Nomad v1.3.1 Release Notes

Release Date: 2022-05-19 // about 1 month ago
  • ๐Ÿ”’ SECURITY:

    • ๐Ÿ‘ท A vulnerability was identified in the go-getter library that Nomad uses for its artifacts such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. CVE-2022-30324 [GH-13057]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  agent: fixed a panic on startup when the server.protocol_version config parameter was set [GH-12962]

Previous changes from v1.3.0

  • ๐Ÿ”‹ FEATURES:

    • Edge compute improvements: Added support for reconnecting healthy allocations when disconnected clients reconnect. [GH-12476]
    • Native service discovery: Register and discover services using builtin simple service discovery. [GH-12368]

    ๐Ÿ’ฅ BREAKING CHANGES:

    • โฌ‡๏ธ agent: The state database on both clients and servers will automatically migrate its underlying database on startup. Downgrading to a previous version of an agent after upgrading it to Nomad 1.3 is not supported. [GH-12107]
    • โฌ‡๏ธ client: The client state store will be automatically migrated to a new schema version when upgrading a client. Downgrading to a previous version of the client after upgrading it to Nomad 1.3 is not supported. To downgrade safely, users should erase the Nomad client's data directory. [GH-12078]
    • connect: Consul Service Identity ACL tokens automatically generated for Connect services are now created as Local rather than Global tokens. Nomad clusters with Connect services making cross-Consul ๐Ÿ”ง datacenter requests will need to ensure their Consul agents are configured with anonymous ACL tokens of sufficient node and service read permissions. [GH-8068]
    • ๐Ÿ‘ connect: The minimum Consul version supported by Nomad's Connect integration is now Consul v1.8.0. [GH-8068]
    • ๐Ÿš€ csi: The client filesystem layout for CSI plugins has been updated to correctly handle the lifecycle of multiple allocations serving the same plugin. Running plugin tasks will not be updated after upgrading the client, but it is recommended to redeploy CSI plugin jobs after upgrading the cluster. [GH-12078]
    • โฌ‡๏ธ raft: The default raft protocol version is now 3 so you must follow the Upgrading to Raft Protocol 3 guide when upgrading an existing cluster to Nomad 1.3.0. Downgrading the raft protocol version is not supported. [GH-11572]

    ๐Ÿ”’ SECURITY:

    • server: validate mTLS certificate names on agent to agent endpoints [GH-11956]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • agent: Switch from boltdb/bolt to go.etcd.io/bbolt [GH-12107]
    • api: Add related query parameter to the Evaluation details endpoint [GH-12305]
    • ๐Ÿ‘ท api: Add support for filtering and pagination to the jobs and volumes list endpoint [GH-12186]
    • ๐Ÿ‘ api: Add support for filtering and pagination to the node list endpoint [GH-12727]
    • ๐Ÿ‘ api: Add support for filtering, sorting, and pagination to the ACL tokens and allocations list endpoint [GH-12186]
    • ๐Ÿ‘ท api: Added ParseHCLOpts helper func to ease parsing HCLv1 jobspecs [GH-12777]
    • api: CSI secrets for list and delete snapshots are now passed in HTTP headers [GH-12144]
    • ๐Ÿ”Š api: AllocFS.Logs now explicitly closes frames channel after being canceled [GH-12248]
    • 0๏ธโƒฃ api: default to using DefaultPooledTransport client to support keep-alive by default [GH-12492]
    • ๐Ÿš€ api: filter values of evaluation and deployment list api endpoints [GH-12034]
    • ๐Ÿš€ api: sort return values of evaluation and deployment list api endpoints by creation index [GH-12054]
    • ๐Ÿ— build: make targets now respect GOBIN variable [GH-12077]
    • โฌ†๏ธ build: upgrade and speedup circleci configuration [GH-11889]
    • ๐Ÿ‘ท cli: Added -json flag to nomad job {run,plan,validate} to support parsing JSON formatted jobs [GH-12591]
    • cli: Added -os flag to node status to display operating system name [GH-12388]
    • cli: Added nomad operator api command to ease querying Nomad's HTTP API. [GH-10808]
    • cli: CSI secrets argument for volume snapshot list has been made consistent with volume snapshot delete [GH-12144]
    • cli: Return a redacted value for mount flags in the volume status command, instead of <none> [GH-12150]
    • cli: operator debug command now skips generating pprofs to avoid a panic on Nomad 0.11.2. 0.11.1, and 0.11.0 [GH-12807]
    • ๐Ÿ”ง cli: add nomad config validate command to check configuration files without an agent [GH-9198]
    • cli: added -pprof-interval to nomad operator debug command [GH-11938]
    • cli: display the Raft version instead of the Serf protocol in the nomad server members command [GH-12317]
    • cli: rename the nomad server members -detailed flag to -verbose so it matches other commands [GH-12317]
    • client: Added NOMAD_SHORT_ALLOC_ID allocation env var [GH-12603]
    • client: Allow interpolation of the network.dns block [GH-12021]
    • client: Download up to 3 artifacts concurrently [GH-11531]
    • ๐Ÿ‘ client: Enable support for cgroups v2 [GH-12274]
    • ๐Ÿ–จ client: fingerprint AWS instance life cycle option [GH-12371]
    • client: set NOMAD_CPU_CORES environment variable when reserving cpu cores [GH-12496]
    • connect: automatically set alloc_id in envoy_stats_tags configuration [GH-12543]
    • connect: bootstrap envoy sidecars using -proxy-for [GH-12011]
    • consul/connect: write Envoy bootstrapping information to disk for debugging [GH-11975]
    • consul: Added implicit Consul constraint for task groups utilising Consul service and check registrations [GH-12602]
    • ๐Ÿ‘ consul: add go-sockaddr templating support to nomad consul address [GH-12084]
    • consul: improve service name validation message to include maximum length requirement [GH-12012]
    • ๐Ÿ”ง core: Enable configuring raft boltdb freelist sync behavior [GH-12107]
    • ๐Ÿ”ง core: The unused protocol_version agent configuration value has been removed. [GH-11600]
    • csi: Add pagination parameters to volume snapshot list command [GH-12193]
    • csi: Added -secret and -parameter flags to volume snapshot create command [GH-12360]
    • ๐Ÿ‘ csi: Added support for storage topology [GH-12129]
    • ๐Ÿ”Œ csi: Allow for concurrent plugin allocations [GH-12078]
    • โšก๏ธ csi: Allow volumes to be re-registered to be updated while not in use [GH-12167]
    • ๐Ÿ”Œ csi: Display plugin capabilities in nomad plugin status -verbose output [GH-12116]
    • csi: Respect the verbose flag in the output of volume status [GH-12153]
    • ๐Ÿ”Œ csi: Sort allocations in plugin status output [GH-12154]
    • csi: add flag for providing secrets as a set of key/value pairs to delete a volume [GH-11245]
    • csi: allow namespace field to be passed in volume spec [GH-12400]
    • โšก๏ธ deps: Update hashicorp/raft-boltdb to v2.2.0 [GH-12107]
    • โšก๏ธ deps: Update serf library to v0.9.7 [GH-12130]
    • โšก๏ธ deps: Updated hashicorp/consul-template to v0.29.0 [GH-12747]
    • โšก๏ธ deps: Updated hashicorp/raft to v1.3.5 [GH-12079]
    • โฌ†๏ธ deps: Upgrade kr/pty to creack/pty v1.1.5 [GH-11855]
    • ๐Ÿ“ฆ deps: use gorilla package for gzip http handler [GH-11843]
    • ๐Ÿ”Œ drainer: defer draining CSI plugin jobs until system jobs are drained [GH-12324]
    • ๐Ÿ‘ drivers/raw_exec: Add support for cgroups v2 in raw_exec driver [GH-12419]
    • ๐Ÿšš drivers: removed support for restoring tasks created before Nomad 0.9 [GH-12791]
    • ๐Ÿ–จ fingerprint: add support for detecting DigitalOcean environment [GH-12015]
    • metrics: Emit metrics regarding raft boltdb operations [GH-12107]
    • metrics: emit nomad.vault.token_last_renewal and nomad.vault.token_next_renewal metrics for Vault token renewal information [GH-12435]
    • ๐Ÿ“‡ namespaces: Allow adding custom metadata to namespaces. [GH-12138]
    • namespaces: Allow enabling/disabling allowed drivers per namespace. [GH-11807]
    • 0๏ธโƒฃ raft: The default raft protocol version is now 3. [GH-11572]
    • โฑ scheduler: Seed node shuffling with the evaluation ID to make the order reproducible [GH-12008]
    • โฑ scheduler: recover scheduler goroutines on panic [GH-12009]
    • server: Transfer Raft leadership in case the Nomad server fails to establish leadership [GH-12293]
    • โฌ‡๏ธ server: store and check previous Raft protocol version to prevent downgrades [GH-12362]
    • services: Enable setting arbitrary address on Nomad or Consul service registration [GH-12720]
    • โฌ†๏ธ template: Upgraded to from consul-template v0.25.2 to v0.28.0 which includes the sprig library of functions and more. [GH-12312]
    • ๐Ÿ’ป ui: added visual indicators for disconnected allocations and client nodes [GH-12544]
    • ๐Ÿ’ป ui: break long service tags into multiple lines [GH-11995]
    • ๐Ÿ’ป ui: change sort-order of evaluations to be reverse-chronological [GH-12847]
    • ๐Ÿ’ป ui: make buttons with confirmation more descriptive of their actions [GH-12252]

    ๐Ÿ—„ DEPRECATIONS:

    • ๐Ÿšš Raft protocol version 2 is deprecated and will be removed in Nomad 1.4.0. [GH-11572]

    ๐Ÿ› BUG FIXES:

    • api: Apply prefix filter when querying CSI volumes in all namespaces [GH-12184]
    • cleanup: prevent leaks from time.After [GH-11983]
    • ๐Ÿ›  client: Fixed a bug that could prevent a preempting alloc from ever starting. [GH-12779]
    • ๐Ÿ›  client: Fixed a bug where clients that retry blocking queries would not reset the correct blocking duration [GH-12593]
    • ๐Ÿ›  config: Fixed a bug where the reservable_cores setting was not respected [GH-12044]
    • ๐Ÿ‘ท core: Fixed auto-promotion of canaries in jobs with at least one task group without canaries. [GH-11878]
    • core: prevent malformed plans from crashing leader [GH-11944]
    • ๐Ÿ”Œ csi: Fixed a bug where plugin status commands could choose the incorrect plugin if a plugin with a name that matched the same prefix existed. [GH-12194]
    • ๐Ÿ”Œ csi: Fixed a bug where volume snapshot list did not correctly filter by plugin IDs. The -plugin parameter is required. [GH-12197]
    • โฑ csi: Fixed a bug where allocations with volume claims would fail their first placement after a reschedule [GH-12113]
    • โช csi: Fixed a bug where allocations with volume claims would fail to restore after a client restart [GH-12113]
    • ๐Ÿ”Œ csi: Fixed a bug where creating snapshots required a plugin ID instead of falling back to the volume's plugin ID [GH-12195]
    • ๐Ÿ›  csi: Fixed a bug where fields were missing from the Read Volume API response [GH-12178]
    • ๐Ÿ›  csi: Fixed a bug where garbage collected nodes would block releasing a volume [GH-12350]
    • ๐Ÿ›  csi: Fixed a bug where per-alloc volumes used the incorrect ID when querying for alloc status -verbose [GH-12573]
    • โšก๏ธ csi: Fixed a bug where plugin configuration updates were not considered destructive [GH-12774]
    • ๐Ÿ”Œ csi: Fixed a bug where plugins would not restart if they failed any time after a client restart [GH-12752]
    • ๐Ÿ”Œ csi: Fixed a bug where plugins written in NodeJS could fail to fingerprint [GH-12359]
    • ๐Ÿ”Œ csi: Fixed a bug where purging a job with a missing plugin would fail [GH-12114]
    • ๐Ÿ›  csi: Fixed a bug where single-use access modes were not enforced during validation [GH-12337]
    • ๐Ÿ›  csi: Fixed a bug where the maximum number of volume claims was incorrectly enforced when an allocation claims a volume [GH-12112]
    • ๐Ÿ”Œ csi: Fixed a bug where the plugin instance manager would not retry the initial gRPC connection to plugins [GH-12057]
    • ๐Ÿ”Œ csi: Fixed a bug where the plugin supervisor would not restart the task if it failed to connect to the plugin [GH-12057]
    • ๐Ÿ›  csi: Fixed a bug where volume snapshot timestamps were always zero values [GH-12352]
    • ๐Ÿ”Œ csi: Fixed bug where accessing plugins was subject to a data race [GH-12553]
    • ๐Ÿ›  csi: fixed a bug where volume detach, volume deregister, and volume status commands did not accept an exact ID if multiple volumes matched the prefix [GH-12051]
    • ๐Ÿ”Œ csi: provide CSI_ENDPOINT environment variable to plugin tasks [GH-12050]
    • ๐Ÿ‘ท jobspec: Fixed a bug where connect sidecar resources were ignored when using HCL1 [GH-11927]
    • ๐Ÿ›  lifecycle: Fixed a bug where successful poststart tasks were marked as unhealthy [GH-11945]
    • ๐Ÿ›  recommendations (Enterprise): Fixed a bug where the recommendations list RPC incorrectly forwarded requests to the authoritative region [GH-12040]
    • โšก๏ธ scheduler: fixed a bug where in-place updates on ineligible nodes would be ignored [GH-12264]
    • server: Write peers.json file with correct permissions [GH-12369]
    • ๐Ÿ›  template: Fixed a bug preventing allowing all consul-template functions. [GH-12312]
    • 0๏ธโƒฃ template: Fixed a bug where the default function_denylist would be appended to a specified list [GH-12071]
    • ๐Ÿ’ป ui: Fix the link target for CSI volumes on the task detail page [GH-11896]
    • ๐Ÿ’ป ui: Fixed a bug where volumes were being incorrectly linked when per_alloc=true [GH-12713]
    • ๐Ÿ‘ท ui: fix broken link to task-groups in the Recent Allocations table in the Job Detail overview page. [GH-12765]
    • ๐Ÿ’ป ui: fix the unit for the task row memory usage metric [GH-11980]