v1.10.1

1.10.1 (May 13, 2025)

BREAKING CHANGES:

• api: The non-functional option -peer-address has been removed from the operator raft remove-peer command and equivalent API [GH-25599]
• core: Errors encountered when reloading agent configuration will now cause agents to exit. Before configuration errors during reloads were only logged. This could lead to agents running but unable to communicate [GH-25721]

SECURITY:

• build: Update Go to 1.24.3 to address CVE-2025-22873 [GH-25818]

IMPROVEMENTS:

• command: added priority flag to job dispatch command [GH-25622]

BUG FIXES:

• agent: Fixed a bug where reloading the agent with systemd notification enabled would cause the agent to be killed by system [GH-25636]
• cli: Respect NOMAD_REGION environment variable in operator debug command [GH-25716]
• client: fix failure cleaning up namespace on batch jobs [GH-25714]
• docker: Fix missing stats for rss, cache and swap memory for cgroups v1 [GH-25741]
• encrypter: Refactor startup decryption task handling to avoid timing problems with task addition on FSM restore [GH-25795]
• java: Fixed a bug where the default task user was set to 'nobody' on Windows [GH-25648]
• metrics: Fixed a bug where RSS and cache stats would not be reported for docker, exec, and java drivers under Linux cgroups v2 [GH-25751]
• scheduler: Fixed a bug in accounting for resources.cores that could prevent placements on nodes with available cores [GH-25705]
• scheduler: Fixed a bug where draining a node with canaries could result in a stuck deployment [GH-25726]
• scheduler: Fixed a bug where updating the rescheduler tracker could corrupt the state store [GH-25698]
• scheduler: Use core ID when selecting cores. This fixes a panic in the scheduler when the reservable_cores is not a contiguous list of core IDs. [GH-25340]
• server: Added a new server configuration option named start_timeout with a default value of 30s. This duration is used to monitor the server setup and startup processes which must complete before it is considered healthy, such as keyring decryption. If these processes do not complete before the timeout is reached, the server process will exit. [GH-25803]
• ui: Fixed a bug where the job list page incorrectly calculated if a job had paused tasks. [GH-25742]

v1.9.9 (Enterprise)

BREAKING CHANGES:

• core: Errors encountered when reloading agent configuration will now cause agents to exit. Before configuration errors during reloads were only logged. This could lead to agents running but unable to communicate [GH-25721]

SECURITY:

• build: Update Go to 1.24.3 to address CVE-2025-22873 [GH-25818]
• sentinel (Enterprise): Fixed a bug where in some cases hard-mandatory policies could be overridden with -policy-override. CVE-2025-3744.

BUG FIXES:

• agent: Fixed a bug where reloading the agent with systemd notification enabled would cause the agent to be killed by system [GH-25636]
• api: Fixed pagination bug which could result in duplicate results [GH-25792]
• cli: Respect NOMAD_REGION environment variable in operator debug command [GH-25716]
• client: fix failure cleaning up namespace on batch jobs [GH-25714]
• docker: Fix missing stats for rss, cache and swap memory for cgroups v1 [GH-25741]
• encrypter: Refactor startup decryption task handling to avoid timing problems with task addition on FSM restore [GH-25795]
• metrics: Fixed a bug where RSS and cache stats would not be reported for docker, exec, and java drivers under Linux cgroups v2 [GH-25751]
• scheduler: Fixed a bug in accounting for resources.cores that could prevent placements on nodes with available cores [GH-25705]
• scheduler: Fixed a bug where draining a node with canaries could result in a stuck deployment [GH-25726]
• scheduler: Fixed a bug where updating the rescheduler tracker could corrupt the state store [GH-25698]
• scheduler: Use core ID when selecting cores. This fixes a panic in the scheduler when the reservable_cores is not a contiguous list of core IDs. [GH-25340]
• server: Added a new server configuration option named start_timeout with a default value of 30s. This duration is used to monitor the server setup and startup processes which must complete before it is considered healthy, such as keyring decryption. If these processes do not complete before the timeout is reached, the server process will exit. [GH-25803]
• ui: Fixed a bug where the job list page incorrectly calculated if a job had paused tasks. [GH-25742]

v1.8.13 (Enterprise)

BREAKING CHANGES:

• core: Errors encountered when reloading agent configuration will now cause agents to exit. Before configuration errors during reloads were only logged. This could lead to agents running but unable to communicate [GH-25721]

SECURITY:

• build: Update Go to 1.24.3 to address CVE-2025-22873 [GH-25818]
• sentinel (Enterprise): Fixed a bug where in some cases hard-mandatory policies could be overridden with -policy-override. CVE-2025-3744.

