A docker image for concourse using the standalone binaries.

The fine folks at concourse finally got around to maintaining a
docker image on their own. And
it seems they've taken into account a few learnings from here. :)

This makes this repository obsolete; please migrate to the official image.
To ease the transition, this repository will follow upstream releases a bit further
before ending maintenance.

It was fun, thanks everyone.

Concourse CI docker image

A docker image for concourse using
the standalone distribution.

It provides entry points for concourse web as well as for concourse worker.


Just run

docker build -t <image tag> .


Run concourse web

For the default configuration just run

docker run --entrypoint / meteogroup/concourse-ci

By default all keys are generated. The public key for TSA is printed to
stdout as well as the private key workers may use to register with TSA!

It is possible to mount a directory containing required keys for TSA into
/var/lib/concourse/keys. The following files are looked up there:

  • tsa_key will be used as private TSA host key
  • authorized_worker_keys will be used to verify
    workers. It will be reread each time a worker connects to the TSA.

docker run --entrypoint / \
  -v /path/to/dir/containing/keys:/var/lib/concourse/keys \

To allow sharing /var/lib/concourse/keys between concourse web and
concourse worker, private keys may be accessible by root only. They are
copied and made accessible to concourse web which will be run as non-root

A single public key can be passed in the CONCOURSE_WORKER_PUBKEY environment
variable. If /var/lib/concourse/keys is writable by the container,
authorized_worker_keys will be created from that key and used instead.
Otherwise the key in CONCOURSE_WORKER_PUBKEY is used as sole key to verify

If concourse web is firewalled or run behind a proxy, the externally visible URL
can be configured by setting the CONCOURSE_URL environment variable.

docker run --entrypoint / \
  --env CONCOURSE_URL= \

The default login is concourse with password ci. This can be changed by
setting the CONCOURSE_LOGIN and CONCOURSE_PASSWORD environment variables.

docker run --entrypoint / \
  --env CONCOURSE_LOGIN=ci-user \
  --env CONCOURSE_PASSWORD=rumpelstiltskin \

Alternatively, you can configure GitHub OAuth authentication by setting the
environment variables, along with one or more of the
CONCOURSE_GITHUB_AUTH_USER variables. Setting these variables will cause the
container to ignore the CONCOURSE_LOGIN and CONCOURSE_PASSWORD variables.

docker run --entrypoint / \
  --env CONCOURSE_GITHUB_AUTH_CLIENT_ID=b9c1a7f3895bd045b945 \
  --env CONCOURSE_GITHUB_AUTH_CLIENT_SECRET=1d9c379fcdfa6e1010293ed955274da27c3904c2 \

If you want to expose a safe view of your pipelines to unauthenticated users,
set the CONCOURSE_PUBLICLY_VIEWABLE environment variable. This is convenient
for open source projects.

docker run --entrypoint / \

The image comes with an internal postgres database (which will be lost when the
container is removed). To use an external postgres database set the
CONCOURSE_DATA_SOURCE environment variable.

docker run --entrypoint / \
  --env CONCOURSE_DATA_SOURCE=postgres://pg-user:pg-password@ \

The TSA private key may be passed in the CONCOURSE_TSA_KEY environment
variable. In that case /var/lib/concourse/keys/tsa_key is ignored.

The session signing key may be passed in the CONCOURSE_SESSION_SIGNING_KEY
environment variable. In that case /var/lib/concourse/keys/session_signing_key
is ignored.

docker run --entrypoint / \
  --env CONCOURSE_TSA_KEY="<private TSA key>" \
  --env CONCOURSE_SESSION_SIGNING_KEY="<session signing key>" \

Run a concourse worker

To run a worker use

docker run --entrypoint / --privileged \

As concourse worker is running containers for builds, it is essential to run it
in privileged mode and have a non-layering filesystem mounted to
/var/lib/concourse/work. Your builds will break and/or hang indefinitely

By default the TSA public key will be fetched from the TSA server during
startup and a key pair is generated for the worker. The public worker key is
then printed to stdout and has to be added to the authorized worker keys for

The TSA host and port can be configured by setting the CONCOURSE_TSA_HOST and
CONCOURSE_TSA_PORT environment variables. By default the worker tries to
register at

docker run --entrypoint / \
  --privileged -v /var/lib/concourse/work \
  --env CONCOURSE_TSA_PORT=2222 \

It is possible to mount a directory containing required keys for the worker
into /var/lib/concourse/keys. The following files are looked up there:

  • will be used as public TSA host key
  • worker_key will be used as the worker's private
    host key.

If /var/lib/concourse/keys is writable by the container, the worker's public
key is appended to authorized_worker_keys (which will be created if it does not
exist). After the keys are set up, /var/lib/concourse/keys will be unmounted from
the container to protect private keys.

docker run --entrypoint / \
  --privileged -v /var/lib/concourse/work \
  -v /path/to/dir/containing/keys:/var/lib/concourse/keys \

The worker's private key may be passed in the CONCOURSE_WORKER_KEY environment
variable. In that case /var/lib/concourse/keys/worker_key is ignored.

The public TSA host key can be passed in the CONCOURSE_TSA_PUBKEY environment
variable. In that case /var/lib/concourse/keys/ is ignored.

docker run --entrypoint / \
  --privileged -v /var/lib/concourse/work \
  --env CONCOURSE_WORKER_KEY="<worker's private key>" \
  --env CONCOURSE_TSA_PUBKEY="<public TSA key>" \
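
The key files named in the web and worker sections above can be created on the host and checked before the directory is mounted, instead of relying on the default where generated keys are printed to stdout. This is an added example, not part of this image or its repository; `gen_keys` and `check_keys` are hypothetical helper names, and the RSA key type and the plain `type base64 [comment]` line format of authorized_worker_keys are assumptions.

```sh
#!/bin/sh
# Added example, not part of the image: prepare and check a key directory
# shared by concourse web and concourse worker, using the file names this
# README lists for /var/lib/concourse/keys.
# Assumption: RSA keys as written by ssh-keygen (the README names no key type).

PRIVATE_KEYS="tsa_key session_signing_key worker_key"

# gen_keys DIR: create any missing private key in DIR with owner-only access
# and build authorized_worker_keys from the worker's public key.
gen_keys() (
  mkdir -p "$1" || exit 1
  umask 077                          # key files are created 0600, never wider
  for name in $PRIVATE_KEYS; do
    [ -f "$1/$name" ] && continue    # never overwrite an existing key
    ssh-keygen -q -t rsa -b 3072 -N '' -C "$name" -f "$1/$name" || exit 1
  done
  # Derive the public half from the private key itself.
  ssh-keygen -y -f "$1/worker_key" > "$1/authorized_worker_keys" || exit 1
  chmod 644 "$1/authorized_worker_keys"   # public material only
)

# check_keys DIR: print one line per problem; returns 0 only when clean.
check_keys() {
  rc=0
  for name in $PRIVATE_KEYS; do
    if [ ! -s "$1/$name" ]; then
      echo "missing or empty: $name"; rc=1
    elif [ "$(ls -ld "$1/$name" | cut -c5-10)" != "------" ]; then
      echo "group/other access: $name"; rc=1
    fi
  done
  f=$1/authorized_worker_keys
  if [ ! -s "$f" ]; then
    echo "missing or empty: authorized_worker_keys"; rc=1
  elif grep -q 'PRIVATE KEY' "$f"; then
    echo "private key material in authorized_worker_keys"; rc=1
  elif grep -v '^[[:space:]]*$' "$f" | grep -Eqv \
      '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/]+=*( .*)?$'; then
    echo "malformed entry in authorized_worker_keys"; rc=1
  fi
  return $rc
}
```

Run `check_keys` against the host directory before passing it to `-v`; a non-zero status means at least one of the printed problems needs fixing first.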

Run single node concourse web/worker

For your convenience there is a docker-compose.yml file to stand up a
ready-to-use concourse web/worker deployment, no key management involved. Just run

docker-compose up

If concourse web is firewalled or run behind a proxy, the externally visible URL
can be configured by setting the CONCOURSE_URL environment variable.

CONCOURSE_URL= docker-compose up

All authentication related options can be set as well using the respective
concourse web
for further details.


To test worker and CI server just run


This will start a busybox docker container, download fly and go through the
following steps:

  • Create a pipeline using a slightly modified version of the
    Hello, world! example.
  • Unpause the pipeline.
  • Trigger the job.
  • Wait for the job to complete.
  • Delete the pipeline.
  • Check the job output against the expected Hello, world! output.

By default the script tries to connect to using
concourse/ci as username/password. That can be changed by setting the
environment variables for the script.

Be aware that username and password will be echoed in the script output!

If concourse web is running behind a proxy and is not reachable at the host's
root path, you have to set the CONCOURSE_URL environment variable to the
externally reachable URL of concourse web. In that case the username and password
have to be repeated in the authority part of that URL, otherwise the
test script will not be able to download the fly binary.

Connecting to custom host/port:


Using custom username/password:


Connecting to concourse behind a proxy:

CONCOURSE_URL=https://ci-user:rumpelstiltskin@my-ci/concourse \



Concourse – Copyright © 2014-2016 Alex Suraci & Chris Brown, licensed under
Apache License 2.0

Copyright © 2016 MeteoGroup Deutschland GmbH

Licensed under the Apache License, Version 2.0 (the "License"); you may not use
any file from this repository except in compliance with the License. You may
obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed
under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
