backport of commit 4dfedf1

.github/workflows/build.yml

@@ -90,7 +90,7 @@ jobs:
         with:
           ref: ${{ github.event.inputs.build-ref }}
       - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
 
@@ -142,7 +142,7 @@ jobs:
         with:
           ref: ${{ github.event.inputs.build-ref }}
       - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
 
@@ -265,7 +265,7 @@ jobs:
         run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
 
       - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
 
@@ -356,7 +356,7 @@ jobs:
         goos: [linux]
         goarch: [amd64]
     steps:
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{needs.get-go-version.outputs.go-version}}
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

.github/workflows/checks.yaml

@@ -41,7 +41,7 @@ jobs:
       - name: Git config token
         if: endsWith(github.repository, '-enterprise')
         run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           cache: true
           go-version-file: .go-version

.github/workflows/release.yml

@@ -81,7 +81,7 @@ jobs:
           echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
 
       - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ steps.get-go-version.outputs.go-version }}
 

.github/workflows/security-scan.yml

@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           cache: ${{ contains(runner.name, 'Github Actions') }}
           go-version-file: .go-version

.github/workflows/test-core.yaml

@@ -59,7 +59,7 @@ jobs:
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           cache: ${{ contains(runner.name, 'Github Actions') }}
           go-version-file: .go-version
@@ -74,7 +74,7 @@ jobs:
     timeout-minutes: 8
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           cache: true
           go-version-file: .go-version
@@ -102,7 +102,7 @@ jobs:
           - quick
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           cache: ${{ contains(runner.name, 'Github Actions') }}
           go-version-file: .go-version

.github/workflows/test-e2e.yml

@@ -53,7 +53,7 @@ jobs:
       - name: Git config token
         if: endsWith(github.repository, '-enterprise')
         run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           cache: ${{ contains(runner.name, 'Github Actions') }}
           go-version-file: .go-version
@@ -70,7 +70,7 @@ jobs:
       - name: Git config token
         if: endsWith(github.repository, '-enterprise')
         run: git config --global url.'https://${{ secrets.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           cache: ${{ contains(runner.name, 'Github Actions') }}
           go-version-file: .go-version

.github/workflows/test-windows.yml

@@ -52,7 +52,7 @@ jobs:
       - run: git config --global core.autocrlf false
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: ".go-version"
       - name: Show installed Go version

.go-version

@@ -1 +1 @@
-1.23.3
+1.23.2

CHANGELOG.md

@@ -94,18 +94,6 @@ BUG FIXES:
 * template: Fixed a panic on client restart when using change_mode=script [[GH-24057](https://github.com/hashicorp/nomad/issues/24057)]
 * ui: Fixes an issue where variables paths would not let namespaced users write variables unless they also had wildcard namespace variable write permissions [[GH-24073](https://github.com/hashicorp/nomad/issues/24073)]
 
-## 1.8.7 Enterprise (November 8, 2024)
-
-SECURITY:
-
-* csi: Fixed a bug where a user with csi-write-volume permissions to one namespace can create volumes in another namespace (CVE-2024-10975) [[GH-24396](https://github.com/hashicorp/nomad/issues/24396)]
-
-BUG FIXES:
-
-* connect: add validation to ensure that connect native services specify a port [[GH-24329](https://github.com/hashicorp/nomad/issues/24329)]
-* keyring: Fixed a panic on server startup when decrypting AEAD key data with empty RSA block [[GH-24383](https://github.com/hashicorp/nomad/issues/24383)]
-* scheduler: fixed a bug where resource calculation did not account correctly for poststart tasks [[GH-24297](https://github.com/hashicorp/nomad/issues/24297)]
-
 ## 1.8.6 Enterprise(October 21, 2024)
 
 IMPROVEMENTS:
@@ -245,7 +233,7 @@ BUG FIXES:
 * server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [[GH-23383](https://github.com/hashicorp/nomad/issues/23383)]
 * template: Fix template rendering on Windows [[GH-23432](https://github.com/hashicorp/nomad/issues/23432)]
 * ui: Actions run from jobs with explicit name properties now work from the web UI [[GH-23553](https://github.com/hashicorp/nomad/issues/23553)]
-* ui: Don't show keyboard nav hints when taking a screenshot [[GH-23365](https://github.com/hashicorp/nomad/issues/23365)]
+* ui: Dont show keyboard nav hints when taking a screenshot [[GH-23365](https://github.com/hashicorp/nomad/issues/23365)]
 * ui: Fix an issue where a remotely purged job would prevent redirect from taking place in the web UI [[GH-23492](https://github.com/hashicorp/nomad/issues/23492)]
 * ui: Fix an issue where access to Job Templates in the UI was restricted to variable.write access [[GH-23458](https://github.com/hashicorp/nomad/issues/23458)]
 * ui: Fix the Upload Jobspec button on the Run Job page [[GH-23548](https://github.com/hashicorp/nomad/issues/23548)]
@@ -342,18 +330,6 @@ BUG FIXES:
 * ui: Show the namespace in the web UI exec command hint [[GH-20218](https://github.com/hashicorp/nomad/issues/20218)]
 * windows: Fixed a regression where scanning task processes was inefficient [[GH-20619](https://github.com/hashicorp/nomad/issues/20619)]
 
