Releases: hashicorp/nomad

v1.9.6

11 Feb 21:46

1.9.6 (February 11, 2025)

BREAKING CHANGES:

  • fingerprint: Consul and Vault fingerprints no longer reload periodically [GH-24526]

SECURITY:

  • api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
  • build: Updated Go to 1.23.6 [GH-25041]
  • event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilities on any namespace the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

  • auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
  • cli: Added actions available to a job when running nomad job status command [GH-24959]
  • event stream: adds ability to authenticate using workload identities [GH-24849]
  • services: Nomad service checks now support the tls_skip_verify parameter [GH-24781]
  • task schedule: The task being paused no longer impacts restart attempts [GH-25085]
  • ui: Contextualizes the Start Job button on whether it is startable, revertable, or not [GH-24985]

BUG FIXES:

  • agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
  • agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
  • client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
  • csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
  • docker: Fixed a bug that prevented image_pull_timeout from being applied [GH-24991]
  • docker: Fixed a bug where "error reading image pull progress" caused the allocation to get stuck pending [GH-24981]
  • reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
  • state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
  • taskrunner: fix panic when a task with dynamic user is recovered [GH-24739]
  • ui: Ensure pending service check blocks are filled [GH-24818]
  • ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
  • vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

v1.8.10 (Enterprise)

11 Feb 22:43

SECURITY:

  • api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
  • build: Updated Go to 1.23.6 [GH-25041]
  • event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilities on any namespace the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

  • auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
  • event stream: adds ability to authenticate using workload identities [GH-24849]

BUG FIXES:

  • agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
  • agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
  • client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
  • csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
  • networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
  • reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
  • state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
  • taskrunner: fix panic when a task with dynamic user is recovered [GH-24739]
  • ui: Ensure pending service check blocks are filled [GH-24818]
  • ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
  • vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

v1.7.18 (Enterprise)

11 Feb 22:53

SECURITY:

  • api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
  • build: Updated Go to 1.23.6 [GH-25041]
  • event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilities on any namespace the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

  • auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
  • event stream: adds ability to authenticate using workload identities [GH-24849]

BUG FIXES:

  • agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
  • agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
  • client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
  • csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
  • networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
  • reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
  • state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
  • ui: Ensure pending service check blocks are filled [GH-24818]
  • ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
  • vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

v1.9.5

14 Jan 20:15

1.9.5 (January 14, 2025)

IMPROVEMENTS:

  • client: Add noswap mount option to secrets directory where supported on Linux [GH-24645]
  • deps: Upgraded aws-sdk-go from v1 to v2 [GH-24720]
  • keyring: Warn if deleting a key previously used to encrypt an existing variable [GH-24766]
  • ui: Added possibility to supply HCL variable values on job submission [GH-24622]
  • ui: add leadership status for servers in other regions [GH-24723]

BUG FIXES:

  • docker: Fix a bug where images with port number and no tags weren't parsed correctly [GH-24547]
  • driver/docker: Fix container CPU stats collection where previous CPU stats were missing and causing incorrect calculations [GH-24768]
  • drivers: validate logmon plugin during reattach [GH-24798]
  • networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]

v1.8.9 (Enterprise)

14 Jan 21:28
d082d0c

IMPROVEMENTS:

  • api: Sanitise hcl variables before storage on JobSubmission [GH-24423]
  • deps: Upgraded aws-sdk-go from v1 to v2 [GH-24720]

BUG FIXES:

  • drivers: validate logmon plugin during reattach [GH-24798]

v1.7.17 (Enterprise)

14 Jan 21:23
4838b8f

IMPROVEMENTS:

  • deps: Upgraded aws-sdk-go from v1 to v2 [GH-24720]

BUG FIXES:

  • drivers: validate logmon plugin during reattach [GH-24798]

v1.7.16 (Enterprise)

19 Dec 18:12

SECURITY:

  • api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
  • security: Added more host environment variables to the default deny list for tasks [GH-24540]
  • security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
  • security: add executeTemplate to default template function_denylist [GH-24541]

