Nomad 1.5 adds single sign-on and dynamic node metadata
HashiCorp Nomad 1.5, now GA, improves management of security and access with single sign-on and OIDC support, and adds dynamic node metadata, policy management in the UI, and more.
We are excited to announce that the GA release of HashiCorp Nomad 1.5 is now available. Nomad is a simple and flexible orchestrator used to deploy and manage containers and non-containerized applications. Nomad works across multiple cloud, on-premises, and edge environments.
Here’s what’s new in Nomad and the Nomad ecosystem:
- Single sign-on (SSO) and OIDC support
- Dynamic node metadata
- Task API access
- Job templates
- Access control list (ACL) policies and tokens UI
» Single sign-on and OIDC support
Nomad uses an ACL system to control permissions within the cluster. Traditionally, users have accessed Nomad using an ACL token linked to an ACL policy or ACL role. Distribution and renewal of these tokens was, until now, something that Nomad administrators had to manage themselves. This could result in users having to create home-grown tooling as well as poor ergonomics for requesting, invalidating, and renewing tokens.
Single sign-on in Nomad 1.5 allows users to sign into Nomad using their identity provider (IDP) of choice. Any OIDC-compliant identity provider will integrate with Nomad 1.5. This includes common IDPs such as Okta or Auth0, major cloud provider identity services such as Amazon Cognito, Google Identity Platform, and Azure Active Directory, and, of course, HashiCorp Vault.
Nomad administrators can now spend less time worrying about credential management, and Nomad end users can have a seamless login flow that matches other tools in their organization. Users can log in via the UI or via the CLI using the new nomad login command.
For details on how to set up SSO in Nomad, see the SSO setup tutorials, view the documentation on Auth Methods, or see the nomad login command details.
» Dynamic node metadata
Nomad client nodes can be configured with arbitrary metadata to help inform scheduling decisions such as adding constraints, affinities, or spread blocks to Nomad jobs. Until Nomad 1.5, this metadata had to be static, meaning that it was defined once in the Nomad client config, and any changes to node metadata had to be accompanied by a Nomad client restart.
Now, in Nomad 1.5, metadata can be dynamically modified via the API, CLI, or UI:
nomad node meta apply -node-id aws-t2-622 inodes=127126 custom-key=val
This feature gives users more control over scheduling decisions. Dynamic metadata updates can be helpful in a wide variety of situations, such as conditional scheduling based on changes to node-level dependencies, customized node health or resource checks, and scheduling in response to batch jobs that change the configuration of their client node.
In Nomad 1.5, metadata that has already been specified can be overridden on client nodes, or new metadata keys and values can be added from scratch.
» Task API access
Some Nomad tasks communicate with the Nomad API. Examples of such jobs include autoscaling controllers, custom operator tasks, and any job that needs to modify dynamic node metadata. Task API access makes it simpler to interact with Nomad from any Nomad Task.
To make it easier for Nomad tasks to communicate with Nomad itself, version 1.5 includes a Unix domain socket (UDS) in tasks. This socket is mounted at ${NOMAD_SECRETS_DIR}/api.sock. Requests made over this socket require authentication, which can take the form of a standard Nomad token or a workload identity token. For example, if you wanted to check an agent’s health from inside an allocation’s environment, you could run the following command:
curl -H "Authorization: Bearer ${NOMAD_TOKEN}" --unix-socket "${NOMAD_SECRETS_DIR}/api.sock" -v "localhost/v1/agent/health"
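The same authenticated request as the curl command above, made from a Python task; this is an added example, not code from the Nomad project. It assumes NOMAD_TOKEN and NOMAD_SECRETS_DIR are set in the task environment, as in the curl command, and the names task_api_get, UnixHTTPConnection, and TaskAPIError are made up for this example.

```python
import http.client
import json
import os
import socket


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that dials a Unix domain socket instead of TCP."""

    def __init__(self, socket_path, timeout=5.0):
        # "localhost" only fills the Host header; no TCP connection is made.
        super().__init__("localhost", timeout=timeout)
        self._socket_path = socket_path

    def connect(self):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(self.timeout)
        sock.connect(self._socket_path)
        self.sock = sock


class TaskAPIError(Exception):
    """Raised when the Task API cannot be called or rejects the request."""


def task_api_get(path, env=os.environ):
    """GET `path` over the task's api.sock, authenticating with its token."""
    secrets_dir = env.get("NOMAD_SECRETS_DIR")
    token = env.get("NOMAD_TOKEN")
    if not secrets_dir or not token:
        # Fail early: the socket requires authentication on every request.
        raise TaskAPIError("NOMAD_SECRETS_DIR and NOMAD_TOKEN must be set")
    conn = UnixHTTPConnection(os.path.join(secrets_dir, "api.sock"))
    try:
        conn.request("GET", path, headers={"Authorization": f"Bearer {token}"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        # Report the status only; the token must never end up in logs.
        raise TaskAPIError(f"GET {path} -> HTTP {resp.status}")
    return json.loads(body)


if __name__ == "__main__":
    print(task_api_get("/v1/agent/health"))
```

Error messages carry only the request path and HTTP status, so a rejected token does not leak into task logs.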
» Job templates
The Nomad UI and CLI now include job templates to help new Nomad users more quickly learn how to write Nomad jobs. To use a job template, first go to “Run a Job” in the Nomad UI, then click “Choose from a Template” and select your template:
Nomad automatically includes a template for a simple service job, batch jobs, service discovery, and Nomad variables. These are meant to help new users learn the basics of writing Nomad job specs. In addition to using these default templates, Nomad administrators can add their own templates and override the provided templates.
These templates are also available from the CLI using the nomad job init command with the new -template and -list-templates flags.
Note: While job templates are a great tool to get new Nomad users up to speed, for more advanced templating needs we recommend using Nomad Pack and version-controlled files.
» UI improvements
The Nomad UI has been updated with new features that make it easier to manage permissions and policies, faster to view task events, and simpler to learn the basics of Nomad jobs.
» ACL policies and tokens UI
First, the Nomad UI now includes a new Policies section where Nomad administrators can view, create, and update Nomad ACL policies.
Each policy page also shows the policy’s tokens, allows for the deletion of tokens, shows CLI commands for creating long-lived tokens, and allows for the creation of short-lived test tokens:
This makes it easier for Nomad administrators to learn how to use the ACL system, know who has which permissions, and keep their Nomad clusters secure.
» Task events in sidebar
Additionally, the Nomad UI now includes task events in the logs sidebar for allocations. When examining or debugging an allocation, task events help you understand why an allocation is in its current state. For instance, if authorization failed when downloading a container image, this information would not be surfaced in stderr or stdout, but could be found only in a task event. The sidebar now contains this information, making it even faster to understand the state of each allocation:
» Customizable header
» More Nomad updates
Outside of these core improvements, new additions in Nomad 1.5 and in minor releases since Nomad 1.4 was released include:
- The datacenters field in jobspecs is now optional and supports * as a wildcard character.
- New nomad tls ca and nomad tls cert commands for more easily creating certificates and self-signed certificate authorities.
- A new fmt command to format configuration, job, and volume files into canonical HCL.
- The ability to run commands from mounted volumes with the exec driver.
- The ability to specify job IDs in parameterized jobs with a new -id-prefix-template flag.
- The nomad job stop command can now stop multiple jobs simultaneously.
- Sprig support added to the -t flag to allow for more complex template-based formatting of CLI output.
- New support for Consul Connect upstream configs.
- Maximum size for Nomad Variables increased to 64 KiB.
- A new isolation flag in the Docker driver, which allows for Hyper-V isolation on Windows workloads.
- Improvements to evaluations: a new API endpoint for counting evaluations by type, faster deletion of evaluations, and significantly improved performance when handling large spikes in evaluations, which help protect overall cluster health.
- The new nomad operator client-state command can be used to more quickly get information about a client node.
- Additional UI improvements, including: filtering nodes on the topology page, exposing if a job is a Pack or Connect-enabled, the ability to upload jobspec files, and an expandable logs sidebar.
» Community updates
Nomad is committed to being an open source-first project, and we’re always looking for open source contributors. If you’re familiar with Go or interested in learning/honing your Golang skills, we invite you to join the group of Nomad contributors helping to improve the product.
Looking for a place to start? Head to the Nomad contribute page for a curated list of good first issues. If you’re a returning Nomad contributor looking for an interesting problem to solve, take a glance at issues labeled “help-wanted” or “good first issue”. For help getting started, check out the Nomad contributing documentation or comment directly on the issue with any questions you have.
We also encourage our users to go to the official Nomad Community Forums or join us for community office hours if they have Nomad questions or feedback. We also would like to thank some of our community members for creating unofficial spaces for Nomad users to connect. Thank you to the communities on Gitter and the HashiCorp Community Discord.
» Get started with Nomad 1.5
We encourage you to try out the new features in Nomad 1.5:
- Download Nomad 1.5 from the project website.
- Learn more about Nomad with tutorials on the HashiCorp Learn site.
- Contribute to Nomad by submitting a pull request for a GitHub issue with the “help wanted” or “good first issue” label.
- Participate in our community forums, office hours, and other events.