BUG FIXES:

• agent: Fixed a bug where reloading the agent with systemd notification enabled would cause the agent to be killed by system [GH-25636]
• api: Fixed pagination bug which could result in duplicate results [GH-25792]
• cli: Respect NOMAD_REGION environment variable in operator debug command [GH-25716]
• client: fix failure cleaning up namespace on batch jobs [GH-25714]
• metrics: Fixed a bug where RSS and cache stats would not be reported for docker, exec, and java drivers under Linux cgroups v2 [GH-25751]
• scheduler: Fixed a bug in accounting for resources.cores that could prevent placements on nodes with available cores [GH-25705]
• scheduler: Fixed a bug where draining a node with canaries could result in a stuck deployment [GH-25726]
• scheduler: Fixed a bug where updating the rescheduler tracker could corrupt the state store [GH-25698]
• scheduler: Use core ID when selecting cores. This fixes a panic in the scheduler when the reservable_cores is not a contiguous list of core IDs. [GH-25340]
• ui: Fixed a bug where the job list page incorrectly calculated if a job had paused tasks. [GH-25742]

v1.9.8 (Enterprise)

IMPROVEMENTS:

• build: Updated Go to 1.24.2 [GH-25623]
• client: Improve memory usage by dropping references to task environment [GH-25373]
• cni: Add a warning log when CNI check commands fail [GH-25581]
• ui: Makes jobs list filtering case-insensitive [GH-25378]

BUG FIXES:

• client: remove blocking call during client gc [GH-25123]
• client: skip a task groups shutdown_delay when all tasks have already been deregistered [GH-25157]
• csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
• csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
• csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
• csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
• drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
• job: Ensure migrate block difference is added to planning diff object [GH-25528]
• server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
• services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
• services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]

v1.8.12 (Enterprise)

IMPROVEMENTS:

• build: Updated Go to 1.24.2 [GH-25623]
• client: Improve memory usage by dropping references to task environment [GH-25373]
• cni: Add a warning log when CNI check commands fail [GH-25581]

BUG FIXES:

• client: remove blocking call during client gc [GH-25123]
• client: skip a task groups shutdown_delay when all tasks have already been deregistered [GH-25157]
• csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
• csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
• csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
• csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
• drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
• job: Ensure migrate block difference is added to planning diff object [GH-25528]
• server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
• services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
• services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]

v1.10.0

1.10.0 (April 09, 2025)

FEATURES:

• Dynamic Host Volumes: Nomad now supports creating host volumes via the API [GH-24479]
• OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]
• Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]

BREAKING CHANGES:

• agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
• api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
• consul: Identities are no longer added to tasks by default when they include a template block.
  Please see Nomad's upgrade guide
  for more detail. [GH-25298]
• consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
• disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
• drivers: remove remote task support for task drivers [GH-24909]
• sentinel: The sentinel apply command now requires the -scope option [GH-24601]
• vault: The deprecated token-based authentication workflow for allocations has been removed. Please
  see Nomad's upgrade guide for
  more detail. [GH-25155]

IMPROVEMENTS:

• cli: Add -group option to alloc exec, alloc logs, alloc fs commands [GH-25568]
• cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
• client: Fixed a bug where JSON formatted logs would not show the requested and overlapping cores when failing to reserve cores [GH-25523]
• client: Improve memory usage by dropping references to task environment [GH-25373]
• cni: Add a warning log when CNI check commands fail [GH-25581]
• csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
• csi: Added CSI volume and plugin events to the event stream [GH-24724]
• csi: Show volume capabilities in the volume status command [GH-25173]
• drivers/docker: adds image_pull_timeout to plugin config options [GH-25489]
• drivers/rawexec: adds denied_envvars to driver and task config options [GH-25511]
• rawexec: add support for setting the task user on windows platform [GH-25496]
• rpc: Added ability to configure yamux session parameters [GH-25466]
• ui: Added Dynamic Host Volumes to the web UI [GH-25224]
• ui: Added a scope selector for sentinel policy page [GH-25390]
• ui: Makes jobs list filtering case-insensitive [GH-25378]
• ui: Updated icons to the newest design system [GH-25353]

DEPRECATIONS:

• api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
• quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

• client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
• client: remove blocking call during client gc [GH-25123]
• client: skip a task groups shutdown_delay when all tasks have already been deregistered [GH-25157]
• csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
• csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
• csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
• csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
• drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
• job: Ensure migrate block difference is added to planning diff object [GH-25528]
• scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]
• server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
• services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
• services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]

v1.10.0-rc.1

1.10.0-rc.1 (April 3, 2025)

