v1.9.0-beta.2

SECURITY:

• security: Fixed a bug in client FS API where the check to prevent reads from the secrets dir could be bypassed on case-insensitive file systems [GH-24125]

IMPROVEMENTS:

• metrics: introduce client config to include alloc metadata as part of the base labels [GH-23964]

BUG FIXES:

• bug: Allow client template config block to be parsed when using json config [GH-24007]
• scaling: Fixed a bug where scaling policies would not get created during job submission unless namespace field was set in jobspec [GH-24065]
• state: Fixed a bug where compatibility updates for node topology for nodes older than 1.7.0 were not being correctly applied [GH-24127]
• ui: Fixes an issue where variables paths would not let namespaced users write variables unless they also had wildcard namespace variable write permissions [GH-24073]

v1.9.0-beta.1

BREAKING CHANGES:

• heartbeats: clients older than 1.6.0 will fail heartbeats to 1.9.0+ servers [GH-23838]
• jobspec: Removed support for HCLv1 [GH-23912]
• services: Clients older than 1.5.0 will fail to read Nomad native services via template blocks [GH-23910]
• tls: Removed deprecated tls.prefer_server_cipher_suites field from agent configuration [GH-23712]

IMPROVEMENTS:

• cli: Added redaction options to operator snapshot commands [GH-24023]
• cli: Increase default log level and duration when capturing logs with operator debug [GH-23850]
• deps: Upgraded yamux to v0.1.2 to fix a bug where RPC connections could deadlock [GH-24058]
• docker: Use official docker SDK instead of a 3rd party client [GH-23966]
• identity: Added filepath parameter to identity block for persisting workload identities [GH-24038]
• jobs: Added Version Tags to job versions, to prevent them from being garbage collected and allow for diffs (GH-24055)
• keyring: Stored wrapped data encryption keys in Raft [GH-23977]
• networking: Added an option to ignore static port collisions when scheduling, for programs that use the SO_REUSEPORT unix socket option [GH-23956]
• networking: IPv6 can now be enabled on the Nomad bridge network mode [GH-23882]
• quotas (Enterprise): Added the possibility to set device count limits [GH-23894]
• raft: Bump raft to v1.7.1 which includes pre-vote. This should make servers more stable after network partitions [GH-24029]

BUG FIXES:

• cli: Fixed a bug in job status command where -t would act as though -json was also set [GH-24054]
• task: adds node.pool attribute to interpretable values in task env [GH-24052]
• template: Fixed a panic on client restart when using change_mode=script [GH-24057]

v1.7.12 (Enterprise)

BREAKING CHANGES:

• docker: The default infra_image for pause containers is now registry.k8s.io/pause [GH-23927]

IMPROVEMENTS:

• build: update to go1.22.6 [GH-23805]

BUG FIXES:

• node: Fixed bug where sysbatch allocations were started prematurely [GH-23858]

v1.6.15 (Enterprise)

BREAKING CHANGES:

• docker: The default infra_image for pause containers is now registry.k8s.io/pause [GH-23927]

IMPROVEMENTS:

• build: update to go1.22.6 [GH-23805]
• cli: Increase default log level and duration when capturing logs with operator debug [GH-23850]

BUG FIXES:

• node: Fixed bug where sysbatch allocations were started prematurely [GH-23858]

v1.8.4

1.8.4 (September 17, 2024)

BREAKING CHANGES:

• docker: The default infra_image for pause containers is now registry.k8s.io/pause [GH-23927]

IMPROVEMENTS:

• build: update to go1.22.6 [GH-23805]
• cgroups: Allow clients with delegated cgroups check that required cgroup v2 controllers exist [GH-23803]
• docker: Disable cpuset management for non-root clients [GH-23804]
• identity: Added support for server-configured additional claims on the Vault default_identity block [GH-23675]
• namespaces: Allow enabling/disabling allowed network modes per namespace [GH-23813]
• ui: Badge added for Scaled Down jobs [GH-23829]

DEPRECATIONS:

• api: the JobParseRequest.HCLv1 field will be removed in Nomad 1.9.0 [GH-23913]
• jobspec: using the -hcl1 flag for HCLv1 job specifications will now emit a warning at the command line. This feature will be removed in Nomad 1.9.0 [GH-23913]

BUG FIXES:

• identity: Fixed a bug where dispatch and periodic jobs would have their job ID and not parent job ID used when creating the subject claim [GH-23902]
• identity: Fixed a bug where dispatch and periodic jobs would have their job ID and not parent job ID used when interpolating vault.default_identity.extra_claims [GH-23817]
• node: Fixed bug where sysbatch allocations were started prematurely [GH-23858]
• ui: Fix an issue where cmd+click or ctrl+click would double-open a job [GH-23832]

v1.8.3

1.8.3 (August 13, 2024)

SECURITY:

• security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

• acl: Submitting a policy with a leading / in a variable path will now return an error to prevent improperly working policies. [GH-23757]
• cli: Added option to return original HCL in job inspect command [GH-23699]
• cli: Added support for updating the roles for an ACL token [GH-18532]
• cli: acl token create will now emit a warning if the token has a policy that does not yet exist [GH-16437]
• keyring: Added support for encrypting the keyring via Vault transit or external KMS [GH-23580]
• keyring: Added support for prepublishing keys [GH-23577]
• metrics: Added client.tasks metrics to track task states [GH-23773]
• resources: Added resources.secrets field to configure size of secrets directory on Linux [GH-23696]
• tls: Allow setting the tls_min_version field to "tls13" [GH-23713]
• ui: added a Pack badge to the jobs index page for jobs run via Nomad Pack [GH-23404]

BUG FIXES:

• api: Fixed a bug where an api.Config targeting a unix domain socket could not be reused between clients [GH-23785]
• cni: .conf and .json config files are now parsed properly [GH-23629]
• cni: network.cni jobspec updates now replace allocs to apply the new network config [GH-23764]
• docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
• identity: Fixed a bug where a missing default task identity could panic the leader [GH-23763]
• keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
• keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
• keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
• networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
• scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
• template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
• ui: Fixed storage/plugin 404s by unescaping a slash character in the request URL [GH-23625]
• windows: Fix bug with containers capabilities on Docker CE [GH-23599]

v1.7.11 (Enterprise)

SECURITY:

• security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

• keyring: Added support for prepublishing keys [GH-23577]

BUG FIXES:

• api: Fixed a bug where an api.Config targeting a unix domain socket could not be reused between clients [GH-23785]
• cni: .conf and .json config files are now parsed properly [GH-23629]
• docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
• identity: Fixed a bug where a missing default task identity could panic the leader [GH-23763]
• keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
• keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
• keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
• networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
• scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
• template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
• windows: Fix bug with containers capabilities on Docker CE [GH-23599]

v1.6.14 (Enterprise)

SECURITY:

• security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

• keyring: Added support for prepublishing keys [GH-23577]

BUG FIXES:

• cni: .conf and .json config files are now parsed properly [GH-23629]
• docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
• keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
• keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
• keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
• networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
• scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
• template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
• windows: Fix bug with containers capabilities on Docker CE [GH-23599]

v1.7.10 (Enterprise)

BREAKING CHANGES:

• docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

• build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
• migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
• security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

• deps: Updated Consul API to 1.29.1. [GH-23436]
• deps: Updated consul-template to 0.39 to allow admin partition and sameness groups queries. [GH-23436]
• docker: Validate that unprivileged containers aren't running as ContainerAdmin on Windows [GH-23443]

BUG FIXES:

• api: Fixed bug where newlines in JobSubmission vars weren't encoded correctly [GH-23560]
• cli: Fixed bug where the plugin status command would fail if the plugin ID was a prefix of another plugin ID [GH-23502]
• cli: Fixed bug where the quota status and quota inspect commands would fail if the quota name was a prefix of another quota name [GH-23502]
• cli: Fixed bug where the scaling policy info command would fail if the policy ID was a prefix of another policy ID [GH-23502]
• cli: Fixed bug where the service info command would fail if the service name was a prefix of another service name in the same namespace [GH-23502]
• cli: Fixed bug where the volume deregister, volume detach, and volume status commands would fail if the volume ID was a prefix of another volume ID in the same namespace [GH-23502]
• consul: Fixed a bug where service registration and Envoy bootstrap would not wait for Consul ACL tokens and services to be replicated to the local agent [GH-23381]
• qemu: Fixed a bug that prevented qemu tasks from running on Linux [GH-23466]
• quota (Enterprise): Fixed a bug where a task's resource core count was not translated to CPU MHz and checked against its quota when performing a job plan [GH-18876]
• scheduler: Fix a bug where reserved resources are not calculated correctly [GH-23386]
• server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [GH-23383]
• template: Fix template rendering on Windows [GH-23432]

v1.6.13 (Enterprise)

BREAKING CHANGES:

• docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

• build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
• migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
• security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

• deps: Updated Consul API to 1.29.1. [GH-23436]
• deps: Updated consul-template to 0.39 to allow admin partition and sameness groups queries. [GH-23436]
• docker: Validate that unprivileged containers aren't running as ContainerAdmin on Windows [GH-23443]

BUG FIXES:

• api: Fixed bug where newlines in JobSubmission vars weren't encoded correctly [GH-23560]
• cli: Fixed bug where the plugin status command would fail if the plugin ID was a prefix of another plugin ID [GH-23502]
• cli: Fixed bug where the quota status and quota inspect commands would fail if the quota name was a prefix of another quota name [GH-23502]
• cli: Fixed bug where the scaling policy info command would fail if the policy ID was a prefix of another policy ID [GH-23502]
• cli: Fixed bug where the service info command would fail if the service name was a prefix of another service name in the same namespace [GH-23502]
• cli: Fixed bug where the volume deregister, volume detach, and volume status commands would fail if the volume ID was a prefix of another volume ID in the same namespace [GH-23502]
• quota (Enterprise): Fixed a bug where a task's resource core count was not translated to CPU MHz and checked against its quota when performing a job plan [GH-18876]
• scheduler: Fix a bug where reserved resources are not calculated correctly [GH-23386]
• server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [GH-23383]
• template: Fix template rendering on Windows [GH-23432]