Skip to content

Releases: hashicorp/nomad

v1.8.4

17 Sep 23:52
@hc-github-team-es-release-engineering hc-github-team-es-release-engineering
v1.8.4
22ab32e
Compare
Choose a tag to compare
v1.8.4

1.8.4 (September 17, 2024)

BREAKING CHANGES:

  • docker: The default infra_image for pause containers is now registry.k8s.io/pause [GH-23927]

IMPROVEMENTS:

  • build: update to go1.22.6 [GH-23805]
  • cgroups: Allow clients with delegated cgroups check that required cgroup v2 controllers exist [GH-23803]
  • docker: Disable cpuset management for non-root clients [GH-23804]
  • identity: Added support for server-configured additional claims on the Vault default_identity block [GH-23675]
  • namespaces: Allow enabling/disabling allowed network modes per namespace [GH-23813]
  • ui: Badge added for Scaled Down jobs [GH-23829]

DEPRECATIONS:

  • api: the JobParseRequest.HCLv1 field will be removed in Nomad 1.9.0 [GH-23913]
  • jobspec: using the -hcl1 flag for HCLv1 job specifications will now emit a warning at the command line. This feature will be removed in Nomad 1.9.0 [GH-23913]

BUG FIXES:

  • identity: Fixed a bug where dispatch and periodic jobs would have their job ID and not parent job ID used when creating the subject claim [GH-23902]
  • identity: Fixed a bug where dispatch and periodic jobs would have their job ID and not parent job ID used when interpolating vault.default_identity.extra_claims [GH-23817]
  • node: Fixed bug where sysbatch allocations were started prematurely [GH-23858]
  • ui: Fix an issue where cmd+click or ctrl+click would double-open a job [GH-23832]
Loading

v1.8.3

13 Aug 09:46
@hc-github-team-es-release-engineering hc-github-team-es-release-engineering
v1.8.3
63b636e
Compare
Choose a tag to compare
v1.8.3

1.8.3 (August 13, 2024)

SECURITY:

  • security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

  • acl: Submitting a policy with a leading / in a variable path will now return an error to prevent improperly working policies. [GH-23757]
  • cli: Added option to return original HCL in job inspect command [GH-23699]
  • cli: Added support for updating the roles for an ACL token [GH-18532]
  • cli: acl token create will now emit a warning if the token has a policy that does not yet exist [GH-16437]
  • keyring: Added support for encrypting the keyring via Vault transit or external KMS [GH-23580]
  • keyring: Added support for prepublishing keys [GH-23577]
  • metrics: Added client.tasks metrics to track task states [GH-23773]
  • resources: Added resources.secrets field to configure size of secrets directory on Linux [GH-23696]
  • tls: Allow setting the tls_min_version field to "tls13" [GH-23713]
  • ui: added a Pack badge to the jobs index page for jobs run via Nomad Pack [GH-23404]

BUG FIXES:

  • api: Fixed a bug where an api.Config targeting a unix domain socket could not be reused between clients [GH-23785]
  • cni: .conf and .json config files are now parsed properly [GH-23629]
  • cni: network.cni jobspec updates now replace allocs to apply the new network config [GH-23764]
  • docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
  • identity: Fixed a bug where a missing default task identity could panic the leader [GH-23763]
  • keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
  • keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
  • keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
  • networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
  • scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
  • template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
  • ui: Fixed storage/plugin 404s by unescaping a slash character in the request URL [GH-23625]
  • windows: Fix bug with containers capabilities on Docker CE [GH-23599]
Loading

v1.7.11 (Enterprise)

13 Aug 10:10
@pkazmierczak pkazmierczak
ent-changelog-1.7.11
60a7e4a
Compare
Choose a tag to compare
v1.7.11 (Enterprise)

SECURITY:

  • security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

  • keyring: Added support for prepublishing keys [GH-23577]

BUG FIXES:

  • api: Fixed a bug where an api.Config targeting a unix domain socket could not be reused between clients [GH-23785]
  • cni: .conf and .json config files are now parsed properly [GH-23629]
  • docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
  • identity: Fixed a bug where a missing default task identity could panic the leader [GH-23763]
  • keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
  • keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
  • keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
  • networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
  • scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
  • template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
  • windows: Fix bug with containers capabilities on Docker CE [GH-23599]
Loading

v1.6.14 (Enterprise)

