
Releases: hashicorp/nomad

v1.8.12 (Enterprise)

10 Apr 19:26

IMPROVEMENTS:

  • build: Updated Go to 1.24.2 [GH-25623]
  • client: Improve memory usage by dropping references to task environment [GH-25373]
  • cni: Add a warning log when CNI check commands fail [GH-25581]

BUG FIXES:

  • client: remove blocking call during client gc [GH-25123]
  • client: skip a task group's shutdown_delay when all tasks have already been deregistered [GH-25157]
  • csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
  • csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
  • csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
  • csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
  • drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
  • job: Ensure migrate block difference is added to planning diff object [GH-25528]
  • server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
  • services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
  • services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]

v1.10.0

09 Apr 21:58

1.10.0 (April 09, 2025)

FEATURES:

  • Dynamic Host Volumes: Nomad now supports creating host volumes via the API [GH-24479]
  • OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]
  • Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]

BREAKING CHANGES:

  • agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
  • api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
  • consul: Identities are no longer added to tasks by default when they include a template block. Please see Nomad's upgrade guide for more detail. [GH-25298]
  • consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
  • disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
  • drivers: remove remote task support for task drivers [GH-24909]
  • sentinel: The sentinel apply command now requires the -scope option [GH-24601]
  • vault: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25155]

IMPROVEMENTS:

  • cli: Add -group option to alloc exec, alloc logs, alloc fs commands [GH-25568]
  • cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
  • client: Fixed a bug where JSON formatted logs would not show the requested and overlapping cores when failing to reserve cores [GH-25523]
  • client: Improve memory usage by dropping references to task environment [GH-25373]
  • cni: Add a warning log when CNI check commands fail [GH-25581]
  • csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
  • csi: Added CSI volume and plugin events to the event stream [GH-24724]
  • csi: Show volume capabilities in the volume status command [GH-25173]
  • drivers/docker: adds image_pull_timeout to plugin config options [GH-25489]
  • drivers/rawexec: adds denied_envvars to driver and task config options [GH-25511]
  • rawexec: add support for setting the task user on windows platform [GH-25496]
  • rpc: Added ability to configure yamux session parameters [GH-25466]
  • ui: Added Dynamic Host Volumes to the web UI [GH-25224]
  • ui: Added a scope selector for sentinel policy page [GH-25390]
  • ui: Makes jobs list filtering case-insensitive [GH-25378]
  • ui: Updated icons to the newest design system [GH-25353]

DEPRECATIONS:

  • api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
  • quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

  • client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
  • client: remove blocking call during client gc [GH-25123]
  • client: skip a task group's shutdown_delay when all tasks have already been deregistered [GH-25157]
  • csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
  • csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
  • csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
  • csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
  • drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
  • job: Ensure migrate block difference is added to planning diff object [GH-25528]
  • scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]
  • server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
  • services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
  • services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]

v1.10.0-rc.1

03 Apr 20:23
Pre-release

1.10.0-rc.1 (April 3, 2025)

FEATURES:

  • Dynamic Host Volumes: Nomad now supports creating host volumes via the API [GH-24479]
  • OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]
  • Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]

BREAKING CHANGES:

  • agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
  • api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
  • consul: Identities are no longer added to tasks by default when they include a template block. Please see Nomad's upgrade guide for more detail. [GH-25298]
  • consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
  • disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
  • drivers: remove remote task support for task drivers [GH-24909]
  • sentinel: The sentinel apply command now requires the -scope option [GH-24601]
  • vault: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25155]

IMPROVEMENTS:

  • cli: Add -group option to alloc exec, alloc logs, alloc fs commands [GH-25568]
  • cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
  • client: Fixed a bug where JSON formatted logs would not show the requested and overlapping cores when failing to reserve cores [GH-25523]
  • client: Improve memory usage by dropping references to task environment [GH-25373]
  • cni: Add a warning log when CNI check commands fail [GH-25581]
  • csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
  • csi: Added CSI volume and plugin events to the event stream [GH-24724]
  • csi: Show volume capabilities in the volume status command [GH-25173]
  • drivers/docker: adds image_pull_timeout to plugin config options [GH-25489]
  • drivers/rawexec: adds denied_envvars to driver and task config options [GH-25511]
  • rawexec: add support for setting the task user on windows platform [GH-25496]
  • rpc: Added ability to configure yamux session parameters [GH-25466]
  • ui: Added Dynamic Host Volumes to the web UI [GH-25224]
  • ui: Added a scope selector for sentinel policy page [GH-25390]
  • ui: Makes jobs list filtering case-insensitive [GH-25378]
  • ui: Updated icons to the newest design system [GH-25353]

DEPRECATIONS:

  • api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
  • quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

  • client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
  • client: remove blocking call during client gc [GH-25123]
  • client: skip a task group's shutdown_delay when all tasks have already been deregistered [GH-25157]
  • csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
  • csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
  • csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
  • csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
  • drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
  • job: Ensure migrate block difference is added to planning diff object [GH-25528]
  • scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]
  • server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
  • services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
  • services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]

v1.10.0-beta.1

12 Mar 13:29
Pre-release

FEATURES:

  • Dynamic Host Volumes: Nomad now supports creating host volumes via the API. [GH-24479]
  • Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]
  • OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]

BREAKING CHANGES:

  • agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
  • api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
  • consul: Identities are no longer added to tasks by default when they include a template block. Please see Nomad's upgrade guide for more detail. [GH-25298]
  • consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
  • disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
  • drivers: remove remote task support for task drivers [GH-24909]
  • sentinel: The sentinel apply command now requires the -scope option [GH-24601]
  • vault: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25155]

IMPROVEMENTS:

  • cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
  • csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
  • csi: Added CSI volume and plugin events to the event stream [GH-24724]
  • csi: Show volume capabilities in the volume status command [GH-25173]
  • ui: Added Dynamic Host Volumes to the web UI [GH-25224]

DEPRECATIONS:

  • api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
  • quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

  • client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
  • scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]

v1.9.7

11 Mar 13:46

1.9.7 (March 11, 2025)

BREAKING CHANGES:

  • node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

IMPROVEMENTS:

  • build: Updated Go to 1.24.1 [GH-25249]
  • config: Allow disabling wait in client config [GH-25255]
  • cpustats: Add config "cpu_disable_dmidecode" to disable cpu detection using dmidecode [GH-25108]
  • metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]
  • ui: System, Batch and Sysbatch jobs get a "Revert to prev version" button on their main pages [GH-25104]

BUG FIXES:

  • cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
  • cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
  • csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
  • fingerprint: Fixed a bug where Consul/Vault would never be fingerprinted if not available on agent start [GH-25102]
  • hcl: Avoid panics by checking null values on durations [GH-25294]
  • rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely [GH-25201]
  • scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
  • template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
  • template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or more template blocks. [GH-25140]

v1.8.11 (Enterprise)

11 Mar 14:51
c4a8cc6

BREAKING CHANGES:

  • node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

IMPROVEMENTS:

  • build: Updated Go to 1.24.1 [GH-25249]
  • metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]

BUG FIXES:

  • cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
  • cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
  • csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
  • rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely [GH-25201]
  • scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
  • template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
  • template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or more template blocks. [GH-25140]

v1.7.19 (Enterprise)

11 Mar 14:53
c49a8ec

BREAKING CHANGES:

  • node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

IMPROVEMENTS:

  • build: Updated Go to 1.24.1 [GH-25249]
  • metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]

BUG FIXES:

  • cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
  • cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
  • csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
  • hcl: Avoid panics by checking null values on durations [GH-25294]
  • scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
  • template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
  • template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or more template blocks. [GH-25140]

v1.9.6

11 Feb 21:46

1.9.6 (February 11, 2025)

BREAKING CHANGES:

  • fingerprint: Consul and Vault fingerprints no longer reload periodically [GH-24526]

SECURITY:

  • api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
  • build: Updated Go to 1.23.6 [GH-25041]
  • event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilities on any namespace, the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

  • auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
  • cli: Added actions available to a job when running nomad job status command [GH-24959]
  • event stream: adds ability to authenticate using workload identities [GH-24849]
  • services: Nomad service checks now support the tls_skip_verify parameter [GH-24781]
  • task schedule: The task being paused no longer impacts restart attempts [GH-25085]
  • ui: Contextualizes the Start Job button on whether it is startable, revertable, or not [GH-24985]

BUG FIXES:

  • agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
  • agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
  • client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
  • csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
  • docker: Fixed a bug that prevented image_pull_timeout from being applied [GH-24991]
  • docker: Fixed a bug where "error reading image pull progress" caused the allocation to get stuck pending [GH-24981]
  • reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
  • state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
  • taskrunner: fix panic when a task with dynamic user is recovered [GH-24739]
  • ui: Ensure pending service check blocks are filled [GH-24818]
  • ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
  • vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

v1.8.10 (Enterprise)

11 Feb 22:43

SECURITY:

  • api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
  • build: Updated Go to 1.23.6 [GH-25041]
  • event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilities on any namespace, the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

  • auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
  • event stream: adds ability to authenticate using workload identities [GH-24849]

BUG FIXES:

  • agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
  • agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
  • client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
  • csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
  • networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
  • reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
  • state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
  • taskrunner: fix panic when a task with dynamic user is recovered [GH-24739]
  • ui: Ensure pending service check blocks are filled [GH-24818]
  • ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
  • vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

v1.7.18 (Enterprise)

11 Feb 22:53

SECURITY:

  • api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
  • build: Updated Go to 1.23.6 [GH-25041]
  • event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilities on any namespace, the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

  • auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
  • event stream: adds ability to authenticate using workload identities [GH-24849]

BUG FIXES:

  • agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
  • agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
  • client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
  • csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
  • networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
  • reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
  • state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
  • ui: Ensure pending service check blocks are filled [GH-24818]
  • ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
  • vault: Fixed a bug where successful renewal was logged as an error [GH-25040]