v6.11.0

v6.11.0 (2023-12-07)

Full Changelog

Added

• BuildkiteAgentCancelGracePeriod option to linux stack #1258 (@njgrisafi)
• RootVolumeIops parameter to allow io1 and io2 RootVolumeTypes #1269 (@triarius)

Fixed

• Allow hyphens in all InstanceTypes values #1266 (@pH14)

Dependencies

• Bump agent to v3.60.1 #1260 (@DrJosh9000) #1265 (@moskyb) #1271 (@triarius)
• Bump buildx to v0.12.0 #1262 (@triarius)
• Bump docker-compose to v2.23.3 #1272 (@triarius)

Internal

• Launch test elastic stacks using templates from S3 #1267 (@moskyb)
• Ensure tag builds have the tag #1259 (@triarius)

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.11.0/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.

v6.10.0

v6.10.0 (2023-11-02)

Full Changelog

Added

• Enable optionally changing EC2 Instance Types used for AMI Creation #1252 (@tomowatt)
• Add support for graviton3 with local nvme #1253 (@joemiller)

Fixed

• Build fix-perms in Makefile #1254 (@DrJosh9000)

Changed

• Bump agent version to v3.58.0 #1256 (@DrJosh9000)

Internal

• Mention docker 20.10.25 to 24.0.5 upgrade in v6.8.0 changelog #1249 (@yob)

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.10.0/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.

v6.9.0

v6.9.0 (2023-10-23)

Full Changelog

Fixed

• Instances in ASGs at their minimum capacity will now be correctly terminated when BuildkiteTerminateInstanceAfterJob is enabled #1245 (@triarius)
• Fix ScalerEventSchedulePeriod was missing from interface #1243 (@triarius)

Changed

• Update buildkite-agent to v3.57.0 #1247 (@moskyb)
• Add more missing service role IAM permissions #1244 (@triarius)

Internal

• Update README to show we are on Amazon Linux 2023 now #1246 (@triarius)

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.9.0/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.

v6.8.0

v6.8.0 (2023-10-19)

Full Changelog

Changed

• Bump Agent Scaler version to v1.7.0. This updates the lambda runtime to provided.al2 from the deprecated go1.x #1236 (@HugeIRL)
  Note: depending on how you upgrade existing stacks, you may not automatically be upgraded to v1.7.0 of Buildkite Agent Scaler. See here for a work around to this known issue.
• Bump buildkite-agent to v3.56.0 #1237 (@triarius)
• Bump docker-compose to v2.22.0 #1234 (@jkburges)
• Improve logging for startup scripts on linux #1230 (@triarius)
• Wrap quotes around AWS::StackName #1238 (@n-tucker)

Fixed

• Fix rsyslog was missing from base AMI #1240 (@peter-svensson)
• Fix Service Role was missing some permissions #1192 (@philnielsen) #1233 (@triarius)
• Fix hyphens were not allowed in InstanceTypes #1228 (@nitrocode)
• Fix qemu binfmt image is pulled during instance startup #1231 (@triarius)

Internal

• Fix Windows AMI build failed #1239 (@triarius)
• Add test stack remover script #1226 (@moskyb)
• Add a step to CI to check files have been formatted with shfmt #1232 (@triarius)

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.8.0/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.

v6.7.1

v6.7.1 (2023-09-20)

Full Changelog

Security

⚠️ This release fixes a medium-severity security vulnerability. We recommend upgrading to v6.7.1 or v5.22.5.

• Affected versions: All prior versions of Elastic CI Stack (except v5.22.5). v6.7.0 and v5.22.4 contained a partial fix.
• Impact: Privilege escalation to root on Linux agent instances
• Required privileges: Users that can run user-controlled commands on agents (e.g. by pushing a branch to a repo that triggers a build with those changes)
• Attack vector: A specially crafted build can abuse the fix-buildkite-agent-builds-permissions script to run commands as root on subsequent builds
• Fix: Improved input validation and file handling #1219, #1221 (@DrJosh9000)
• Alternative workarounds: Deploy a pre-bootstrap hook to prevent execution of fix-buildkite-agent-builds-permissions during a build

Thanks to Nick Nam of Atredis Partners for reporting the vulnerability.

