# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [1.9.0] - 2024-05-07

### Deprecated

- This release adds a new setting `default_local_cidr_any` that defaults to
  true to match previous behavior, but will default to false in the next
  release (1.10). When set to false, `local_cidr` is matched correctly for
  firewall rules on hosts acting as unsafe routers, and should be set for any
  firewall rules you want to allow unsafe route hosts to access. See the issue
  and example config for more details. (#1071, #1099)

### Added

- Nebula now has an official Docker image `nebulaoss/nebula` that is
  distroless and contains just the `nebula` and `nebula-cert` binaries. You
  can find it here: https://hub.docker.com/r/nebulaoss/nebula (#1037)

- Experimental binaries for `loong64` are now provided. (#1003)

- Added example service script for OpenRC. (#711)

- The SSH daemon now supports inlined host keys. (#1054)

- The SSH daemon now supports certificates with `sshd.trusted_cas`. (#1098)

### Changed

- Config setting `tun.unsafe_routes` is now reloadable. (#1083)

- Small documentation and internal improvements. (#1065, #1067, #1069, #1108,
  #1109, #1111, #1135)

- Various dependency updates. (#1139, #1138, #1134, #1133, #1126, #1123, #1110,
  #1094, #1092, #1087, #1086, #1085, #1072, #1063, #1059, #1055, #1053, #1047,
  #1046, #1034, #1022)

### Removed

- Support for the deprecated `local_range` option has been removed. Please
  change to `preferred_ranges` (which is also now reloadable).
  (#1043)

- We are now building with go1.22, which means that for Windows you need at
  least Windows 10 or Windows Server 2016. This is because support for earlier
  versions was removed in Go 1.21. See https://go.dev/doc/go1.21#windows (#981)

- Removed vagrant example, as it was unmaintained. (#1129)

- Removed Fedora and Arch nebula.service files, as they are maintained in the
  upstream repos. (#1128, #1132)

- Remove the TCP round trip tracking metrics, as they never had correct data
  and were an experiment to begin with. (#1114)

### Fixed

- Fixed a potential deadlock introduced in 1.8.1. (#1112)

- Fixed support for Linux when IPv6 has been disabled at the OS level. (#787)

- DNS will return NXDOMAIN now when there are no results. (#845)

- Allow `::` in `lighthouse.dns.host`. (#1115)

- Capitalization of `NotAfter` fixed in DNS TXT response. (#1127)

- Don't log invalid certificates. It is untrusted data and can cause a large
  volume of logs. (#1116)

## [1.8.2] - 2024-01-08

### Fixed

- Fix multiple routines when listen.port is zero. This was a regression
  introduced in v1.6.0. (#1057)

### Changed

- Small dependency update for Noise. (#1038)

## [1.8.1] - 2023-12-19

### Security

- Update `golang.org/x/crypto`, which includes a fix for CVE-2023-48795. (#1048)

### Fixed

- Fix a deadlock introduced in v1.8.0 that could occur during handshakes. (#1044)

- Fix mobile builds. (#1035)

## [1.8.0] - 2023-12-06

### Deprecated

- The next minor release of Nebula, 1.9.0, will require at least Windows 10 or
  Windows Server 2016. This is because support for earlier versions was removed
  in Go 1.21. See https://go.dev/doc/go1.21#windows

### Added

- Linux: Notify systemd of service readiness. This should resolve timing issues
  with services that depend on Nebula being active.
  For an example of how to enable this, see:
  `examples/service_scripts/nebula.service`. (#929)

- Windows: Use Registered IO (RIO) when possible. Testing on a Windows 11
  machine shows ~50x improvement in throughput. (#905)

- NetBSD, OpenBSD: Added rudimentary support. (#916, #812)

- FreeBSD: Add support for naming tun devices. (#903)

### Changed

- `pki.disconnect_invalid` will now default to true. This means that once a
  certificate expires, the tunnel will be disconnected. If you use SIGHUP to
  reload certificates without restarting Nebula, you should ensure all of your
  clients are on 1.7.0 or newer before you enable this feature. (#859)

- Limit how often a busy tunnel can requery the lighthouse. The new config
  option `timers.requery_wait_duration` defaults to `60s`. (#940)

- The internal structures for hostmaps were refactored to reduce memory usage
  and the potential for subtle bugs. (#843, #938, #953, #954, #955)

- Lots of dependency updates.

