Compare releases

Compare releases and check for compatibility between your existing Octopus Server and new releases.

What's new

These are the most important features you'll get by upgrading from 2018.12.1 to 2019.1.9

Octopus 2019.1

Highlights

Spaces

To bring in the new year, we are shipping our latest feature. Spaces is a comprehensive set of user interface, API and permission system changes designed to make it easier to configure deployments in busy organizations.

From our documentation:

Spaces let you partition your Octopus server so that different teams can only access the projects, environments, and infrastructure they work with from the spaces they are members of.

Teams & Permissions

We have re-designed the way permissions are assigned to Teams, making it easier than ever to configure and manage permissions for your users. As part of this we have rewritten much of the code that enforces these permissions so that we can make sure Octopus keeps your data safe. There are a few breaking changes involved here, so customers with complex permission configurations may want to pay careful attention to the release notes.

Breaking Changes

Before upgrading to this release, there are some breaking changes in behaviour that you need to be aware of.

Tentacle

Some tentacle operations now necessarily act within a space and the CLI commands accept an optional spaceName parameter. These commands are the register-with, register-worker, deregister-from, deregister-worker and show-configuration commands. Since the deregister-* commands act within a single space, and a single Tentacle can register machines in multiple spaces, these commands no longer remove trust for the Octopus Server. To remove trust, the command Tentacle.exe configure --remove-trust=... must instead be used.

API Changes

A number of API route changes were made in this release. Most routes now include a segment that represents the target Space. We provide a Default Space for backwards compatibility with the old routes.

Disabling the Default Space will turn off backwards compatibility. Anything that leans on the old API routes, integrations, extensions and tools may break when the default spaces is disabled. More information here

Many of these changes are also reflected in Octopus.Client, so it is recommended your integrations update to the latest version of Octopus.Client (at least 5.0.0).

IsMultiTenancyEnabled

The property representing whether multi-tenancy was enabled is no longer exposed through the features endpoint (/api/featuresconfiguration) but is now exposed through the tenancy status endpoint (/api/tenants/status or /api/{spaceId}/tenants/status).

Built in Repository & Feeds

The endpoint responsible for fetching and configuring settings related to the built in package repository (/api/repository/configuration) has been removed. Instead, the built in package repository settings are managed the same way as other feed types, through the feeds api (/api/feeds/{feedId}), where the {feedId} is the Id of the built in package repository. The built in package repository endpoint has moved from /api/serverstatus/nuget to /api/feeds/stats or /api/{spaceId}/feeds/stats

ServerTask links

The Links collection on Tasks (TaskResource) no longer contains Artifacts and Interruptions links for the subset of task types for which they do not apply (i.e. “System” tasks).

UserRoles

UserRoles (UserRoleResource) used to contain a single collection of GrantedPermissions, but now instead contains separate collections for permissions that apply within a space (GrantedSpacePermissions), and permissions that apply at the system level (GrantedSystemPermissions). Similarly, PermissionDescriptions has been replaced by SpacePermissionDescriptions and SystemPermissionDescriptions

Teams

Teams no longer contain scope properties (ProjectGroups, Projects, Environments and Tenants), nor do they reference UserRole. These concepts have been replaced by the new entity type ScopedUserRole.

ScopedUserRoles

This new entity type exists at /api/scopeduserroles. It represents an application of a UserRole to a Team. It also includes the scope properties (ProjectGroups, Project, Environment and Tenants) that apply for that UserRole. This enables UserRoles with different scoped applied to the same Team (i.e. the same group of Users), and also allows the same Team to have access to different Spaces.

Artifacts

Artifacts (Artifactresource) no longer contains RelatedDocumentIds. Instead there is a new property called ServerTaskId to indicate which ServerTask the Artifact was collected from. Artifacts can only be associated with AdHoc Script tasks and Deployment tasks.

Permission changes

The implementation of our permissions system was changed in order to support Spaces. At the same time, we took the opportunity to apply permissions more consistently, so that we could reduce confusion while also making things more secure.

This resulted in some breaking changes to permissions where the old system was not consistent. In most cases, the new system is more restrictive than the old system, so upon upgrade most users should not have more access than they previously had.

Some of these changes require additional permissions to do certain tasks. For users that tend to use built in User Roles, Octopus should continue to behave as it did before and no action is required.

