upgrade notes for 0.9.5
This commit is contained in:
parent
2ca11b9121
commit
105c7cdee1
|
@ -44,6 +44,16 @@ to match the default.
|
||||||
|
|
||||||
For more information on upgrading Raft, see [Upgrading to Raft Protocol 3](/guides/upgrade/upgrade-specific.html#upgrading-to-raft-protocol-3).
|
For more information on upgrading Raft, see [Upgrading to Raft Protocol 3](/guides/upgrade/upgrade-specific.html#upgrading-to-raft-protocol-3).
|
||||||
|
|
||||||
|
## Nomad 0.9.5
|
||||||
|
|
||||||
|
### Template Rendering
|
||||||
|
|
||||||
|
Nomad 0.9.5 includes security fixes for privilege escalation vulnerabilities in handling of job `template` stanzas:
|
||||||
|
|
||||||
|
* The client host's environment variables are now cleaned before rendering the template. If a template includes the `env` function, the job should include an [`env`](https://www.nomadproject.io/docs/job-specification/env.html) stanza to allow access to the variable in the template.
|
||||||
|
* The `plugin` function is no longer permitted by default and will raise an error if used in a template. Operator can opt-in to permitting this function with the new [`template.function_blacklist`](https://www.nomadproject.io/docs/configuration/client.html#template-parameters) field in the client configuration.
|
||||||
|
* The `file` function has been changed to restrict paths to fall inside the task directory by default. Paths that used the `NOMAD_TASK_DIR` environment variable to prefix file paths should work unchanged. Relative paths or symlinks that point outside the task directory will raise an error. An operator can opt-out of this protection with the new [`template.disable_file_sandbox`](https://www.nomadproject.io/docs/configuration/client.html#template-parameters) field in the client configuration.
|
||||||
|
|
||||||
## Nomad 0.9.0
|
## Nomad 0.9.0
|
||||||
|
|
||||||
### Preemption
|
### Preemption
|
||||||
|
|
Loading…
Reference in New Issue