Upgrading dependency versions for Cloud Foundry
Page last updated:
This topic tells you how to upgrade a dependency version in a custom buildpack. These procedures enable Cloud Foundry (CF) operators to maintain custom buildpacks that contain dependencies outside of the dependencies in the CF system buildpacks.
Cloud Foundry buildpacks team process
The procedures in this topic refer to the tools used by the CF buildpacks team, but they do not require the following specific tools. You can use any continuous integration (CI) system and workflow management tool to update dependencies in custom buildpacks.
The CF buildpacks team uses the following tools to update dependencies:
- Concourse deployment of the buildpacks-ci pipelines.
- public-buildpacks-ci-robots GitHub repository.
- Pivotal Tracker for workflow management.
When the New Releases job in the notifications pipeline
detects a new version of a tracked dependency in a buildpack, it creates a Tracker story about building and including the new version of the dependency in the buildpack manifests. It also posts a message as the dependency-notifier
to the #buildpacks channel in the Cloud Foundry Slack channel.
Building binaries
For all dependencies, you must build the binary from source or acquire the binary as a tarball from a trusted source. For most dependencies, the CF buildpacks team builds the binaries from source.
The following steps assume you are using a Concourse deployment of the buildpacks-ci
pipelines and Pivotal Tracker.
To build the binary for a dependency:
- Go to the
public-buildpacks-ci-robots
directory and verify no uncommitted changes exist.
$ cd ~/workspace/public-buildpacks-ci-robots $ git status
- Run the
git pull
command in the directory to ensure it contains the most recent version of the contents.
$ git pull -r
- Go to the
binary-builds
directory.
$ cd binary-builds
Locate the YAML file for the buildpack that you want to build a binary. The directory contains YAML files for all the packages and dependencies tracked by the CF buildpacks team. Each YAML file correlates to the build queue for one dependency or package, and uses the naming format
DEPENDENCY-NAME.yml
. For example, the YAML file tracking the build queue for Ruby is namedruby-builds.yml
and contains the following contents:--- ruby: []
Different buildpacks use different signatures for verification. Determine which signature your buildpack requires by consulting the list in the buildpacks section of this topic and follow the instructions to locate the SHA256, MD5, or GPG signature for the binary:
- For the SHA256 of a file, run
shasum -a 256 FILE-NAME
. - For the MD5 of a file, run
md5 FILE-NAME
. - For the GPG signature (for Nginx), see the Nginx Downloads page.
Add the version and verification for the new binary to the YAML file as attributes of an element under the dependency name. For example, to build the Ruby 2.3.0 binary verified with SHA256, add the following to the YAML file:
--- ruby: - version: 2.3.0 sha256: ba5ba60e5f1aa21b4ef8e9bf35b9ddb57286cb546aac4b5a28c71f459467e507
Do not preface the version number with the name of the binary or language. For example, specify
2.3.0
forversion
instead ofruby-2.3.0
.You can enqueue builds for multiple versions at the same time. For example, to build both the Ruby 2.3.0 binary and the Ruby 2.3.1 binary, add the following to the YAML file:
--- ruby: - version: 2.3.0 sha256: ba5ba60e5f1aa21b4ef8e9bf35b9ddb57286cb546aac4b5a28c71f459467e507 - version: 2.3.1 sha256: b87c738cb2032bf4920fef8e3864dc5cf8eae9d89d8d523ce0236945c5797dcd
Use the
git add
command to stage your changes:$ git add .
Use the
git commit -m "YOUR-COMMIT-MESSAGE [#STORY-NUMBER]"
command to commit your changes using the Tracker story number. ReplaceYOUR-COMMIT-MESSAGE
with your commit message, andSTORY-NUMBER
with the number of your Tracker story.$ git commit -m "make that change [#1234567890]"
Run
git push
to push your changes to the remote origin.$ git push
Pushing your changes initiates the binary building process, which you can monitor at the binary-builder pipeline of your own
buildpacks-ci
Concourse deployment. When the build completes, it adds a link to the Concourse build run to the Tracker story specified in the commit message for the new release.Binary builds are run by the Cloud Foundry Binary Builder and the dependency-builds pipeline.
Updating buildpack manifests
After you build the binary for a dependency that you want to access and download from a URL, follow the instructions to add the dependency version to the buildpack manifest
The following steps assume you are using a Concourse deployment of the buildpacks-ci
pipelines and Pivotal Tracker.
To add the dependency version to the buildpack manifest, use these steps:
Go to the directory of the buildpack for which you want to update dependencies and run
git checkout develop
to check out thedevelop
branch.$ cd ~/workspace/ruby-buildpack $ git checkout develop
Edit the
manifest.yml
file for the buildpack to add or remove dependencies.dependencies: - name: ruby version: 2.3.0 md5: 535342030a11abeb11497824bf642bf2 uri: https://pivotal-buildpacks.s3.amazonaws.com/concourse-binaries/ruby/ruby-2.3.0-linux-x64.tgz cf_stacks: - cflinuxfs4
* Follow the current structure of the manifest. For example, if the manifest includes the two most recent patch versions for each minor version of the language, you can also include the two most recent patch versions for each minor version of the language, such as both `ruby-2.1.9` and `ruby-2.1.8`.
* Copy the `uri` and the `md5` from the `build-BINARY-NAME` job that ran in the Concourse dependency-builds pipeline and add them to the manifest.
