Nomad

SECURITY:

• security: Upgrade tooling to Go 1.25.8 [GH-27653]

IMPROVEMENTS:

• acl (Enterprise): Added sentinel policy block to allow managing Sentinel policies without a management token [GH-27556]
• acl: Added fine-grained ACL capabilities for saving snapshots and reading the Enterprise license [GH-27525]
• acl: Added fine-grained ACL capability for rotating the keyring [GH-27526]
• agent: Added agent.tls.cert.expiration_seconds and agent.tls.ca.expiration_seconds telemetry data points to track TLS certificate expiration. [GH-27538]
• cli: Added autocompletions for ACL auth method, binding rule, policy, and token subcommands [GH-27505]
• cli: Improved options autocompletions for various commands [GH-27506]
• cli: Reduced server overhead when dispatching jobs or forcing periodic jobs from the CLI [GH-27631]
• cli: Truncate results when job commands return a large set of jobs that match the provided ID prefix [GH-27631]
• consul (enterprise): adds ability to specify cluster specific consul tokens with environment variables [GH-27574]
• events: Added a Deleted flag to JobDeregistered event type to differentiate between stopped and deleted jobs [GH-27614]

BUG FIXES:

• acl: Fixed a bug where a bearer-token authenticated request could panic the handler for checking claims [GH-27550]
• artifact: Fix artifact inspection when using file mode [GH-27552]
• config: Fixed a bug where the keyring block could only be specified a maximum of two times [GH-27579]
• config: Fixed parsing of Vault and Consul blocks as JSON that included objects such as task_identity [GH-27595]
• consul: fixes bug where clients were passing node token to connect envoy container, causing acl not found errors [GH-27574]
• core: Fixed system jobs being rescheduled after a node is drained and marked eligible again [GH-27499]
• deployments: Fixed a bug where a task group dropped from a system job could cause deployment state to be overwritten incorrectly [GH-27604]
• deployments: Fixed a bug where system job canary state could be incorrectly changed after a promotion [GH-27497]
• deployments: Fixed a bug where system job deployments would not be marked healthy even though all allocations were healthy [GH-27497]
• drivers: Pass error when included in fingerprint response [GH-27537]
• dynamic host volumes: Fixed a bug with sticky volumes where replacement allocations would not use the previous volume claim [GH-27613]
• http: Ensure the correct HTTP protocol version is set on event stream responses [GH-27586]
• job status: Fixes regression setting job status when jobs have matching prefix [GH-27516]
• keyring (Enterprise): Fixed a bug where in mixed-version clusters with pre-1.9 servers, a keyring rotation that returns an error for an unavailable KMS could prevent future server restarts [GH-27581]
• scheduler: Fix a potential panic in the system scheduler when deploying jobs with multiple task groups and infeasible nodes that become feasible [GH-27571]
• scheduler: Fixed a bug where system deployments would not complete on clusters with pre-1.11.0 nodes [GH-27605]
• state: Fixed a potential state store corruption bug in the service/batch scheduler and deployment watcher [GH-27548]

1.11.1 (December 09, 2025)

BREAKING CHANGES:

• docker: removed deprecated email auth config parameter [GH-27156]

SECURITY:

• build: Updated toolchain to Go 1.25.5 [GH-27186]

IMPROVEMENTS:

• connect: allow configuring identities for sidecar_task [GH-25877]
• landlock: check paths exist on setup [GH-27149]
• oidc: add support for array-based OIDC claims [GH-26958]
• qemu: Adds config parameters to modify qemu emulator binary and machine types and removes some hardcoded KVM accelerator settings. Defaults to previously used values of qemu-system-x86_64 and pc. The driver no longer forces machine type "host", or the -smp flag when using resources.cores with the KVM accelerator. [GH-27128]
• secrets: Adds nomad job ID and namespace to plugin environment [GH-27207]

BUG FIXES:

• acl: Made /agent and /recommendations endpoints workload-identity-aware [GH-27099]
• acl: include additional necessary permissions in the course-grained "scale" policy for nomad-autoscaler [GH-27061]
• api: Fixed a bug in the Go API where an event stream request without a topic filter would require a management token [GH-27065]
• cli: Fixed the var get command which was incorrectly displaying the variable modify time as the create time [GH-27208]
• client: return 403 when the caller doesn't have log streaming capabilities [GH-27098]
• csi: Fixed a bug where reading a volume from the API or event stream could erase its secrets [GH-27176]
• drain: Fixed a bug where clients configured with leave_on_terminate or leave_on_interrupt and drain_on_shutdown would receive a permission denied error when attempting to leave the cluster and drain themselves [GH-27115]
• dynamic host volumes: Ensure requested directory permission is correctly applied [GH-27068]
• dynamic host volumes: fix Windows compatibility [GH-27147]
• fingerprint: simplify storage fingerprint calculation to just (total disk space - reserved disk) [GH-27019]
• keyring: Do not mark the key as inactive until all follow-up rekey evals have completed. [GH-27193]
• keyring: Ensure follow-up rekey evals can be successfully created. [GH-27193]
• oidc: Add support for RFC9207, requiring an issuer param in authorization response if the provider requires it [GH-27168]
• reconciler: fixes a bug where stopping a job does not stop all allocations [GH-27175]
• scheduler (Enterprise): Fixed a bug where tasks were not placed on same numa node as reserved device [GH-27177]
• scheduler: Fixed a bug that was previously patched incorrectly where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-27129]
• server: Fixed a bug where a large backlog of unblocking evals could cause backpressure on Raft writes [GH-27184]
• ui: Fixed the error message presented for invalid Variables definitions [GH-26235]