build(deps): bump github.com/hashicorp/nomad from 1.9.3 to 1.9.4

[dependabot]

Bumps github.com/hashicorp/nomad from 1.9.3 to 1.9.4.

Release notes

Sourced from github.com/hashicorp/nomad's releases.

v1.9.4

1.9.4 (December 18, 2024)

SECURITY:

• api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
• security: Added more host environment variables to the default deny list for tasks [GH-24540]
• security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
• security: add executeTemplate to default template function_denylist [GH-24541]

IMPROVEMENTS:

• actions: Nomad Actions names now accept a wider range of names [GH-24642]
• api: Sanitise hcl variables before storage on JobSubmission [GH-24423]
• client: Emit telemetry from prerun and prestart hooks for monitoring and alerting [GH-24556]
• cni: Add Nomad specific workload information to CNI_ARGS [GH-24319]
• core: add the possibility to scale system jobs between 0 and 1 [GH-24363]
• ui: Add an Edit From Version button as an option when reverting from an older job version [GH-24168]
• ui: Adds metadata tables to Task Group and Task pages [GH-24594]

BUG FIXES:

• agent: Fixed a bug where retry_join gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561]
• api: Fixed a bug where alloc exec/logs/fs APIs would return errors for non-global regions [GH-24644]
• cli: Ensure the operator autopilot health command only outputs JSON when the json flag is supplied [GH-24655]
• consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
• consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
• csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
• csi: Removed redundant namespace output from volume status command [GH-24432]
• discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
• drivers: fix executor leak when drivers error starting tasks [GH-24495]
• executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
• keyring: Fixed a bug when decrypting aead with an empty RSA block on state upserts [GH-24442]
• networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
• scheduler: Fix bug where forced garbage collection does not ignore GC thresholds [GH-24456]
• scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
• ui: Fix a bug where namespaced jobs wouldn't show diffs on the versions page [GH-24466]
• ui: Fix an issue where 2 parent jobs would see the others dispatches if it were otherwise empty [GH-24668]
• ui: Fix an issue where cmd+click or ctrl+click would double-open a var [GH-24316]
• ui: Fix an issue where system jobs with garbage-collected allocations were showing as Scaled Down [GH-24620]
• ui: Fix an issue where volumes weren't navigable [GH-24542]
• vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]
• windows: Restore process accounting logic from Nomad 1.6.x [GH-24494]

Changelog

Sourced from github.com/hashicorp/nomad's changelog.

1.9.4 (December 18, 2024)

SECURITY:

• api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
• security: Added more host environment variables to the default deny list for tasks [GH-24540]
• security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
• security: add executeTemplate to default template function_denylist [GH-24541]

IMPROVEMENTS:

• actions: Nomad Actions names now accept a wider range of names [GH-24642]
• api: Sanitise hcl variables before storage on JobSubmission [GH-24423]
• client: Emit telemetry from prerun and prestart hooks for monitoring and alerting [GH-24556]
• cni: Add Nomad specific workload information to CNI_ARGS [GH-24319]
• core: add the possibility to scale system jobs between 0 and 1 [GH-24363]
• ui: Add an Edit From Version button as an option when reverting from an older job version [GH-24168]
• ui: Adds metadata tables to Task Group and Task pages [GH-24594]

BUG FIXES:

• agent: Fixed a bug where retry_join gave up after a single failure, rather than retrying until max attempts had been reached [GH-24561]
• api: Fixed a bug where alloc exec/logs/fs APIs would return errors for non-global regions [GH-24644]
• cli: Ensure the operator autopilot health command only outputs JSON when the json flag is supplied [GH-24655]
• consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
• consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
• csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
• csi: Removed redundant namespace output from volume status command [GH-24432]
• discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
• drivers: fix executor leak when drivers error starting tasks [GH-24495]
• executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
• keyring: Fixed a bug when decrypting aead with an empty RSA block on state upserts [GH-24442]
• networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
• scheduler: Fix bug where forced garbage collection does not ignore GC thresholds [GH-24456]
• scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
• ui: Fix a bug where namespaced jobs wouldn't show diffs on the versions page [GH-24466]
• ui: Fix an issue where 2 parent jobs would see the others dispatches if it were otherwise empty [GH-24668]
• ui: Fix an issue where cmd+click or ctrl+click would double-open a var [GH-24316]
• ui: Fix an issue where system jobs with garbage-collected allocations were showing as Scaled Down [GH-24620]
• ui: Fix an issue where volumes weren't navigable [GH-24542]
• vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]
• windows: Restore process accounting logic from Nomad 1.6.x [GH-24494]

Commits

• 5e49fcd Generate files for 1.9.4 release
• d38cb71 Backport of [ui] Bugfix: prevent parent job from showing another job's dispat...
• 56d851a github: notify Slack when CI fails on merge to main/release (#24707)
• 6c073da Backport of discovery: correctly handle IPv6 addresses from go-discover into ...
• 11b1597 backport of commit a4ac2025f4ac10b051ce99078fc01e8407d1c37a (#24703)
• 64100b5 backport of commit 932c3ebfb0f9d2898066f84d6b7585112ec10f94 (#24696)
• 666bd5a Backport of: E2E: use a variable for region (#24693) (#24695)
• 9ba9255 backport of commit e48bfeccd7f416a5698da1c91fec2ed293ada216 (#24689)
• 31692ec backport of commit 71e3716435528dcf3f68d50817c9190508c44447 (#24687)
• 359a718 Backport of sec: fix alloc workload identity namespace permission into releas...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.