Nomad

BREAKING CHANGES:

• docker: The default infra_image for pause containers is now registry.k8s.io/pause [GH-23927]

IMPROVEMENTS:

• build: update to go1.22.6 [GH-23805]
• cli: Increase default log level and duration when capturing logs with operator debug [GH-23850]

BUG FIXES:

• node: Fixed bug where sysbatch allocations were started prematurely [GH-23858]

BREAKING CHANGES:

• docker: The default infra_image for pause containers is now registry.k8s.io/pause [GH-23927]

IMPROVEMENTS:

• build: update to go1.22.6 [GH-23805]

BUG FIXES:

• node: Fixed bug where sysbatch allocations were started prematurely [GH-23858]

1.8.4 (September 17, 2024)

BREAKING CHANGES:

• docker: The default infra_image for pause containers is now registry.k8s.io/pause [GH-23927]

IMPROVEMENTS:

• build: update to go1.22.6 [GH-23805]
• cgroups: Allow clients with delegated cgroups check that required cgroup v2 controllers exist [GH-23803]
• docker: Disable cpuset management for non-root clients [GH-23804]
• identity: Added support for server-configured additional claims on the Vault default_identity block [GH-23675]
• namespaces: Allow enabling/disabling allowed network modes per namespace [GH-23813]
• ui: Badge added for Scaled Down jobs [GH-23829]

DEPRECATIONS:

• api: the JobParseRequest.HCLv1 field will be removed in Nomad 1.9.0 [GH-23913]
• jobspec: using the -hcl1 flag for HCLv1 job specifications will now emit a warning at the command line. This feature will be removed in Nomad 1.9.0 [GH-23913]

BUG FIXES:

• identity: Fixed a bug where dispatch and periodic jobs would have their job ID and not parent job ID used when creating the subject claim [GH-23902]
• identity: Fixed a bug where dispatch and periodic jobs would have their job ID and not parent job ID used when interpolating vault.default_identity.extra_claims [GH-23817]
• node: Fixed bug where sysbatch allocations were started prematurely [GH-23858]
• ui: Fix an issue where cmd+click or ctrl+click would double-open a job [GH-23832]

SECURITY:

• security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

• keyring: Added support for prepublishing keys [GH-23577]

BUG FIXES:

• api: Fixed a bug where an api.Config targeting a unix domain socket could not be reused between clients [GH-23785]
• cni: .conf and .json config files are now parsed properly [GH-23629]
• docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
• identity: Fixed a bug where a missing default task identity could panic the leader [GH-23763]
• keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
• keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
• keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
• networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
• scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
• template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
• windows: Fix bug with containers capabilities on Docker CE [GH-23599]

SECURITY:

• security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

• keyring: Added support for prepublishing keys [GH-23577]

BUG FIXES:

• cni: .conf and .json config files are now parsed properly [GH-23629]
• docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
• keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
• keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
• keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
• networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
• scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
• template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
• windows: Fix bug with containers capabilities on Docker CE [GH-23599]

1.8.3 (August 13, 2024)

SECURITY:

• security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

• acl: Submitting a policy with a leading / in a variable path will now return an error to prevent improperly working policies. [GH-23757]
• cli: Added option to return original HCL in job inspect command [GH-23699]
• cli: Added support for updating the roles for an ACL token [GH-18532]
• cli: acl token create will now emit a warning if the token has a policy that does not yet exist [GH-16437]
• keyring: Added support for encrypting the keyring via Vault transit or external KMS [GH-23580]
• keyring: Added support for prepublishing keys [GH-23577]
• metrics: Added client.tasks metrics to track task states [GH-23773]
• resources: Added resources.secrets field to configure size of secrets directory on Linux [GH-23696]
• tls: Allow setting the tls_min_version field to "tls13" [GH-23713]
• ui: added a Pack badge to the jobs index page for jobs run via Nomad Pack [GH-23404]

BUG FIXES:

• api: Fixed a bug where an api.Config targeting a unix domain socket could not be reused between clients [GH-23785]
• cni: .conf and .json config files are now parsed properly [GH-23629]
• cni: network.cni jobspec updates now replace allocs to apply the new network config [GH-23764]
• docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
• identity: Fixed a bug where a missing default task identity could panic the leader [GH-23763]
• keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
• keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
• keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
• networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
• scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
• template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
• ui: Fixed storage/plugin 404s by unescaping a slash character in the request URL [GH-23625]
• windows: Fix bug with containers capabilities on Docker CE [GH-23599]

