Releases: hashicorp/nomad
Releases · hashicorp/nomad
v1.9.6
1.9.6 (February 11, 2025)
BREAKING CHANGES:
- fingerprint: Consul and Vault fingerprints no longer reload periodically [GH-24526]
SECURITY:
- api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
- build: Updated Go to 1.23.6 [GH-25041]
- event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilites on any namespace, the ability to read events from all namespaces. [GH-25089]
IMPROVEMENTS:
- auth: adds
VerboseLogging
option to auth-method config for debugging SSO [GH-24892] - cli: Added actions available to a job when running nomad job status command [GH-24959]
- event stream: adds ability to authenticate using workload identities [GH-24849]
- services: Nomad service checks now support the
tls_skip_verify
parameter [GH-24781] - task schedule: The task being paused no longer impacts restart attempts [GH-25085]
- ui: Contextualizes the Start Job button on whether it is startable, revertable, or not [GH-24985]
BUG FIXES:
- agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
- agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
- client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
- csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
- docker: Fixed a bug that prevented image_pull_timeout from being applied [GH-24991]
- docker: Fixed a bug where "error reading image pull progress" caused the allocation to get stuck pending [GH-24981]
- reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
- state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
- taskrunner: fix panic when a task with dynamic user is recovered [GH-24739]
- ui: Ensure pending service check blocks are filled [GH-24818]
- ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
- vault: Fixed a bug where successful renewal was logged as an error [GH-25040]
v1.8.10 (Enterprise)
SECURITY:
- api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
- build: Updated Go to 1.23.6 [GH-25041]
- event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilites on any namespace, the ability to read events from all namespaces. [GH-25089]
IMPROVEMENTS:
- auth: adds
VerboseLogging
option to auth-method config for debugging SSO [GH-24892] - event stream: adds ability to authenticate using workload identities [GH-24849]
BUG FIXES:
- agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
- agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
- client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
- csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
- networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
- reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
- state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
- taskrunner: fix panic when a task with dynamic user is recovered [GH-24739]
- ui: Ensure pending service check blocks are filled [GH-24818]
- ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
- vault: Fixed a bug where successful renewal was logged as an error [GH-25040]
v1.7.18 (Enterprise)
SECURITY:
- api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
- build: Updated Go to 1.23.6 [GH-25041]
- event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilites on any namespace, the ability to read events from all namespaces. [GH-25089]
IMPROVEMENTS:
- auth: adds
VerboseLogging
option to auth-method config for debugging SSO [GH-24892] - event stream: adds ability to authenticate using workload identities [GH-24849]
BUG FIXES:
- agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
- agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
- client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
- csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
- networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
- reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
- state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
- ui: Ensure pending service check blocks are filled [GH-24818]
- ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
- vault: Fixed a bug where successful renewal was logged as an error [GH-25040]
v1.9.5
1.9.5 (January 14, 2025)
IMPROVEMENTS:
- client: Add noswap mount option to secrets directory where supported on Linux [GH-24645]
- deps: Upgraded aws-sdk-go from v1 to v2 [GH-24720]
- keyring: Warn if deleting a key previously used to encrypt an existing variable [GH-24766]
- ui: Added possibility to supply HCL variable values on job submission [GH-24622]
- ui: add leadership status for servers in other regions [GH-24723]
BUG FIXES:
- docker: Fix a bug where images with port number and no tags weren't parsed correctly [GH-24547]
- driver/docker: Fix container CPU stats collection where previous CPU stats were missing and causing incorrect calculations [GH-24768]
- drivers: validate logmon plugin during reattach [GH-24798]
- networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
v1.8.9 (Enterprise)
v1.7.17 (Enterprise)
v1.7.16 (Enterprise)
SECURITY:
- api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
- security: Added more host environment variables to the default deny list for tasks [GH-24540]
- security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
- security: add executeTemplate to default template function_denylist [GH-24541]
BUG FIXES:
- agent: Fixed a bug where
retry_join
gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561] - cli: Ensure the
operator autopilot health
command only outputs JSON when thejson
flag is supplied [GH-24655] - consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
- consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
- csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
- csi: Removed redundant namespace output from volume status command [GH-24432]
- discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
- drivers: fix executor leak when drivers error starting tasks [GH-24495]
- executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
- fix: handles consul template re-renders on client restart [GH-24399]
- networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
- scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
- vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]
- windows: Restore process accounting logic from Nomad 1.6.x [GH-24494]
v1.9.4
1.9.4 (December 18, 2024)
SECURITY:
- api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
- security: Added more host environment variables to the default deny list for tasks [GH-24540]
- security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
- security: add executeTemplate to default template function_denylist [GH-24541]
IMPROVEMENTS:
- actions: Nomad Actions names now accept a wider range of names [GH-24642]
- api: Sanitise hcl variables before storage on JobSubmission [GH-24423]
- client: Emit telemetry from prerun and prestart hooks for monitoring and alerting [GH-24556]
- cni: Add Nomad specific workload information to CNI_ARGS [GH-24319]
- core: add the possibility to scale system jobs between 0 and 1 [GH-24363]
- ui: Add an Edit From Version button as an option when reverting from an older job version [GH-24168]
- ui: Adds metadata tables to Task Group and Task pages [GH-24594]
BUG FIXES:
- agent: Fixed a bug where
retry_join
gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561] - api: Fixed a bug where alloc exec/logs/fs APIs would return errors for non-global regions [GH-24644]
- cli: Ensure the
operator autopilot health
command only outputs JSON when thejson
flag is supplied [GH-24655] - consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
- consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
- csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
- csi: Removed redundant namespace output from volume status command [GH-24432]
- discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
- drivers: fix executor leak when drivers error starting tasks [GH-24495]
- executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
- keyring: Fixed a bug when decrypting aead with an empty RSA block on state upserts [GH-24442]
- networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
- scheduler: Fix bug where forced garbage collection does not ignore GC thresholds [GH-24456]
- scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
- ui: Fix a bug where namespaced jobs wouldn't show diffs on the versions page [GH-24466]
- ui: Fix an issue where 2 parent jobs would see the others dispatches if it were otherwise empty [GH-24668]
- ui: Fix an issue where cmd+click or ctrl+click would double-open a var [GH-24316]
- ui: Fix an issue where system jobs with garbage-collected allocations were showing as Scaled Down [GH-24620]
- ui: Fix an issue where volumes weren't navigable [GH-24542]
- vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]
- windows: Restore process accounting logic from Nomad 1.6.x [GH-24494]
v1.8.8 (Enterprise)
SECURITY:
- api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
- security: Added more host environment variables to the default deny list for tasks [GH-24540]
- security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
- security: add executeTemplate to default template function_denylist [GH-24541]
BUG FIXES:
- agent: Fixed a bug where
retry_join
gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561] - api: Fixed a bug where alloc exec/logs/fs APIs would return errors for non-global regions [GH-24644]
- cli: Ensure the
operator autopilot health
command only outputs JSON when thejson
flag is supplied [GH-24655] - consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
- consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
- csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
- csi: Removed redundant namespace output from volume status command [GH-24432]
- discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
- drivers: fix executor leak when drivers error starting tasks [GH-24495]
- executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
- fix: handles consul template re-renders on client restart [GH-24399]
- networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
- scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
- vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]