core (Enterprise): Update licensing library to v0.0.11 to include race condition fix. [GH-10253]
agent: Only allow querying Prometheus formatted metrics if Prometheus is enabled within the config [GH-10140]
api: Ensured that api.LicenseGet returned response meta data [GH-10276]
api: Added missing devices block to AllocatedTaskResources [GH-10064]
api: Fixed a panic that may occur on concurrent access to an SDK client [GH-10302]
cli: Fixed a bug where a non-integer proxy port would cause the CLI to panic [GH-10072]
cli: Fixed a bug where snapshot agent command panics on launch [GH-10276]
cli: Remove extra linefeeds in monitor.log files written by nomad operator debug. [GH-10252]
cli: Fixed a bug where parsing HCLv2 may panic on some variable interpolation syntax [GH-10326] [GH-10419]
cli: Fixed a bug where nomad operator debug incorrectly parsed https Consul API URLs. [GH-10082]
cli: Fixed a panic where nomad job run or plan would crash when supplied with non-existent -var-file files. [GH-10569]
client: Fixed log formatting when killing tasks. [GH-10135]
client: Added handling for cgroup-v2 memory metrics [GH-10286]
client: Only publish measured allocation memory metrics [GH-10376]
client: Fixed a bug where small files would be assigned the wrong content type. [GH-10348]
consul/connect: Fixed a bug where job plan always reported a difference when using expose checks. [GH-10492]
consul/connect: Fixed a bug where HTTP ingress gateways could not use wildcard names. [GH-10457]
cni: Fall back to an interface with an IP address if the sandbox interface lacks one. [GH-9895]
csi: Fixed a bug where a volume whose ID is a prefix of another volume's ID could cause the wrong volume to be used for feasibility checking. [GH-10158]
drivers/docker: Fixed a bug where Dockerfile STOPSIGNAL was not honored. [GH-10441]
drivers/raw_exec: Fixed a bug where exit codes could be dropped and return a spurious error. [GH-10494]
scheduler: Fixed a bug where Nomad reports negative or incorrect running children counts for periodic jobs. [GH-10145]
scheduler: Fixed a bug where jobs requesting multiple CSI volumes could be incorrectly scheduled if only one of the volumes passed feasibility checking. [GH-10143]
ACL authentication is now required for the Nomad API job parse endpoint to address a potential security vulnerability
SECURITY:
Add ACL requirement and HCL validation to the job parse API endpoint to prevent excessive CPU usage. CVE-2022-24685 [GH-12038]
Fix race condition in use of go-getter that could cause a client agent to download the wrong artifact into the wrong destination. CVE-2022-24686 [GH-12036]
Resolve symlinks to prevent unauthorized access to files outside the allocation directory. CVE-2022-24683 [GH-12037]
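The third 1.0.18 security entry (resolving symlinks before allowing access to files under the allocation directory) comes down to one containment check: resolve every link in both the allocation root and the requested path, then compare the resolved paths rather than the lexical ones. The following Go program is an added example written for this page, not Nomad's own code: `ResolveInAllocDir` and `BuildDemoAllocDir` are hypothetical names, and the temporary directory layout (one regular file, one symlink that stays inside the allocation, one that points outside it) is constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesAllocDir is returned when a path resolves outside the allocation directory.
var ErrEscapesAllocDir = errors.New("path escapes allocation directory")

// ResolveInAllocDir resolves symlinks in both the allocation directory and the
// requested path, then verifies that the resolved target still lies inside the
// resolved allocation root. Comparing lexical paths is not enough: a symlink
// created inside the allocation can point anywhere on the host.
// Hypothetical helper written for this example; not Nomad's implementation.
func ResolveInAllocDir(allocDir, requested string) (string, error) {
	root, err := filepath.EvalSymlinks(allocDir)
	if err != nil {
		return "", err
	}
	// Join lexically first so ".." components are collapsed before resolution.
	candidate := filepath.Join(root, requested)
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	// A relative path is used instead of a string-prefix test so that a sibling
	// directory sharing the root's name as a prefix is not mistaken for a child.
	rel, err := filepath.Rel(root, resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesAllocDir
	}
	return resolved, nil
}

// BuildDemoAllocDir creates a throwaway allocation directory under the OS temp
// directory with a regular file, a symlink that stays inside the allocation and
// a symlink that escapes to a second temp directory. Constructed layout for
// this example only; the caller removes both returned directories when done.
func BuildDemoAllocDir() (allocDir, outsideDir string, err error) {
	if outsideDir, err = os.MkdirTemp("", "outside-"); err != nil {
		return "", "", err
	}
	if allocDir, err = os.MkdirTemp("", "alloc-"); err != nil {
		return "", "", err
	}
	secret := filepath.Join(outsideDir, "secret.txt")
	if err = os.WriteFile(secret, []byte("host data\n"), 0o600); err != nil {
		return allocDir, outsideDir, err
	}
	local := filepath.Join(allocDir, "local")
	if err = os.Mkdir(local, 0o755); err != nil {
		return allocDir, outsideDir, err
	}
	ok := filepath.Join(local, "ok.txt")
	if err = os.WriteFile(ok, []byte("task data\n"), 0o644); err != nil {
		return allocDir, outsideDir, err
	}
	// Symlink that stays within the allocation: must be accepted.
	if err = os.Symlink(ok, filepath.Join(local, "inside-link")); err != nil {
		return allocDir, outsideDir, err
	}
	// Symlink that leaves the allocation: must be rejected.
	if err = os.Symlink(secret, filepath.Join(local, "escape-link")); err != nil {
		return allocDir, outsideDir, err
	}
	return allocDir, outsideDir, nil
}

func main() {
	allocDir, outsideDir, err := BuildDemoAllocDir()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer os.RemoveAll(allocDir)
	defer os.RemoveAll(outsideDir)
	for _, p := range []string{"local/ok.txt", "local/inside-link", "local/escape-link", ".."} {
		resolved, err := ResolveInAllocDir(allocDir, p)
		if err != nil {
			fmt.Printf("%-18s rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-18s allowed: %s\n", p, resolved)
	}
}
```

The check is applied to the resolved target rather than to the symlink itself, which is why the inside link is accepted while the escape link is rejected even though both live under `local/`. Run it as `go run main.go` from a scratch directory.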
1.0.17 (February 1, 2022)
BUG FIXES:
csi: Fixed a bug where garbage collected allocations could block new claims on a volume [GH-11890]
csi: Fixed a bug where releasing volume claims would fail with ACL errors after leadership transitions. [GH-11891]
csi: Fixed a bug where volume claim releases that were not fully processed before a leadership transition would be ignored [GH-11776]
csi: Unmount volumes from the client before sending unpublish RPC [GH-11892]
1.0.16 (January 18, 2022)
BUG FIXES:
agent: Validate reserved_ports are valid to prevent unschedulable nodes. [GH-11830]
cli: Fixed a bug where the -stale flag was not respected by nomad operator debug [GH-11678]
client: Fixed a bug where clients would ignore the client_auto_join setting after losing connection with the servers, causing them to incorrectly fallback to Consul discovery if it was set to false. [GH-11585]
client: Fixed a memory and goroutine leak for batch tasks and any task that exits without being shut down from the server [GH-11741]
client: Fixed host network reserved port fingerprinting [GH-11728]
core: Fix missing fields in Node.Copy() [GH-11744]
csi: Fixed a bug where deregistering volumes would attempt to deregister the wrong volume if the ID was a prefix of the intended volume [GH-11852]
drivers: Fixed a bug where the resolv.conf copied from the system was not readable to unprivileged processes within the task [GH-11856]
quotas (Enterprise): Fixed a bug where quotas could be incorrectly calculated when nodes fail ranking. [GH-11848]
rpc: Fixed scaling policy get index response when the policy is found [GH-11579]
scheduler: Detect, log, and emit the nomad.nomad.plan.node_rejected metric when an unexpected port collision is detected [GH-11793]
scheduler: Fixed a performance bug where spread and node affinity can cause a job to take longer than the nack timeout to be evaluated. [GH-11712]
template: Fixed a bug where templates did not receive an updated vault token if change_mode = "noop" was set in the job definition's vault stanza. [GH-11783]
1.0.15 (December 13, 2021)
SECURITY:
Updated to Go 1.16.12. Earlier versions of Go contained 2 CVEs. CVE-2021-44717 could allow a task on a Unix system with exhausted file handles to misdirect I/O. CVE-2021-44716 could create unbounded memory growth in HTTP2 servers. Nomad servers do not use HTTP2. [GH-11662]
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/MatthiasScholz/cos/network/alerts).
Bumps github.com/hashicorp/nomad from 1.0.0 to 1.0.18.
Release notes
Sourced from github.com/hashicorp/nomad's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/nomad's changelog.
... (truncated)
Commits
- 7eb2ad2 Release v1.0.18
- c46dfd8 Generate files for 1.0.18 release
- 0146d33 ci: set macos build xcode to a support version
- 53b2709 chore: go mod tidy
- bb96eb8 docs: add 1.0.18 to changelog
- 83e9de5 scheduler: prevent panic in spread iterator during alloc stop
- 321c221 api: prevent excessive CPU load on job parse
- 1aa46c3 client: check escaping of alloc dir using symlinks
- e5c7638 client: fix race condition in use of go-getter
- c19be8d Release v1.0.17