Customers with complex permission configurations may want to pay careful attention to the release notes, as there may be action required after upgrade. While most of these changes affect edge cases that normal users won’t encounter, we recommend testing your permissions after upgrade to ensure they behave as you intend.

In general *Edit and *Delete permissions, now strictly requires the corresponding *View permission.

For example: AccountDelete now also requires AccountView MachinePolicyEdit now also requires MachinePolicyView And so on

Accounts

Retrieving accounts by ID is more restrictive now (to be consistent with the Index endpoint). It used to allow you to see documents with partial scoping (eg. no tenants) when your permissions were scoped, which is no longer the case. Getting the usage of accounts may require ProjectView

Certificates

Retrieving certificates by ID is more restrictive now (to be consistent with the Index endpoint). It used to allow you to see documents with partial scoping (eg. no tenants) when your permissions were scoped, which is no longer the case. Getting the usage of certificates may require ProjectView Viewing the public Octopus Server certificate no longer requires the MachineEdit permission. It is accessible by any authenticated user.

Action Templates

Search and logo retrieval requires ActionTemplateView Get usages of the action template requires ProjectView Updating deployment actions will skip actions that are inaccessible rather than failing Updating deployment actions additionally requires the ProjectView permission

Artifacts

Users with could not view/edit or create a completely unscoped artifact if their permissions were scoped, but now they can.

Audit

AuditView permission has been removed because it is no longer applicable, as you always needed EventView to actually see events via the Audit screen. There is no migration required for this, e.g. if you had AuditView without EventView previously, then you could not see any events anyway.

Cloud Template

The cloud template endpoint no longer requires the ProcessEdit permission. It is accessible by any authenticated user.

Deployment

Creating a deployment additionally requires ReleaseView, ProcessView, ProjectView, EnvironmentView, DeploymentView Modifying a deployment additionally requires EnvironmentView Tenanted deployments additionally require TenantView

Deployment Process

Getting a template requires ReleaseView Getting a list of Deployment processes now requires ProcessView

Events

Events that are scoped to multiple of the same type of document, and your EventView permission are scoped to the same documents then you can now see that event. You can see events that partially match your permissions scopes, instead of needing to match all of your permission scopes.

Feeds

Downloading packages or viewing the delta signature for the built in feed additionally requires the FeedView permission Searching for packages in the built in release feed requires ReleaseView and ProjectView. Modifying configuration for the built in feed now requires the BuiltInFeedAdminister instead of the ConfigureServer permission.

Interruptions

InterruptionViewSubmitResponsible is the only permission required to take responsibility and submit and interruption when that interruption has assigned responsible teams. To view an assigned interruption you may require UserView

Library Variable Sets

LibraryVariableSetView is now consistently checked in all scenarios where a variable set is accessed.

Lifecycles

Lifecycles can be created or edited only when the user has EnvironmentView access to all environments used by that lifecycle EnvironmentView is required to preview a lifecycle ‘ProcessView’ and ‘ProjectView’ are required to view projects connected to a lifecycle The lifecycle progression API now requires ProcessView, DeploymentView, TenantView, EnvironmentView and LifecycleView

Projects & Project Groups

Creating a project group and adding a project no longer requires ProcessView

Packages

When replacing an existing package, the BuiltInFeedPush permission check will take into account the project scopes applied to that permission You can no longer get the delta signature of a package scoped to a project, while your BuiltInFeedDownload permission was scoped to a different project

Releases

Editing a release requires ProcessView and ProjectView Updating release variables requires ProjectView Viewing a release requires ProjectView Getting a release template requires ProcessView and LifecycleView Getting the release progression requires ProcessView and LifecycleView

Server Nodes

Octopus Server Nodes GET endpoints are accessible to authenticated users - they don’t require administrator access. Any modifications still required administrator access.

Tasks

Cancelling a task requires TaskView, and any permissions that would be required to create that type of task (for example, EnvironmentView or MachineEdit for AdHoc Script tasks) Re-running a task requires the same permissions as creating that task. You can now always view the raw task log if you have TaskView for that task and also TaskViewLog. Modifying a task’s state when that task is not a Deployment task now requires TaskEdit scoped to that task, instead of requiring unscoped TaskEdit

Tenants

Getting tenant variables requires ProjectView Getting missing variables for tenants requires LibraryVariableSetView Updating the sort order for tag sets requires TagSetEdit instead of TenantEdit

Users

Getting a list of users will always return at least one result (yourself), even if you lack the UserView permission

Octopus 2018.12

This release consists of a few important bug fixes and enhancements. Most notable is updating our Azure support to handle deprecated management certificate better.

