v1.3.3

1.3.3 (August 05, 2022)

IMPROVEMENTS:

• csi: Add stage_publish_base_dir field to csi_plugin block to support plugins that require a specific staging/publishing directory for mounts [GH-13919]
• qemu: use shorter socket file names to reduce the chance of hitting the max path length [GH-13971]
• template: Expose consul-template configuration options at the client level for nomad_retry. [GH-13907]
• template: Templates support new uid/gid parameter pair [GH-13755]
• ui: Reorder and apply the same style to the Evaluations list page filters to match the Job list page. [GH-13866]

BUG FIXES:

• acl: Fixed a bug where the timestamp for expiring one-time tokens was not deterministic between servers [GH-13737]
• deployments: Fixed a bug that prevented auto-approval if canaries were marked as unhealthy during deployment [GH-14001]
• metrics: Fixed a bug where blocked evals with no class produced no dc:class scope metrics [GH-13786]
• namespaces: Fixed a bug that allowed deleting a namespace that contained a CSI volume [GH-13880]
• qemu: restore the monitor socket path when restoring a QEMU task. [GH-14000]
• servicedisco: Fixed a bug where non-unique services would escape job validation [GH-13869]
• ui: Add missing breadcrumb in the Evaluations page. [GH-13865]
• ui: Fixed a bug where task memory was reported as zero on systems using cgroups v2 [GH-13670]

v1.2.10

1.2.10 (August 05, 2022)

BUG FIXES:

• acl: Fixed a bug where the timestamp for expiring one-time tokens was not deterministic between servers [GH-13737]
• deployments: Fixed a bug that prevented auto-approval if canaries were marked as unhealthy during deployment [GH-14001]
• metrics: Fixed a bug where blocked evals with no class produced no dc:class scope metrics [GH-13786]
• namespaces: Fixed a bug that allowed deleting a namespace that contained a CSI volume [GH-13880]
• qemu: restore the monitor socket path when restoring a QEMU task. [GH-14000]

v1.1.16

1.1.16 (August 05, 2022)

BUG FIXES:

• acl: Fixed a bug where the timestamp for expiring one-time tokens was not deterministic between servers [GH-13737]
• deployments: Fixed a bug that prevented auto-approval if canaries were marked as unhealthy during deployment [GH-14001]
• namespaces: Fixed a bug that allowed deleting a namespace that contained a CSI volume [GH-13880]
• qemu: restore the monitor socket path when restoring a QEMU task. [GH-14000]

v1.3.2

1.3.2 (July 13, 2022)

IMPROVEMENTS:

• agent: Added delete support to the eval HTTP API [GH-13492]
• agent: emit a warning message if the agent starts with bootstrap_expect set to an even number. [GH-12961]
• agent: logs are no longer buffered at startup when logging in JSON format [GH-13076]
• api: enable setting ?choose parameter when querying services [GH-12862]
• api: refactor ACL check when using the all namespaces wildcard in the job and alloc list endpoints [GH-13608]
• api: support Authorization Bearer header in lieu of X-Nomad-Token header [GH-12534]
• bootstrap: Added option to allow for an operator generated bootstrap token to be passed to the acl bootstrap command [GH-12520]
• cli: Added delete command to the eval CLI [GH-13492]
• cli: Added scheduler get-config and scheduler set-config commands to the operator CLI [GH-13045]
• cli: always display job ID and namespace in the eval status command [GH-13581]
• cli: display namespace and node ID in the eval list command and when eval status matches multiple evals [GH-13581]
• cli: update default redis and use nomad service discovery [GH-13044]
• client: added more fault tolerant defaults for template configuration [GH-13041]
• core: Added the ability to pause and un-pause the eval broker and blocked eval broker [GH-13045]
• core: On node updates skip creating evaluations for jobs not in the node's datacenter. [GH-12955]
• core: automatically mark clients with recurring plan rejections as ineligible [GH-13421]
• driver/docker: Eliminate excess Docker registry pulls for the infra_image when it already exists locally. [GH-13265]
• fingerprint: add support for detecting kernel architecture of clients. (attribute: kernel.arch) [GH-13182]
• hcl: added support for using the filebase64 function in jobspecs [GH-11791]
• metrics: emit nomad.nomad.plan.rejection_tracker.node_score metric for the number of times a node had a plan rejection within the past time window [GH-13421]
• qemu: add support for guest agent socket [GH-12800]
• ui: Namespace filter query paramters are now isolated by route [GH-13679]

