Concourse CI

Learn about configurations >

• compute-runtime | string

  Default: none

  GPU compute runtime to enable: 'none', 'cuda', or 'rocm'.

  • 'none': No GPU support (default)
  • 'cuda': Enable NVIDIA CUDA GPU support
  • 'rocm': Enable AMD ROCm GPU support When enabled, automatically installs container toolkit and configures GPU passthrough. Worker will be tagged with GPU capabilities for job targeting. Default: none

• container-placement-strategy | string

  Default: volume-locality

  Container placement strategy (volume-locality, random, fewest-build-containers). Default: volume-locality

• containerd-dns-proxy-enable | boolean

  Enable containerd DNS proxy for container name resolution. Set to false to use external DNS servers directly. Default: false

• containerd-dns-server | string

  Default: 1.1.1.1,8.8.8.8

  DNS servers for containerd containers (comma-separated). Used when containerd-dns-proxy-enable is false. Default: 1.1.1.1,8.8.8.8

• default-build-logs-to-retain | int

  Default number of build logs to retain per job. 0 means unlimited. Maps to CONCOURSE_DEFAULT_BUILD_LOGS_TO_RETAIN.

• default-days-to-retain-build-logs | int

  Default number of days to retain build logs. 0 means unlimited. Maps to CONCOURSE_DEFAULT_DAYS_TO_RETAIN_BUILD_LOGS.

• enable-metrics | boolean

  Enable Prometheus metrics endpoint on port 9391 and per-job status exporter on port 9358. When enabled, installs and runs concourse-exporter service that exposes job-level metrics. Default: false

• encryption-key | string

  Encryption key for Concourse database at-rest encryption. Required when migrating from an existing encrypted deployment. Maps to CONCOURSE_ENCRYPTION_KEY.

• external-url | string

  External URL for Concourse web UI (used for redirects and webhooks). If not set, automatically detects and uses http://<unit-ip>:<web-port> Important: Set this to your actual external URL if behind a proxy/NAT.

• extra-local-users | string

  Additional local users beyond the admin user, as comma-separated user:password-hash pairs. These are appended to CONCOURSE_ADD_LOCAL_USER alongside the admin user. Example: "oem:{BCRYPT_HASH},ci-bot:{BCRYPT_HASH}"

• extra-web-flags | string

  Extra CLI flags for 'concourse web', space-separated. Appended to the ExecStart command in the systemd service. Example: "--enable-across-step --enable-resource-causality"

• gc-failed-grace-period | string

  Grace period before cleaning up failed containers and volumes. Example: "1h", "30m". Empty means Concourse default. Maps to CONCOURSE_GC_FAILED_GRACE_PERIOD.

• gpu-device-ids | string

  Default: all

  GPU device IDs to expose to worker (comma-separated). Use "all" to expose all GPUs, or specify devices like "0,1". Only used when compute-runtime is set to 'cuda' or 'rocm'. Default: all

• initial-admin-username | string

  Default: admin

  Initial admin user for Concourse authentication. Default: admin

• ldap-bind-dn | string

  LDAP bind DN for authentication (e.g., cn=admin,dc=example,dc=com). Maps to CONCOURSE_LDAP_BIND_DN.

• ldap-bind-pw | string

  LDAP bind password. Maps to CONCOURSE_LDAP_BIND_PW.

• ldap-display-name | string

  Display name for LDAP authentication provider. Maps to CONCOURSE_LDAP_DISPLAY_NAME.

• ldap-group-search-base-dn | string

  Base DN for LDAP group searches. Maps to CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN.

• ldap-group-search-filter | string

  LDAP search filter for groups (e.g., '(objectClass=group)'). Maps to CONCOURSE_LDAP_GROUP_SEARCH_FILTER.

• ldap-group-search-group-attr | string

  LDAP attribute on group entries for member matching. Maps to CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR.

• ldap-group-search-name-attr | string

  LDAP attribute for group name. Maps to CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR.

• ldap-group-search-user-attr | string

  LDAP attribute on user entries for group matching. Maps to CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR.

• ldap-host | string

  LDAP server hostname (e.g., ldap.example.com). Maps to CONCOURSE_LDAP_HOST.

