chore(deps): update dependency hashicorp/nomad to v1.10.5

[renovate]

This PR contains the following updates:

Package	Update	Change
hashicorp/nomad	minor	1.9.3 -> 1.10.5

---

Release Notes

hashicorp/nomad (hashicorp/nomad)

v1.10.5

Compare Source

1.10.5 (September 09, 2025)

SECURITY:

• build: Update Go to 1.24.7 to address CVE-2025-47910 [GH-26713]
• build: Update go-getter to 1.7.9 to address CVE-2025-8959. Nomad Client Agents with Landlock support are not impacted by this vulnerability. [GH-26533]
• client: inspect artifacts for sandbox escape when landlock is unavailable [GH-26608]

IMPROVEMENTS:

• agent: Allow agent logging to the Windows Event Log [GH-26441]
• cli: Add commands for installing and uninstalling Windows system service [GH-26442]
• config: Validate the keyring configuration block label against supported values on agent startup [GH-26673]
• scheduling: Improve performance of scheduling when checking reserved ports usage [GH-26712]

BUG FIXES:

• csi: fix EOF error when registering volumes [GH-26642]
• dispatch: Fixed a bug where evaluations were not created atomically with dispatched jobs, which could prevent dispatch jobs from creating allocations [GH-26710]
• exec: Adjust USER and HOME env vars when user value is set [GH-25859]
• exec: Correctly set the LOGNAME env var when the job specification user value is set [GH-26703]
• logs: skip logging SIGPIPE [GH-26582]

v1.10.4

Compare Source

SECURITY:

• build: Update Go to 1.24.3 to address CVE-2025-47906 [GH-26451]

IMPROVEMENTS:

• cli: Added monitor export cli command to retrieve journald logs or the contents of the Nomad log file for a given Nomad agent [GH-26178]
• command: Add historical log capture to nomad operator debug command with -log-lookback and -log-file-export flags [GH-26410]
• metrics: Added node_pool label to blocked_evals metrics [GH-26215]
• sentinel (Enterprise): Added policy scope for csi-volumes [GH-26438]

BUG FIXES:

• alloc exec: Fixed executor panic when exec-ing a rootless raw_exec task [GH-26401]
• cli: Fixed a bug where acl policy self command would output all policies when used with a management token [GH-26396]
• client: run all allocrunner postrun (cleanup) hooks, even if any of them error [GH-26271]
• consul: Add AllocIPv6 option to allow IPv6 address being used for service registration [GH-25632]
• jobspec: Validate required hook field in lifecycle block [GH-26285]
• services: Fixed a bug where Nomad services were deleted if a node missed heartbeats and recovered before allocs were migrated [GH-26424]

v1.10.3

Compare Source

IMPROVEMENTS:

• consul: Added kind field to service block for Consul service registrations [GH-26170]
• docker: Added support for cgroup namespaces in the task config [GH-25927]
• task environment: new NOMAD_UNIX_ADDR env var points to the task API unix socket, for use with workload identity [GH-25598]

BUG FIXES:

• agent: Fixed a bug to prevent a possible panic during graceful shutdown [GH-26018]
• agent: Fixed a bug to prevent panic during graceful server shutdown [GH-26171]
• agent: Fixed bug where agent would exit early from graceful shutdown when managed by systemd [GH-26023]
• cli: Fix panic when restarting stopped job with no scaling policies [GH-26131]
• cli: Fixed a bug in the tls cert create command that always added "<role>.global.nomad"` to the certificate DNS names, even when the specified region was not "global"`. [GH-26086]
• cli: Fixed a bug where the acl token self command only performed lookups for tokens set as environment variables and not by the -token flag. [GH-26183]
• client: Attempt to rollback directory creation when the mkdir plugin fails to perform ownership changes on it [GH-26194]
• client: Fixed bug where drained batch jobs would not be rescheduled if no eligible nodes were immediately available [GH-26025]
• docker: Fixed a bug where very low resources.cpu values could generate invalid cpu weights on hosts with very large client.cpu_total_compute values [GH-26081]
• host volumes: Fixed a bug where volumes with server-terminal allocations could be deleted from clients but not the state store [GH-26213]
• tls: Fixed a bug where reloading the Nomad server process with an updated tls.verify_server_hostname configuration parameter would not apply an update to internal RPC handler verification and require a full server restart [GH-26107]
• vault: Fixed a bug where non-periodic tokens would not have their TTL incremented to the lease duration [GH-26041]

v1.10.2

Compare Source

BREAKING CHANGES:

• template: Support for the following non-hermetic sprig functions has been removed: sprig_date, sprig_dateInZone, sprig_dateModify, sprig_htmlDate, sprig_htmlDateInZone, sprig_dateInZone, sprig_dateModify, sprig_randAlphaNum, sprig_randAlpha, sprig_randAscii, sprig_randNumeric, sprig_randBytes, sprig_uuidv4, sprig_env, sprig_expandenv, and sprig_getHostByName. [GH-25998]

SECURITY:

• identity: Fixed bug where workflow identity policies are matched by job ID prefix (CVE-2025-4922) [GH-25869]
• template: Bump the consul-template version to resolve CVE-2025-27144, CVE-2025-22869, CVE-2025-22870 and CVE-2025-22872. [GH-25998]
• template: Removed support to the non-hermetic sprig_env, sprig_expandenv, and sprig_getHostByName sprig functions to prevent potential leakage of environment or network information, since they can allow reading environment variables or resolving domain names to IP addresses. [GH-25998]

IMPROVEMENTS:

• cli: Added job start command to allow starting a stopped job from the cli [GH-24150]
• client: Add gc_volumes_on_node_gc configuration to delete host volumes when nodes are garbage collected [GH-25903]
• client: add ability to set maximum allocation count by adding node_max_allocs to client configuration [GH-25785]
• host volumes: Add -force flag to volume delete command for removing volumes from GC'd nodes [GH-25902]
• identity: Allow ACL policies to be applied to a namespace [GH-25871]
• ipv6: bind and advertise addresses are now made to adhere to RFC-5942 §4 (reference: https://www.rfc-editor.org/rfc/rfc5952.html#section-4) [GH-25921]
• reporting (Enterprise): Added support for offline utilization reporting [GH-25844]
• template: adds ability to specify once mode for job templates [GH-25922]
• wi: new API endpoint for listing workload-attached ACL policies [GH-25588]

BUG FIXES:

• api: Fixed pagination bug which could result in duplicate results [GH-25792]
• client: Fixed a bug where disconnect.stop_on_client_after timeouts were extended or ignored [GH-25946]
• csi: Fixed -secret values not being sent with the nomad volume snapshot delete command [GH-26022]
• disconnect: Fixed a bug where pending evals for reconnected allocs were not cancelled [GH-25923]
• driver: Allow resources.cpu values above the maximum cpu.share value on Linux [GH-25963]
• job: Ensure sidecar task volume_mounts are added to planning diff object [GH-25878]
• reconnecting client: fix issue where reconcile strategy was sometimes ignored [GH-25799]
• scaling: Set the scaling policies to disabled when a job is stopped [GH-25911]
• scheduler: Fixed a bug where a node with no affinity could be selected over a node with low affinity [GH-25800]
• scheduler: Fixed a bug where planning or running a system job with constraints & previously running allocations would return a failed allocation error [GH-25850]
• telemetry: Fix excess CPU consumption from alloc stats collection [GH-25870]
• telemetry: Fixed a bug where alloc stats were still collected (but not published) if telemetry.publish_allocation_metrics=false. [GH-25870]
• ui: Fix incorrect calculation of permissions when ACLs are disabled which meant actions such as client drains were incorrectly blocked [GH-25881]

v1.10.1

Compare Source

BREAKING CHANGES:

• api: The non-functional option -peer-address has been removed from the operator raft remove-peer command and equivalent API [GH-25599]
• core: Errors encountered when reloading agent configuration will now cause agents to exit. Before configuration errors during reloads were only logged. This could lead to agents running but unable to communicate [GH-25721]