BUG FIXES:

• api: Fix listing evaluations with the wildcard namespace and an ACL token [GH-13530]
• api: Fixed a bug where Consul token was not respected for job revert API [GH-13065]
• cli: Fixed a bug in the names of the node drain and node status sub-commands [GH-13656]
• cli: Fixed a bug where job validate did not respect vault token or namespace [GH-13070]
• client: Fixed a bug where max_kill_timeout client config was ignored [GH-13626]
• client: Fixed a bug where network.dns block was not interpolated [GH-12817]
• cni: Fixed a bug where loopback address was not set for all drivers [GH-13428]
• connect: Added missing ability of setting Connect upstream destination namespace [GH-13125]
• core: Fixed a bug where an evicted batch job would not be rescheduled [GH-13205]
• core: Fixed a bug where blocked eval resources were incorrectly computed [GH-13104]
• core: Fixed a bug where reserved ports on multiple node networks would be treated as a collision. client.reserved.reserved_ports is now merged into each host_network's reserved ports instead of being treated as a collision. [GH-13651]
• core: Fixed a bug where the plan applier could deadlock if leader's state lagged behind plan's creation index for more than 5 seconds. [GH-13407]
• csi: Fixed a regression where a timeout was introduced that prevented some plugins from running by marking them as unhealthy after 30s by introducing a configurable health_timeout field [GH-13340]
• csi: Fixed a scheduler bug where failed feasibility checks would return early and prevent processing additional nodes [GH-13274]
• docker: Fixed a bug where cgroups-v1 parent was being set [GH-13058]
• lifecycle: fixed a bug where sidecar tasks were not being stopped last [GH-13055]
• state: Fix listing evaluations from all namespaces [GH-13551]
• ui: Allow running jobs from a namespace-limited token [GH-13659]
• ui: Fix a bug that prevented viewing the details of an evaluation in a non-default namespace [GH-13530]
• ui: Fixed a bug that prevented the UI task exec functionality to work from behind a reverse proxy. [GH-12925]
• ui: Fixed an issue where editing or running a job with a namespace via the UI would throw a 404 on redirect. [GH-13588]
• ui: fixed a bug where links to jobs with "@" in their name would mis-identify namespace and 404 [GH-13012]
• volumes: Fixed a bug where additions, updates, or removals of host volumes or CSI volumes were not treated as destructive updates [GH-13008]

v1.2.9

1.2.9 (July 13, 2022)

BUG FIXES:

• api: Fix listing evaluations with the wildcard namespace and an ACL token [GH-13552]
• api: Fixed a bug where Consul token was not respected for job revert API [GH-13065]
• cli: Fixed a bug in the names of the node drain and node status sub-commands [GH-13656]
• client: Fixed a bug where max_kill_timeout client config was ignored [GH-13626]
• client: Fixed a bug where network.dns block was not interpolated [GH-12817]
• cni: Fixed a bug where loopback address was not set for all drivers [GH-13428]
• connect: Added missing ability of setting Connect upstream destination namespace [GH-13125]
• core: Fixed a bug where an evicted batch job would not be rescheduled [GH-13205]
• core: Fixed a bug where blocked eval resources were incorrectly computed [GH-13104]
• core: Fixed a bug where reserved ports on multiple node networks would be treated as a collision. client.reserved.reserved_ports is now merged into each host_network's reserved ports instead of being treated as a collision. [GH-13651]
• core: Fixed a bug where the plan applier could deadlock if leader's state lagged behind plan's creation index for more than 5 seconds. [GH-13407]
• csi: Fixed a regression where a timeout was introduced that prevented some plugins from running by marking them as unhealthy after 30s by introducing a configurable health_timeout field [GH-13340]
• csi: Fixed a scheduler bug where failed feasibility checks would return early and prevent processing additional nodes [GH-13274]
• lifecycle: fixed a bug where sidecar tasks were not being stopped last [GH-13055]
• state: Fix listing evaluations from all namespaces [GH-13551]
• ui: Allow running jobs from a namespace-limited token [GH-13659]
• ui: Fixed a bug that prevented the UI task exec functionality to work from behind a reverse proxy. [GH-12925]
• volumes: Fixed a bug where additions, updates, or removals of host volumes or CSI volumes were not treated as destructive updates [GH-13008]

v1.1.15

1.1.15 (July 13, 2022)