13 Aug 10:05
@pkazmierczak pkazmierczak
ent-changelog-1.6.14
25ae681
Compare
Choose a tag to compare
v1.6.14 (Enterprise)

SECURITY:

  • security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

  • keyring: Added support for prepublishing keys [GH-23577]

BUG FIXES:

  • cni: .conf and .json config files are now parsed properly [GH-23629]
  • docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
  • keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
  • keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
  • keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
  • networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
  • scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
  • template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
  • windows: Fix bug with containers capabilities on Docker CE [GH-23599]
Loading

v1.7.10 (Enterprise)

19 Jul 11:10
@Juanadelacuesta Juanadelacuesta
ent-changelog-1.7.10
de10efa
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.7.10 (Enterprise)

BREAKING CHANGES:

  • docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

  • build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
  • migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
  • security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

  • deps: Updated Consul API to 1.29.1. [GH-23436]
  • deps: Updated consul-template to 0.39 to allow admin partition and sameness groups queries. [GH-23436]
  • docker: Validate that unprivileged containers aren't running as ContainerAdmin on Windows [GH-23443]

BUG FIXES:

  • api: Fixed bug where newlines in JobSubmission vars weren't encoded correctly [GH-23560]
  • cli: Fixed bug where the plugin status command would fail if the plugin ID was a prefix of another plugin ID [GH-23502]
  • cli: Fixed bug where the quota status and quota inspect commands would fail if the quota name was a prefix of another quota name [GH-23502]
  • cli: Fixed bug where the scaling policy info command would fail if the policy ID was a prefix of another policy ID [GH-23502]
  • cli: Fixed bug where the service info command would fail if the service name was a prefix of another service name in the same namespace [GH-23502]
  • cli: Fixed bug where the volume deregister, volume detach, and volume status commands would fail if the volume ID was a prefix of another volume ID in the same namespace [GH-23502]
  • consul: Fixed a bug where service registration and Envoy bootstrap would not wait for Consul ACL tokens and services to be replicated to the local agent [GH-23381]
  • qemu: Fixed a bug that prevented qemu tasks from running on Linux [GH-23466]
  • quota (Enterprise): Fixed a bug where a task's resource core count was not translated to CPU MHz and checked against its quota when performing a job plan [GH-18876]
  • scheduler: Fix a bug where reserved resources are not calculated correctly [GH-23386]
  • server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [GH-23383]
  • template: Fix template rendering on Windows [GH-23432]
Loading

v1.6.13 (Enterprise)

19 Jul 11:09
@Juanadelacuesta Juanadelacuesta
ent-changelog-1.6.13
de10efa
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v1.6.13 (Enterprise)

BREAKING CHANGES:

  • docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

  • build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
  • migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
  • security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

  • deps: Updated Consul API to 1.29.1. [GH-23436]
  • deps: Updated consul-template to 0.39 to allow admin partition and sameness groups queries. [GH-23436]
  • docker: Validate that unprivileged containers aren't running as ContainerAdmin on Windows [GH-23443]

BUG FIXES:

  • api: Fixed bug where newlines in JobSubmission vars weren't encoded correctly [GH-23560]
  • cli: Fixed bug where the plugin status command would fail if the plugin ID was a prefix of another plugin ID [GH-23502]
  • cli: Fixed bug where the quota status and quota inspect commands would fail if the quota name was a prefix of another quota name [GH-23502]
  • cli: Fixed bug where the scaling policy info command would fail if the policy ID was a prefix of another policy ID [GH-23502]
  • cli: Fixed bug where the service info command would fail if the service name was a prefix of another service name in the same namespace [GH-23502]
  • cli: Fixed bug where the volume deregister, volume detach, and volume status commands would fail if the volume ID was a prefix of another volume ID in the same namespace [GH-23502]
  • quota (Enterprise): Fixed a bug where a task's resource core count was not translated to CPU MHz and checked against its quota when performing a job plan [GH-18876]
  • scheduler: Fix a bug where reserved resources are not calculated correctly [GH-23386]
  • server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [GH-23383]
  • template: Fix template rendering on Windows [GH-23432]
Loading

v1.8.2

16 Jul 18:36
@hc-github-team-es-release-engineering hc-github-team-es-release-engineering
v1.8.2
7f0822c
Compare
Choose a tag to compare
v1.8.2