-## 1.7.15 (November 8, 2024)
-
-SECURITY:
-
-* csi: Fixed a bug where a user with csi-write-volume permissions to one namespace can create volumes in another namespace (CVE-2024-10975) [[GH-24396](https://github.com/hashicorp/nomad/issues/24396)]
-
-BUG FIXES:
-
-* connect: add validation to ensure that connect native services specify a port [[GH-24329](https://github.com/hashicorp/nomad/issues/24329)]
-* deps: Fixed a bug where restarting Nomad could cause an unrelated process with the same PID as a failed executor to be killed [[GH-24265](https://github.com/hashicorp/nomad/issues/24265)]
-* scheduler: fixed a bug where resource calculation did not account correctly for poststart tasks [[GH-24297](https://github.com/hashicorp/nomad/issues/24297)]
-
 ## 1.7.14 Enterprise (October 21, 2024)
 
 IMPROVEMENTS:
@@ -645,7 +621,7 @@ IMPROVEMENTS:
 
 * audit (Enterprise): Added ACL token role links to audit log auth objects [[GH-19415](https://github.com/hashicorp/nomad/issues/19415)]
 * ui: Added a new example template with Task Actions [[GH-19153](https://github.com/hashicorp/nomad/issues/19153)]
-* ui: Don't allow new jobspec download until template is populated, and remove group count from jobs index [[GH-19377](https://github.com/hashicorp/nomad/issues/19377)]
+* ui: dont allow new jobspec download until template is populated, and remove group count from jobs index [[GH-19377](https://github.com/hashicorp/nomad/issues/19377)]
 * ui: make the exec window look nicer on mobile screens [[GH-19332](https://github.com/hashicorp/nomad/issues/19332)]
 
 BUG FIXES:
@@ -720,7 +696,7 @@ IMPROVEMENTS:
 * ui: for system and sysbatch jobs, now show client name on hover in job panel [[GH-19051](https://github.com/hashicorp/nomad/issues/19051)]
 * ui: nicer comment styles in UI example jobs [[GH-19037](https://github.com/hashicorp/nomad/issues/19037)]
 * ui: show plan output warnings alongside placement failures and dry-run info when running a job through the web ui [[GH-19225](https://github.com/hashicorp/nomad/issues/19225)]
-* ui: simplify presentation of task event times (10m2.230948s becomes 10m2s etc.) [[GH-18595](https://github.com/hashicorp/nomad/issues/18595)]
+* ui: simplify presentation of task event times (10m2.230948s bceomes 10m2s etc.) [[GH-18595](https://github.com/hashicorp/nomad/issues/18595)]
 * vars: Added a locking feature for Nomad Variables [[GH-18520](https://github.com/hashicorp/nomad/issues/18520)]
 
 DEPRECATIONS:

client/allocrunner/taskrunner/consul_hook.go

@@ -25,7 +25,7 @@ const (
 
 	// consulTokenFilePerms is the level of file permissions granted on the file in
 	// the secrets directory for the task
-	consulTokenFilePerms = 0640
+	consulTokenFilePerms = 0440
 )
 
 type consulHook struct {

client/lib/nsutil/netns_linux.go

@@ -133,11 +133,11 @@ func UnmountNS(nsPath string) error {
 	// Only unmount if it's been bind-mounted (don't touch namespaces in /proc...)
 	if strings.HasPrefix(nsPath, NetNSRunDir) {
 		if err := unix.Unmount(nsPath, 0); err != nil {
-			return fmt.Errorf("failed to unmount NS: at %s: %w", nsPath, err)
+			return fmt.Errorf("failed to unmount NS: at %s: %v", nsPath, err)
 		}
 
 		if err := os.Remove(nsPath); err != nil {
-			return fmt.Errorf("failed to remove ns path %s: %w", nsPath, err)
+			return fmt.Errorf("failed to remove ns path %s: %v", nsPath, err)
 		}
 	}
 

client/vaultclient/vaultclient.go

@@ -399,7 +399,6 @@ func (c *vaultClient) renew(req *vaultClientRenewalRequest) error {
 
 	var renewalErr error
 	leaseDuration := req.increment
-
 	if req.isToken {
 		// Set the token in the API client to the one that needs renewal
 		c.client.SetToken(req.id)
@@ -435,24 +434,14 @@ func (c *vaultClient) renew(req *vaultClientRenewalRequest) error {
 	next := time.Now().Add(renewalDuration)
 