BUG FIXES:

  • agent: Fixed a bug where retry_join gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561]
  • cli: Ensure the operator autopilot health command only outputs JSON when the json flag is supplied [GH-24655]
  • consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
  • consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
  • csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
  • csi: Removed redundant namespace output from volume status command [GH-24432]
  • discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
  • drivers: fix executor leak when drivers error starting tasks [GH-24495]
  • executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
  • fix: handles consul template re-renders on client restart [GH-24399]
  • networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
  • scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
  • vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]
  • windows: Restore process accounting logic from Nomad 1.6.x [GH-24494]

v1.9.4

18 Dec 20:45

1.9.4 (December 18, 2024)

SECURITY:

  • api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
  • security: Added more host environment variables to the default deny list for tasks [GH-24540]
  • security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
  • security: add executeTemplate to default template function_denylist [GH-24541]

IMPROVEMENTS:

  • actions: Nomad Actions names now accept a wider range of names [GH-24642]
  • api: Sanitise hcl variables before storage on JobSubmission [GH-24423]
  • client: Emit telemetry from prerun and prestart hooks for monitoring and alerting [GH-24556]
  • cni: Add Nomad specific workload information to CNI_ARGS [GH-24319]
  • core: add the possibility to scale system jobs between 0 and 1 [GH-24363]
  • ui: Add an Edit From Version button as an option when reverting from an older job version [GH-24168]
  • ui: Adds metadata tables to Task Group and Task pages [GH-24594]

BUG FIXES:

  • agent: Fixed a bug where retry_join gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561]
  • api: Fixed a bug where alloc exec/logs/fs APIs would return errors for non-global regions [GH-24644]
  • cli: Ensure the operator autopilot health command only outputs JSON when the json flag is supplied [GH-24655]
  • consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
  • consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
  • csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
  • csi: Removed redundant namespace output from volume status command [GH-24432]
  • discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
  • drivers: fix executor leak when drivers error starting tasks [GH-24495]
  • executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
  • keyring: Fixed a bug when decrypting aead with an empty RSA block on state upserts [GH-24442]
  • networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
  • scheduler: Fix bug where forced garbage collection does not ignore GC thresholds [GH-24456]
  • scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
  • ui: Fix a bug where namespaced jobs wouldn't show diffs on the versions page [GH-24466]
  • ui: Fix an issue where 2 parent jobs would see the other's dispatches if it were otherwise empty [GH-24668]
  • ui: Fix an issue where cmd+click or ctrl+click would double-open a var [GH-24316]
  • ui: Fix an issue where system jobs with garbage-collected allocations were showing as Scaled Down [GH-24620]
  • ui: Fix an issue where volumes weren't navigable [GH-24542]
  • vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]
  • windows: Restore process accounting logic from Nomad 1.6.x [GH-24494]

v1.8.8 (Enterprise)

19 Dec 15:21

SECURITY:

  • api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
  • security: Added more host environment variables to the default deny list for tasks [GH-24540]
  • security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
  • security: add executeTemplate to default template function_denylist [GH-24541]

BUG FIXES:

  • agent: Fixed a bug where retry_join gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561]
  • api: Fixed a bug where alloc exec/logs/fs APIs would return errors for non-global regions [GH-24644]
  • cli: Ensure the operator autopilot health command only outputs JSON when the json flag is supplied [GH-24655]
  • consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
  • consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
  • csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
  • csi: Removed redundant namespace output from volume status command [GH-24432]
  • discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
  • drivers: fix executor leak when drivers error starting tasks [GH-24495]
  • executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
  • fix: handles consul template re-renders on client restart [GH-24399]
  • networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
  • scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
  • vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]

v1.9.3

11 Nov 18:35

1.9.3 (November 11, 2024)

BUG FIXES:

  • fix: handles consul template re-renders on client restart [GH-24399]
  • fsm: Fix bug in snapshot restore that could partially wipe state [GH-24412]