SECURITY:

• build: Update Go to 1.24.3 to address CVE-2025-22873 [GH-25818]
• sentinel (Enterprise): Fixed a bug where in some cases hard-mandatory policies could be overridden with -policy-override. CVE-2025-3744 [GH-2618]

IMPROVEMENTS:

• command: added priority flag to job dispatch command [GH-25622]

BUG FIXES:

• agent: Fixed a bug where reloading the agent with systemd notification enabled would cause the agent to be killed by system [GH-25636]
• cli: Respect NOMAD_REGION environment variable in operator debug command [GH-25716]
• client: fix failure cleaning up namespace on batch jobs [GH-25714]
• docker: Fix missing stats for rss, cache and swap memory for cgroups v1 [GH-25741]
• encrypter: Refactor startup decryption task handling to avoid timing problems with task addition on FSM restore [GH-25795]
• java: Fixed a bug where the default task user was set to 'nobody' on Windows [GH-25648]
• metrics: Fixed a bug where RSS and cache stats would not be reported for docker, exec, and java drivers under Linux cgroups v2 [GH-25751]
• scheduler: Fixed a bug in accounting for resources.cores that could prevent placements on nodes with available cores [GH-25705]
• scheduler: Fixed a bug where draining a node with canaries could result in a stuck deployment [GH-25726]
• scheduler: Fixed a bug where updating the rescheduler tracker could corrupt the state store [GH-25698]
• scheduler: Use core ID when selecting cores. This fixes a panic in the scheduler when the reservable_cores is not a contiguous list of core IDs. [GH-25340]
• server: Added a new server configuration option named start_timeout with a default value of 30s. This duration is used to monitor the server setup and startup processes which must complete before it is considered healthy, such as keyring decryption. If these processes do not complete before the timeout is reached, the server process will exit. [GH-25803]
• ui: Fixed a bug where the job list page incorrectly calculated if a job had paused tasks. [GH-25742]

v1.10.0

Compare Source

FEATURES:

• Dynamic Host Volumes: Nomad now supports creating host volumes via the API [GH-24479]
• OIDC Login: Nomad now enables PKCE for OIDC logins, and supports the private key JWT / client assertion option in the OIDC authentication flow. [GH-25231]
• Stateful Deployments: Nomad now supports stateful deployments when using dynamic host volumes. [GH-24993]

BREAKING CHANGES:

• agent: Plugins stored within the plugin_dir will now only be executed when they have a corresponding plugin configuration block. Any plugin found without a corresponding configuration block will be skipped. [GH-18530]
• api: QuotaSpec.RegionLimit is now of type QuotaResources instead of Resources [GH-24785]
• consul: Identities are no longer added to tasks by default when they include a template block.
  Please see Nomad's upgrade guide
  for more detail. [GH-25298]
• consul: The deprecated token-based authentication workflow for allocations has been removed. Please see Nomad's upgrade guide for more detail. [GH-25217]
• disconnected nodes: ignore the previously deprecated disconnect group fields in favor of the disconnect block introduced in Nomad 1.8 [GH-25284]
• drivers: remove remote task support for task drivers [GH-24909]
• sentinel: The sentinel apply command now requires the -scope option [GH-24601]
• vault: The deprecated token-based authentication workflow for allocations has been removed. Please
  see Nomad's upgrade guide for
  more detail. [GH-25155]

IMPROVEMENTS:

• build: Updated Go to 1.24.2 [GH-25623]
• cli: Add -group option to alloc exec, alloc logs, alloc fs commands [GH-25568]
• cli: Added UI URL hints to the end of common CLI commands and a -ui flag to auto-open them [GH-24454]
• client: Fixed a bug where JSON formatted logs would not show the requested and overlapping cores when failing to reserve cores [GH-25523]
• client: Improve memory usage by dropping references to task environment [GH-25373]
• cni: Add a warning log when CNI check commands fail [GH-25581]
• csi: Accept ID prefixes and wildcard namespace for the volume delete command [GH-24997]
• csi: Added CSI volume and plugin events to the event stream [GH-24724]
• csi: Show volume capabilities in the volume status command [GH-25173]
• drivers/docker: adds image_pull_timeout to plugin config options [GH-25489]
• drivers/rawexec: adds denied_envvars to driver and task config options [GH-25511]
• rawexec: add support for setting the task user on windows platform [GH-25496]
• rpc: Added ability to configure yamux session parameters [GH-25466]
• ui: Added Dynamic Host Volumes to the web UI [GH-25224]
• ui: Added a scope selector for sentinel policy page [GH-25390]
• ui: Makes jobs list filtering case-insensitive [GH-25378]
• ui: Updated icons to the newest design system [GH-25353]

DEPRECATIONS:

• api: QuotaSpec.VariablesLimit field is deprecated and will be removed in Nomad 1.12.0. Use QuotaSpec.RegionLimit.Storage.Variables instead. [GH-24785]
• quotas: the variables_limit field in the quota specification is deprecated and replaced by a new storage block under the region_limit block, with a variables field. The variables_limit field will be removed in Nomad 1.12.0 [GH-24785]

BUG FIXES:

• client: fixed a bug where AMD CPUs were not correctly fingerprinting base speed [GH-24415]
• client: remove blocking call during client gc [GH-25123]
• client: skip a task groups shutdown_delay when all tasks have already been deregistered [GH-25157]
• csi: Fixed a CSI ExpandVolume bug where the namespace was left out of the staging path [GH-25253]
• csi: Fixed a bug where GC would attempt and fail to delete plugins that had volumes [GH-25432]
• csi: Fixed a bug where cleaning up volume claims on GC'd nodes would cause errors on the leader [GH-25428]
• csi: Fixed a bug where in-flight CSI RPCs would not be cancelled on client GC or dev agent shutdown [GH-25472]
• drivers: set -1 exit code in case of executor failure for the exec, raw_exec, java, and qemu task drivers [GH-25453]
• job: Ensure migrate block difference is added to planning diff object [GH-25528]
• scheduler: Fixed a bug that made affinity and spread updates destructive [GH-25109]
• server: Validate num_schedulers configuration parameter is between 0 and the number of CPUs available on the machine [GH-25441]
• services: Fixed a bug where Nomad native services would not be correctly interpolated during in-place updates [GH-25373]
• services: Fixed a bug where task-level services, checks, and identities could interpolate jobspec values from other tasks in the same group [GH-25373]

v1.9.7

Compare Source

BREAKING CHANGES:

• node: The node attribute consul.addr.dns has been changed to unique.consul.addr.dns. The node attribute nomad.advertise.address has been changed to unique.advertise.address. [GH-24942]

SECURITY:

• auth: Redact OIDC client secret from API responses and event stream (CVE-2025-1296) [GH-25328]

IMPROVEMENTS:

• build: Updated Go to 1.24.1 [GH-25249]
• config: Allow disabling wait in client config [GH-25255]
• cpustats: Add config "cpu_disable_dmidecode" to disable cpu detection using dmidecode [GH-25108]
• metrics: Fix the process lookup for raw_exec when running rootless [GH-25198]
• ui: System, Batch and Sysbatch jobs get a "Revert to prev version" button on their main pages [GH-25104]

BUG FIXES:

• cli: Add node_prefix read when setting up the task workload identity Consul policy [GH-25310]
• cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions [GH-25093]
• csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted [GH-25307]
• fingerprint: Fixed a bug where Consul/Vault would never be fingerprinted if not available on agent start [GH-25102]
• hcl: Avoid panics by checking null values on durations [GH-25294]
• rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely [GH-25201]
• scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly [GH-24942]
• template: Fixed a bug where unset client.template retry blocks ignored defaults [GH-25113]
• template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the
  quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or
  more template blocks. [GH-25140]

v1.9.6

Compare Source

BREAKING CHANGES:

• fingerprint: Consul and Vault fingerprints no longer reload periodically [GH-24526]

SECURITY:

• api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
• build: Updated Go to 1.23.6 [GH-25041]
• event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilites on any namespace, the ability to read events from all namespaces. [GH-25089]

IMPROVEMENTS:

• auth: adds VerboseLogging option to auth-method config for debugging SSO [GH-24892]
• cli: Added actions available to a job when running nomad job status command [GH-24959]
• event stream: adds ability to authenticate using workload identities [GH-24849]
• services: Nomad service checks now support the tls_skip_verify parameter [GH-24781]
• task schedule: The task being paused no longer impacts restart attempts [GH-25085]
• ui: Contextualizes the Start Job button on whether it is startable, revertable, or not [GH-24985]

BUG FIXES:

• agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
• agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
• client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
• csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
• docker: Fixed a bug that prevented image_pull_timeout from being applied [GH-24991]
• docker: Fixed a bug where "error reading image pull progress" caused the allocation to get stuck pending [GH-24981]
• reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
• state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
• taskrunner: fix panic when a task with dynamic user is recovered [GH-24739]
• ui: Ensure pending service check blocks are filled [GH-24818]
• ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
• vault: Fixed a bug where successful renewal was logged as an error [GH-25040]

v1.9.5

Compare Source

IMPROVEMENTS:

• client: Add noswap mount option to secrets directory where supported on Linux [GH-24645]
• deps: Upgraded aws-sdk-go from v1 to v2 [GH-24720]
• keyring: Warn if deleting a key previously used to encrypt an existing variable [GH-24766]
• ui: Added possibility to supply HCL variable values on job submission [GH-24622]
• ui: add leadership status for servers in other regions [GH-24723]

BUG FIXES:

• docker: Fix a bug where images with port number and no tags weren't parsed correctly [GH-24547]
• driver/docker: Fix container CPU stats collection where previous CPU stats were missing and causing incorrect calculations [GH-24768]
• drivers: validate logmon plugin during reattach [GH-24798]
• networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]

v1.9.4

Compare Source

SECURITY:

• api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
• security: Added more host environment variables to the default deny list for tasks [GH-24540]
• security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
• security: add executeTemplate to default template function_denylist [GH-24541]

IMPROVEMENTS:

• actions: Nomad Actions names now accept a wider range of names [GH-24642]
• api: Sanitise hcl variables before storage on JobSubmission [GH-24423]
• client: Emit telemetry from prerun and prestart hooks for monitoring and alerting [GH-24556]
• cni: Add Nomad specific workload information to CNI_ARGS [GH-24319]
• core: add the possibility to scale system jobs between 0 and 1 [GH-24363]
• ui: Add an Edit From Version button as an option when reverting from an older job version [GH-24168]
• ui: Adds metadata tables to Task Group and Task pages [GH-24594]

BUG FIXES:

• agent: Fixed a bug where retry_join gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561]
• api: Fixed a bug where alloc exec/logs/fs APIs would return errors for non-global regions [GH-24644]
• cli: Ensure the operator autopilot health command only outputs JSON when the json flag is supplied [GH-24655]
• consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
• consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
• csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
• csi: Removed redundant namespace output from volume status command [GH-24432]
• discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
• drivers: fix executor leak when drivers error starting tasks [GH-24495]
• executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
• keyring: Fixed a bug when decrypting aead with an empty RSA block on state upserts [GH-24442]
• networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
• scheduler: Fix bug where forced garbage collection does not ignore GC thresholds [GH-24456]
• scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
• ui: Fix a bug where namespaced jobs wouldn't show diffs on the versions page [GH-24466]
• ui: Fix an issue where 2 parent jobs would see the others dispatches if it were otherwise empty [GH-24668]
• ui: Fix an issue where cmd+click or ctrl+click would double-open a var [GH-24316]
• ui: Fix an issue where system jobs with garbage-collected allocations were showing as Scaled Down [GH-24620]
• ui: Fix an issue where volumes weren't navigable [GH-24542]
• vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]
• windows: Restore process accounting logic from Nomad 1.6.x [GH-24494]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.