Tags: sooids/firecracker
Tags
Added * The API `PATCH` methods for `machine-config` can now be used to reset the `cpu_template` to `"None"`. Until this change there was no way to reset the `cpu_template` once it was set. * Added a `rebase-snap` tool for rebasing a diff snapshot over a base snapshot. * Mmds version is persisted across snapshot-restore. Snapshot compatibility is preserved bidirectionally, to and from a Firecracker version that does not support persisting the Mmds version. In such cases, the default V1 option is used. * Added `--mmds-size-limit` for limiting the mmds data store size instead of piggy-backing on `--http-api-max-payload-size`. If left unconfigured it defaults to the value of `--http-api-max-payload-size`, to provide backwards compatibility. * Added optional `mem_backend` body field in `PUT` requests on `/snapshot/load`. This new parameter is an object that defines the configuration of the backend responsible for handling memory loading during snapshot restore. The `mem_backend` parameter contains `backend_type` and `backend_path` required fields. `backend_type` is an enum that can take either `File` or `Uffd` as value. Interpretation of `backend_path` field depends on the value of `backend_type`. If `File`, then the user must provide the path to file that contains the guest memory to be loaded. Otherwise, if `backend_type` is `Uffd`, then `backend_path` is the path to a unix domain socket where a custom page fault handler process is listening and expecting a UFFD to be sent by Firecracker. The UFFD is used to handle the guest memory page faults in the separate process. * Added logging for the snapshot/restore and async block device IO engine features to indicate they are in development preview. Changed * The API `PATCH` method for `/machine-config` can be now used to change `track_dirty_pages` on aarch64. * MmdsV2 is now Generally Available. * MmdsV1 is now deprecated and will be removed in Firecracker v2.0.0. Use MmdsV2 instead. * Deprecated `mem_file_path` body field in `PUT` on `/snapshot/load` request. Fixed * Fixed inconsistency that allowed the start of a microVM from a JSON file without specifying the `vcpu_count` and `mem_size_mib` parameters for `machine-config` although they are mandatory when configuring via the API. Now these fields are mandatory when specifying `machine-config` in the JSON file and when using the `PUT` request on `/machine-config`. * Fixed inconsistency that allowed a user to specify the `cpu_template` parameter and set `smt` to `True` in `machine-config` when starting from a JSON file on aarch64 even though they are not permitted when using `PUT` or `PATCH` in the API. Now Firecracker will return an error on aarch64 if `smt` is set to `True` or if `cpu_template` is specified. * Fixed inconsistent behaviour of the `PUT` method for `/machine-config` that would reset the `track_dirty_pages` parameter to `false` if it was not specified in the JSON body of the request, but left the `cpu_template` parameter intact if it was not present in the request. Now a `PUT` request for `/machine-config` will reset all optional parameters (`smt`, `cpu_template`, `track_dirty_pages`) to their default values if they are not specified in the `PUT` request. * Fixed incosistency in the swagger definition with the current state of the `/vm/config` endpoint.
Added * Added jailer option `--parent-cgroup <relative_path>` to allow the placement of microvm cgroups in custom cgroup nested hierarchies. The default value is `<exec-file>` which is backwards compatible to the behavior before this change. * Added jailer option `--cgroup-version <1|2>` to support running the jailer on systems that have cgroup-v2. Default value is `1` which means that if `--cgroup-version` is not specified, the jailer will try to create cgroups on cgroup-v1 hierarchies only. * Added `--http-api-max-payload-size` parameter to configure the maximum payload size for PUT and PATCH requests. * Limit MMDS data store size to `--http-api-max-payload-size`. * Cleanup all environment variables in Jailer. * Added metrics for accesses to deprecated HTTP and command line API endpoints. * Added permanent HTTP endpoint for `GET` on `/version` for getting the Firecracker version. * Added `--metadata` parameter to enable MMDS content to be supplied from a file allowing the MMDS to be used when using `--no-api` to disable the API server. * Checksum file for the release assets. * Added support for custom headers to MMDS requests. Accepted headers are: `X-metadata-token`, which accepts a string value that provides a session token for MMDS requests; and `X-metadata-token-ttl-seconds`, which specifies the lifetime of the session token in seconds. * Support and validation for host and guest kernel 5.10. * A [kernel support policy](docs/kernel-policy.md). * Added `io_engine` to the pre-boot block device configuration. Possible values: `Sync` (the default option) or `Async` (only available for kernels newer than 5.10.51). The `Async` variant introduces a block device engine that uses io_uring for executing requests asynchronously, which is in **developer preview** (NOT for production use). See `docs/api_requests/block-io-engine.md`. * Added `block.io_engine_throttled_events` metric for measuring the number of virtio events throttled because of the IO engine. * New optional `version` field to PUT requests towards `/mmds/config` to configure MMDS version. Accepted values are `V1` and `V2` and default is `V1`. MMDS `V2` is **developer preview only** (NOT for production use) and it does not currently work after snapshot load. * Mandatory `network_interfaces` field to PUT requests towards `/mmds/config` which contains a list of network interface IDs capable of forwarding packets to MMDS. Changed * Removed the `--node` jailer parameter. * Deprecated `vsock_id` body field in `PUT`s on `/vsock`. * Removed the deprecated the `--seccomp-level parameter`. * `GET` requests to MMDS require a session token to be provided through `X-metadata-token` header when using V2. * Allow `PUT` requests to MMDS in order to generate a session token to be used for future `GET` requests when version 2 is used. * Remove `allow_mmds_requests` field from the request body that attaches network interfaces. Specifying interfaces that allow forwarding requests to MMDS is done by adding the network interface's ID to the `network_interfaces` field of PUT `/mmds/config` request's body. * Renamed `/machine-config` `ht_enabled` to `smt`. * `smt` field is now optional on PUT `/machine-config`, defaulting to `false`. * Configuring `smt: true` on aarch64 via the API is forbidden. Fixed * Fixed incorrect propagation of init parameters in kernel commandline. Related to: [firecracker-microvm#2709](firecracker-microvm#2709). * Adapt T2 and C3 CPU templates for kernel 5.10. Firecracker was not previously masking some CPU features of the host or emulated by KVM, introduced in more recent kernels: `umip`, `vmx`, `avx512_vnni`. * Fix jailer's cgroup implementation to accept properties that contain multiple dots.
Fixed * Adapt T2 and C3 CPU templates for kernel 5.10. Firecracker was not previously masking some CPU features of the host or emulated by KVM, introduced in more recent kernels: `umip`, `vmx`, `avx512_vnni`. * Fixed incorrect propagation of init parameters in kernel commandline. Related to: [firecracker-microvm#2709](firecracker-microvm#2709).
Added * Added devtool build `--ssh-keys` flag to support fetching from private git repositories. * Added option to configure block device flush. * Added `--new-pid-ns` flag to the Jailer in order to spawn the Firecracker process in a new PID namespace. * Added API metrics for `GET`, `PUT` and `PATCH` requests on `/mmds` endpoint. * Added `--describe-snapshot` flag to Firecracker to fetch the data format version of a snapshot state file provided as argument. * Added `--no-seccomp` parameter for disabling the default seccomp filters. * Added `--seccomp-filter` parameter for supplying user-provided, custom filters. * Added the `seccompiler-bin` binary that is used to compile JSON seccomp filters into serialized BPF for Firecracker consumption. * Snapshotting support for GICv2 enabled guests. * Added `devtool install` to deploy built binaries in `/usr/local/bin` or a given path. * Added code logic to send `VIRTIO_VSOCK_EVENT_TRANSPORT_RESET` on snapshot creation, when the Vsock device is active. The event will close active connections on the guest. * Added `GET` request on `/vm/config` that provides full microVM configuration as a JSON HTTP response. * Added `--resource-limit` flag to jailer to limit resources such as: number of file descriptors allowed at a time (with a default value of 2048) and maximum size of files created by the process. Changed * Changed Docker images repository from DockerHub to Amazon ECR. * Fixed off-by-one error in virtio-block descriptor address validation. * Changed the `PATCH` request on `/balloon/statistics` to schedule the first statistics update immediately after processing the request. * Deprecated the `--seccomp-level parameter`. It will be removed in a future release. Using it logs a runtime warning. * Experimental gnu libc builds use empty default seccomp filters, allowing all system calls. Fixed * Fixed non-compliant check for the RTC device ensuring a fixed 4-sized data buffer. * Unnecessary interrupt assertion was removed from the RTC. However, a dummy interrupt is still allocated for snapshot compatibility reasons. * Fixed the SIGPIPE signal handler so Firecracker no longer exits. The signal is still recorded in metrics and logs. * Fixed ballooning API definitions by renaming all fields which mentioned "MB" to use "MiB" instead. * Snapshot related host files (vm-state, memory, block backing files) are now flushed to their backing mediums as part of the CreateSnapshot operation. * Fixed the SSBD mitigation not being enabled on `aarch64` with the provided `prod-host-setup.md`. * Fixed the balloon statistics not working after a snapshot restore event. * The `utc_timestamp_ms` now reports the timestamp in ms from the UTC UNIX Epoch, as the name suggests. It was previously using a monotonic clock with an undefined starting point.
PreviousNext