HashiCorp/Nomad

Nomad

Aug 13, 2025
v1.9.12 (Enterprise)

1.9.12 Enterprise (August 13, 2025)

SECURITY:

  • build: Update Go to 1.24.3 to address CVE-2025-47906 [GH-26451]

BUG FIXES:

  • alloc exec: Fixed executor panic when exec-ing a rootless raw_exec task [GH-26401]
  • client: run all allocrunner postrun (cleanup) hooks, even if any of them error [GH-26271]
  • consul: Add AllocIPv6 option to allow IPv6 address being used for service registration [GH-25632]
  • jobspec: Validate required hook field in lifecycle block [GH-26285]
  • reporting (Enterprise): Fixed a bug where older servers could panic if the leader upgrades to version with offline reporting
  • services: Fixed a bug where Nomad services were deleted if a node missed heartbeats and recovered before allocs were migrated [GH-26424]

1.10.4 (August 13, 2025)

SECURITY:

  • build: Update Go to 1.24.3 to address CVE-2025-47906 [GH-26451]

IMPROVEMENTS:

  • cli: Added monitor export cli command to retrieve journald logs or the contents of the Nomad log file for a given Nomad agent [GH-26178]
  • command: Add historical log capture to nomad operator debug command with -log-lookback and -log-file-export flags [GH-26410]
  • metrics: Added node_pool label to blocked_evals metrics [GH-26215]
  • sentinel (Enterprise): Added policy scope for csi-volumes [GH-26438]

BUG FIXES:

  • alloc exec: Fixed executor panic when exec-ing a rootless raw_exec task [GH-26401]
  • cli: Fixed a bug where acl policy self command would output all policies when used with a management token [GH-26396]
  • client: run all allocrunner postrun (cleanup) hooks, even if any of them error [GH-26271]
  • consul: Add AllocIPv6 option to allow IPv6 address being used for service registration [GH-25632]
  • jobspec: Validate required hook field in lifecycle block [GH-26285]
  • services: Fixed a bug where Nomad services were deleted if a node missed heartbeats and recovered before allocs were migrated [GH-26424]
Jul 8, 2025
v1.9.11 (Enterprise)

1.9.11 Enterprise (July 8, 2025)

BUG FIXES:

  • agent: Fixed a bug to prevent a possible panic during graceful shutdown [GH-26018]
  • agent: Fixed a bug to prevent panic during graceful server shutdown [GH-26171]
  • agent: Fixed bug where agent would exit early from graceful shutdown when managed by systemd [GH-26023]
  • cli: Fixed a bug in the tls cert create command that always added "<role>.global.nomad" to the certificate DNS names, even when the specified region was not "global". [GH-26086]
  • client: Fixed bug where drained batch jobs would not be rescheduled if no eligible nodes were immediately available [GH-26025]
  • docker: Fixed a bug where very low resources.cpu values could generate invalid cpu weights on hosts with very large client.cpu_total_compute values [GH-26081]
  • tls: Fixed a bug where reloading the Nomad server process with an updated tls.verify_server_hostname configuration parameter would not apply an update to internal RPC handler verification and require a full server restart [GH-26107]
  • vault: Fixed a bug where non-periodic tokens would not have their TTL incremented to the lease duration [GH-26041]
v1.8.15 (Enterprise)

1.8.15 Enterprise (July 8, 2025)

BUG FIXES:

  • agent: Fixed a bug to prevent a possible panic during graceful shutdown [GH-26018]
  • agent: Fixed a bug to prevent panic during graceful server shutdown [GH-26171]
  • agent: Fixed bug where agent would exit early from graceful shutdown when managed by systemd [GH-26023]
  • cli: Fixed a bug in the tls cert create command that always added "<role>.global.nomad" to the certificate DNS names, even when the specified region was not "global". [GH-26086]
  • client: Fixed bug where drained batch jobs would not be rescheduled if no eligible nodes were immediately available [GH-26025]
  • docker: Fixed a bug where very low resources.cpu values could generate invalid cpu weights on hosts with very large client.cpu_total_compute values [GH-26081]
  • encrypter: Fixes a bug where waiting for the active keyset wouldn't return correctly
  • tls: Fixed a bug where reloading the Nomad server process with an updated tls.verify_server_hostname configuration parameter would not apply an update to internal RPC handler verification and require a full server restart [GH-26107]
  • vault: Fixed a bug where non-periodic tokens would not have their TTL incremented to the lease duration [GH-26041]