 	fatal := false
-	if renewalErr != nil {
-		// These errors aren't wrapped by the Vault SDK, so we have to read the
-		// error messages. Unfortunately we can't easily enumerate non-fatal
-		// errors so we have a large set here. These can be found at in
-		// vault/expiration.go.
-		// Current as of vault commit 52ba156d47da170bf40471fe57d72522030bdc7e
-		errMsg := renewalErr.Error()
-		if strings.Contains(errMsg, "no namespace") ||
-			strings.Contains(errMsg, "cannot renew a token across namespaces") ||
-			strings.Contains(errMsg, "invalid lease ID") ||
-			strings.Contains(errMsg, "lease expired") ||
-			strings.Contains(errMsg, "lease is not renewable") ||
-			strings.Contains(errMsg, "lease not found") ||
-			strings.Contains(errMsg, "permission denied") ||
-			strings.Contains(errMsg, "token not found") {
-			fatal = true
-		}
-	} else {
+	if renewalErr != nil &&
+		(strings.Contains(renewalErr.Error(), "lease not found or lease is not renewable") ||
+			strings.Contains(renewalErr.Error(), "invalid lease ID") ||
+			strings.Contains(renewalErr.Error(), "lease is not renewable") ||
+			strings.Contains(renewalErr.Error(), "token not found") ||
+			strings.Contains(renewalErr.Error(), "permission denied")) {
+		fatal = true
+	} else if renewalErr != nil {
 		c.logger.Debug("renewal error details", "req.increment", req.increment, "lease_duration", leaseDuration, "renewal_duration", renewalDuration)
 		c.logger.Error("error during renewal of lease or token failed due to a non-fatal error; retrying",
 			"error", renewalErr, "period", next)

command/volume_status_csi.go

@@ -205,9 +205,11 @@ func (c *VolumeStatusCommand) formatBasic(vol *api.CSIVolume) (string, error) {
 		fmt.Sprintf("Controllers Expected|%d", vol.ControllersExpected),
 		fmt.Sprintf("Nodes Healthy|%d", vol.NodesHealthy),
 		fmt.Sprintf("Nodes Expected|%d", vol.NodesExpected),
+
 		fmt.Sprintf("Access Mode|%s", vol.AccessMode),
 		fmt.Sprintf("Attachment Mode|%s", vol.AttachmentMode),
 		fmt.Sprintf("Mount Options|%s", csiVolMountOption(vol.MountOptions, nil)),
+		fmt.Sprintf("Namespace|%s", vol.Namespace),
 	}
 
 	// Exit early

contributing/README.md

@@ -33,7 +33,7 @@ A development environment is supplied via Vagrant to make getting started easier
 
 Developing without Vagrant
 ---
-1. Install [Go 1.23.3+](https://golang.org/) *(Note: `gcc-go` is not supported)*
+1. Install [Go 1.23.2+](https://golang.org/) *(Note: `gcc-go` is not supported)*
 1. Clone this repo
    ```sh
    $ git clone https://github.com/hashicorp/nomad.git

dev/hooks/pre-push

@@ -31,7 +31,6 @@ if [ -f version/version_ent.go ]; then
 fi
 
 # do not push directly to main, stable-*, release/*
-# do not push Enterprise tags
 # ====================
 while read local_ref local_sha remote_ref remote_sha
 do
@@ -46,13 +45,5 @@ do
     if echo "$remote_ref"|grep -q 'refs/heads/release/.*'; then
         fail "refusing to push directly to a branch prefixed \`release/\`"
     fi
-
-    if echo "$remote_ref" | grep -q 'refs/tags/v.*\+ent'; then
-        fail "refusing to push Nomad Enterprise tag"
-    fi
-
-    if echo "$remote_ref" | grep -q 'refs/tags/v.*\+pro'; then
-        fail "refusing to push Nomad Enterprise (pro) tag"
-    fi
-
 done
+

drivers/shared/capabilities/defaults.go

@@ -6,9 +6,8 @@ package capabilities
 import (
 	"fmt"
 	"regexp"
-	"runtime"
 
-	"github.com/moby/sys/capability"
+	"github.com/syndtr/gocapability/capability"
 )
 
 const (
@@ -41,19 +40,18 @@ func NomadDefaults() *Set {
 func Supported() *Set {
 	s := New(nil)
 
-	var list []capability.Cap
+	last := capability.CAP_LAST_CAP
 
-	switch runtime.GOOS {
-	case "linux":
-		list, _ = capability.ListSupported()
-	default:
-		// capability.ListSupported() will always return an empty list on
-		// non-linux systems
-		list = capability.ListKnown()
+	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+	if last == capability.Cap(63) {
+		last = capability.CAP_BLOCK_SUSPEND
 	}
 
 	// accumulate every capability supported by this system
-	for _, c := range list {
+	for _, c := range capability.List() {
+		if c > last {
+			continue
+		}
 		s.Add(c.String())
 	}