### Fixed

- Windows: Retry wintun device creation if it fails the first time. (#985)

- Fix issues with firewall reject packets that could cause panics. (#957)

- Fix relay migration during re-handshakes. (#964)

- Various other refactors and fixes. (#935, #952, #972, #961, #996, #1002,
  #987, #1004, #1030, #1032, ...)

## [1.7.2] - 2023-06-01

### Fixed

- Fix a freeze during config reload if the `static_host_map` config was changed. (#886)

## [1.7.1] - 2023-05-18

### Fixed

- Fix IPv4 addresses returned by `static_host_map` DNS lookup queries being
  treated as IPv6 addresses. (#877)

## [1.7.0] - 2023-05-17

### Added

- `nebula-cert ca` now supports encrypting the CA's private key with a
  passphrase. Pass `-encrypt` in order to be prompted for a passphrase.
  Encryption is performed using AES-256-GCM and Argon2id for KDF.
  KDF parameters default to RFC recommendations, but can be overridden via CLI
  flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`. (#386)

- Support for curve P256 and BoringCrypto has been added. See README section
  "Curve P256 and BoringCrypto" for more details. (#865, #861, #769, #856, #803)

- New firewall rule `local_cidr`. This could be used to filter destinations
  when using `unsafe_routes`. (#507)

- Add `unsafe_route` option `install`. This controls whether the route is
  installed in the system's routing table. (#831)

- Add `tun.use_system_route_table` option. Set to true to manage unsafe routes
  directly on the system route table with gateway routes instead of in Nebula
  configuration files. This is only supported on Linux. (#839)

- The metric `certificate.ttl_seconds` is now exposed via stats. (#782)

- Add `punchy.respond_delay` option. This allows you to change the delay
  before attempting punchy.respond. Default is 5 seconds. (#721)

- Added SSH commands to allow the capture of a mutex profile. (#737)

- You can now set `lighthouse.calculated_remotes` to make it possible to do
  handshakes without a lighthouse in certain configurations. (#759)

- The firewall can be configured to send REJECT replies instead of the default
  DROP behavior. (#738)

- For macOS, an example launchd configuration file is now provided. (#762)

### Changed

- Lighthouses and other `static_host_map` entries that use DNS names will now
  be automatically refreshed to detect when the IP address changes. (#796)

- Lighthouses send ACK replies back to clients so that clients do not fall
  into connection testing as often. (#851, #408)

- Allow the `listen.host` option to contain a hostname. (#825)

- When Nebula switches to a new certificate (such as via SIGHUP), we now
  rehandshake with all existing tunnels.
  This allows firewall groups to be
  updated and `pki.disconnect_invalid` to know about the new certificate
  expiration time. (#838, #857, #842, #840, #835, #828, #820, #807)

### Fixed

- Always disconnect blocklisted hosts, even if `pki.disconnect_invalid` is
  not set. (#858)

- Dependencies updated and go1.20 required. (#780, #824, #855, #854)

- Fix possible race condition with relays. (#827)

- FreeBSD: Fix connection to the localhost's own Nebula IP. (#808)

- Normalize and document some common log field values. (#837, #811)

- Fix crash if you set unlucky values for the firewall timeout configuration
  options. (#802)

- Make DNS queries case insensitive. (#793)

- Update example systemd configurations to want `nss-lookup`. (#791)

- Errors with SSH commands now go to the SSH tunnel instead of stderr. (#757)

- Fix a hang when shutting down Android. (#772)

## [1.6.1] - 2022-09-26

### Fixed

- Refuse to process underlay packets received from overlay IPs. This prevents
  confusion on hosts that have unsafe routes configured. (#741)

- The ssh `reload` command did not work on Windows, since it relied on sending
  a SIGHUP signal internally. This has been fixed. (#725)

- A regression in v1.5.2 that broke unsafe routes on Mobile clients has been
  fixed. (#729)

## [1.6.0] - 2022-06-30

### Added

- Experimental: nebula clients can be configured to act as relays for other nebula clients.
  Primarily useful when stubborn NATs make a direct tunnel impossible. (#678)

- Configuration option to report manually specified `ip:port`s to lighthouses. (#650)

- Windows arm64 build. (#638)

- `punchy` and most `lighthouse` config options now support hot reloading. (#649)

### Changed

- Build against go 1.18.
  (#656)

- Promoted `routines` config from experimental to supported feature. (#702)

- Dependencies updated. (#664)

### Fixed

- Packets destined for the same host that sent it will be returned on MacOS.
  This matches the default behavior of other operating systems. (#501)

- `unsafe_route` configuration will no longer crash on Windows. (#648)

- A few panics that were introduced in 1.5.x. (#657, #658, #675)