1.10.3 (July 08, 2025)

IMPROVEMENTS:

  • consul: Added kind field to service block for Consul service registrations [GH-26170]
  • docker: Added support for cgroup namespaces in the task config [GH-25927]
  • task environment: new NOMAD_UNIX_ADDR env var points to the task API unix socket, for use with workload identity [GH-25598]

BUG FIXES:

  • agent: Fixed a bug to prevent a possible panic during graceful shutdown [GH-26018]
  • agent: Fixed a bug to prevent panic during graceful server shutdown [GH-26171]
  • agent: Fixed bug where agent would exit early from graceful shutdown when managed by systemd [GH-26023]
  • cli: Fix panic when restarting stopped job with no scaling policies [GH-26131]
  • cli: Fixed a bug in the tls cert create command that always added "<role>.global.nomad" to the certificate DNS names, even when the specified region was not "global". [GH-26086]
  • cli: Fixed a bug where the acl token self command only performed lookups for tokens set as environment variables and not by the -token flag. [GH-26183]
  • client: Attempt to rollback directory creation when the mkdir plugin fails to perform ownership changes on it [GH-26194]
  • client: Fixed bug where drained batch jobs would not be rescheduled if no eligible nodes were immediately available [GH-26025]
  • docker: Fixed a bug where very low resources.cpu values could generate invalid cpu weights on hosts with very large client.cpu_total_compute values [GH-26081]
  • host volumes: Fixed a bug where volumes with server-terminal allocations could be deleted from clients but not the state store [GH-26213]
  • tls: Fixed a bug where reloading the Nomad server process with an updated tls.verify_server_hostname configuration parameter would not apply an update to internal RPC handler verification and require a full server restart [GH-26107]
  • vault: Fixed a bug where non-periodic tokens would not have their TTL incremented to the lease duration [GH-26041]
Jun 10, 2025
v1.8.14 (Enterprise)

1.8.14 Enterprise (June 10, 2025)

BREAKING CHANGES:

  • template: Support for the following non-hermetic sprig functions has been removed: sprig_date, sprig_dateInZone, sprig_dateModify, sprig_htmlDate, sprig_htmlDateInZone, sprig_dateInZone, sprig_dateModify, sprig_randAlphaNum, sprig_randAlpha, sprig_randAscii, sprig_randNumeric, sprig_randBytes, sprig_uuidv4, sprig_env, sprig_expandenv, and sprig_getHostByName. [GH-25998]

SECURITY:

  • identity: Fixed bug where workload identity policies are matched by job ID prefix (CVE-2025-4922) [GH-25869]
  • template: Bump the consul-template version to resolve CVE-2025-27144, CVE-2025-22869, CVE-2025-22870 and CVE-2025-22872. [GH-25998]
  • template: Removed support for the non-hermetic sprig_env, sprig_expandenv, and sprig_getHostByName sprig functions to prevent potential leakage of environment or network information, since they can allow reading environment variables or resolving domain names to IP addresses. [GH-25998]

IMPROVEMENTS:

  • reporting (Enterprise): Added support for offline utilization reporting [GH-25844]

BUG FIXES:

  • client: Fixed a bug where disconnect.stop_on_client_after timeouts were extended or ignored [GH-25946]
  • csi: Fixed -secret values not being sent with the nomad volume snapshot delete command [GH-26022]
  • disconnect: Fixed a bug where pending evals for reconnected allocs were not cancelled [GH-25923]
  • driver: Allow resources.cpu values above the maximum cpu.share value on Linux [GH-25963]
  • job: Ensure sidecar task volume_mounts are added to planning diff object [GH-25878]
  • reconnecting client: fix issue where reconcile strategy was sometimes ignored [GH-25799]
  • scaling: Set the scaling policies to disabled when a job is stopped [GH-25911]
  • scheduler: Fixed a bug where a node with no affinity could be selected over a node with low affinity [GH-25800]
  • scheduler: Fixed a bug where planning or running a system job with constraints & previously running allocations would return a failed allocation error [GH-25850]
  • telemetry: Fix excess CPU consumption from alloc stats collection [GH-25870]
  • telemetry: Fixed a bug where alloc stats were still collected (but not published) if telemetry.publish_allocation_metrics=false. [GH-25870]
  • vault: Fixed a bug where poststop tasks could not obtain Vault tokens after the main task failed
v1.9.10 (Enterprise)

