v1.9.7

1.9.7 (March 11, 2025)

BREAKING CHANGES:

• node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

• auth: Redact OIDC client secret from API responses and event stream (CVE-2025-1296) [GH-25328]

IMPROVEMENTS:

• build: Updated Go to 1.24.1 [GH-25249]
• config: Allow disabling wait in client config [GH-25255]
• cpustats: Add config "cpu_disable_dmidecode" to disable cpu detection using dmidecode [GH-25108]
• metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]
• ui: System, Batch and Sysbatch jobs get a "Revert to prev version" button on their main pages [GH-25104]

BUG FIXES:

• cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
• cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
• csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
• fingerprint: Fixed a bug where Consul/Vault would never be fingerprinted if not available on agent start [GH-25102]
• hcl: Avoid panics by checking null values on durations [GH-25294]
• rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely [GH-25201]
• scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
• template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
• template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the
  quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or
  more template blocks. [GH-25140]

v1.8.11 (Enterprise)

BREAKING CHANGES:

• node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

• auth: Redact OIDC client secret from API responses and event stream (CVE-2025-1296) [GH-25328]

IMPROVEMENTS:

• build: Updated Go to 1.24.1 [GH-25249]
• metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]

BUG FIXES:

• cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
• cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
• csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
• rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely [GH-25201]
• scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
• template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
• template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or more template blocks. [GH-25140]

v1.7.19 (Enterprise)

BREAKING CHANGES:

• node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

• auth: Redact OIDC client secret from API responses and event stream (CVE-2025-1296) [GH-25328]

IMPROVEMENTS:

• build: Updated Go to 1.24.1 [GH-25249]
• metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]

BUG FIXES:

• cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
• cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
• csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
• hcl: Avoid panics by checking null values on durations [GH-25294]
• scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
• template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
• template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or more template blocks. [GH-25140]

v1.9.6

1.9.6 (February 11, 2025)

BREAKING CHANGES:

• fingerprint: Consul and Vault fingerprints no longer reload periodically [GH-24526]

SECURITY:

• api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
• build: Updated Go to 1.23.6 [GH-25041]
• event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilites on any namespace, the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

• auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
• cli: Added actions available to a job when running nomad job status command [GH-24959]
• event stream: adds ability to authenticate using workload identities [GH-24849]
• services: Nomad service checks now support the tls_skip_verify parameter [GH-24781]
• task schedule: The task being paused no longer impacts restart attempts [GH-25085]
• ui: Contextualizes the Start Job button on whether it is startable, revertable, or not [GH-24985]

BUG FIXES:

• agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
• agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
• client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
• csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
• docker: Fixed a bug that prevented image_pull_timeout from being applied [GH-24991]
• docker: Fixed a bug where "error reading image pull progress" caused the allocation to get stuck pending [GH-24981]
• reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
• state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
• taskrunner: fix panic when a task with dynamic user is recovered [GH-24739]
• ui: Ensure pending service check blocks are filled [GH-24818]
• ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
• vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

v1.8.10 (Enterprise)

SECURITY:

• api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
• build: Updated Go to 1.23.6 [GH-25041]
• event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilites on any namespace, the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

• auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
• event stream: adds ability to authenticate using workload identities [GH-24849]

BUG FIXES:

• agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
• agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
• client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
• csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
• networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
• reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
• state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
• taskrunner: fix panic when a task with dynamic user is recovered [GH-24739]
• ui: Ensure pending service check blocks are filled [GH-24818]
• ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
• vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

v1.7.18 (Enterprise)

SECURITY:

• api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
• build: Updated Go to 1.23.6 [GH-25041]
• event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilites on any namespace, the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

• auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
• event stream: adds ability to authenticate using workload identities [GH-24849]

BUG FIXES:

• agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
• agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
• client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
• csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
• networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
• reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
• state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
• ui: Ensure pending service check blocks are filled [GH-24818]
• ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
• vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

v1.9.5

1.9.5 (January 14, 2025)

IMPROVEMENTS:

• client: Add noswap mount option to secrets directory where supported on Linux [GH-24645]
• deps: Upgraded aws-sdk-go from v1 to v2 [GH-24720]
• keyring: Warn if deleting a key previously used to encrypt an existing variable [GH-24766]
• ui: Added possibility to supply HCL variable values on job submission [GH-24622]
• ui: add leadership status for servers in other regions [GH-24723]

BUG FIXES:

• docker: Fix a bug where images with port number and no tags weren't parsed correctly [GH-24547]
• driver/docker: Fix container CPU stats collection where previous CPU stats were missing and causing incorrect calculations [GH-24768]
• drivers: validate logmon plugin during reattach [GH-24798]
• networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]

v1.8.9 (Enterprise)

IMPROVEMENTS:

• api: Sanitise hcl variables before storage on JobSubmission [GH-24423]
• deps: Upgraded aws-sdk-go from v1 to v2 [GH-24720]

BUG FIXES:

• drivers: validate logmon plugin during reattach [GH-24798]

v1.7.17 (Enterprise)

IMPROVEMENTS:

• deps: Upgraded aws-sdk-go from v1 to v2 [GH-24720]

BUG FIXES:

• drivers: validate logmon plugin during reattach [GH-24798]

v1.7.16 (Enterprise)

SECURITY:

• api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
• security: Added more host environment variables to the default deny list for tasks [GH-24540]
• security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
• security: add executeTemplate to default template function_denylist [GH-24541]

BUG FIXES:

• agent: Fixed a bug where retry_join gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561]
• cli: Ensure the operator autopilot health command only outputs JSON when the json flag is supplied [GH-24655]
• consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
• consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
• csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
• csi: Removed redundant namespace output from volume status command [GH-24432]
• discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
• drivers: fix executor leak when drivers error starting tasks [GH-24495]
• executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
• fix: handles consul template re-renders on client restart [GH-24399]
• networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
• scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
• vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]
• windows: Restore process accounting logic from Nomad 1.6.x [GH-24494]