v1.4.11

1.4.11 (July 18, 2023)

SECURITY:

• acl: Fixed a bug where a namespace ACL policy without label was applied to an unexpected namespace. CVE-2023-3072 [GH-17908]
• search: Fixed a bug where ACL did not filter plugin and variable names in search endpoint. CVE-2023-3300 [GH-17906]
• sentinel (Enterprise): Fixed a bug where ACL tokens could be exfiltrated via Sentinel logs CVE-2023-3299 [GH-17907]

IMPROVEMENTS:

• cli: Add -quiet flag to nomad var init command [GH-17526]
• cni: Ensure to setup CNI addresses in deterministic order [GH-17766]
• deps: Updated Vault SDK to 0.9.0 [GH-17281]
• deps: update docker to 23.0.3 [GH-16862]

BUG FIXES:

• api: Fixed a bug that caused a panic when calling the Jobs().Plan() function with a job missing an ID [GH-17689]
• api: add missing constant for unknown allocation status [GH-17726]
• api: add missing field NetworkStatus for Allocation [GH-17280]
• cgroups: Fixed a bug removing all DevicesSets when alloc is created/removed [GH-17535]
• cli: Output error messages during deployment monitoring [GH-17348]
• client: Fixed a bug where Nomad incorrectly wrote to memory swappiness cgroup on old kernels [GH-17625]
• client: fixed a bug that prevented Nomad from fingerprinting Consul 1.13.8 correctly [GH-17349]
• consul: Fixed a bug where Nomad would repeatedly try to revoke successfully revoked SI tokens [GH-17847]
• core: Fix panic around client deregistration and pending heartbeats [GH-17316]
• core: fixed a bug that caused job validation to fail when a task with kill_timeout was placed inside a group with update.progress_deadline set to 0 [GH-17342]
• csi: Fixed a bug where CSI volumes would fail to restore during client restarts [GH-17840]
• drivers/docker: Fixed a bug where long-running docker operations would incorrectly timeout [GH-17731]
• identity: Fixed a bug where workload identities for periodic and dispatch jobs would not have access to their parent job's ACL policy [GH-17018]
• replication: Fix a potential panic when a non-authoritative region is upgraded and a server with the new version becomes the leader. [GH-17476]
• scheduler: Fixed a bug that could cause replacements for failed allocations to be placed in the wrong datacenter during a canary deployment [GH-17653]
• scheduler: Fixed a panic when a node has only one configured dynamic port [GH-17619]
• ui: dont show a service as healthy when its parent allocation stops running [GH-17465]

v1.6.0-rc.1

FEATURES:

• Node Pools: Allow cluster operators to partition Nomad clients and control which jobs are allowed to run in each pool. [GH-11041]

BREAKING CHANGES:

• acl: Job evaluate endpoit now requires submit-job instead of read-job capability [GH-16463]

IMPROVEMENTS:

• agent: Display server node ID in agent configuration at startup [GH-17084]
• api: enable support for storing original job source [GH-16763]
• api: return a structured error for unexpected responses [GH-16743]
• build: Publish official Docker images with the Nomad CLI [GH-17017]
• checks: Added support for Consul check field tls_server_name [GH-17334]
• cli: Add -quiet flag to nomad var init command [GH-17526]
• cli: Add check for missing host volume path in nomad config validate command [GH-17393]
• cli: Add leader status to output of nomad server members -json [GH-17138]
• cli: Sort output by Node name of the command nomad operator raft list-peers [GH-16221]
• cli: job plan help text for running the plan now includes the -namespace flag [GH-16243]
• client: check kernel module in /sys/module to help with WSL2 bridge networking [GH-17306]
• client: de-duplicate allocation client status updates and prevent allocation client status updates from being sent until clients have first synchronized with the server [GH-17074]
• client: prioritize allocation updates to reduce Raft and RPC load [GH-17354]
• connect: Auto detect when to use podman for connect sidecar proxies [GH-17065]
• connect: do not restrict automatic envoy versioning to docker driver [GH-17041]
• connect: use full docker.io prefixed name for envoy image references [GH-17045]
• deploymentwatcher: Allow deployments to fail early when running out of reschedule attempts [GH-17341]
• deps: Updated Vault SDK to 0.9.0 [GH-17281]
• deps: Updated consul-template to v0.31.0 [GH-16908]
• deps: update docker to 23.0.3 [GH-16862]
• deps: update github.com/hashicorp/raft from 1.3.11 to 1.5.0 [GH-17421]
• deps: update go.etcd.io/bbolt from 1.3.6 to 1.3.7 [GH-16228]
• docker: Add group_add configuration [GH-17313]
• drivers: Add DisableLogCollection to task driver capabilities interface [GH-17196]
• runtime: Added 'os.build' attribute to node fingerprint on windows os [GH-17576]
• ui: Added a new Job Status Panel that helps show allocation status throughout a deployment and in steady state [GH-16134]
• ui: Job status and deployment redesign [GH-16932]
• ui: Restyles "toast" notifications in the web UI with the Helios Design System [GH-16099]
• ui: add tooltips to the node and datacenter labels in the Topology page [GH-17647]
• ui: adds keyboard nav for switching between regions by pressing "r 1", "r 2", etc. [GH-17169]
• ui: change token input type from text to password [GH-17345]
• ui: remove namespace, type, and priority columns from child job table [GH-17645]
• vault: Add new configuration disable_file to prevent access to the Vault token by tasks that use image filesystem isolation [GH-13343]

DEPRECATIONS:

• envoy: remove support for envoy fallback image [GH-17044]

BUG FIXES:

• api: Fixed a bug that caused a panic when calling the Jobs().Plan() function with a job missing an ID [GH-17689]
• api: add missing constant for unknown allocation status [GH-17726]
• cgroups: Fixed a bug removing all DevicesSets when alloc is created/removed [GH-17535]
• cli: Fix a panic in the nomad job restart command when monitoring replacement allocations [GH-17346]
• cli: Output error messages during deployment monitoring [GH-17348]
• client: Fixed a bug where Nomad incorrectly wrote to memory swappiness cgroup on old kernels [GH-17625]
• client: Fixed a bug where agent would panic during drain incurred by shutdown [GH-17450]
• client: fixed a bug that prevented Nomad from fingerprinting Consul 1.13.8 correctly [GH-17349]
• core: Fix panic around client deregistration and pending heartbeats [GH-17316]
• core: fixed a bug that caused job validation to fail when a task with kill_timeout was placed inside a group with update.progress_deadline set to 0 [GH-17342]
• docker: Fixed a bug where network pause container would not be removed after node restart [GH-17455]
• drivers/docker: Fixed a bug where long-running docker operations would incorrectly timeout [GH-17731]
• identity: Fixed a bug where workload identities for periodic and dispatch jobs would not have access to their parent job's ACL policy [GH-17018]
• replication: Fix a potential panic when a non-authoritative region is upgraded and a server with the new version becomes the leader. [GH-17476]
• scheduler: Fixed a panic when a node has only one configured dynamic port [GH-17619]
• tls: Fixed a bug where the nomad tls cert command did not create certificates with the correct SANs for them to work with non default domain and region names. [GH-16959]
• ui: dont show a service as healthy when its parent allocation stops running [GH-17465]
• ui: fix a mirage-only issue where our mock token logs repeated unnecessarily [GH-17010]
• ui: fixed a handful of UX-related bugs during variable editing [GH-17319]
• ui: fixes an issue where the allocations table on child (periodic, parameterized) job pages wouldn't update when accessed via their parent [GH-17214]
• ui: preserve newlines when displaying shown variables in non-json mode [GH-17343]

v1.6.0-beta.1

FEATURES:

• Node Pools: Allow cluster operators to partition Nomad clients and control which jobs are allowed to run in each pool. [GH-11041]

BREAKING CHANGES:

• acl: Job evaluate endpoit now requires submit-job instead of read-job capability [GH-16463]

IMPROVEMENTS:

• agent: Display server node ID in agent configuration at startup [GH-17084]
• api: enable support for storing original job source [GH-16763]
• api: return a structured error for unexpected responses [GH-16743]
• build: Publish official Docker images with the Nomad CLI [GH-17017]
• checks: Added support for Consul check field tls_server_name [GH-17334]
• cli: Add -quiet flag to nomad var init command [GH-17526]
• cli: Add check for missing host volume path in nomad config validate command [GH-17393]
• cli: Add leader status to output of nomad server members -json [GH-17138]
• cli: Sort output by Node name of the command nomad operator raft list-peers [GH-16221]
• cli: job plan help text for running the plan now includes the -namespace flag [GH-16243]
• client: check kernel module in /sys/module to help with WSL2 bridge networking [GH-17306]
• client: de-duplicate allocation client status updates and prevent allocation client status updates from being sent until clients have first synchronized with the server [GH-17074]
• client: prioritize allocation updates to reduce Raft and RPC load [GH-17354]
• connect: Auto detect when to use podman for connect sidecar proxies [GH-17065]
• connect: do not restrict automatic envoy versioning to docker driver [GH-17041]
• connect: use full docker.io prefixed name for envoy image references [GH-17045]
• deploymentwatcher: Allow deployments to fail early when running out of reschedule attempts [GH-17341]
• deps: Updated Vault SDK to 0.9.0 [GH-17281]
• deps: Updated consul-template to v0.31.0 [GH-16908]
• deps: update docker to 23.0.3 [GH-16862]
• deps: update github.com/hashicorp/raft from 1.3.11 to 1.5.0 [GH-17421]
• deps: update go.etcd.io/bbolt from 1.3.6 to 1.3.7 [GH-16228]
• docker: Add group_add configuration [GH-17313]
• drivers: Add DisableLogCollection to task driver capabilities interface [GH-17196]
• runtime: Added 'os.build' attribute to node fingerprint on windows os [GH-17576]
• ui: Added a new Job Status Panel that helps show allocation status throughout a deployment and in steady state [GH-16134]
• ui: Job status and deployment redesign [GH-16932]
• ui: Restyles "toast" notifications in the web UI with the Helios Design System [GH-16099]
• ui: add tooltips to the node and datacenter labels in the Topology page [GH-17647]
• ui: adds keyboard nav for switching between regions by pressing "r 1", "r 2", etc. [GH-17169]
• ui: change token input type from text to password [GH-17345]
• ui: remove namespace, type, and priority columns from child job table [GH-17645]
• vault: Add new configuration disable_file to prevent access to the Vault token by tasks that use image filesystem isolation [GH-13343]

DEPRECATIONS:

• envoy: remove support for envoy fallback image [GH-17044]

BUG FIXES:

• api: Fixed a bug that caused a panic when calling the Jobs().Plan() function with a job missing an ID [GH-17689]
• api: add missing constant for unknown allocation status [GH-17726]
• cgroups: Fixed a bug removing all DevicesSets when alloc is created/removed [GH-17535]
• cli: Fix a panic in the nomad job restart command when monitoring replacement allocations [GH-17346]
• cli: Output error messages during deployment monitoring [GH-17348]
• client: Fixed a bug where Nomad incorrectly wrote to memory swappiness cgroup on old kernels [GH-17625]
• client: Fixed a bug where agent would panic during drain incurred by shutdown [GH-17450]
• client: fixed a bug that prevented Nomad from fingerprinting Consul 1.13.8 correctly [GH-17349]
• core: Fix panic around client deregistration and pending heartbeats [GH-17316]
• core: fixed a bug that caused job validation to fail when a task with kill_timeout was placed inside a group with update.progress_deadline set to 0 [GH-17342]
• docker: Fixed a bug where network pause container would not be removed after node restart [GH-17455]
• drivers/docker: Fixed a bug where long-running docker operations would incorrectly timeout [GH-17731]
• identity: Fixed a bug where workload identities for periodic and dispatch jobs would not have access to their parent job's ACL policy [GH-17018]
• replication: Fix a potential panic when a non-authoritative region is upgraded and a server with the new version becomes the leader. [GH-17476]
• scheduler: Fixed a panic when a node has only one configured dynamic port [GH-17619]
• tls: Fixed a bug where the nomad tls cert command did not create certificates with the correct SANs for them to work with non default domain and region names. [GH-16959]
• ui: dont show a service as healthy when its parent allocation stops running [GH-17465]
• ui: fix a mirage-only issue where our mock token logs repeated unnecessarily [GH-17010]
• ui: fixed a handful of UX-related bugs during variable editing [GH-17319]
• ui: fixes an issue where the allocations table on child (periodic, parameterized) job pages wouldn't update when accessed via their parent [GH-17214]
• ui: preserve newlines when displaying shown variables in non-json mode [GH-17343]