### Security

- You can set `listen.send_recv_error` to control the conditions in which
  `recv_error` messages are sent. Sending these messages can expose the fact
  that Nebula is running on a host, but it speeds up re-handshaking. (#670)

### Removed

- `x509` config stanza support has been removed. (#685)

## [1.5.2] - 2021-12-14

### Added

- Warn when a non lighthouse node does not have lighthouse hosts configured. (#587)

### Changed

- No longer fatals if expired CA certificates are present in `pki.ca`, as long as 1 valid CA is present. (#599)

- `nebula-cert` will now enforce ipv4 addresses. (#604)

- Warn on macOS if an unsafe route cannot be created due to a collision with an
  existing route. (#610)

- Warn if you set a route MTU on platforms where we don't support it. (#611)

### Fixed

- Rare race condition when tearing down a tunnel due to `recv_error` and sending packets on another thread. (#590)

- Bug in `routes` and `unsafe_routes` handling that was introduced in 1.5.0. (#595)

- `-test` mode no longer results in a crash. (#602)

### Removed

- `x509.ca` config alias for `pki.ca`. (#604)

### Security

- Upgraded `golang.org/x/crypto` to address an issue which allowed unauthenticated clients to cause a panic in SSH
  servers.
  (#603)

## 1.5.1 - 2021-12-13

(This release was skipped due to discovering #610 and #611 after the tag was
created.)

## [1.5.0] - 2021-11-11

### Added

- SSH `print-cert` has a new `-raw` flag to get the PEM representation of a certificate. (#483)

- New build architecture: Linux `riscv64`. (#542)

- New experimental config option `remote_allow_ranges`. (#540)

- New config option `pki.disconnect_invalid` that will tear down tunnels when they become invalid (through expiry or
  removal of root trust). Default is `false`. Note, this will not currently recognize if a remote has changed
  certificates since the last handshake. (#370)

- New config option `unsafe_routes.<route>.metric` will set a metric for a specific unsafe route. It's useful if you have
  more than one identical route and want to prefer one against the other. (#353)

### Changed

- Build against go 1.17. (#553)

- Build with `CGO_ENABLED=0` set, to create more portable binaries. This could
  have an effect on DNS resolution if you rely on anything non-standard. (#421)

- Windows now uses the [wintun](https://www.wintun.net/) driver which does not require installation. This driver
  is a large improvement over the TAP driver that was used in previous versions. If you had a previous version
  of `nebula` running, you will want to disable the tap driver in Control Panel, or uninstall the `tap0901` driver
  before running this version. (#289)

- Darwin binaries are now universal (works on both amd64 and arm64), signed, and shipped in a notarized zip file.
  `nebula-darwin.zip` will be the only darwin release artifact. (#571)

- Darwin uses syscalls and AF_ROUTE to configure the routing table, instead of
  using `/sbin/route`. Setting `tun.dev` is now allowed on Darwin as well, it
  must be in the format `utun[0-9]+` or it will be ignored.
  (#163)

### Deprecated

- The `preferred_ranges` option has been supported as a replacement for
  `local_range` since v1.0.0. It has now been documented and `local_range`
  has been officially deprecated. (#541)

### Fixed

- Valid recv_error packets were incorrectly marked as "spoofing" and ignored. (#482)

- SSH server handles single `exec` requests correctly. (#483)

- Signing a certificate with `nebula-cert sign` now verifies that the supplied
  ca-key matches the ca-crt. (#503)

- If `preferred_ranges` (or the deprecated `local_range`) is configured, we
  will immediately switch to a preferred remote address after the reception of
  a handshake packet (instead of waiting until 1,000 packets have been sent).
  (#532)

- A race condition when `punchy.respond` is enabled. The fix ensures the
  correct VPN IP is sent a punch back response on a highly queried node. (#566)

- Fix a rare crash during handshake due to a race condition. (#535)

## [1.4.0] - 2021-05-11

### Added

- Ability to output qr code images in `print`, `ca`, and `sign` modes for `nebula-cert`.
  This is useful when configuring mobile clients. (#297)

- Experimental: Nebula can now do work on more than 2 cpu cores in send and receive paths via
  the new `routines` config option. (#382, #391, #395)

- ICMP ping requests can be responded to when the `tun.disabled` is `true`.
  This is useful so that you can "ping" a lighthouse running in this mode. (#342)

- Run smoke tests via `make smoke-docker`. (#287)

- More reported stats, udp memory use on linux, build version (when using Prometheus), firewall,
  handshake, and cached packet stats. (#390, #405, #450, #453)