1.9.10 Enterprise (June 10, 2025)

BREAKING CHANGES:

  • template: Support for the following non-hermetic sprig functions has been removed: sprig_date, sprig_dateInZone, sprig_dateModify, sprig_htmlDate, sprig_htmlDateInZone, sprig_dateInZone, sprig_dateModify, sprig_randAlphaNum, sprig_randAlpha, sprig_randAscii, sprig_randNumeric, sprig_randBytes, sprig_uuidv4, sprig_env, sprig_expandenv, and sprig_getHostByName. [GH-25998]

SECURITY:

  • identity: Fixed bug where workload identity policies are matched by job ID prefix (CVE-2025-4922) [GH-25869]
  • template: Bump the consul-template version to resolve CVE-2025-27144, CVE-2025-22869, CVE-2025-22870 and CVE-2025-22872. [GH-25998]
  • template: Removed support for the non-hermetic sprig_env, sprig_expandenv, and sprig_getHostByName sprig functions to prevent potential leakage of environment or network information, since they can allow reading environment variables or resolving domain names to IP addresses. [GH-25998]

IMPROVEMENTS:

  • reporting (Enterprise): Added support for offline utilization reporting [GH-25844]

BUG FIXES:

  • client: Fixed a bug where disconnect.stop_on_client_after timeouts were extended or ignored [GH-25946]
  • csi: Fixed -secret values not being sent with the nomad volume snapshot delete command [GH-26022]
  • disconnect: Fixed a bug where pending evals for reconnected allocs were not cancelled [GH-25923]
  • driver: Allow resources.cpu values above the maximum cpu.share value on Linux [GH-25963]
  • job: Ensure sidecar task volume_mounts are added to planning diff object [GH-25878]
  • reconnecting client: fix issue where reconcile strategy was sometimes ignored [GH-25799]
  • scaling: Set the scaling policies to disabled when a job is stopped [GH-25911]
  • scheduler: Fixed a bug where a node with no affinity could be selected over a node with low affinity [GH-25800]
  • scheduler: Fixed a bug where planning or running a system job with constraints & previously running allocations would return a failed allocation error [GH-25850]
  • telemetry: Fix excess CPU consumption from alloc stats collection [GH-25870]
  • telemetry: Fixed a bug where alloc stats were still collected (but not published) if telemetry.publish_allocation_metrics=false. [GH-25870]
  • vault: Fixed a bug where poststop tasks could not obtain Vault tokens after the main task failed

1.10.2 (June 09, 2025)

BREAKING CHANGES:

  • template: Support for the following non-hermetic sprig functions has been removed: sprig_date, sprig_dateInZone, sprig_dateModify, sprig_htmlDate, sprig_htmlDateInZone, sprig_dateInZone, sprig_dateModify, sprig_randAlphaNum, sprig_randAlpha, sprig_randAscii, sprig_randNumeric, sprig_randBytes, sprig_uuidv4, sprig_env, sprig_expandenv, and sprig_getHostByName. [GH-25998]

SECURITY:

  • identity: Fixed bug where workload identity policies are matched by job ID prefix (CVE-2025-4922) [GH-25869]
  • template: Bump the consul-template version to resolve CVE-2025-27144, CVE-2025-22869, CVE-2025-22870 and CVE-2025-22872. [GH-25998]
  • template: Removed support for the non-hermetic sprig_env, sprig_expandenv, and sprig_getHostByName sprig functions to prevent potential leakage of environment or network information, since they can allow reading environment variables or resolving domain names to IP addresses. [GH-25998]

IMPROVEMENTS:

  • cli: Added job start command to allow starting a stopped job from the cli [GH-24150]
  • client: Add gc_volumes_on_node_gc configuration to delete host volumes when nodes are garbage collected [GH-25903]
  • client: add ability to set maximum allocation count by adding node_max_allocs to client configuration [GH-25785]
  • host volumes: Add -force flag to volume delete command for removing volumes from GC'd nodes [GH-25902]
  • identity: Allow ACL policies to be applied to a namespace [GH-25871]
  • ipv6: bind and advertise addresses are now made to adhere to RFC-5952 §4 (reference: https://www.rfc-editor.org/rfc/rfc5952.html#section-4) [GH-25921]
  • reporting (Enterprise): Added support for offline utilization reporting [GH-25844]
  • template: adds ability to specify once mode for job templates [GH-25922]
  • wi: new API endpoint for listing workload-attached ACL policies [GH-25588]

BUG FIXES:

  • api: Fixed pagination bug which could result in duplicate results [GH-25792]
  • client: Fixed a bug where disconnect.stop_on_client_after timeouts were extended or ignored [GH-25946]
  • csi: Fixed -secret values not being sent with the nomad volume snapshot delete command [GH-26022]
  • disconnect: Fixed a bug where pending evals for reconnected allocs were not cancelled [GH-25923]
  • driver: Allow resources.cpu values above the maximum cpu.share value on Linux [GH-25963]
  • job: Ensure sidecar task volume_mounts are added to planning diff object [GH-25878]
  • reconnecting client: fix issue where reconcile strategy was sometimes ignored [GH-25799]
  • scaling: Set the scaling policies to disabled when a job is stopped [GH-25911]
  • scheduler: Fixed a bug where a node with no affinity could be selected over a node with low affinity [GH-25800]
  • scheduler: Fixed a bug where planning or running a system job with constraints & previously running allocations would return a failed allocation error [GH-25850]
  • telemetry: Fix excess CPU consumption from alloc stats collection [GH-25870]
  • telemetry: Fixed a bug where alloc stats were still collected (but not published) if telemetry.publish_allocation_metrics=false. [GH-25870]
  • ui: Fix incorrect calculation of permissions when ACLs are disabled which meant actions such as client drains were incorrectly blocked [GH-25881]
May 13, 2025
v1.9.9 (Enterprise)

BREAKING CHANGES:

  • core: Errors encountered when reloading agent configuration will now cause agents to exit. Previously, configuration errors during reloads were only logged, which could leave agents running but unable to communicate [GH-25721]

SECURITY:

  • build: Update Go to 1.24.3 to address CVE-2025-22873 [GH-25818]
  • sentinel (Enterprise): Fixed a bug where in some cases hard-mandatory policies could be overridden with -policy-override. CVE-2025-3744.

BUG FIXES:

  • agent: Fixed a bug where reloading the agent with systemd notification enabled would cause the agent to be killed by system [GH-25636]
  • api: Fixed pagination bug which could result in duplicate results [GH-25792]
  • cli: Respect NOMAD_REGION environment variable in operator debug command [GH-25716]
  • client: fix failure cleaning up namespace on batch jobs [GH-25714]
  • docker: Fix missing stats for rss, cache and swap memory for cgroups v1 [GH-25741]
  • encrypter: Refactor startup decryption task handling to avoid timing problems with task addition on FSM restore [GH-25795]
  • metrics: Fixed a bug where RSS and cache stats would not be reported for docker, exec, and java drivers under Linux cgroups v2 [GH-25751]
  • scheduler: Fixed a bug in accounting for resources.cores that could prevent placements on nodes with available cores [GH-25705]
  • scheduler: Fixed a bug where draining a node with canaries could result in a stuck deployment [GH-25726]
  • scheduler: Fixed a bug where updating the rescheduler tracker could corrupt the state store [GH-25698]
  • scheduler: Use core ID when selecting cores. This fixes a panic in the scheduler when the reservable_cores is not a contiguous list of core IDs. [GH-25340]
  • server: Added a new server configuration option named start_timeout with a default value of 30s. This duration is used to monitor the server setup and startup processes which must complete before it is considered healthy, such as keyring decryption. If these processes do not complete before the timeout is reached, the server process will exit. [GH-25803]
  • ui: Fixed a bug where the job list page incorrectly calculated if a job had paused tasks. [GH-25742]
v1.8.13 (Enterprise)

BREAKING CHANGES:

  • core: Errors encountered when reloading agent configuration will now cause agents to exit. Previously, configuration errors during reloads were only logged, which could leave agents running but unable to communicate [GH-25721]

SECURITY:

  • build: Update Go to 1.24.3 to address CVE-2025-22873 [GH-25818]
  • sentinel (Enterprise): Fixed a bug where in some cases hard-mandatory policies could be overridden with -policy-override. CVE-2025-3744.