v1.5.6

1.5.6 (May 19, 2023)

IMPROVEMENTS:

• core: Prevent task.kill_timeout being greater than update.progress_deadline [GH-16761]

BUG FIXES:

• bug: Corrected status description and modification time for canceled evaluations [GH-17071]
• build: Linux packages now have vendor label and set the default label to HashiCorp. This fix is implemented for any future releases, but will not be updated for historical releases [GH-16071]
• client: Fixed a bug where restarting a terminal allocation turns it into a zombie where allocation and task hooks will run unexpectedly [GH-17175]
• client: clean up resources upon failure to restore task during client restart [GH-17104]
• logs: Fixed a bug where disabling log collection would prevent Windows tasks from starting [GH-17199]
• scale: Fixed a bug where evals could be created with the wrong type [GH-17092]
• scheduler: Fixed a bug where implicit spread targets were treated as separate targets for scoring [GH-17195]
• scheduler: Fixed a bug where scores for spread scheduling could be -Inf [GH-17198]
• services: Fixed a bug preventing group service deregistrations after alloc restarts [GH-16905]

v1.4.10

1.4.10 (May 19, 2023)

IMPROVEMENTS:

• core: Prevent task.kill_timeout being greater than update.progress_deadline [GH-16761]

BUG FIXES:

• bug: Corrected status description and modification time for canceled evaluations [GH-17071]
• client: Fixed a bug where restarting a terminal allocation turns it into a zombie where allocation and task hooks will run unexpectedly [GH-17175]
• client: clean up resources upon failure to restore task during client restart [GH-17104]
• scale: Fixed a bug where evals could be created with the wrong type [GH-17092]
• scheduler: Fixed a bug where implicit spread targets were treated as separate targets for scoring [GH-17195]
• scheduler: Fixed a bug where scores for spread scheduling could be -Inf [GH-17198]

v1.3.15

1.3.15 (May 19, 2023)

BUG FIXES:

• bug: Corrected status description and modification time for canceled evaluations [GH-17071]
• client: Fixed a bug where restarting a terminal allocation turns it into a zombie where allocation and task hooks will run unexpectedly [GH-17175]
• client: clean up resources upon failure to restore task during client restart [GH-17104]
• scale: Fixed a bug where evals could be created with the wrong type [GH-17092]
• scheduler: Fixed a bug where implicit spread targets were treated as separate targets for scoring [GH-17195]
• scheduler: Fixed a bug where scores for spread scheduling could be -Inf [GH-17198]

v1.5.5

1.5.5 (May 05, 2023)

BUG FIXES:

• logging: Fixed a bug where alloc logs would not be collected after an upgrade to 1.5.4 [GH-17087]

v1.3.14

1.3.14 (May 03, 2023)

v1.5.4

1.5.4 (May 02, 2023)

BREAKING CHANGES:

• artifact: environment variables no longer inherited by default from Nomad client [GH-15514]

IMPROVEMENTS:

• acl: New auth-method type: JWT [GH-15897]
• build: Update from Go 1.20.3 to Go 1.20.4 [GH-17056]
• cli: Added new nomad job restart command to restart all allocations for a job [GH-16278]
• cli: stream both stdout and stderr logs by default when following an allocation [GH-16556]
• client/fingerprint: detect fastest cpu core during cpu performance fallback [GH-16740]
• client: Added drain_on_shutdown configuration [GH-16827]
• connect: Added support for meta field on sidecar service block [GH-16705]
• dependency: update runc to 1.1.5 [GH-16712]
• driver/docker: Default devices.container_path to devices.host_path like Docker's CLI [GH-16811]
• ephemeral disk: migrate=true now implies sticky=true [GH-16826]
• fingerprint/cpu: correctly fingerprint P/E cores of Apple Silicon chips [GH-16672]
• jobspec: Added option for disabling task log collection in the logs block [GH-16962]
• license: show Terminated field in license get command [GH-16892]
• ui: Added copy-to-clipboard buttons to server and client pages [GH-16548]
• ui: added new keyboard commands for job start, stop, exec, and client metadata [GH-16378]

BUG FIXES:

• api: Fixed filtering on maps with missing keys [GH-16991]
• cli: Fix panic on job plan when -diff=false [GH-16944]
• client: Fix CNI plugin version fingerprint when output includes protocol version [GH-16776]
• client: Fix address for ports in IPv6 networks [GH-16723]
• client: Fixed a bug where restarting proxy sidecar tasks failed [GH-16815]
• client: Prevent a panic when an allocation has a legacy task-level bridge network and uses a driver that does not create a network namespace [GH-16921]
• client: Remove setting attributes when spawning the getter child [GH-16791]
• core: the deployment's list endpoint now supports look up by prefix using the wildcard for namespace [GH-16792]
• csi: gracefully recover tasks that use csi node plugins [GH-16809]
• docker: Fixed a bug where plugin config values were ignored [GH-16713]
• drain: Fixed a bug where drains would complete based on the server status and not the client status of an allocation [GH-14348]
• driver/exec: Fixed a bug where cap_drop and cap_add would not expand capabilities [GH-16643]
• fix: Added "/usr/libexec" to the landlocked directories the getter has access to [GH-16900]
• scale: Do not allow scale requests for jobs of type system [GH-16969]
• scheduler: Fix reconciliation of reconnecting allocs when the replacement allocations are not running [GH-16609]
• scheduler: honor false value for distinct_hosts constraint [GH-16907]
• server: Added verification of cron jobs already running before forcing new evals right after leader change [GH-16583]
• ui: Fix a visual bug where evaluation response wasn't scrollable in the Web UI. [GH-16960]

v1.4.9

1.4.9 (May 02, 2023)

IMPROVEMENTS:

• build: Update from Go 1.20.3 to Go 1.20.4 [GH-17056]
• dependency: update runc to 1.1.5 [GH-16712]

BUG FIXES:

• api: Fixed filtering on maps with missing keys [GH-16991]
• build: Linux packages now have vendor label and set the default label to HashiCorp. This fix is implemented for any future releases, but will not be updated for historical releases [GH-16071]
• client: Fix CNI plugin version fingerprint when output includes protocol version [GH-16776]
• client: Fix address for ports in IPv6 networks [GH-16723]
• client: Fixed a bug where restarting proxy sidecar tasks failed [GH-16815]
• client: Prevent a panic when an allocation has a legacy task-level bridge network and uses a driver that does not create a network namespace [GH-16921]
• core: the deployment's list endpoint now supports look up by prefix using the wildcard for namespace [GH-16792]
• csi: gracefully recover tasks that use csi node plugins [GH-16809]
• docker: Fixed a bug where plugin config values were ignored [GH-16713]
• drain: Fixed a bug where drains would complete based on the server status and not the client status of an allocation [GH-14348]
• driver/exec: Fixed a bug where cap_drop and cap_add would not expand capabilities [GH-16643]
• scale: Do not allow scale requests for jobs of type system [GH-16969]
• scheduler: Fix reconciliation of reconnecting allocs when the replacement allocations are not running [GH-16609]
• scheduler: honor false value for distinct_hosts constraint [GH-16907]
• server: Added verification of cron jobs already running before forcing new evals right after leader change [GH-16583]
• services: Fixed a bug preventing group service deregistrations after alloc restarts [GH-16905]