docs: v1.6.0 requires ipc_lock cap for mlock (#17881)

Fixes #17780

website/content/docs/upgrade/upgrade-specific.mdx

@@ -13,6 +13,88 @@ upgrade. However, specific versions of Nomad may have more details provided for
 their upgrades as a result of new features or changed behavior. This page is
 used to document those details separately from the standard upgrade flow.
 
+## Nomad 1.6.0
+
+#### Enterprise License Validation with BuildDate
+
+Nomad Enterprise 1.6.0 now compares license `ExpirationTime` with the Nomad binary's `BuildDate`,
+rather than comparing the sometimes more lenient license `TerminationTime` with `time.Now()`.
+See the [licensing FAQ](/nomad/docs/v1.6.x/enterprise/license/faq) for more info,
+but most relevant here is that you should run the new
+[`nomad license inspect`](/nomad/docs/commands/license/inspect) command
+before trying to upgrade your Enterprise servers to v1.6.0 or higher.
+
+#### Job Evaluate API Endpoint Requires `submit-job` Instead of `read-job`
+
+Nomad 1.6.0 updated the ACL capability requirement for the job evaluate
+endpoint from `read-job` to `submit-job` to better reflect that this operation
+writes state to Nomad. This endpoint is used by the `nomad job eval` CLI
+command and so the ACL requirements changed for the command as well. Users that
+called this endpoint or used this command using tokens with just the `read-job`
+capability or the `read` policy must update their tokens to use the
+`submit-job` capability or the `write` policy.
+
+#### Exec Driver Requires New Capability for mlock
+
+Nomad 1.6.0 updated the `exec` task driver to maintain the max memory locked
+limit set by the host system. In earlier versions of Nomad this limit was
+*unset* unintentionally.
+
+In practice this means that `exec` tasks such as Vault which use the `mlock`
+system call will now need to explicitly add the `ipc_lock` capability.
+
+First [allow the `ipc_lock` capability in the Client
+configuration][allow_caps_exec]:
+
+```hcl
+plugin "exec" {
+  config {
+    allow_caps = ["audit_write", "chown", "dac_override", "fowner", "fsetid",
+      "kill", "mknod", "net_bind_service", "setfcap", "setgid", "setpcap",
+      "setuid", "sys_chroot", "ipc_lock"]
+  }
+}
+```
+
+Then [add the `ipc_lock` capability to the exec task][cap_add_exec] that uses
+`mlock`:
+
+```hcl
+task "vault" {
+  driver = "exec"
+
+  config {
+    cap_add = ["ipc_lock"]
+
+    # ... other task configuration
+  }
+
+# ... rest of jobspec
+```
+
+These additions are backward compatible with Nomad v1.5, so Clients and Jobs
+should be updated prior to upgrading to Nomad v1.6.
+
+See [#17780](https://github.com/hashicorp/nomad/issues/17780) for details.
+
+#### Command `nomad tls cert create` flag `-cluster-region` deprecated
+
+Nomad 1.6.0 will deprecate the command `nomad tls cert create` flag `-cluster-region`
+in favour of using the standard flag `-region`. The `-cluster-region` flag
+will be removed in Nomad 1.7.0
+
+#### 32-bit Intel Builds Deprecated
+
+Starting with Nomad 1.6.0, HashiCorp will no longer release 32-bit Intel builds
+of Nomad and Nomad Enterprise (the builds named `windows_386` and
+`linux_386`). Bug fixes will continue to be backported to the 1.5.x and 1.4.x
+versions so long as those major versions are still supported.
+
+The 32-bit ARM build (`linux_arm` for the armhf architecture) is deprecated and
+may be removed in a future major version of Nomad. The 32-bit ARM build is not
+tested and may include bugs around platform-specific integer sizes. Using 64-bit
+builds for small form-factor hosts such as the RaspberryPi is strongly
+recommended.
 
 ## Nomad 1.5.5