From 352df9c222c55381e16b4e83474f2689a886cf94 Mon Sep 17 00:00:00 2001 From: Chris Baker <1675087+cgbaker@users.noreply.github.com> Date: Fri, 29 Jan 2021 19:41:48 +0000 Subject: [PATCH] version-specific upgrade guide for 1.0.3 and 0.12.10 --- .../content/docs/upgrade/upgrade-specific.mdx | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx index a6e3f8127..ce9a94b0a 100644 --- a/website/content/docs/upgrade/upgrade-specific.mdx +++ b/website/content/docs/upgrade/upgrade-specific.mdx 
@@ -14,6 +14,31 @@ upgrade. However, specific versions of Nomad may have more details provided for their upgrades as a result of new features or changed behavior. This page is used to document those details separately from the standard upgrade flow. +## Nomad 1.0.3, 0.12.10 + +Nomad versions 1.0.3 and 0.12.10 change the behavior of the `exec` and `java` drivers so that +tasks are isolated in their own PID and IPC namespaces. As a result, the +process launched by these drivers will be PID 1 in the namespace. This has +[significant impact](https://man7.org/linux/man-pages/man7/pid_namespaces.7.html) +on the treatment of a process by the Linux kernel. Furthermore, tasks in the +same allocation will no longer be able to coordinate using signals, SystemV IPC +objects, or POSIX message queues. Operators should weigh potential impact of an +upgrade on their applications against the security consequences inherent in using +the host namespaces. + +This is the sole change for Nomad 1.0.3, intended to provide better process +isolation by default. An upcoming version of Nomad will include options for +configuring this behavior. + +This change is limited to the `exec` and `java` driver plugins. It does not affect +the Nomad server. This only affect Nomad clients running on Linux, using the +`exec` or `java` drivers or third-party driver plugins which relied on the shared +Nomad executor library. + +Upgrading a Nomad client to 1.0.3 or 0.12.10 will not restart existing tasks. +As such, processes from existing `exec`/`java` tasks will need to be manually restarted +(using `alloc stop` or another mechanism) in order to be fully isolated. + ## Nomad 1.0.2 #### Dynamic secrets trigger template changes on client restart
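Review bot: "This is the sole change for Nomad 1.0.3" sits under a heading that names both 1.0.3 and 0.12.10, so readers on the 0.12.x line cannot tell whether 0.12.10 carries other changes; either say "the sole change in both releases" or state what else 0.12.10 contains. Two grammar fixes in the third added paragraph: "This only affect Nomad clients running on Linux" should be "This only affects Nomad clients running on Linux", and "Operators should weigh potential impact of an upgrade" reads better as "weigh the potential impact of an upgrade". The first paragraph asks operators to weigh "the security consequences inherent in using the host namespaces" without saying what they are; one clause tying it back to the behavior already described (tasks in shared namespaces can observe and signal each other's processes and share IPC objects) would make the trade-off concrete for the reader deciding whether to upgrade.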