v1.3.9

1.3.9 (February 14, 2023)

SECURITY:

• artifact: Provide mitigations against unbounded artifact decompression [GH-16126]
• build: Update to go1.20.1 [GH-16182]

v1.2.16

1.2.16 (February 14, 2023)

SECURITY:

• artifact: Provide mitigations against unbounded artifact decompression [GH-16126]
• build: Update to go1.20.1 [GH-16182]

v1.5.0-beta.1

1.5.0 (Unreleased)

FEATURES:

• Dynamic Node Metadata: Allow users and tasks to update Node metadata via an API [GH-15844]
• SSO via OIDC: Allow users to authenticate with Nomad via OIDC providers [GH-15816]

BREAKING CHANGES:

• cli: The deprecated gossip keyring commands nomad operator keyring, nomad keyring, nomad operator keygen, and nomad keygen have been removed. Use the nomad operator gossip keyring commands to manage the gossip keyring [GH-16068]
• config: the datacenter field for agent configuration no longer accepts the * character as part of the datacenter name [GH-11170]
• core: Ensure no leakage of evaluations for batch jobs. Prior to this change allocations and evaluations for batch jobs were never garbage collected until the batch job was explicitly stopped. The new batch_eval_gc_threshold server configuration controls how often they are collected. The default threshold is 24h. [GH-15097]
• metrics: The metric nomad.nomad.broker.total_blocked has been renamed to nomad.nomad.broker.total_pending to reduce confusion with the nomad.blocked_eval.total_blocked metric. [GH-15835]

IMPROVEMENTS:

• api: improved error returned from AllocFS.Logs when response is not JSON [GH-15558]
• build: Added hyper-v isolation mode for docker on Windows [GH-15819]
• build: Update to go1.20 [GH-16029]
• cli: Add -json and -t flag to nomad acl token create command [GH-16055]
• cli: Added -wait flag to deployment status for use with -monitor mode [GH-15262]
• cli: Added sprig function support for -t templates [GH-9053]
• cli: Added tls command to enable creating Certificate Authority and Self signed TLS certificates.
  There are two sub commands tls ca and tls cert that are helpers when creating certificates. [GH-14296]
• cli: nomad job stop can be used to stop multiple jobs concurrently. [GH-12582]
• cli: add a nomad operator client state command [GH-15469]
• cli: we now recommend .nomad.hcl extension for job files, so job init creates example.nomad.hcl [GH-15997]
• client/fingerprint/storage: Added config options disk_total_mb and disk_free_mb to override detected disk space [GH-15852]
• client: Add option to enable hairpinMode on Nomad bridge [GH-15961]
• client: Added a TaskEvent when task shutdown is waiting on shutdown_delay [GH-14775]
• client: Log task events at INFO log level [GH-15842]
• client: added http api access for tasks via unix socket [GH-15864]
• client: detect and cleanup leaked iptables rules [GH-15407]
• client: execute artifact downloads in sandbox process [GH-15328]
• consul/connect: Adds support for proxy upstream opaque config [GH-15761]
• consul: add client configuration for grpc_ca_file [GH-15701]
• core: Eliminate deprecated practice of seeding rand package [GH-16074]
• deps: Update github.com/containerd/containerd from 1.6.6 to 1.6.12 [GH-15726]
• deps: Update github.com/docker/docker from 20.10.21+incompatible to 20.10.23+incompatible [GH-15848]
• deps: Update github.com/fsouza/go-dockerclient from 1.8.2 to 1.9.0 [GH-14898]
• deps: Update google.golang.org/grpc from 1.48.0 to 1.50.1 [GH-14897]
• deps: Update google.golang.org/grpc to v1.51.0 [GH-15402]
• docs: link to an envoy troubleshooting doc when envoy bootstrap fails [GH-15908]
• env/ec2: update cpu metadata [GH-15770]
• fingerprint: Detect CNI plugins and set versions as node attributes [GH-15452]
• identity: Add identity jobspec block for exposing workload identity to tasks [GH-15755]
• identity: Allow workloads to use RPCs associated with HTTP API [GH-15870]
• jobspec: the datacenters field now accepts wildcards [GH-11170]
• metrics: Added metrics for rate of RPC requests [GH-15876]
• scheduler: allow using device IDs in affinity and constraint [GH-15455]
• server: Added raft snapshot arguments to server config [GH-15522]
• server: Certain raft configuration elements can now be reloaded without restarting the server [GH-15522]
• ui, cli: Adds Job Templates to the "Run Job" Web UI and makes them accessible via new flags on nomad job init [GH-15746]
• ui: Add a button for expanding the Task sidebar to full width [GH-15735]
• ui: Added a Policy Editor interface for management tokens [GH-13976]
• ui: Added a ui.label block to agent config, letting operators set a visual label and color for their Nomad instance [GH-16006]
• ui: Made task rows in Allocation tables look more aligned with their parent [GH-15363]
• ui: Show events alongside logs in the Task sidebar [GH-15733]
• ui: The web UI now provides a Token Management interface for management users on policy pages [GH-15435]
• ui: The web UI will now show canary_tags of services anyplace we would normally show tags. [GH-15458]
• ui: give users a notification if their token is going to expire within the next 10 minutes [GH-15091]
• ui: redirect users to Sign In should their tokens ever come back expired or not-found [GH-15073]
• variables: Increased maximum size to 64KiB [GH-15983]
• vault: configure Nomad User-Agent on vault clients [GH-15745]
• volumes: Allow per_alloc to be used with host_volumes [GH-15780]