BUG FIXES:

• api: Fixed a bug where Consul token was not respected for job revert API [GH-13065]
• cli: Fixed a bug in the names of the node drain and node status sub-commands [GH-13656]
• client: Fixed a bug where max_kill_timeout client config was ignored [GH-13626]
• cni: Fixed a bug where loopback address was not set for all drivers [GH-13428]
• core: Fixed a bug where an evicted batch job would not be rescheduled [GH-13205]
• core: Fixed a bug where reserved ports on multiple node networks would be treated as a collision. client.reserved.reserved_ports is now merged into each host_network's reserved ports instead of being treated as a collision. [GH-13651]
• core: Fixed a bug where the plan applier could deadlock if leader's state lagged behind plan's creation index for more than 5 seconds. [GH-13407]
• csi: Fixed a regression where a timeout was introduced that prevented some plugins from running by marking them as unhealthy after 30s by introducing a configurable health_timeout field [GH-13340]
• csi: Fixed a scheduler bug where failed feasibility checks would return early and prevent processing additional nodes [GH-13274]
• lifecycle: fixed a bug where sidecar tasks were not being stopped last [GH-13055]
• ui: Allow running jobs from a namespace-limited token [GH-13659]
• ui: Fixed a bug that prevented the UI task exec functionality to work from behind a reverse proxy. [GH-12925]
• volumes: Fixed a bug where additions, updates, or removals of host volumes or CSI volumes were not treated as destructive updates [GH-13008]

v1.3.1

1.3.1 (May 19, 2022)

SECURITY:

• A vulnerability was identified in the go-getter library that Nomad uses for its artifacts such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. CVE-2022-30324 [GH-13057]

BUG FIXES:

• agent: fixed a panic on startup when the server.protocol_version config parameter was set [GH-12962]

v1.2.8

1.2.8 (May 19, 2022)

SECURITY:

• A vulnerability was identified in the go-getter library that Nomad uses for its artifacts such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. CVE-2022-30324 [GH-13057]

v1.1.14

1.1.14 (May 19, 2022)

SECURITY:

• A vulnerability was identified in the go-getter library that Nomad uses for its artifacts such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. CVE-2022-30324 [GH-13057]

v1.3.0

1.3.0 (May 11, 2022)

FEATURES:

• Edge compute improvements: Added support for reconnecting healthy allocations when disconnected clients reconnect. [GH-12476]
• Native service discovery: Register and discover services using builtin simple service discovery. [GH-12368]

BREAKING CHANGES:

• agent: The state database on both clients and servers will automatically migrate its underlying database on startup. Downgrading to a previous version of an agent after upgrading it to Nomad 1.3 is not supported. [GH-12107]
• client: The client state store will be automatically migrated to a new schema version when upgrading a client. Downgrading to a previous version of the client after upgrading it to Nomad 1.3 is not supported. To downgrade safely, users should erase the Nomad client's data directory. [GH-12078]
• connect: Consul Service Identity ACL tokens automatically generated for Connect services are now
  created as Local rather than Global tokens. Nomad clusters with Connect services making cross-Consul
  datacenter requests will need to ensure their Consul agents are configured with anonymous ACL tokens
  of sufficient node and service read permissions. [GH-8068]
• connect: The minimum Consul version supported by Nomad's Connect integration is now Consul v1.8.0. [GH-8068]
• csi: The client filesystem layout for CSI plugins has been updated to correctly handle the lifecycle of multiple allocations serving the same plugin. Running plugin tasks will not be updated after upgrading the client, but it is recommended to redeploy CSI plugin jobs after upgrading the cluster. [GH-12078]
• raft: The default raft protocol version is now 3 so you must follow the Upgrading to Raft Protocol 3 guide when upgrading an existing cluster to Nomad 1.3.0. Downgrading the raft protocol version is not supported. [GH-11572]

SECURITY:

• server: validate mTLS certificate names on agent to agent endpoints [GH-11956]

IMPROVEMENTS:

• agent: Switch from boltdb/bolt to go.etcd.io/bbolt [GH-12107]
• api: Add related query parameter to the Evaluation details endpoint [GH-12305]
• api: Add support for filtering and pagination to the jobs and volumes list endpoint [GH-12186]
• api: Add support for filtering and pagination to the node list endpoint [GH-12727]
• api: Add support for filtering, sorting, and pagination to the ACL tokens and allocations list endpoint [GH-12186]
• api: Added ParseHCLOpts helper func to ease parsing HCLv1 jobspecs [GH-12777]
• api: CSI secrets for list and delete snapshots are now passed in HTTP headers [GH-12144]
• api: AllocFS.Logs now explicitly closes frames channel after being canceled [GH-12248]
• api: default to using DefaultPooledTransport client to support keep-alive by default [GH-12492]
• api: filter values of evaluation and deployment list api endpoints [GH-12034]
• api: sort return values of evaluation and deployment list api endpoints by creation index [GH-12054]
• build: make targets now respect GOBIN variable [GH-12077]
• build: upgrade and speedup circleci configuration [GH-11889]
• cli: Added -json flag to nomad job {run,plan,validate} to support parsing JSON formatted jobs [GH-12591]
• cli: Added -os flag to node status to display operating system name [GH-12388]
• cli: Added nomad operator api command to ease querying Nomad's HTTP API. [GH-10808]
• cli: CSI secrets argument for volume snapshot list has been made consistent with volume snapshot delete [GH-12144]
• cli: Return a redacted value for mount flags in the volume status command, instead of <none> [GH-12150]
• cli: operator debug command now skips generating pprofs to avoid a panic on Nomad 0.11.2. 0.11.1, and 0.11.0 [GH-12807]
• cli: add nomad config validate command to check configuration files without an agent [GH-9198]
• cli: added -pprof-interval to nomad operator debug command [GH-11938]
• cli: display the Raft version instead of the Serf protocol in the nomad server members command [GH-12317]
• cli: rename the nomad server members -detailed flag to -verbose so it matches other commands [GH-12317]
• client: Added NOMAD_SHORT_ALLOC_ID allocation env var [GH-12603]
• client: Allow interpolation of the network.dns block [GH-12021]
• client: Download up to 3 artifacts concurrently [GH-11531]
• client: Enable support for cgroups v2 [GH-12274]
• client: fingerprint AWS instance life cycle option [GH-12371]
• client: set NOMAD_CPU_CORES environment variable when reserving cpu cores [GH-12496]
• connect: automatically set alloc_id in envoy_stats_tags configuration [GH-12543]
• connect: bootstrap envoy sidecars using -proxy-for [GH-12011]
• consul/connect: write Envoy bootstrapping information to disk for debugging [GH-11975]
• consul: Added implicit Consul constraint for task groups utilising Consul service and check registrations [GH-12602]
• consul: add go-sockaddr templating support to nomad consul address [GH-12084]
• consul: improve service name validation message to include maximum length requirement [GH-12012]
• core: Enable configuring raft boltdb freelist sync behavior [GH-12107]
• core: The unused protocol_version agent configuration value has been removed. [GH-11600]
• csi: Add pagination parameters to volume snapshot list command [GH-12193]
• csi: Added -secret and -parameter flags to volume snapshot create command [GH-12360]
• csi: Added support for storage topology [GH-12129]
• csi: Allow for concurrent plugin allocations [GH-12078]
• csi: Allow volumes to be re-registered to be updated while not in use [GH-12167]
• csi: Display plugin capabilities in nomad plugin status -verbose output [GH-12116]
• csi: Respect the verbose flag in the output of volume status [GH-12153]
• csi: Sort allocations in plugin status output [GH-12154]
• csi: add flag for providing secrets as a set of key/value pairs to delete a volume [GH-11245]
• csi: allow namespace field to be passed in volume spec [GH-12400]
• deps: Update hashicorp/raft-boltdb to v2.2.0 [GH-12107]
• deps: Update serf library to v0.9.7 [GH-12130]
• deps: Updated hashicorp/consul-template to v0.29.0 [GH-12747]
• deps: Updated hashicorp/raft to v1.3.5 [GH-12079]
• deps: Upgrade kr/pty to creack/pty v1.1.5 [GH-11855]
• deps: use gorilla package for gzip http handler [GH-11843]
• drainer: defer draining CSI plugin jobs until system jobs are drained [GH-12324]
• drivers/raw_exec: Add support for cgroups v2 in raw_exec driver [GH-12419]
• drivers: removed support for restoring tasks created before Nomad 0.9 [GH-12791]
• fingerprint: add support for detecting DigitalOcean environment [[GH-12015](https://github.c...