• ldap-user-search-base-dn | string

  Base DN for LDAP user searches. Maps to CONCOURSE_LDAP_USER_SEARCH_BASE_DN.

• ldap-user-search-email-attr | string

  LDAP attribute for user email. Maps to CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR.

• ldap-user-search-filter | string

  LDAP search filter for users (e.g., '(objectClass=person)'). Maps to CONCOURSE_LDAP_USER_SEARCH_FILTER.

• ldap-user-search-id-attr | string

  LDAP attribute used as the user ID. Maps to CONCOURSE_LDAP_USER_SEARCH_ID_ATTR.

• ldap-user-search-name-attr | string

  LDAP attribute for user display name. Maps to CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR.

• ldap-user-search-username | string

  LDAP attribute to match against the username. Maps to CONCOURSE_LDAP_USER_SEARCH_USERNAME.

• log-level | string

  Default: info

  Logging level for Concourse components (debug, info, warn, error). Default: info

• main-team-ldap-group | string

  Comma-separated list of LDAP groups for the main team. Example: "group-a,group-b" Maps to CONCOURSE_MAIN_TEAM_LDAP_GROUP.

• max-build-logs-to-retain | int

  Maximum number of build logs to retain per job (overrides pipeline settings). 0 means unlimited. Maps to CONCOURSE_MAX_BUILD_LOGS_TO_RETAIN.

• max-concurrent-downloads | int

  Default: 10

  Maximum number of concurrent resource downloads. Default: 10

• max-days-to-retain-build-logs | int

  Maximum days to retain build logs (overrides pipeline settings). 0 means unlimited. Maps to CONCOURSE_MAX_DAYS_TO_RETAIN_BUILD_LOGS.

• mode | string

  Default: auto

  Deployment mode for this unit:

  • 'auto': Leader runs web, non-leaders run workers (recommended for multi-unit)
  • 'all': Run both web and worker on this unit (default for single-unit)
  • 'web': Only run web server
  • 'worker': Only run worker Default: auto

• shared-storage | string

  Default: none

  Shared storage mode for LXC testing:

  • 'none': Disable shared storage, each unit downloads independently (default)
  • 'lxc': Enable LXC-mounted shared storage (requires .lxc_shared_storage marker) When set to 'lxc', units will wait for the marker file before proceeding. Default: none

• tag | string

  Comma-separated list of tags to assign to this worker. These are added to CONCOURSE_TAG and merged with any GPU-generated tags. Example: "gpu,high-mem,ssd"

• tls-enabled | boolean

  Enable TLS/HTTPS for Concourse web UI. Requires TLS certificate relation (future enhancement). Default: false

• vault-auth-backend | string

  Vault authentication backend (e.g., 'approle', 'token').

• vault-auth-backend-max-ttl | string

  Maximum TTL for the Vault authentication backend token. Example: '1h'

• vault-auth-param | string

  Comma-separated key-value pairs for the selected auth backend. Example: 'role_id:...,secret_id:...'

• vault-ca-cert | string

  Path to a PEM-encoded CA cert file to use for TLS to Vault.

• vault-client-cert | string

  Path to a PEM-encoded client certificate for TLS authentication to Vault.

• vault-client-key | string

  Path to an unencrypted, PEM-encoded private key for TLS authentication to Vault.

• vault-client-token | string

  Vault client token.

• vault-lookup-templates | string

  Vault lookup templates.

• vault-namespace | string

  Vault namespace.

• vault-path-prefix | string

  Prefix for all secret paths in Vault (e.g., '/concourse/my-team').

• vault-shared-path | string

  Shared path for Vault.

• vault-url | string

  URL of the Vault server. If set, enables Vault credential management. Example: https://vault.example.com:8200

• version | string

  Concourse CI version to deploy (e.g., 7.14.3). Leave empty to use the latest stable version.

• web-port | int

  Default: 8080

  Port for Concourse web UI and API server. Supports dynamic changes with automatic service restart. Privileged ports (< 1024) are supported via CAP_NET_BIND_SERVICE. Default: 8080

• worker-procs | int

  Default: 1

  Number of worker processes to spawn on this unit. Controls parallelism for job execution. Default: 1