DEPRECATIONS:

• api: The connect ConsulExposeConfig.Path field is deprecated in favor of ConsulExposeConfig.Paths [GH-15541]
• api: The connect ConsulProxy.ExposeConfig field is deprecated in favor of ConsulProxy.Expose [GH-15541]

BUG FIXES:

• acl: Fixed a bug in token creation which failed to parse expiration TTLs correctly [GH-15999]
• acl: Fixed a bug where creating/updating a policy which was invalid would return a 404 status code, not a 400 [GH-16000]
• agent: Make agent syslog log level follow log_level config [GH-15625]
• api: Fix stale querystring parameter value as boolean [GH-15605]
• api: Fixed a bug where exposeConfig field was not provided correctly when getting the jobs via the API [GH-15541]
• api: Fixed a nil pointer dereference when periodic jobs are missing their periodic spec [GH-13845]
• check: Add support for sending custom host header [GH-15337]
• cli: Fixed a bug where plans for periodic jobs would return exit code 1 when the job was already register [GH-14492]
• cli: Fixed a panic in deployment status when rollback deployments are slow to appear [GH-16011]
• cli: corrected typos in ACL role create/delete CLI commands [GH-15382]
• cli: fix nomad fmt -check flag not returning error code [GH-15797]
• client: Fixed a bug where allocation cleanup hooks would not run [GH-15477]
• connect: ingress ...

v1.4.3

1.4.3 (November 21, 2022)

IMPROVEMENTS:

• api: Added an API for counting evaluations that match a filter [GH-15147]
• cli: Improved performance of eval delete with large filter sets [GH-15117]
• consul: add trace logging around service registrations [GH-6115]
• deps: Updated github.com/aws/aws-sdk-go from 1.44.84 to 1.44.126 [GH-15081]
• deps: Updated github.com/docker/cli from 20.10.18+incompatible to 20.10.21+incompatible [GH-15078]
• exec: Allow running commands from mounted host volumes [GH-14851]
• scheduler: when multiple evaluations are pending for the same job, evaluate the latest and cancel the intermediaries on success [GH-14621]
• server: Add a git revision tag to the serf tags gossiped between servers. [GH-9159]
• template: Expose per-template configuration for error_on_missing_key. This allows jobspec authors to specify that a
  template should fail if it references a struct or map key that does not exist. The default value is false and should be
  fully backward compatible. [GH-14002]
• ui: Adds a "Pack" tag and logo on the jobs list index when appropriate [GH-14833]
• ui: add consul connect service upstream and on-update info to the service sidebar [GH-15324]
• ui: allow users to upload files by click or drag in the web ui [GH-14747]

BUG FIXES:

• api: Ensure all request body decode errors return a 400 status code [GH-15252]
• autopilot: Fixed a bug where autopilot would try to fetch raft stats from other regions [GH-15290]
• cleanup: fixed missing timer.Reset for plan queue stat emitter [GH-15134]
• client: Fixed a bug where tasks would restart without waiting for interval [GH-15215]
• client: fixed a bug where non-docker tasks with network isolation would leak network namespaces and iptables rules if the client was restarted while they were running [GH-15214]
• client: prevent allocations from failing on client reconnect by retrying RPC requests when no servers are available yet [GH-15140]
• csi: Fixed race condition that can cause a panic when volume is garbage collected [GH-15101]
• device: Fixed a bug where device plugins would not fingerprint on startup [GH-15125]
• drivers: Fixed a bug where one goroutine was leaked per task [GH-15180]
• drivers: pass missing propagation_mode configuration for volume mounts to external plugins [GH-15096]
• event_stream: fixed a bug where dynamic port values would fail to serialize in the event stream [GH-12916]
• fingerprint: Ensure Nomad can correctly fingerprint Consul gRPC where the Consul agent is running v1.14.0 or greater [GH-15309]
• keyring: Fixed a bug where a missing key would prevent any further replication. [GH-15092]
• keyring: Fixed a bug where replication would stop after snapshot restores [GH-15227]
• keyring: Re-enabled keyring garbage collection after fixing a bug where keys would be garbage collected even if they were used to sign a live allocation's workload identity. [GH-15092]
• scheduler: Fixed a bug that prevented disconnected allocations to be updated after they reconnect. [GH-15068]
• scheduler: Prevent unnecessary placements when disconnected allocations reconnect. [GH-15068]
• template: Fixed a bug where template could cause agent panic on startup [GH-15192]
• ui: Fixed a bug where the task log sidebar would close and re-open if the parent job state changed [GH-15146]
• variables: Fixed a bug where a long-running rekey could hit the nack timeout [GH-15102]
• wi: Fixed a bug where clients running pre-1.4.0 allocations would erase the token used to query service registrations after upgrade [GH-15121]

v1.3.8

1.3.8 (November 21, 2022)

BUG FIXES:

• api: Ensure all request body decode errors return a 400 status code [GH-15252]
• cleanup: fixed missing timer.Reset for plan queue stat emitter [GH-15134]
• client: Fixed a bug where tasks would restart without waiting for interval [GH-15215]
• client: fixed a bug where non-docker tasks with network isolation would leak network namespaces and iptables rules if the client was restarted while they were running [GH-15214]
• client: prevent allocations from failing on client reconnect by retrying RPC requests when no servers are available yet [GH-15140]
• csi: Fixed race condition that can cause a panic when volume is garbage collected [GH-15101]
• device: Fixed a bug where device plugins would not fingerprint on startup [GH-15125]
• drivers: Fixed a bug where one goroutine was leaked per task [GH-15180]
• drivers: pass missing propagation_mode configuration for volume mounts to external plugins [GH-15096]
• event_stream: fixed a bug where dynamic port values would fail to serialize in the event stream [GH-12916]
• fingerprint: Ensure Nomad can correctly fingerprint Consul gRPC where the Consul agent is running v1.14.0 or greater [GH-15309]
• scheduler: Fixed a bug that prevented disconnected allocations to be updated after they reconnect. [GH-15068]
• scheduler: Prevent unnecessary placements when disconnected allocations reconnect. [GH-15068]
• template: Fixed a bug where template could cause agent panic on startup [GH-15192]

v1.2.15

1.2.15 (November 21, 2022)

BUG FIXES:

• api: Ensure all request body decode errors return a 400 status code [GH-15252]
• cleanup: fixed missing timer.Reset for plan queue stat emitter [GH-15134]
• client: Fixed a bug where tasks would restart without waiting for interval [GH-15215]
• client: fixed a bug where non-docker tasks with network isolation would leak network namespaces and iptables rules if the client was restarted while they were running [GH-15214]
• csi: Fixed race condition that can cause a panic when volume is garbage collected [GH-15101]
• device: Fixed a bug where device plugins would not fingerprint on startup [GH-15125]
• drivers: Fixed a bug where one goroutine was leaked per task [GH-15180]
• drivers: pass missing propagation_mode configuration for volume mounts to external plugins [GH-15096]
• event_stream: fixed a bug where dynamic port values would fail to serialize in the event stream [GH-12916]
• fingerprint: Ensure Nomad can correctly fingerprint Consul gRPC where the Consul agent is running v1.14.0 or greater [GH-15309]

v1.4.2

1.4.2 (October 26, 2022)

SECURITY:

• event stream: Fixed a bug where ACL token expiration was not checked when emitting events [GH-15013]

IMPROVEMENTS:

• cli: Added -id-prefix-template option to nomad job dispatch [GH-14631]
• cli: add nomad fmt to the CLI [GH-14779]
• deps: update go-memdb for goroutine leak fix [GH-14983]
• docker: improve memory usage for docker_logger [GH-14875]
• event stream: Added ACL role topic with create and delete types [GH-14923]
• scheduler: Allow jobs not requiring network resources even when no network is fingerprinted [GH-14300]
• ui: adds searching and filtering to the topology page [GH-14913]