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.7.1/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.

v5.22.5

v5.22.5 (2023-09-14)

Full Changelog

Security

⚠️ This release fixes a medium-severity security vulnerability. We recommend upgrading to v6.7.1 or v5.22.5.

• Affected versions: All prior versions of Elastic CI Stack (except v5.22.5). v6.7.0 and v5.22.4 contained a partial fix.
• Impact: Privilege escalation to root on Linux agent instances
• Required privileges: Users that can run user-controlled commands on agents (e.g. by pushing a branch to a repo that triggers a build with those changes)
• Attack vector: A specially crafted build can abuse the fix-buildkite-agent-builds-permissions script to run commands as root on subsequent builds
• Fix: Improved input validation and file handling #1220 (@DrJosh9000)
• Alternative workarounds: Deploy a pre-bootstrap hook to prevent execution of fix-buildkite-agent-builds-permissions during a build

Thanks to Nick Nam of Atredis Partners for reporting the vulnerability.

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v5.22.5/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.

v6.7.0

v6.7.0 (2023-09-14)

Full Changelog

Security

⚠️ This release partially fixes a medium-severity security vulnerability. We recommend upgrading to v6.7.1 or v5.22.5.

• Affected versions: All prior versions of Elastic CI Stack
• Impact: Privilege escalation to root on Linux agent instances
• Required privileges: Users that can run user-controlled commands on agents (e.g. by pushing a branch to a repo that triggers a build with those changes)
• Attack vector: A specially crafted build can abuse the fix-buildkite-agent-builds-permissions script to run commands as root on subsequent builds
• Fix: Improved input validation in fix-buildkite-agent-builds-permissions #1212 (@DrJosh9000)
• Alternative workarounds: Deploy a pre-bootstrap hook to prevent execution of fix-buildkite-agent-builds-permissions during a build

Thanks to Nick Nam of Atredis Partners for reporting the vulnerability.

Changed

• Update to scaler v1.6.0 #1213 (@DrJosh9000)
• Bump buildkite-agent to v3.55.0 #1214 (@DrJosh9000)

Internal

• Fix ami_source_filter #1211 (@DrJosh9000)

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.7.0/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.

v5.22.4

v5.22.4 (2023-09-14)

Full Changelog

Security

⚠️ This release partially fixes a medium-severity security vulnerability. We recommend upgrading to v6.7.1 or v5.22.5.

• Affected versions: All prior versions of Elastic CI Stack
• Impact: Privilege escalation to root on Linux agent instances
• Required privileges: Users that can run user-controlled commands on agents (e.g. by pushing a branch to a repo that triggers a build with those changes)
• Attack vector: A specially crafted build can abuse the fix-buildkite-agent-builds-permissions script to run commands as root on subsequent builds
• Fix: Improved input validation in fix-buildkite-agent-builds-permissions #1215 (@DrJosh9000)
• Alternative workarounds: Deploy a pre-bootstrap hook to prevent execution of fix-buildkite-agent-builds-permissions during a build

Thanks to Nick Nam of Atredis Partners for reporting the vulnerability.

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v5.22.4/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.

v6.6.0

v6.6.0 (2023-09-07)

Full Changelog

Fixed

• Fix instance storage mount script fails when instance storage not available #1206 (@triarius)

Changed

• Bump buildkite-agent to v3.54.0 #1207 (@DrJosh9000)

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.6.0/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.

v6.5.0

v6.5.0 (2023-08-31)

Full Changelog

Changed

• Bump buildkite-agent to v3.53.0 #1204 (@DrJosh9000)

Upgrading

Perform a CloudFormation stack update with the following URL:
https://s3.amazonaws.com/buildkite-aws-stack/v6.5.0/aws-stack.yml

If you want to launch a new stack, you can use this link (make sure not to use your production AWS account, create a new one for CI):

Documentation

See the README for this release.