- IPv6 support for the underlay network. (#369)

- End to end testing, run with `make e2e`.
  (#425, #427, #428)

### Changed

- Darwin will now log stdout/stderr to a file when using `-service` mode. (#303)

- Example systemd unit file now has a better arranged startup order when using
  `sshd`, along with other fixes. (#317, #412, #438)

- Reduced memory utilization/garbage collection. (#320, #323, #340)

- Reduced CPU utilization. (#329)

- Build against go 1.16. (#381)

- Refactored handshakes to improve performance and correctness. (#401, #402, #404, #416, #451)

- Improved roaming support for mobile clients. (#394, #457)

- Lighthouse performance and correctness improvements. (#406, #418, #429, #433, #437, #442, #449)

- Better ordered startup to enable `sshd`, `stats`, and `dns` subsystems to listen on
  the nebula interface. (#375)

### Fixed

- No longer report handshake packets as `lost` in stats. (#331)

- Error handling in the `cert` package. (#339, #373)

- Orphaned pending hostmap entries are cleaned up. (#344)

- Most known data races are now resolved. (#396, #400, #424)

- Refuse to run a lighthouse on an ephemeral port. (#399)

- Removed the global references. (#423, #426, #446)

- Reloading via ssh command avoids a panic. (#447)

- Shutdown is now performed in a cleaner way. (#448)

- Logs will now find their way to Windows event viewer when running under `-service` mode
  in Windows. (#443)

## [1.3.0] - 2020-09-22

### Added

- You can emit statistics about non-message packets by setting the option
  `stats.message_metrics`. You can similarly emit detailed statistics about
  lighthouse packets by setting the option `stats.lighthouse_metrics`. See
  the example config for more details. (#230)

- We now support freebsd/amd64. This is experimental, please give us feedback.
  (#103)

- We now release a binary for `linux/mips-softfloat` which has also been
  stripped to reduce filesize and hopefully have a better chance of running on
  small mips devices. (#231)

- You can set `tun.disabled` to true to run a standalone lighthouse without a
  tun device (and thus, without root). (#269)

- You can set `logging.disable_timestamp` to remove timestamps from log lines,
  which is useful when output is redirected to a logging system that already
  adds timestamps. (#288)

### Changed

- Handshakes should now trigger faster, as we try to be proactive with sending
  them instead of waiting for the next timer tick in most cases. (#246, #265)

- Previously, we would drop the conntrack table whenever firewall rules were
  changed during a SIGHUP. Now, we will maintain the table and just validate
  that an entry still matches with the new rule set. (#233)

- Debug logs for firewall drops now include the reason. (#220, #239)

- Logs for handshakes now include the fingerprint of the remote host. (#262)

- Config item `pki.blacklist` is now `pki.blocklist`. (#272)

- Better support for older Linux kernels. We now only set `SO_REUSEPORT` if
  `tun.routines` is greater than 1 (default is 1). We also only use the
  `recvmmsg` syscall if `listen.batch` is greater than 1 (default is 64).
  (#275)

- It is possible to run Nebula as a library inside of another process now.
  Note that this is still experimental and the internal APIs around this might
  change in minor version releases. (#279)

### Deprecated

- `pki.blacklist` is deprecated in favor of `pki.blocklist` with the same
  functionality. Existing configs will continue to load for this release to
  allow for migrations.
  (#272)

### Fixed

- `advmss` is now set correctly for each route table entry when `tun.routes`
  is configured to have some routes with higher MTU. (#245)

- Packets that arrive on the tun device with an unroutable destination IP are
  now dropped correctly, instead of wasting time making queries to the
  lighthouses for IP `0.0.0.0`. (#267)

## [1.2.0] - 2020-04-08

### Added

- Add `logging.timestamp_format` config option. The primary purpose of this
  change is to allow logging timestamps with millisecond precision. (#187)

- Support `unsafe_routes` on Windows. (#184)

- Add `lighthouse.remote_allow_list` to filter which subnets we will use to
  handshake with other hosts. See the example config for more details. (#217)

- Add `lighthouse.local_allow_list` to filter which local IP addresses and/or
  interfaces we advertise to the lighthouses. See the example config for more
  details. (#217)

- Wireshark dissector plugin. Add this file in `dist/wireshark` to your
  Wireshark plugins folder to see Nebula packet headers decoded. (#216)

- systemd unit for Arch, so it can be built entirely from this repo. (#216)

### Changed

- Added a delay to punching via lighthouse signal to deal with race conditions
  in some linux conntrack implementations. (#210)

  See Deprecated below; this also adds a new `punchy.delay` option that defaults to `1s`.