BUG FIXES:

• acl: Callers should be able to read policies linked via roles to the token used [GH-14982]
• acl: Ensure all federated servers meet v.1.4.0 minimum before ACL roles can be written [GH-14908]
• acl: Fixed a bug where Nomad version checking for one-time tokens was enforced across regions [GH-14912]
• cli: prevent a panic when the Nomad API returns an error while collecting a debug bundle [GH-14992]
• client: Check ACL token expiry when resolving token within ACL cache [GH-14922]
• client: Fixed a bug where Nomad could not detect cores on recent RHEL systems [GH-15027]
• client: Fixed a bug where network fingerprinters were not reloaded when the client configuration was reloaded with SIGHUP [GH-14615]
• client: Resolve ACL roles within client ACL cache [GH-14922]
• consul: Fixed a bug where services continuously re-registered [GH-14917]
• consul: atomically register checks on initial service registration [GH-14944]
• deps: Update hashicorp/consul-template to 90370e07bf621811826b803fb633dadbfb4cf287; fixes template rerendering issues when only user or group set [GH-15045]
• deps: Update hashicorp/raft to v1.3.11; fixes unstable leadership on server removal [GH-15021]
• event stream: Check ACL token expiry when resolving tokens [GH-14923]
• event stream: Resolve ACL roles within ACL tokens [GH-14923]
• keyring: Fixed a bug where nomad system gc forced a root keyring rotation. [GH-15009]
• keyring: Fixed a bug where if a key is rotated immediately following a leader election, plans that are in-flight may get signed before the new leader has the key. Allow for a short timeout-and-retry to avoid rejecting plans. [GH-14987]
• keyring: Fixed a bug where keyring initialization is blocked by un-upgraded federated regions [GH-14901]
• keyring: Fixed a bug where root keyring garbage collection configuration values were not respected. [GH-15009]
• keyring: Fixed a bug where root keyring initialization could occur before the raft FSM on the leader was verified to be up-to-date. [GH-14987]
• keyring: Fixed a bug where root keyring replication could make incorrectly stale queries and exit early if those queries did not return the expected key. [GH-14987]
• keyring: Fixed a bug where the root keyring replicator's rate limiting would be skipped if the keyring replication exceeded the burst rate. [GH-14987]
• keyring: Removed root key garbage collection to avoid orphaned workload identities [GH-15034]
• nomad native service discovery: Ensure all local servers meet v.1.3.0 minimum before service registrations can be written [GH-14924]
• scheduler: Fixed a bug where version checking for disconnected clients handling was enforced across regions [GH-14912]
• servicedisco: Fixed a bug where job using checks could land on incompatible client [GH-14868]
• services: Fixed a regression where check task validation stopped allowing some configurations [GH-14864]
• ui: Fixed line charts to update x-axis (time) where relevant [GH-14814]
• ui: Fixes an issue where service tags would bleed past the edge of the screen [GH-14832]
• variables: Fixed a bug where Nomad version checking was not enforced for writing to variables [GH-14912]

v1.3.7

1.3.7 (October 26, 2022)

IMPROVEMENTS:

• deps: update go-memdb for goroutine leak fix [GH-14983]
• docker: improve memory usage for docker_logger [GH-14875]

BUG FIXES:

• acl: Fixed a bug where Nomad version checking for one-time tokens was enforced across regions [GH-14911]
• client: Fixed a bug where Nomad could not detect cores on recent RHEL systems [GH-15027]
• consul: Fixed a bug where services continuously re-registered [GH-14917]
• consul: atomically register checks on initial service registration [GH-14944]
• deps: Update hashicorp/raft to v1.3.11; fixes unstable leadership on server removal [GH-15021]
• nomad native service discovery: Ensure all local servers meet v.1.3.0 minimum before service registrations can be written [GH-14924]
• scheduler: Fixed a bug where version checking for disconnected clients handling was enforced across regions [GH-14911]

v1.2.14

1.2.14 (October 26, 2022)

IMPROVEMENTS:

• deps: update go-memdb for goroutine leak fix [GH-14983]

BUG FIXES:

• acl: Fixed a bug where Nomad version checking for one-time tokens was enforced across regions [GH-14910]
• deps: Update hashicorp/raft to v1.3.11; fixes unstable leadership on server removal [GH-15021]

v1.4.1

1.4.1 (October 06, 2022)

BUG FIXES:

• keyring: Fixed a panic that can occur during upgrades to 1.4.0 when initializing the keyring [GH-14821]