BREAKING CHANGES:

• docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

• build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
• migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
• security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

• deps: Updated Consul API to 1.29.1. [GH-23436]
• deps: Updated consul-template to 0.39 to allow admin partition and sameness groups queries. [GH-23436]
• docker: Validate that unprivileged containers aren't running as ContainerAdmin on Windows [GH-23443]

BUG FIXES:

• api: Fixed bug where newlines in JobSubmission vars weren't encoded correctly [GH-23560]
• cli: Fixed bug where the plugin status command would fail if the plugin ID was a prefix of another plugin ID [GH-23502]
• cli: Fixed bug where the quota status and quota inspect commands would fail if the quota name was a prefix of another quota name [GH-23502]
• cli: Fixed bug where the scaling policy info command would fail if the policy ID was a prefix of another policy ID [GH-23502]
• cli: Fixed bug where the service info command would fail if the service name was a prefix of another service name in the same namespace [GH-23502]
• cli: Fixed bug where the volume deregister, volume detach, and volume status commands would fail if the volume ID was a prefix of another volume ID in the same namespace [GH-23502]
• consul: Fixed a bug where service registration and Envoy bootstrap would not wait for Consul ACL tokens and services to be replicated to the local agent [GH-23381]
• qemu: Fixed a bug that prevented qemu tasks from running on Linux [GH-23466]
• quota (Enterprise): Fixed a bug where a task's resource core count was not translated to CPU MHz and checked against its quota when performing a job plan [GH-18876]
• scheduler: Fix a bug where reserved resources are not calculated correctly [GH-23386]
• server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [GH-23383]
• template: Fix template rendering on Windows [GH-23432]

BREAKING CHANGES:

• docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

• build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
• migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
• security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

• deps: Updated Consul API to 1.29.1. [GH-23436]
• deps: Updated consul-template to 0.39 to allow admin partition and sameness groups queries. [GH-23436]
• docker: Validate that unprivileged containers aren't running as ContainerAdmin on Windows [GH-23443]

BUG FIXES:

• api: Fixed bug where newlines in JobSubmission vars weren't encoded correctly [GH-23560]
• cli: Fixed bug where the plugin status command would fail if the plugin ID was a prefix of another plugin ID [GH-23502]
• cli: Fixed bug where the quota status and quota inspect commands would fail if the quota name was a prefix of another quota name [GH-23502]
• cli: Fixed bug where the scaling policy info command would fail if the policy ID was a prefix of another policy ID [GH-23502]
• cli: Fixed bug where the service info command would fail if the service name was a prefix of another service name in the same namespace [GH-23502]
• cli: Fixed bug where the volume deregister, volume detach, and volume status commands would fail if the volume ID was a prefix of another volume ID in the same namespace [GH-23502]
• quota (Enterprise): Fixed a bug where a task's resource core count was not translated to CPU MHz and checked against its quota when performing a job plan [GH-18876]
• scheduler: Fix a bug where reserved resources are not calculated correctly [GH-23386]
• server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [GH-23383]
• template: Fix template rendering on Windows [GH-23432]

1.8.2 (July 16, 2024)

BREAKING CHANGES:

• docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

• build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
• migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
• security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

• client: add a preferred_address_family config to prefer ipv4 or ipv6 when deducing IP from network interface [GH-23389]
• cni: allow users to input CNI args in job specification [GH-23538]
• deps: Updated Consul API to 1.29.1. [GH-23436]
• deps: Updated consul-template to 0.39 to allow admin partition and sameness groups queries. [GH-23436]
• docker: Validate that unprivileged containers aren't running as ContainerAdmin on Windows [GH-23443]
• namespaces: Added warnings if deleting namespaces that have existing objects associated with them [GH-23499]
• quota (Enterprise): Allow CPU cores to be configured within a quota [GH-23543]
• scaling: Added -check-index support to job scale command [GH-23457]
• ui: Allow users to create Global ACL tokens from the Administration UI [GH-23506]
• ui: Update headers in the Admin section to use the HashiCorp Design System [GH-23366]
• ui: allow for multiple namespaces in jobs index filters [GH-23468]