BUG FIXES:

  • agent: Fixed a bug where reloading the agent with systemd notification enabled would cause the agent to be killed by system [GH-25636]
  • api: Fixed pagination bug which could result in duplicate results [GH-25792]
  • cli: Respect NOMAD_REGION environment variable in operator debug command [GH-25716]
  • client: fix failure cleaning up namespace on batch jobs [GH-25714]
  • metrics: Fixed a bug where RSS and cache stats would not be reported for docker, exec, and java drivers under Linux cgroups v2 [GH-25751]
  • scheduler: Fixed a bug in accounting for resources.cores that could prevent placements on nodes with available cores [GH-25705]
  • scheduler: Fixed a bug where draining a node with canaries could result in a stuck deployment [GH-25726]
  • scheduler: Fixed a bug where updating the rescheduler tracker could corrupt the state store [GH-25698]
  • scheduler: Use core ID when selecting cores. This fixes a panic in the scheduler when the reservable_cores is not a contiguous list of core IDs. [GH-25340]
  • ui: Fixed a bug where the job list page incorrectly calculated if a job had paused tasks. [GH-25742]

1.10.1 (May 13, 2025)

BREAKING CHANGES:

  • api: The non-functional option -peer-address has been removed from the operator raft remove-peer command and equivalent API [GH-25599]
  • core: Errors encountered when reloading agent configuration will now cause agents to exit. Previously, configuration errors during reloads were only logged, which could leave agents running but unable to communicate [GH-25721]

SECURITY:

  • build: Update Go to 1.24.3 to address CVE-2025-22873 [GH-25818]

IMPROVEMENTS:

  • command: added priority flag to job dispatch command [GH-25622]

BUG FIXES:

  • agent: Fixed a bug where reloading the agent with systemd notification enabled would cause the agent to be killed by system [GH-25636]
  • cli: Respect NOMAD_REGION environment variable in operator debug command [GH-25716]
  • client: fix failure cleaning up namespace on batch jobs [GH-25714]
  • docker: Fix missing stats for rss, cache and swap memory for cgroups v1 [GH-25741]
  • encrypter: Refactor startup decryption task handling to avoid timing problems with task addition on FSM restore [GH-25795]
  • java: Fixed a bug where the default task user was set to 'nobody' on Windows [GH-25648]
  • metrics: Fixed a bug where RSS and cache stats would not be reported for docker, exec, and java drivers under Linux cgroups v2 [GH-25751]
  • scheduler: Fixed a bug in accounting for resources.cores that could prevent placements on nodes with available cores [GH-25705]
  • scheduler: Fixed a bug where draining a node with canaries could result in a stuck deployment [GH-25726]
  • scheduler: Fixed a bug where updating the rescheduler tracker could corrupt the state store [GH-25698]
  • scheduler: Use core ID when selecting cores. This fixes a panic in the scheduler when the reservable_cores is not a contiguous list of core IDs. [GH-25340]
  • server: Added a new server configuration option named start_timeout with a default value of 30s. This duration is used to monitor the server setup and startup processes which must complete before it is considered healthy, such as keyring decryption. If these processes do not complete before the timeout is reached, the server process will exit. [GH-25803]
  • ui: Fixed a bug where the job list page incorrectly calculated if a job had paused tasks. [GH-25742]
Apr 10, 2025
v1.8.12 (Enterprise)

IMPROVEMENTS:

  • build: Updated Go to 1.24.2 [GH-25623]
  • client: Improve memory usage by dropping references to task environment [GH-25373]
  • cni: Add a warning log when CNI check commands fail [GH-25581]

BUG FIXES:

  • client: remove blocking call during client gc [GH-25123]
  • client: skip a task group's shutdown_delay when all tasks have already been deregistered [GH-25157]
  • csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
  • csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
  • csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
  • csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
  • drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
  • job: Ensure migrate block difference is added to planning diff object [GH-25528]
  • server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
  • services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
  • services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]
v1.9.8 (Enterprise)

IMPROVEMENTS:

  • build: Updated Go to 1.24.2 [GH-25623]
  • client: Improve memory usage by dropping references to task environment [GH-25373]
  • cni: Add a warning log when CNI check commands fail [GH-25581]
  • ui: Makes jobs list filtering case-insensitive [GH-25378]

BUG FIXES:

  • client: remove blocking call during client gc [GH-25123]
  • client: skip a task group's shutdown_delay when all tasks have already been deregistered [GH-25157]
  • csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
  • csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
  • csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
  • csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
  • drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
  • job: Ensure migrate block difference is added to planning diff object [GH-25528]
  • server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
  • services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
  • services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]
Apr 9, 2025

1.10.0 (April 09, 2025)

FEATURES:

  • Dynamic Host Volumes: Nomad now supports creating host volumes via the API [GH-24479]
  • OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]
  • Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]

BREAKING CHANGES:

  • agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
  • api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
  • consul: Identities are no longer added to tasks by default when they include a template block. Please see Nomad's upgrade guide for more detail. [GH-25298]
  • consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
  • disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
  • drivers: remove remote task support for task drivers [GH-24909]
  • sentinel: The sentinel apply command now requires the -scope option [GH-24601]
  • vault: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25155]

IMPROVEMENTS:

  • cli: Add -group option to alloc exec, alloc logs, alloc fs commands [GH-25568]
  • cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
  • client: Fixed a bug where JSON formatted logs would not show the requested and overlapping cores when failing to reserve cores [GH-25523]
  • client: Improve memory usage by dropping references to task environment [GH-25373]
  • cni: Add a warning log when CNI check commands fail [GH-25581]
  • csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
  • csi: Added CSI volume and plugin events to the event stream [GH-24724]
  • csi: Show volume capabilities in the volume status command [GH-25173]
  • drivers/docker: adds image_pull_timeout to plugin config options [GH-25489]
  • drivers/rawexec: adds denied_envvars to driver and task config options [GH-25511]
  • rawexec: add support for setting the task user on windows platform [GH-25496]
  • rpc: Added ability to configure yamux session parameters [GH-25466]
  • ui: Added Dynamic Host Volumes to the web UI [GH-25224]
  • ui: Added a scope selector for sentinel policy page [GH-25390]
  • ui: Makes jobs list filtering case-insensitive [GH-25378]
  • ui: Updated icons to the newest design system [GH-25353]

DEPRECATIONS:

  • api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
  • quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

  • client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
  • client: remove blocking call during client gc [GH-25123]
  • client: skip a task group's shutdown_delay when all tasks have already been deregistered [GH-25157]
  • csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
  • csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
  • csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
  • csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
  • drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
  • job: Ensure migrate block difference is added to planning diff object [GH-25528]
  • scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]
  • server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
  • services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
  • services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]
Apr 3, 2025

1.10.0-rc.1 (April 3, 2025)

FEATURES:

  • Dynamic Host Volumes: Nomad now supports creating host volumes via the API [GH-24479]
  • OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]
  • Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]

BREAKING CHANGES:

  • agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
  • api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
  • consul: Identities are no longer added to tasks by default when they include a template block. Please see Nomad's upgrade guide for more detail. [GH-25298]
  • consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
  • disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
  • drivers: remove remote task support for task drivers [GH-24909]
  • sentinel: The sentinel apply command now requires the -scope option [GH-24601]
  • vault: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25155]

IMPROVEMENTS:

  • cli: Add -group option to alloc exec, alloc logs, alloc fs commands [GH-25568]
  • cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
  • client: Fixed a bug where JSON formatted logs would not show the requested and overlapping cores when failing to reserve cores [GH-25523]
  • client: Improve memory usage by dropping references to task environment [GH-25373]
  • cni: Add a warning log when CNI check commands fail [GH-25581]
  • csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
  • csi: Added CSI volume and plugin events to the event stream [GH-24724]
  • csi: Show volume capabilities in the volume status command [GH-25173]
  • drivers/docker: adds image_pull_timeout to plugin config options [GH-25489]
  • drivers/rawexec: adds denied_envvars to driver and task config options [GH-25511]
  • rawexec: add support for setting the task user on windows platform [GH-25496]
  • rpc: Added ability to configure yamux session parameters [GH-25466]
  • ui: Added Dynamic Host Volumes to the web UI [GH-25224]
  • ui: Added a scope selector for sentinel policy page [GH-25390]
  • ui: Makes jobs list filtering case-insensitive [GH-25378]
  • ui: Updated icons to the newest design system [GH-25353]

DEPRECATIONS:

  • api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
  • quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

  • client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
  • client: remove blocking call during client gc [GH-25123]
  • client: skip a task group's shutdown_delay when all tasks have already been deregistered [GH-25157]
  • csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
  • csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
  • csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
  • csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
  • drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
  • job: Ensure migrate block difference is added to planning diff object [GH-25528]
  • scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]
  • server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
  • services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
  • services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]

Mar 12, 2025

FEATURES:

  • Dynamic Host Volumes: Nomad now supports creating host volumes via the API. [GH-24479]
  • Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]
  • OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]

BREAKING CHANGES:

  • agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
  • api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
  • consul: Identities are no longer added to tasks by default when they include a template block. Please see Nomad's upgrade guide for more detail. [GH-25298]
  • consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
  • disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
  • drivers: remove remote task support for task drivers [GH-24909]
  • sentinel: The sentinel apply command now requires the -scope option [GH-24601]
  • vault: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25155]

IMPROVEMENTS:

  • cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
  • csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
  • csi: Added CSI volume and plugin events to the event stream [GH-24724]
  • csi: Show volume capabilities in the volume status command [GH-25173]
  • ui: Added Dynamic Host Volumes to the web UI [GH-25224]

DEPRECATIONS:

  • api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
  • quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

  • client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
  • scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]

Mar 11, 2025
v1.7.19 (Enterprise)

BREAKING CHANGES:

  • node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

IMPROVEMENTS:

  • build: Updated Go to 1.24.1 [GH-25249]
  • metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]

BUG FIXES:

  • cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
  • cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
  • csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
  • hcl: Avoid panics by checking null values on durations [GH-25294]
  • scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
  • template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
  • template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or more template blocks. [GH-25140]

v1.8.11 (Enterprise)

BREAKING CHANGES:

  • node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

IMPROVEMENTS:

  • build: Updated Go to 1.24.1 [GH-25249]
  • metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]

BUG FIXES:

  • cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
  • cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
  • csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
  • rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely [GH-25201]
  • scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
  • template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
  • template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or more template blocks. [GH-25140]

1.9.7 (March 11, 2025)

BREAKING CHANGES:

  • node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

IMPROVEMENTS:

  • build: Updated Go to 1.24.1 [GH-25249]
  • config: Allow disabling wait in client config [GH-25255]
  • cpustats: Add config "cpu_disable_dmidecode" to disable cpu detection using dmidecode [GH-25108]
  • metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]
  • ui: System, Batch and Sysbatch jobs get a "Revert to prev version" button on their main pages [GH-25104]

BUG FIXES:

  • cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
  • cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
  • csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
  • fingerprint: Fixed a bug where Consul/Vault would never be fingerprinted if not available on agent start [GH-25102]
  • hcl: Avoid panics by checking null values on durations [GH-25294]
  • rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely [GH-25201]
  • scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
  • template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
  • template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or more template blocks. [GH-25140]

Feb 11, 2025
v1.7.18 (Enterprise)

SECURITY:

  • api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
  • build: Updated Go to 1.23.6 [GH-25041]
  • event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilities on any namespace the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

  • auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
  • event stream: adds ability to authenticate using workload identities [GH-24849]

BUG FIXES:

  • agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
  • agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
  • client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
  • csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
  • networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
  • reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
  • state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
  • ui: Ensure pending service check blocks are filled [GH-24818]
  • ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
  • vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

Latest: v2.0.0-rc.1
Tracking since: Nov 16, 2023
Last fetched: Apr 19, 2026