", | ||
"Tim Borrowdale", | ||
].sort.uniq.join(', ') | ||
%> | ||
|
||
<h4>Note</h4> | ||
|
||
A more comprehensive list of changes for this release can be found <%= link_to_full_changelog 'here.', 'Release 24.1.0' %> | ||
|
||
Found a security issue that needs fixing? Please report it to <%= link_to 'https://hackerone.com/gocd', 'https://hackerone.com/gocd' %> | ||
|
||
Please report any issues that you observe on [GitHub issues](https://github.com/gocd/gocd/issues). |
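Review bot: the upgrade-path list under the Java 17 heading is unfinished and should be completed before this is published. The intro sentence stops at "bounce/upgrade your GoCD server" without a main clause, the bullets "If you are running GoCD" and "If yo" are cut off, and the "Server < 22.1.0 ?" and "(21.4.0?)" entries are placeholders with no instructions under them. Because the file opens by calling this a possibly breaking change, each agent/server combination needs a concrete upgrade order. Smaller points: "packages will work just fine." after the Dockerfile checklist is an orphaned fragment; "be be very stable" and "has not shown to be" need fixing; the Wolfi agent link points at the gocdexperimental namespace while the text says it will become the default recommended image; and the CVE-2024-28866 paragraph gives no affected component or version range, so consider adding one sentence on that so operators can judge how urgently to upgrade.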