Release notes

These are the features and fixes you'll get by upgrading from 2018.12.1 to 2019.1.9.

Changes in Octopus Server 2019.1.9

  • 4515 - Certificate filter doesn't work when there is more than 1 page or results
  • 5307 - Run Condition and Start Trigger sections no longer disappear when a validation error happens when saving a step
  • 5308 - Fix for audit screen and audit shortcuts reporting incorrect lack of permission for users who have EventView scoped
  • 5309 - Expose the K8S Pod termination grace period field
  • 5310 - Allow K8S TLS certificate to be empty
  • 5316 - UI fixing route issues that were causing pages to re-render when filtering
  • 5317 - Fix for server startup error (Error converting value “TaskViewLog”)
  • 5319 - Can't save previously created K8S container definitions

Changes in 2019.1.8 (release was disabled/hidden due to a bug found)

  • 4392 - Fixed the variable preview grid to expand columns to all available space
  • 5295 - Prevent SQL timeouts for auto-deploy triggers
  • 5298 - Fixed "Unbound variable" error when using set_octopusvariable with set -euo pipefail
  • 5305 - Rename "machine name" field on deployment targets to "display name"
  • 5306 - Show type (Polling Tentacle/Listening Tentacle/Cloud Region/etc) when viewing a deployment target
  • 5311 - Removed extraneous slashes in placeholder text for offline drop targets
  • 5313 - Outdated OctopusClient warnings now include user and agent type
  • 5315 - Save terraform sensitive values as Octopus sensitive values (CVE-2019-8944)
  • 4873 - Fix an escaping issue causing Authentication issues with Azure CLI when an Azure Service Principal Account key contains special characters such as those generated by the new Azure App registrations preview blade.

Changes in 2019.1.7 (release was disabled/hidden due to a bug found)

  • 5261 - Fix for Tenant scoped users who were incorrectly blocked from exporting certificates
  • 5280 - "Deploy a Release" steps now collect output variables from failed child deployments
  • 5289 - Fixed a bug where Project Viewers could not assign and submit interruptions
  • 5290 - Fixed error "This SqlTransaction has completed; it is no longer usable"
  • 5291 - Added warning logs for situations where an IIS web site deployment will fail to start the web site
  • 5293 - The built-in repository settings are now retained correctly when upgrading from versions prior to 2019.1.x
  • 5294 - Fixed a bug where Packages could be cleaned up by retention policies while still in use by Releases
  • 5296 - No longer leaving orphaned DeploymentActionId when deleting a step as part of deleting a channel
  • 5297 - Resolved performance problem writing to log files introduced in 2019.1.2
  • 5304 - Breaking change Removed the TaskViewLog permission. Any user that has been granted access to a Task through the TaskView permission can also view that Task's logs

Changes in Octopus Server 2019.1.6

  • 3198 - Added support for variable substitution in ARM templates for complex types including array types
  • 4469 - Links in AWS error messages are now rendered as proper links
  • 4618 - Better error handling for Azure steps that display information from Azure
  • 5207 - Prevented infinite polling loop when navigation happens while request is in flight
  • 5243 - Add CAPABILITYAUTOEXPAND to CloudFormation step and ability to choose multiple IAM capabilities
  • 5265 - The correct artifacts now show on the release screen, fixing a bug introduced in 2019.1.0
  • 5269 - Fixed a bug where members of teams with no permissions could not assign interruption to themselves, even if that team was designated the responsible team for the interruption
  • 5271 - Fix an issue where deleting a CloudFormation stack would not wait until completion
  • 5278 - Allow ingress rules to be reordered
  • 5279 - Support Downward API for environment variables in Deploy Kubernetes Containers step
  • 5282 - Create release via Client API now works for .net standard
  • 5283 - Fix for Task screen incorrectly reporting lack of TaskView permission when it was granted only at the Space level
  • 5284 - Fixed various issues around permissions that allows access to projects through connected tenants