In the PHP buildpack, you might see a <code>modules</code> line for each PHP dependency in
the manifest. Do not include this <code>modules</code> line in your new PHP dependency
entry. The <code>modules</code> line is added to the manifest by the <code>ensure-manifest-has-modules</code> Concourse job in the <code>php-buildpack</code> when you commit and push your changes. You can see this in the output logs of the <code>build-out</code> task.
Replace any other mentions of the old version number in the buildpack repository with the new version number. The CF buildpack team uses Ag for text searching.
$ ag OLD-VERSION
Run the following command to package and upload the buildpack, set up the org and space for tests in the specified CF deployment, and run the CF buildpack tests:
$ BUNDLE_GEMFILE=cf.Gemfile buildpack-build
If the command fails, you might need to fix or change the tests, fixtures, or other parts of the buildpack.
Once the test suite completely passes, use git commands to stage, commit, and push your changes:
$ git add . $ git commit -m "YOUR-MESSAGE[#TRACKER-STORY-ID]" $ git push
Monitor the
LANGUAGE-buildpack
pipeline in Concourse. Once the test suite builds, thespecs-lts-develop
job andspecs-edge-develop
job, pass for the buildpack, you can deliver the Tracker story for the new Dependency release. Copy and paste links for the successful test suite builds into the Tracker story.
Buildpacks
The following list contains information about the buildpacks maintained by the CF buildpacks team:
Go:
- Built from: A tarred binary,
GO-VERSION.linux-amd64.tar.gz
, provided by Google on the Go Downloads page. - Verified with: The MD5 of the tarred binary.
- Example: Using the Google Tarred Binary for Go 1.6.2.
Godep:
- Built from: A source code
.tar.gz
file from the Godep GitHub releases page. Verified with: The SHA256 of the source Example: Automated enqueuing of binary build for Godep 72.
The buildpacks-ci dependency-builds pipeline automates the process of detecting, uploading, and updating Godep in the manifest.
Node.js buildpack
Node:
- Verified with: The SHA256 of the
node-vVERSION.tar.gz
file listed onhttps://nodejs.org/dist/vVERSION/SHASUMS256.txt
For example, for Node version 4.4.6, the CF buildpacks team verifies with the SHA256 fornode-v4.4.6.tar.gz
on its SHASUMS256 page. - Example: Enqueuing binary builds for Node 4.4.5 and 6.2.0.
Python buildpack
Python:
- Verified with: The MD5 of the
Gzipped source tarball
, listed onhttps://www.python.org/downloads/release/python-VERSION/
, whereVERSION
has no periods. For example, for Python version2.7.12
, use the MD5 for theGzipped source tarball
on its downloads page. - Example: Enqueuing binary build for Python 2.7.12.
Java buildpack
OpenJDK:
- Built from: The tarred OpenJDK files managed by the CF Java Buildpack team.
- Verified with: The MD5 of the tarred OpenJDK files.
Ruby buildpack
JRuby:
- Verified with: The MD5 of the Source
.tar.gz
file from the JRuby Downloads page. - Example: Enqueuing binary build for JRuby 9.1.2.0.
Ruby:
- Verified with: The SHA256 of the source from the Ruby Downloads page.
- Example: Enqueuing binary builds for Ruby 2.2.5 and 2.3.1.
Bundler:
- Verified with: The SHA256 of the
.gem
file from Rubygems. - Example: Enqueuing binary build for Bundler 1.12.5.
PHP buildpack
PHP:
- Verified with: The SHA256 of the
.tar.gz
file from the PHP Downloads page. - To enqueue builds for PHP, you need to edit a file in the
public-buildpacks-ci-robots
repository. For PHP5 versions, the CF buildpacks team enqueues builds in thebinary-builds/php-builds.yml
file. For PHP7 versions, the CF buildpacks team enqueues builds in thebinary-builds/php7-builds.yml
file. - Example: Enqueuing binary builds for PHP 7.2.5 and 7.0.30.
Nginx:
- Verified with: The
gpg-rsa-key-id
andgpg-signature
of the version. Thegpg-rsa-key-id
is the same for each version/build, but thegpg-signature
is different. This information is located on the Nginx Downloads page. - Example: Enqueuing binary build for Nginx 1.11.0.
HTTPD:
- Verified with: The MD5 of the
.tar.bz2
file from the HTTPD Downloads page. - Example: Enqueuing binary build for HTTPD 2.4.20.
Composer:
- Verified with: The SHA256 of the
composer.phar
file from the Composer Downloads page. - For Composer, there is no build process as the
composer.phar
file is the binary. In the manual process, connect to the appropriate S3 bucket using the correct AWS credentials. Create a new directory with the name of the composer version, for example1.0.2
, and put the appropriatecomposer.phar
file into that directory.
For Composer v1.0.2
, connect and create the php/binaries/trusty/composer/1.0.2
directory. Then place the composer.phar
file into that directory so the binary is available at php/binaries/trusty/composer/1.0.2/composer.phar
.
The buildpacks-ci dependency-builds pipeline automates the process of detecting, uploading, and updating Composer in the manifest.
Staticfile buildpack
Nginx:
- Verified with: The
gpg-rsa-key-id
andgpg-signature
of the version. Thegpg-rsa-key-id
is the same for each version/build, but thegpg-signature
is different. This information is located on the Nginx Downloads page. - Example: Enqueuing binary build for Nginx 1.11.0.
Binary buildpack
The Binary buildpack has no dependencies.
View the source for this page in GitHub