BUG FIXES:

• api: Fixed bug where newlines in JobSubmission vars weren't encoded correctly [GH-23560]
• cli: Fixed bug where the plugin status command would fail if the plugin ID was a prefix of another plugin ID [GH-23502]
• cli: Fixed bug where the quota status and quota inspect commands would fail if the quota name was a prefix of another quota name [GH-23502]
• cli: Fixed bug where the scaling policy info command would fail if the policy ID was a prefix of another policy ID [GH-23502]
• cli: Fixed bug where the service info command would fail if the service name was a prefix of another service name in the same namespace [GH-23502]
• cli: Fixed bug where the volume deregister, volume detach, and volume status commands would fail if the volume ID was a prefix of another volume ID in the same namespace [GH-23502]
• consul: Fixed a bug where service registration and Envoy bootstrap would not wait for Consul ACL tokens and services to be replicated to the local agent [GH-23381]
• plugins: Fix panic on systems that don't support NUMA [GH-23399]
• qemu: Fixed a bug that prevented qemu tasks from running on Linux [GH-23466]
• quota (Enterprise): Fixed a bug where a task's resource core count was not translated to CPU MHz and checked against its quota when performing a job plan [GH-18876]
• scheduler: Fix a bug where reserved resources are not calculated correctly [GH-23386]
• server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [GH-23383]
• template: Fix template rendering on Windows [GH-23432]
• ui: Actions run from jobs with explicit name properties now work from the web UI [GH-23553]
• ui: Dont show keyboard nav hints when taking a screenshot [GH-23365]
• ui: Fix an issue where a remotely purged job would prevent redirect from taking place in the web UI [GH-23492]
• ui: Fix an issue where access to Job Templates in the UI was restricted to variable.write access [GH-23458]
• ui: Fix the Upload Jobspec button on the Run Job page [GH-23548]
• ui: Fixed support for namespace parameter on job statuses API [GH-23456]
• ui: fix an issue where gateway timeouts would cause the jobs list to revert to null, gives users a Pause Fetch option [GH-23427]
• vault: Fixed a bug where requests to derive or renew tokens could be sent to the wrong namespace [GH-23491]

1.6.12 Enterprise (June 19, 2024)

SECURITY:

• build: Updated Go to 1.22.4 to address Go stdlib vulnerabilities CVE-2024-24789 and CVE-2024-24790 [GH-23172]

IMPROVEMENTS:

• cli: operator snapshot inspect now includes details of data in snapshot [GH-18372]
• docker: Added container_exists_attempts plugin configuration variable [GH-22419]
• exec: Fixed a bug where exec driver tasks would fail on older versions of glibc [GH-23331]

BUG FIXES:

• acl: Fix plugin policy validation when checking write permissions [GH-23274]
• connect: fix validation with multiple socket paths [GH-22312]
• driver: Fixed a bug where the exec, java, and raw_exec drivers would not configure cgroups to allow access to devices provided by device plugins [GH-22518]
• scheduler: Fixed a bug where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-12319]

1.6.11 Enterprise (May 28, 2024)

SECURITY:

• deps: Updated docker dependency to 25.0.5 [GH-20171]

BUG FIXES:

• cli: Fix handling of scaling jobs which don't generate evals [GH-20479]
• client: terminate old exec task processes before starting new ones, to avoid accidentally leaving running processes in case of an error [GH-20500]
• core: Fix multiple incorrect type conversion for potential overflows [GH-20553]
• csi: Fixed a bug where concurrent mount and unmount operations could unstage volumes needed by another allocation [GH-20550]
• csi: Fixed a bug where plugins would not be deleted on GC if their job updated the plugin ID [GH-20555]
• csi: Fixed a bug where volumes in different namespaces but the same ID would fail to stage on the same client [GH-20532]
• quota (Enterprise): Fixed a bug where quota usage would not be freed if a job was purged
• services: Added retry to Nomad service deregistration RPCs during alloc stop [GH-20596]
• services: Fixed bug where Nomad services might not be deregistered when nodes are marked down or allocations are terminal [GH-20590]
• structs: Fix job canonicalization for array type fields [GH-20522]
• ui: Show the namespace in the web UI exec command hint [GH-20218]

1.7.9 Enterprise (June 19, 2024)

SECURITY:

• build: Updated Go to 1.22.4 to address Go stdlib vulnerabilities CVE-2024-24789 and CVE-2024-24790 [GH-23172]

IMPROVEMENTS:

• cli: operator snapshot inspect now includes details of data in snapshot [GH-18372]
• docker: Added container_exists_attempts plugin configuration variable [GH-22419]
• exec: Fixed a bug where exec driver tasks would fail on older versions of glibc [GH-23331]

BUG FIXES:

• acl: Fix plugin policy validation when checking write permissions [GH-23274]
• connect: fix validation with multiple socket paths [GH-22312]
• consul: (Enterprise) Fixed a bug where gateway config entries were written before Sentinel policies were enforced [GH-22228]
• consul: Fixed a bug where Consul admin partition was not used to login via Consul JWT auth method [GH-22226]
• consul: Fixed a bug where gateway config entries were written to the Nomad server agent's Consul partition and not the client's partition [GH-22228]
• driver: Fixed a bug where the exec, java, and raw_exec drivers would not configure cgroups to allow access to devices provided by device plugins [GH-22518]
• scheduler: Fixed a bug where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-12319]

1.7.8 Enterprise (May 28, 2024)

SECURITY:

• deps: Updated docker dependency to 25.0.5 [GH-20171]

IMPROVEMENTS:

• auth: Add support for authenticating via Workload Identity to the quota and sentinel APIs
• autopilot: Added operator autopilot health command to review Autopilot health data [GH-20156]
• cli: Add -jwks-ca-file argument to setup consul/vault commands [GH-20518]
• client/volumes: Add a mount volume level option for selinux tags on volumes [GH-19839]
• consul: provide tasks that have Consul tokens the CONSUL_HTTP_TOKEN environment variable [GH-20519]
• ui: Improve error and warning messages for invalid variable and job template paths/names [GH-19989]
• ui: Prompt a user before they close an exec window to prevent accidental close-browser-tab shortcuts that overlap with terminal ones [GH-19985]

BUG FIXES:

• cli: Fix handling of scaling jobs which don't generate evals [GH-20479]
• client: Fix unallocated CPU metric calculation when client reserved CPU is set [GH-20543]
• client: terminate old exec task processes before starting new ones, to avoid accidentally leaving running processes in case of an error [GH-20500]
• config: Fixed a panic triggered by registering a job specifying a Vault cluster that has not been configured within the server [GH-22227]
• core: Fix multiple incorrect type conversion for potential overflows [GH-20553]
• csi: Fixed a bug where concurrent mount and unmount operations could unstage volumes needed by another allocation [GH-20550]
• csi: Fixed a bug where plugins would not be deleted on GC if their job updated the plugin ID [GH-20555]
• csi: Fixed a bug where volumes in different namespaces but the same ID would fail to stage on the same client [GH-20532]
• job endpoint: fix implicit constraint mutation for task-level services [GH-22229]
• quota (Enterprise): Fixed a bug where quota usage would not be freed if a job was purged
• services: Added retry to Nomad service deregistration RPCs during alloc stop [GH-20596]
• services: Fixed bug where Nomad services might not be deregistered when nodes are marked down or allocations are terminal [GH-20590]
• structs: Fix job canonicalization for array type fields [GH-20522]
• ui: Fix a bug where the UI would prompt a user to promote a deployment with unplaced canaries [GH-20408]
• ui: Fixed an issue where keynav would not trigger evaluation sidebar expand [GH-20047]
• ui: Show the namespace in the web UI exec command hint [GH-20218]
• windows: Fixed a regression where scanning task processes was inefficient [GH-20619]

1.8.1 (June 19, 2024)

SECURITY:

• build: Updated Go to 1.22.4 to address Go stdlib vulnerabilities CVE-2024-24789 and CVE-2024-24790 [GH-23172]

IMPROVEMENTS:

• api: Add support for setting Notes field for Consul health checks [GH-22397]
• cli: operator snapshot inspect now includes details of data in snapshot [GH-18372]
• docker: Added container_exists_attempts plugin configuration variable [GH-22419]
• docker: Added support for oom_score_adj [GH-23297]
• exec: Fixed a bug where exec driver tasks would fail on older versions of glibc [GH-23331]
• metrics (Enterprise): Publish quota utilization as metrics [GH-22912]
• raw_exec: Added support for oom_score_adj [GH-23308]
• ui: adds a Stopped label for jobs that a user has manually stopped [GH-23328]
• ui: namespace dropdown gets a search field and supports many namespaces [GH-20626]
• ui: shorten client/node metadata/attributes display and make parent-terminal attributes show up [GH-23290]

