v1.5.14

1.5.14 (February 08, 2024)

SECURITY:

• deps: Updated runc to 1.1.12 to address CVE-2024-21626 [GH-19851]
• migration: Fixed a bug where archives used for migration were not checked for symlinks that escaped the allocation directory [GH-19887]
• template: Fixed a bug where symlinks could force templates to read and write to arbitrary locations (CVE-2024-1329) [GH-19888]

v1.7.3

1.7.3 (January 15, 2024)

IMPROVEMENTS:

• build: update to go 1.21.6 [GH-19709]
• cgroupslib: Consider CGroups OFF when essential controllers are missing [GH-19176]
• cli: Add new option nomad setup vault -check to help cluster operators migrate to workload identities for Vault [GH-19720]
• consul: Add fingerprint for Consul Enterprise admin partitions [GH-19485]
• consul: Added support for Consul Enterprise admin partitions [GH-19665]
• consul: Added support for failures_before_warning and failures_before_critical in Nomad agent services [GH-19336]
• consul: Added support for failures_before_warning in Consul service checks [GH-19336]
• drivers/exec: Added support for OOM detection in exec driver [GH-19563]
• drivers: Enable configuring a raw_exec task to not have an upper memory limit [GH-19670]
• identity: Added vault_role to JWT workload identity claims if specified in jobspec [GH-19535]
• ui: Added group name to allocation tooltips on job status panel [GH-19601]
• ui: Adds a warning message to pages in the Web UI when logs are disabled [GH-18823]
• ui: Hide token secret upon successful login [GH-19529]
• ui: when an Action has long output, anchor to the latest messages [GH-19452]
• vault: Add allow_token_expiration field to allow Vault tokens to expire without renewal for short-lived tasks [GH-19691]
• vault: Nomad clients will no longer attempt to renew Vault tokens that cannot be renewed [GH-19691]

BUG FIXES:

• acl: Fixed a bug where 1.5 and 1.6 clients could not access Nomad Variables and Services via templates [GH-19578]
• acl: Fixed auth method hashing which meant changing some fields would be silently ignored [GH-19677]
• auth: Added new optional OIDCDisableUserInfo setting for OIDC auth provider [GH-19566]
• client: Fixed a bug where where the environment variable / file for the Consul token weren't written. [GH-19490]
• consul (Enterprise): Fixed a bug where the group/task Consul cluster was assigned "default" when unset instead of the namespace-governed value
• core: Ensure job HCL submission data is persisted and restored during the FSM snapshot process [GH-19605]
• namespaces: Failed delete calls no longer return success codes [GH-19483]
• rawexec: Fixed a bug where oom_score_adj would be inherited from Nomad client [GH-19515]
• server: Fix panic when validating non-service reschedule block [GH-19652]
• server: Fix server not waiting for workers to submit nacks for dequeued evaluations before shutting down [GH-19560]
• state: Fixed a bug where purged jobs would not get new deployments [GH-19609]
• ui: Fix rendering of allocations table for jobs that don't have actions [GH-19505]
• vault: Fixed a bug that could cause errors during leadership transition when migrating to the new JWT and workload identity authentication workflow [GH-19689]
• vault: Fixed a bug where allow_unauthenticated was enforced when a default_identity was set [GH-19585]

v1.6.6

1.6.6 (January 15, 2024)

IMPROVEMENTS:

• build: update to go 1.21.6 [GH-19709]

BUG FIXES:

• acl: Fixed auth method hashing which meant changing some fields would be silently ignored [GH-19677]
• auth: Added new optional OIDCDisableUserInfo setting for OIDC auth provider [GH-19566]
• core: Ensure job HCL submission data is persisted and restored during the FSM snapshot process [GH-19605]
• namespaces: Failed delete calls no longer return success codes [GH-19483]
• server: Fix server not waiting for workers to submit nacks for dequeued evaluations before shutting down [GH-19560]
• state: Fixed a bug where purged jobs would not get new deployments [GH-19609]

v1.5.13

1.5.13 (January 15, 2024)

IMPROVEMENTS:

• build: update to go 1.21.6 [GH-19709]

BUG FIXES:

• acl: Fixed auth method hashing which meant changing some fields would be silently ignored [GH-19677]
• auth: Added new optional OIDCDisableUserInfo setting for OIDC auth provider [GH-19566]
• namespaces: Failed delete calls no longer return success codes [GH-19483]
• server: Fix server not waiting for workers to submit nacks for dequeued evaluations before shutting down [GH-19560]
• state: Fixed a bug where purged jobs would not get new deployments [GH-19609]

v1.7.2

1.7.2 (December 13, 2023)

FEATURES:

• Reschedule on Lost: Adds the ability to prevent tasks on down nodes from being rescheduled [GH-16867]

IMPROVEMENTS:

• audit (Enterprise): Added ACL token role links to audit log auth objects [GH-19415]
• ui: Added a new example template with Task Actions [GH-19153]
• ui: dont allow new jobspec download until template is populated, and remove group count from jobs index [GH-19377]
• ui: make the exec window look nicer on mobile screens [GH-19332]

BUG FIXES:

• auth: Fixed a bug where tls.verify_server_hostname=false was not respected, leading to authentication failures between Nomad agents [GH-19425]
• cli: Fix a bug in the var put command which prevented combining items as CLI arguments and other parameters as flags [GH-19423]
• client: Fix a panic in building CPU topology when inaccurate CPU data is provided [GH-19383]
• client: Fixed a bug where clients are unable to detect CPU topology in certain conditions [GH-19457]
• consul (Enterprise): Fixed a bug where implicit Consul constraints were not specific to non-default Consul clusters [GH-19449]
• consul: uses token namespace to fetch policies for verification [GH-18516]
• core: Fixed a bug where linux nodes with no reservable cores would panic the scheduler [GH-19458]
• csi: Added validation to csi_plugin blocks to prevent stage_publish_base_dir from being a subdirectory of mount_dir [GH-19441]
• metrics: Revert upgrade of go-metrics to fix an issue where metrics from dependencies, such as raft, were no longer emitted [GH-19374]
• ui: Fixed an issue where Accessor ID was masked by default when editing a token [GH-19432]
• vault: Fixed a bug that caused template blocks to ignore Nomad configuration for Vault and use the default address of https://127.0.0.1:8200 when the job does not have a vault block defined [GH-19439]

v1.6.5

1.6.5 (December 13, 2023)

BUG FIXES:

• cli: Fix a bug in the var put command which prevented combining items as CLI arguments and other parameters as flags [GH-19423]
• client: remove incomplete allocation entries from client state database during client restarts [GH-16638]
• connect: Fixed a bug where deployments would not wait for Connect sidecar task health checks to pass [GH-19334]
• consul: uses token namespace to fetch policies for verification [GH-18516]
• csi: Added validation to csi_plugin blocks to prevent stage_publish_base_dir from being a subdirectory of mount_dir [GH-19441]
• metrics: Revert upgrade of go-metrics to fix an issue where metrics from dependencies, such as raft, were no longer emitted [GH-19375]

v1.5.12

1.5.12 (December 13, 2023)

BUG FIXES:

• cli: Fix a bug in the var put command which prevented combining items as CLI arguments and other parameters as flags [GH-19423]
• client: remove incomplete allocation entries from client state database during client restarts [GH-16638]
• connect: Fixed a bug where deployments would not wait for Connect sidecar task health checks to pass [GH-19334]
• consul: uses token namespace to fetch policies for verification [GH-18516]
• csi: Added validation to csi_plugin blocks to prevent stage_publish_base_dir from being a subdirectory of mount_dir [GH-19441]
• metrics: Revert upgrade of go-metrics to fix an issue where metrics from dependencies, such as raft, were no longer emitted [GH-19376]

v1.7.1

1.7.1 (December 08, 2023)

BUG FIXES:

• cli: Fixed a bug that caused the nomad agent command to ignore the VAULT_TOKEN and VAULT_NAMESPACE environment variables [GH-19349]
• client: remove incomplete allocation entries from client state database during client restarts [GH-16638]
• connect: Fixed a bug where deployments would not wait for Connect sidecar task health checks to pass [GH-19334]
• keyring: Fixed a bug where RSA keys were not replicated to followers [GH-19350]

v1.7.0

1.7.0 (December 07, 2023)

FEATURES:

• Job Actions: Introduces the action concept to jobspecs, the web UI, CLI and API. Operators can now define actions that Nomad users can execute against running allocations. [GH-18794]
• Multiple Vault and Consul Clusters: Nomad Enterprise can now use multiple Vault or Consul clusters. Each task or service can be registered with a different Consul cluster and each task can obtain secrets from a different Vault cluster. [GH-5311]
• NUMA aware scheduling: Nomad Enterprise now supports optimized scheduling on NUMA hardware [GH-18681]
• Workload Identity IDP: Nomad's workload identities may now be used with third parties that support JWT or OIDC IDPs such as the AWS IAM OIDC Provider. [GH-18691]
• Workload Identity for Consul: Jobs can now use workload identity to authenticate to Consul. [GH-15618]
• Workload Identity for Vault: Jobs can now use workload identity to authenticate to Vault. [GH-15617]

BREAKING CHANGES:

• client/fingerprint: The cpu.numcores.power node attribute has been renamed to cpu.numcores.performance on Apple Silicon nodes [GH-18843]
• client: the unique.cgroup.mountpoint node attribute has been removed [GH-18371]
• client: the unique.cgroup.version node attribute has been renamed to os.cgroups.version [GH-18371]
• core: Honor job's namespace when checking distinct_hosts feasibility [GH-19004]

SECURITY:

• build: Update to go1.21.4 to resolve Windows path validation CVE in Go [GH-19013]
• build: Update to go1.21.5 to resolve Windows path validation CVE in Go [GH-19320]

IMPROVEMENTS:

• api: Add JWKS HTTP API endpoint [GH-18035]
• api: Added support for Unix domain sockets [GH-16872]
• build (Enterprise): Support building s390x binaries. [GH-18069]
• cli: Add file prediction for operator raft/snapshot commands [GH-18901]
• cli: Added help text to acl bootstrap about reading the initial token from a file [GH-18961]
• cli: Added identities, networks, and volumes to the output of the operator client-state command [GH-18996]
• cli: Added support for prefix ID matching and wildcard namespaces to service info command [GH-18836]
• client: add support for NetBSD clients [GH-18562]
• client: enable detection of numa topology [GH-18146]
• config: Add go-netaddrs support to server_join.retry_join [GH-18745]
• consul: constraint for minimum version of Consul increased to 1.8.0 [GH-19104]
• deps: bumped shirou/gopsutil to v3.23.9 [GH-18562]
• fingerprint: clients now backoff after successfully fingerprinting Consul [GH-18426]
• identity: Add support for multiple workload identities [GH-18123]
• identity: Implement change_mode and change_signal for workload identities [GH-18943]
• identity: Support jwt expiration and rotation [GH-18262]
• identity: default to RS256 for new workload ids [GH-18882]
• sentinel (Enterprise): Add existing job information to Sentinel when available. [GH-18553]
• server: Added transfer-leadership API and CLI [GH-17383]
• sso: Allow adding a token name format to auth methods which can be used to generate token names when signing in via SSO [GH-19135]
• ui: color-code node and server status cells [GH-18318]
• ui: for system and sysbatch jobs, now show client name on hover in job panel [GH-19051]
• ui: nicer comment styles in UI example jobs [GH-19037]
• ui: show plan output warnings alongside placement failures and dry-run info when running a job through the web ui [GH-19225]
• ui: simplify presentation of task event times (10m2.230948s bceomes 10m2s etc.) [GH-18595]
• vars: Added a locking feature for Nomad Variables [GH-18520]

DEPRECATIONS:

• config: Loading plugins from plugin_dir without a plugin configuration block is deprecated [GH-19189]

BUG FIXES:

• agent: Correct websocket status code handling [GH-19172]
• api: Fix panic in Allocation.Stub method when Job is unset [GH-19115]
• cli: Fixed a bug that caused the nomad job restart command to miscount the allocations to restart [GH-19155]
• cli: Fixed a bug where the operator client-state command would crash if it reads an allocation without a task state [GH-18996]
• cli: Fixed a panic when the nomad job restart command received an interrupt signal while waiting for an answer [GH-19154]
• cli: Fixed the nomad job restart command to create replacements for batch and system jobs and to prevent sysbatch jobs from being rescheduled since they never create replacements [GH-19147]
• client: Fixed a bug where client API calls would fail incorrectly with permission denied errors when using ACL tokens with dangling policies [GH-18972]
• core: Fix incorrect submit time for stopped jobs [GH-18967]
• ui: Fixed an issue where purging a job with a namespace did not process correctly [GH-19139]
• ui: fix an issue where starting a stopped job with default-less variables would not retain those variables when done via the job page start button in the web ui [GH-19220]
• ui: fix the job auto-linked variable path name when user lacks variable write permissions [GH-18598]
• variables: Fixed a bug where poststop tasks were not allowed access to Variables [GH-18754]
• vault: Fixed a bug where poststop tasks would not get a Vault token [GH-19268]
• vault: Fixed an issue that could cause Nomad to attempt to renew a Vault token that is already expired [GH-18985]

v1.6.4

1.6.4 (December 07, 2023)

BREAKING CHANGES:

• core: Honor job's namespace when checking distinct_hosts feasibility [GH-19004]

SECURITY:

• build: Update to go1.21.4 to resolve Windows path validation CVE in Go [GH-19013]
• build: Update to go1.21.5 to resolve Windows path validation CVE in Go [GH-19320]

IMPROVEMENTS:

• cli: Add file prediction for operator raft/snapshot commands [GH-18901]
• ui: color-code node and server status cells [GH-18318]
• ui: show plan output warnings alongside placement failures and dry-run info when running a job through the web ui [GH-19225]

BUG FIXES:

• agent: Correct websocket status code handling [GH-19172]
• api: Fix panic in Allocation.Stub method when Job is unset [GH-19115]
• cli: Fixed a bug that caused the nomad job restart command to miscount the allocations to restart [GH-19155]
• cli: Fixed a panic when the nomad job restart command received an interrupt signal while waiting for an answer [GH-19154]
• cli: Fixed the nomad job restart command to create replacements for batch and system jobs and to prevent sysbatch jobs from being rescheduled since they never create replacements [GH-19147]
• client: Fixed a bug where client API calls would fail incorrectly with permission denied errors when using ACL tokens with dangling policies [GH-18972]
• core: Fix incorrect submit time for stopped jobs [GH-18967]
• ui: Fixed an issue where purging a job with a namespace did not process correctly [GH-19139]
• ui: fix an issue where starting a stopped job with default-less variables would not retain those variables when done via the job page start button in the web ui [GH-19220]
• ui: fix the job auto-linked variable path name when user lacks variable write permissions [GH-18598]
• variables: Fixed a bug where poststop tasks were not allowed access to Variables [GH-19270]
• vault: Fixed a bug where poststop tasks would not get a Vault token [GH-19268]
• vault: Fixed an issue that could cause Nomad to attempt to renew a Vault token that is already expired [GH-18985]