- Validate all `lighthouse.hosts` and `static_host_map` VPN IPs are in the
  subnet defined in our cert. Exit with a fatal error if they are not in our
  subnet, as this is an invalid configuration (we will not have the proper
  routes set up to communicate with these hosts). (#170)

- Use absolute paths to system binaries on macOS and Windows. (#191)

- Add configuration options for `handshakes`. This includes options to tweak
  `try_interval`, `retries` and `wait_rotation`.
  See example config for descriptions. (#179)

- Allow `-config` file to not end in `.yaml` or `yml`. Useful when using
  `-test` and automated tools like Ansible that create temporary files without
  suffixes. (#189)

- The config test mode, `-test`, is now more thorough and catches more parsing
  issues. (#177)

- Various documentation and example fixes. (#196)

- Improved log messages. (#181, #200)

- Dependencies updated. (#188)

### Deprecated

- `punchy`, `punch_back` configuration options have been collapsed under the
  now top level `punchy` config directive. (#210)

  `punchy.punch` - This is the old `punchy` option. Should we perform NAT hole
  punching (default false)?

  `punchy.respond` - This is the old `punch_back` option. Should we respond to
  hole punching by hole punching back (default false)?

### Fixed

- Reduce memory allocations when not using `unsafe_routes`. (#198)

- Ignore packets from self to self. (#192)

- MTU fixed for `unsafe_routes`. (#209)

## [1.1.0] - 2020-01-17

### Added

- For macOS and Windows, build a special version of the binary that can install
  and manage its own service configuration. You can use this with `nebula
  -service`. If you are building from source, use `make service` to build this feature.
- Support for `mips`, `mips64`, `386` and `ppc64le` processors on Linux.
- You can now configure the DNS listen host and port with `lighthouse.dns.host`
  and `lighthouse.dns.port`.
- Subnet and routing support. You can now add a `unsafe_routes` section to your
  config to allow hosts to act as gateways to other subnets. Read the example
  config for more details. This is supported on Linux and macOS.

### Changed

- Certificates now have more verifications performed, including making sure
  the certificate lifespan does not exceed the lifespan of the root CA.
  This could cause issues if you have signed certificates with expirations beyond
  the expiration of your CA, and you will need to reissue your certificates.
- If lighthouse interval is set to `0`, never update the lighthouse (mobile
  optimization).
- Various documentation and example fixes.
- Improved error messages.
- Dependencies updated.

### Fixed

- If you have a firewall rule with `group: ["one-group"]`, this will
  now be accepted, with a warning to use `group: "one-group"` instead.
- The `listen.host` configuration option was previously ignored (the bind host
  was always 0.0.0.0). This option will now be honored.
- The `ca_sha` and `ca_name` firewall rule options should now work correctly.

## [1.0.0] - 2019-11-19

### Added

- Initial public release.

[Unreleased]: https://github.com/slackhq/nebula/compare/v1.9.0...HEAD
[1.9.0]: https://github.com/slackhq/nebula/releases/tag/v1.9.0
[1.8.2]: https://github.com/slackhq/nebula/releases/tag/v1.8.2
[1.8.1]: https://github.com/slackhq/nebula/releases/tag/v1.8.1
[1.8.0]: https://github.com/slackhq/nebula/releases/tag/v1.8.0
[1.7.2]: https://github.com/slackhq/nebula/releases/tag/v1.7.2
[1.7.1]: https://github.com/slackhq/nebula/releases/tag/v1.7.1
[1.7.0]: https://github.com/slackhq/nebula/releases/tag/v1.7.0
[1.6.1]: https://github.com/slackhq/nebula/releases/tag/v1.6.1
[1.6.0]: https://github.com/slackhq/nebula/releases/tag/v1.6.0
[1.5.2]: https://github.com/slackhq/nebula/releases/tag/v1.5.2
[1.5.0]: https://github.com/slackhq/nebula/releases/tag/v1.5.0
[1.4.0]: https://github.com/slackhq/nebula/releases/tag/v1.4.0
[1.3.0]: https://github.com/slackhq/nebula/releases/tag/v1.3.0
[1.2.0]: https://github.com/slackhq/nebula/releases/tag/v1.2.0
[1.1.0]: https://github.com/slackhq/nebula/releases/tag/v1.1.0
[1.0.0]: https://github.com/slackhq/nebula/releases/tag/v1.0.0