BUG FIXES:

• acl: Fix plugin policy validation when checking write permissions [GH-23274]
• api: (Enterprise) fixed Allocations.GetPauseState method discarding the task argument [GH-23377]
• client: Fixed a bug where empty task directories would be left behind [GH-23237]
• connect: fix validation with multiple socket paths [GH-22312]
• consul: (Enterprise) Fixed a bug where gateway config entries were written before Sentinel policies were enforced [GH-22228]
• consul: Fixed a bug where Consul admin partition was not used to login via Consul JWT auth method [GH-22226]
• consul: Fixed a bug where gateway config entries were written to the Nomad server agent's Consul partition and not the client's partition [GH-22228]
• driver: Fixed a bug where the exec, java, and raw_exec drivers would not configure cgroups to allow access to devices provided by device plugins [GH-22518]
• scheduler: Fixed a bug where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-12319]
• task schedule: Fixed a bug where schedules wrongly errored as invalid on the last day of the month [GH-23329]
• ui: unbind job detail running allocations count from job-summary endpoint [GH-23306]

1.8.0 (May 28, 2024)

IMPROVEMENTS:

• agent: Added support for systemd readiness notifications [GH-20528]
• api: new /v1/jobs/statuses endpoint collates details about jobs' allocs and latest deployment, intended for use in the updated UI jobs index page [GH-20130]
• artifact: Added support for downloading artifacts without validating the TLS certificate [GH-20126]
• autopilot: Added operator autopilot health command to review Autopilot health data [GH-20156]
• cli: Add -jwks-ca-file argument to setup consul/vault commands [GH-20518]
• client/volumes: Add a mount volume level option for selinux tags on volumes [GH-19839]
• client: expose network namespace bridge/cni configuration values as task env vars [GH-11810]
• connect: Added support for volume_mount blocks on sidecar task overrides [GH-20575]
• consul/connect: Attempt autodetection of podman task driver for Connect gateways [GH-20611]
• consul: provide tasks that have Consul tokens the CONSUL_HTTP_TOKEN environment variable [GH-20519]
• core: Do not create evaluations within batch deregister endpoint during job garbage collection [GH-20510]
• csi: Added support for wildcard namespace to plugin status command [GH-20551]
• deps: Update msgpack to v2 [GH-20173]
• deps: Updated docker dependency to 26.0.1 [GH-20389]
• driver/rawexec: Allow specifying custom cgroups [GH-20481]
• func: Allow custom paths to be added the the getter landlock [GH-20315]
• jobspec: Add a schedule{} block for time based task execution (Enterprise) [GH-22201]
• metrics: Added tracking of enqueue and dequeue times of evaluations to the broker [GH-20329]
• networking: Inject constraints on CNI plugins when using bridge networking [GH-15473]
• scheduler: Added a new configuration to avoid rescheduling allocations if a nodes misses one or more heartbits [GH-19101]
• server: Add new options for reconcilation in case of disconnected nodes [GH-20029]
• ui: Added a UI for creating, editing and deleting Sentinel Policies [GH-20483]
• ui: Added a copy button on Action output [GH-19496]
• ui: Added a new UI block to job spec in order to provide description and links in the Web UI [GH-18292]
• ui: Added token.name information to the top nav for ease of operator debugging [GH-20539]
• ui: Improve error and warning messages for invalid variable and job template paths/names [GH-19989]
• ui: Overhaul of the Jobs Index list page, with live updates, more informative statuses, filter expressions, and pagination [GH-20452]
• ui: Prompt a user before they close an exec window to prevent accidental close-browser-tab shortcuts that overlap with terminal ones [GH-19985]
• ui: Replaced single-line variable value fields with multi-line textarea blocks [GH-19544]
• ui: Updated the style of components in the Variables web ui [GH-19544]
• ui: change the State filter on clients page to split out eligibility and drain status [GH-18607]

BUG FIXES:

• cli: Fix handling of scaling jobs which don't generate evals [GH-20479]
• client: Fix unallocated CPU metric calculation when client reserved CPU is set [GH-20543]
• client: terminate old exec task processes before starting new ones, to avoid accidentally leaving running processes in case of an error [GH-20500]
• config: Fixed a panic triggered by registering a job specifying a Vault cluster that has not been configured within the server [GH-22227]
• core: Fix multiple incorrect type conversion for potential overflows [GH-20553]
• csi: Fixed a bug where concurrent mount and unmount operations could unstage volumes needed by another allocation [GH-20550]
• csi: Fixed a bug where plugins would not be deleted on GC if their job updated the plugin ID [GH-20555]
• csi: Fixed a bug where volumes in different namespaces but the same ID would fail to stage on the same client [GH-20532]
• job endpoint: fix implicit constraint mutation for task-level services [GH-22229]
• quota (Enterprise): Fixed a bug where quota usage would not be freed if a job was purged
• services: Added retry to Nomad service deregistration RPCs during alloc stop [GH-20596]
• services: Fixed bug where Nomad services might not be deregistered when nodes are marked down or allocations are terminal [GH-20590]
• structs: Fix job canonicalization for array type fields [GH-20522]
• ui: Fix a bug where the UI would prompt a user to promote a deployment with unplaced canaries [GH-20408]
• ui: Fixed an issue where keynav would not trigger evaluation sidebar expand [GH-20047]
• ui: Show the namespace in the web UI exec command hint [GH-20218]
• windows: Fixed a regression where scanning task processes was inefficient [GH-20619]

IMPROVEMENTS:

• agent: Added support for systemd readiness notifications [GH-20528]
• api: new /v1/jobs/statuses endpoint collates details about jobs' allocs and latest deployment, intended for use in the updated UI jobs index page [GH-20130]
• artifact: Added support for downloading artifacts without validating the TLS certificate [GH-20126]
• autopilot: Added operator autopilot health command to review Autopilot health data [GH-20156]
• cli: Add -jwks-ca-file argument to setup consul/vault commands [GH-20518]
• client/volumes: Add a mount volume level option for selinux tags on volumes [GH-19839]
• client: expose network namespace bridge/cni configuration values as task env vars [GH-11810]
• connect: Added support for volume_mount blocks on sidecar task overrides [GH-20575]
• consul/connect: Attempt autodetection of podman task driver for Connect gateways [GH-20611]
• consul: provide tasks that have Consul tokens the CONSUL_HTTP_TOKEN environment variable [GH-20519]
• core: Do not create evaluations within batch deregister endpoint during job garbage collection [GH-20510]
• csi: Added support for wildcard namespace to plugin status command [GH-20551]
• deps: Update msgpack to v2 [GH-20173]
• deps: Updated docker dependency to 26.0.1 [GH-20389]
• driver/rawexec: Allow specifying custom cgroups [GH-20481]
• func: Allow custom paths to be added the the getter landlock [GH-20315]
• jobspec: Add a schedule{} block for time based task execution (Enterprise) [GH-22201]
• metrics: Added tracking of enqueue and dequeue times of evaluations to the broker [GH-20329]
• networking: Inject constraints on CNI plugins when using bridge networking [GH-15473]
• scheduler: Added a new configuration to avoid rescheduling allocations if a nodes misses one or more heartbits [GH-19101]
• server: Add new options for reconcilation in case of disconnected nodes [GH-20029]
• ui: Added a UI for creating, editing and deleting Sentinel Policies [GH-20483]
• ui: Added a copy button on Action output [GH-19496]
• ui: Added a new UI block to job spec in order to provide description and links in the Web UI [GH-18292]
• ui: Added token.name information to the top nav for ease of operator debugging [GH-20539]
• ui: Improve error and warning messages for invalid variable and job template paths/names [GH-19989]
• ui: Overhaul of the Jobs Index list page, with live updates, more informative statuses, filter expressions, and pagination [GH-20452]
• ui: Prompt a user before they close an exec window to prevent accidental close-browser-tab shortcuts that overlap with terminal ones [GH-19985]
• ui: Replaced single-line variable value fields with multi-line textarea blocks [GH-19544]
• ui: Updated the style of components in the Variables web ui [GH-19544]
• ui: change the State filter on clients page to split out eligibility and drain status [GH-18607]

BUG FIXES:

• cli: Fix handling of scaling jobs which don't generate evals [GH-20479]
• client: Fix unallocated CPU metric calculation when client reserved CPU is set [GH-20543]
• client: terminate old exec task processes before starting new ones, to avoid accidentally leaving running processes in case of an error [GH-20500]
• core: Fix multiple incorrect type conversion for potential overflows [GH-20553]
• csi: Fixed a bug where concurrent mount and unmount operations could unstage volumes needed by another allocation [GH-20550]
• csi: Fixed a bug where plugins would not be deleted on GC if their job updated the plugin ID [GH-20555]
• csi: Fixed a bug where volumes in different namespaces but the same ID would fail to stage on the same client [GH-20532]
• quota (Enterprise): Fixed a bug where quota usage would not be freed if a job was purged
• services: Added retry to Nomad service deregistration RPCs during alloc stop [GH-20596]
• services: Fixed bug where Nomad services might not be deregistered when nodes are marked down or allocations are terminal [GH-20590]
• structs: Fix job canonicalization for array type fields [GH-20522]
• ui: Fix a bug where the UI would prompt a user to promote a deployment with unplaced canaries [GH-20408]
• ui: Fixed an issue where keynav would not trigger evaluation sidebar expand [GH-20047]
• ui: Show the namespace in the web UI exec command hint [GH-20218]
• windows: Fixed a regression where scanning task processes was inefficient [GH-20619]

1.8.0 (Unreleased)

IMPROVEMENTS:

• agent: Added support for systemd readiness notifications [GH-20528]
• api: new /v1/jobs/statuses endpoint collates details about jobs' allocs and latest deployment, intended for use in the updated UI jobs index page [GH-20130]
• artifact: Added support for downloading artifacts without validating the TLS certificate [GH-20126]
• autopilot: Added operator autopilot health command to review Autopilot health data [GH-20156]
• cli: Add -jwks-ca-file argument to setup consul/vault commands [GH-20518]
• client/volumes: Add a mount volume level option for selinux tags on volumes [GH-19839]
• consul: provide tasks that have Consul tokens the CONSUL_HTTP_TOKEN environment variable [GH-20519]
• core: Do not create evaluations within batch deregister endpoint during job garbage collection [GH-20510]
• deps: Update msgpack to v2 [GH-20173]
• deps: Updated docker dependency to 26.0.1 [GH-20389]
• func: Allow custom paths to be added the the getter landlock [GH-20315]
• metrics: Added tracking of enqueue and dequeue times of evaluations to the broker [GH-20329]
• networking: Inject constraints on CNI plugins when using bridge networking [GH-15473]
• scheduler: Added a new configuration to avoid rescheduling allocations if a nodes misses one or more heartbits [GH-19101]
• server: Add new options for reconcilation in case of disconnected nodes [GH-20029]
• ui: Added a copy button on Action output [GH-19496]
• ui: Improve error and warning messages for invalid variable and job template paths/names [GH-19989]
• ui: Overhaul of the Jobs Index list page, with live updates, more informative statuses, filter expressions, and pagination [GH-20452]
• ui: Prompt a user before they close an exec window to prevent accidental close-browser-tab shortcuts that overlap with terminal ones [GH-19985]
• ui: Replaced single-line variable value fields with multi-line textarea blocks [GH-19544]
• ui: Updated the style of components in the Variables web ui [GH-19544]
• ui: change the State filter on clients page to split out eligibility and drain status [GH-18607]

BUG FIXES:

• cli: Fix handling of scaling jobs which don't generate evals [GH-20479]
• quota (Enterprise): Fixed a bug where quota usage would not be freed if a job was purged
• ui: Fix a bug where the UI would prompt a user to promote a deployment with unplaced canaries [GH-20408]
• ui: Fixed an issue where keynav would not trigger evaluation sidebar expand [GH-20047]
• ui: Show the namespace in the web UI exec command hint [GH-20218]

1.7.7 (April 16, 2024)

SECURITY:

• artifact: Updated go-getter dependency to v1.7.4 to address CVE-2024-3817 [GH-20391]

IMPROVEMENTS:

• autopilot: add Enterprise health information to autopilot API [GH-20153]
• cli: Collect only one heap profile per operator debug interval [GH-20219]
• consul/connect: Added support for TLS configuration, headers configuration, and request limit configuration to ingress service block [GH-16753]
• consul/connect: Added support for destination partition in upstream block [GH-20167]
• scheduler: Record exhausted node metrics for devices when preemption fails to find an allocation to evict [GH-20346]
• ui: When you re-bind keyboard shortcuts they now correctly show up in shift-held hints [GH-20235]

BUG FIXES:

• agent: allow configuration of in-memory telemetry sink [GH-20166]
• api: Fixed a bug where AllocDirStats field was missing from Read Stats client API [GH-20261]
• cli: Fixed a bug where operator debug did not respect the -pprof-interval flag and would take only one profile [GH-20206]
• cni: Fixed a regression where default DNS set by dockerd or other task drivers was not respected [GH-20189]
• config: Fixed a bug where IPv6 addresses were not accepted without ports for client.servers blocks [GH-20324]
• consul: Fixed a bug where services with interpolation would not get correctly signed Workload Identities [GH-20344]
• deployments: Fixed a goroutine leak when jobs are purged [GH-20348]
• deps: Updated consul-template dependency to 0.37.4 to fix a resource leak [GH-20234]
• docker: Fixed a bug where cpuset cgroup would not be updated on cgroup v1 systems [GH-20294]
• docker: Fixed a bug where cpuset would not be updated on cgroup v2 systems using cgroupfs [GH-20276]
• drain: Fixed a bug where Workload Identity tokens could not be used to drain a node [GH-20317]
• namespace/node pool: Fixed a bug where the -region flag would not be respected for namespace and node pool updates if ACLs were disabled [GH-20220]
• state: Fixed a bug where restarting a server could fail if the Raft logs include a drain update that used a now-expired token [GH-20317]
• template: Fixed a bug where a partial client.template block would cause defaults for unspecified fields to be ignored [GH-20165]
• ui: Fix an issue where the job status box would error if an allocation had no task events [GH-20383]

1.5.17 (April 16, 2024)

SECURITY:

• artifact: Updated go-getter dependency to v1.7.4 to address CVE-2024-3817 [GH-20391]

BUG FIXES:

• api: Fixed a bug where AllocDirStats field was missing from Read Stats client API [GH-20261]
• cli: Fixed a bug where operator debug did not respect the -pprof-interval flag and would take only one profile [GH-20206]
• cni: Fixed a regression where default DNS set by dockerd or other task drivers was not respected [GH-20189]
• config: Fixed a bug where IPv6 addresses were not accepted without ports for client.servers blocks [GH-20324]
• deployments: Fixed a goroutine leak when jobs are purged [GH-20348]
• deps: Updated consul-template dependency to 0.37.4 to fix a resource leak [GH-20234]
• drain: Fixed a bug where Workload Identity tokens could not be used to drain a node [GH-20317]
• state: Fixed a bug where restarting a server could fail if the Raft logs include a drain update that used a now-expired token [GH-20317]
• template: Fixed a bug where a partial client.template block would cause defaults for unspecified fields to be ignored [GH-20165]

1.6.10 (April 16, 2024)

SECURITY:

• artifact: Updated go-getter dependency to v1.7.4 to address CVE-2024-3817 [GH-20391]

BUG FIXES:

• api: Fixed a bug where AllocDirStats field was missing from Read Stats client API [GH-20261]
• cli: Fixed a bug where operator debug did not respect the -pprof-interval flag and would take only one profile [GH-20206]
• cni: Fixed a regression where default DNS set by dockerd or other task drivers was not respected [GH-20189]
• config: Fixed a bug where IPv6 addresses were not accepted without ports for client.servers blocks [GH-20324]
• deployments: Fixed a goroutine leak when jobs are purged [GH-20348]
• deps: Updated consul-template dependency to 0.37.4 to fix a resource leak [GH-20234]
• drain: Fixed a bug where Workload Identity tokens could not be used to drain a node [GH-20317]
• namespace/node pool: Fixed a bug where the -region flag would not be respected for namespace and node pool updates if ACLs were disabled [GH-20220]
• state: Fixed a bug where restarting a server could fail if the Raft logs include a drain update that used a now-expired token [GH-20317]
• template: Fixed a bug where a partial client.template block would cause defaults for unspecified fields to be ignored [GH-20165]
• ui: Fix an issue where the job status box would error if an allocation had no task events [GH-20383]