FEATURES:

• Dynamic Host Volumes: Nomad now supports creating host volumes via the API [GH-24479]
• OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]
• Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]

BREAKING CHANGES:

• agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
• api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
• consul: Identities are no longer added to tasks by default when they include a template block.
  Please see Nomad's upgrade guide
  for more detail. [GH-25298]
• consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
• disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
• drivers: remove remote task support for task drivers [GH-24909]
• sentinel: The sentinel apply command now requires the -scope option [GH-24601]
• vault: The deprecated token-based authentication workflow for allocations has been removed. Please
  see Nomad's upgrade guide for
  more detail. [GH-25155]

IMPROVEMENTS:

• cli: Add -group option to alloc exec, alloc logs, alloc fs commands [GH-25568]
• cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
• client: Fixed a bug where JSON formatted logs would not show the requested and overlapping cores when failing to reserve cores [GH-25523]
• client: Improve memory usage by dropping references to task environment [GH-25373]
• cni: Add a warning log when CNI check commands fail [GH-25581]
• csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
• csi: Added CSI volume and plugin events to the event stream [GH-24724]
• csi: Show volume capabilities in the volume status command [GH-25173]
• drivers/docker: adds image_pull_timeout to plugin config options [GH-25489]
• drivers/rawexec: adds denied_envvars to driver and task config options [GH-25511]
• rawexec: add support for setting the task user on windows platform [GH-25496]
• rpc: Added ability to configure yamux session parameters [GH-25466]
• ui: Added Dynamic Host Volumes to the web UI [GH-25224]
• ui: Added a scope selector for sentinel policy page [GH-25390]
• ui: Makes jobs list filtering case-insensitive [GH-25378]
• ui: Updated icons to the newest design system [GH-25353]

DEPRECATIONS:

• api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
• quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

• client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
• client: remove blocking call during client gc [GH-25123]
• client: skip a task groups shutdown_delay when all tasks have already been deregistered [GH-25157]
• csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
• csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
• csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
• csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
• drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
• job: Ensure migrate block difference is added to planning diff object [GH-25528]
• scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]
• server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
• services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
• services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]

v1.10.0-beta.1

FEATURES:

• Dynamic Host Volumes: Nomad now supports creating host volumes via the API. [GH-24479]
• Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]
• OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]

BREAKING CHANGES:

• agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
• api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
• consul: Identities are no longer added to tasks by default when they include a template block.
  Please see Nomad's upgrade guide
  for more detail. [GH-25298]
• consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
• disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
• drivers: remove remote task support for task drivers [GH-24909]
• sentinel: The sentinel apply command now requires the -scope option [GH-24601]
• vault: The deprecated token-based authentication workflow for allocations has been removed. Please
  see Nomad's upgrade guide for
  more detail. [GH-25155]

IMPROVEMENTS:

• cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
• csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
• csi: Added CSI volume and plugin events to the event stream [GH-24724]
• csi: Show volume capabilities in the volume status command [GH-25173]
• ui: Added Dynamic Host Volumes to the web UI [GH-25224]

DEPRECATIONS:

• api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
• quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

• client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
• scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]

v1.9.7

1.9.7 (March 11, 2025)

BREAKING CHANGES:

• node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

• auth: Redact OIDC client secret from API responses and event stream (CVE-2025-1296) [GH-25328]

IMPROVEMENTS:

• build: Updated Go to 1.24.1 [GH-25249]
• config: Allow disabling wait in client config [GH-25255]
• cpustats: Add config "cpu_disable_dmidecode" to disable cpu detection using dmidecode [GH-25108]
• metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]
• ui: System, Batch and Sysbatch jobs get a "Revert to prev version" button on their main pages [GH-25104]

BUG FIXES:

• cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
• cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
• csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
• fingerprint: Fixed a bug where Consul/Vault would never be fingerprinted if not available on agent start [GH-25102]
• hcl: Avoid panics by checking null values on durations [GH-25294]
• rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely [GH-25201]
• scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
• template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
• template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the
  quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or
  more template blocks. [GH-25140]

v1.8.11 (Enterprise)

BREAKING CHANGES:

• node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

• auth: Redact OIDC client secret from API responses and event stream (CVE-2025-1296) [GH-25328]

IMPROVEMENTS:

• build: Updated Go to 1.24.1 [GH-25249]
• metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]

BUG FIXES:

• cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
• cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
• csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
• rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely [GH-25201]
• scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
• template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
• template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or more template blocks. [GH-25140]