1.8.2 (July 16, 2024)

BREAKING CHANGES:

  • docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

  • build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
  • migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
  • security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

  • client: add a preferred_address_family config to prefer ipv4 or ipv6 when deducing IP from network interface [GH-23389]
  • cni: allow users to input CNI args in job specification [GH-23538]
  • deps: Updated Consul API to 1.29.1. [GH-23436]
  • deps: Updated consul-template to 0.39 to allow admin partition and sameness groups queries. [GH-23436]
  • docker: Validate that unprivileged containers aren't running as ContainerAdmin on Windows [GH-23443]
  • namespaces: Added warnings if deleting namespaces that have existing objects associated with them [GH-23499]
  • quota (Enterprise): Allow CPU cores to be configured within a quota [GH-23543]
  • scaling: Added -check-index support to job scale command [GH-23457]
  • ui: Allow users to create Global ACL tokens from the Administration UI [GH-23506]
  • ui: Update headers in the Admin section to use the HashiCorp Design System [GH-23366]
  • ui: allow for multiple namespaces in jobs index filters [GH-23468]

BUG FIXES:

  • api: Fixed bug where newlines in JobSubmission vars weren't encoded correctly [GH-23560]
  • cli: Fixed bug where the plugin status command would fail if the plugin ID was a prefix of another plugin ID [GH-23502]
  • cli: Fixed bug where the quota status and quota inspect commands would fail if the quota name was a prefix of another quota name [GH-23502]
  • cli: Fixed bug where the scaling policy info command would fail if the policy ID was a prefix of another policy ID [GH-23502]
  • cli: Fixed bug where the service info command would fail if the service name was a prefix of another service name in the same namespace [GH-23502]
  • cli: Fixed bug where the volume deregister, volume detach, and volume status commands would fail if the volume ID was a prefix of another volume ID in the same namespace [GH-23502]
  • consul: Fixed a bug where service registration and Envoy bootstrap would not wait for Consul ACL tokens and services to be replicated to the local agent [GH-23381]
  • plugins: Fix panic on systems that don't support NUMA [GH-23399]
  • qemu: Fixed a bug that prevented qemu tasks from running on Linux [GH-23466]
  • quota (Enterprise): Fixed a bug where a task's resource core count was not translated to CPU MHz and checked against its quota when performing a job plan [GH-18876]
  • scheduler: Fix a bug where reserved resources are not calculated correctly [GH-23386]
  • server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [GH-23383]
  • template: Fix template rendering on Windows [GH-23432]
  • ui: Actions run from jobs with explicit name properties now work from the web UI [GH-23553]
  • ui: Dont show keyboard nav hints when taking a screenshot [GH-23365]
  • ui: Fix an issue where a remotely purged job would prevent redirect from taking place in the web UI [GH-23492]
  • ui: Fix an issue where access to Job Templates in the UI was restricted to variable.write access [GH-23458]
  • ui: Fix the Upload Jobspec button on the Run Job page [GH-23548]
  • ui: Fixed support for namespace parameter on job statuses API [GH-23456]
  • ui: fix an issue where gateway timeouts would cause the jobs list to revert to null, gives users a Pause Fetch option [GH-23427]
  • vault: Fixed a bug where requests to derive or renew tokens could be sent to the wrong namespace [GH-23491]
Loading

v1.7.9 (Enterprise)

21 Jun 19:08
@tgross tgross
ent-changelog-1.7.9
277881f
Compare
Choose a tag to compare
v1.7.9 (Enterprise)

1.7.9 Enterprise (June 19, 2024)

SECURITY:

IMPROVEMENTS:

  • cli: operator snapshot inspect now includes details of data in snapshot [GH-18372]
  • docker: Added container_exists_attempts plugin configuration variable [GH-22419]
  • exec: Fixed a bug where exec driver tasks would fail on older versions of glibc [GH-23331]

BUG FIXES:

  • acl: Fix plugin policy validation when checking write permissions [GH-23274]
  • connect: fix validation with multiple socket paths [GH-22312]
  • consul: (Enterprise) Fixed a bug where gateway config entries were written before Sentinel policies were enforced [GH-22228]
  • consul: Fixed a bug where Consul admin partition was not used to login via Consul JWT auth method [GH-22226]
  • consul: Fixed a bug where gateway config entries were written to the Nomad server agent's Consul partition and not the client's partition [GH-22228]
  • driver: Fixed a bug where the exec, java, and raw_exec drivers would not configure cgroups to allow access to devices provided by device plugins [GH-22518]
  • scheduler: Fixed a bug where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-12319]
Loading

v1.7.8 (Enterprise)

21 Jun 19:07
@tgross tgross
ent-changelog-1.7.8
0cf57ba
Compare
Choose a tag to compare
v1.7.8 (Enterprise)

1.7.8 Enterprise (May 28, 2024)

SECURITY:

  • deps: Updated docker dependency to 25.0.5 [GH-20171]

IMPROVEMENTS:

  • auth: Add support for authenticating via Workload Identity to the quota and sentinel APIs
  • autopilot: Added operator autopilot health command to review Autopilot health data [GH-20156]
  • cli: Add -jwks-ca-file argument to setup consul/vault commands [GH-20518]
  • client/volumes: Add a mount volume level option for selinux tags on volumes [GH-19839]
  • consul: provide tasks that have Consul tokens the CONSUL_HTTP_TOKEN environment variable [GH-20519]
  • ui: Improve error and warning messages for invalid variable and job template paths/names [GH-19989]
  • ui: Prompt a user before they close an exec window to prevent accidental close-browser-tab shortcuts that overlap with terminal ones [GH-19985]

BUG FIXES:

  • cli: Fix handling of scaling jobs which don't generate evals [GH-20479]
  • client: Fix unallocated CPU metric calculation when client reserved CPU is set [GH-20543]
  • client: terminate old exec task processes before starting new ones, to avoid accidentally leaving running processes in case of an error [GH-20500]
  • config: Fixed a panic triggered by registering a job specifying a Vault cluster that has not been configured within the server [GH-22227]
  • core: Fix multiple incorrect type conversion for potential overflows [GH-20553]
  • csi: Fixed a bug where concurrent mount and unmount operations could unstage volumes needed by another allocation [GH-20550]
  • csi: Fixed a bug where plugins would not be deleted on GC if their job updated the plugin ID [GH-20555]
  • csi: Fixed a bug where volumes in different namespaces but the same ID would fail to stage on the same client [GH-20532]
  • job endpoint: fix implicit constraint mutation for task-level services [GH-22229]
  • quota (Enterprise): Fixed a bug where quota usage would not be freed if a job was purged
  • services: Added retry to Nomad service deregistration RPCs during alloc stop [GH-20596]
  • services: Fixed bug where Nomad services might not be deregistered when nodes are marked down or allocations are terminal [GH-20590]
  • structs: Fix job canonicalization for array type fields [GH-20522]
  • ui: Fix a bug where the UI would prompt a user to promote a deployment with unplaced canaries [GH-20408]
  • ui: Fixed an issue where keynav would not trigger evaluation sidebar expand [GH-20047]
  • ui: Show the namespace in the web UI exec command hint [GH-20218]
  • windows: Fixed a regression where scanning task processes was inefficient [GH-20619]
Loading

v1.6.12 (Enterprise)

21 Jun 19:11
@tgross tgross
ent-changelog-1.6.12
3f4057b
Compare
Choose a tag to compare
v1.6.12 (Enterprise)

1.6.12 Enterprise (June 19, 2024)

SECURITY:

IMPROVEMENTS:

  • cli: operator snapshot inspect now includes details of data in snapshot [GH-18372]
  • docker: Added container_exists_attempts plugin configuration variable [GH-22419]
  • exec: Fixed a bug where exec driver tasks would fail on older versions of glibc [GH-23331]

BUG FIXES:

  • acl: Fix plugin policy validation when checking write permissions [GH-23274]
  • connect: fix validation with multiple socket paths [GH-22312]
  • driver: Fixed a bug where the exec, java, and raw_exec drivers would not configure cgroups to allow access to devices provided by device plugins [GH-22518]
  • scheduler: Fixed a bug where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-12319]
Loading