Changes in Octopus Server 2019.1.5

  • 5267 - Resolved error when cloning a channel-scoped step to another project
  • 5273 - Fix a bug when navigating to a community action template
  • 5275 - Fix for scheduled deployments that contain a deploy a release step failing with a permission exception

Changes in Octopus Server 2019.1.4

  • 5266 - Fixed error when health checking Tenant scoped targets in 2019.1.0 and later
  • 5268 - Fixed UI bug with exclude unhealthy targets setting

Changes in Octopus Server 2019.1.3

  • 5258 - Fix for update deployment process returning incorrect error for missing ProcessEdit permission when it's Tenant scoped
  • 5259 - Resolved migrator issue where attachments were causing '$' to be left in IDs
  • 5260 - Fix for Tenant scoped ProcessEdit permission warning when updating Action Templates
  • 5262 - Fixes errors during upgrade for instances that cannot access the package roots parent directory

Changes in Octopus Server 2019.1.2

  • 5247 - Fixed a bug where the Feeds endpoints would not return a backwards compatible FeedResource for old versions of octo.exe
  • 5253 - AWS now correctly uses the EC2 instance role metadata
  • 5254 - Package upload dates are now shown again (when available) on the previous versions dialog
  • 5255 - The refresh feed list button on the Run a Helm Update step no longer crashes
  • 5256 - Stopped showing the (unsupported) built in feed for the Run a Helm Update step
  • 5257 - Fix for permission error on Releases screen when user had valid Tenant scoped ReleaseView and ProcessView permissions

Changes in Octopus Server 2019.1.1

  • 4562 - Added option to exclude unhealthy targets at the beginning of a deployment
  • 5141 - Allow overriding namespace in Helm Upgrade step
  • 5234 - Added Python 3 support for script steps, ad-hoc scripts and custom deployment scripts
  • 5238 - Steps that are skipped due to not finding any deployment targets to run on are now marked as skipped rather than successful, resolving an issue where the incorrect run time was shown
  • 5240 - UI fix for package version rendering issues on Create Release screen
  • 5241 - Octopus.Migrator.exe now uses the ID to name exported certificate files to ensure all certifcates are exported correctly, even superseded certificates
  • 5244 - New-OctopusAzureWebAppTarget command slot name parameter is now honoured
  • 5245 - Variable expressions that reference a non existent JSON property now evaluate to an empty string
  • 5248 - The server now completes it startup sequence before processing a shutdown request
  • 5249 - Fix for a user with Tenant scoped ProcessEdit would prevent UI from showing Create Release action
  • 5250 - Fix for ProcessEdit permission correctly operating with Tenant dimension to show add channel button
  • 5251 - Fix for ProjectEdit permission correctly operating with Project Group dimension to allow settings editing and tenant linking
  • 5252 - Fix to ensure post installation scripts correctly refresh views

Changes in Octopus Server 2019.1.0

  • 5226 - Breaking change Increased the speed of artifact retrieval and cascade deletion when there are many artifacts
  • 6084 - Breaking change TeamResource structure change - improved scoping ability per team
  • 5239 - Added Tentacle support for spaces. Breaking change Deregister commands no longer remove trust for the server
  • 3055 - Fix for inconsistencies in EventView permission calculations.
  • 4362 - Tentacle Manager no longer overwrites Tentacle instances with the same name.
  • 4831 - Tentacle Manager now properly handles selecting and creating of Roles that include spaces

Changes in Octopus Server 2018.12.1

  • 2521 - Polling Tentacle timeout can now be configured via the machine policy, replacing the Octopus.Server.exe.config settings. If you are using those settings, open each machine policy, check the settings and save the policy
  • 5124 - Added support for touch screens when reordering lists (e.g. when re-ordering steps)
  • 5174 - Attempt to cancel any running tasks when shutting down the Octopus service
  • 5204 - SSH and Tentacle connection timeouts and limits can now be configured via the machine policy
  • 5229 - External feed URLs are now trimmed to prevent validation errors
  • 5231 - Squashed null reference error in Deploy Kubernetes Containers step when secret has no data
  • 5233 - Added support for AWS S3 and CloudFormation steps to run on ssh Linux targets
  • 5237 - Fix for incorrect permission warning on Project overview screen if user only had ProjectView scoped on group dimension