Tags: bchalios/firecracker
Tags
Added * Added jailer option `--parent-cgroup <relative_path>` to allow the placement of microvm cgroups in custom cgroup nested hierarchies. The default value is `<exec-file>` which is backwards compatible to the behavior before this change. * Added jailer option `--cgroup-version <1|2>` to support running the jailer on systems that have cgroup-v2. Default value is `1` which means that if `--cgroup-version` is not specified, the jailer will try to create cgroups on cgroup-v1 hierarchies only. * Added `--http-api-max-payload-size` parameter to configure the maximum payload size for PUT and PATCH requests. * Limit MMDS data store size to `--http-api-max-payload-size`. * Cleanup all environment variables in Jailer. * Added metrics for accesses to deprecated HTTP and command line API endpoints. * Added permanent HTTP endpoint for `GET` on `/version` for getting the Firecracker version. * Added `--metadata` parameter to enable MMDS content to be supplied from a file allowing the MMDS to be used when using `--no-api` to disable the API server. * Checksum file for the release assets. * Added support for custom headers to MMDS requests. Accepted headers are: `X-metadata-token`, which accepts a string value that provides a session token for MMDS requests; and `X-metadata-token-ttl-seconds`, which specifies the lifetime of the session token in seconds. * Support and validation for host and guest kernel 5.10. * A [kernel support policy](docs/kernel-policy.md). * Added `io_engine` to the pre-boot block device configuration. Possible values: `Sync` (the default option) or `Async` (only available for kernels newer than 5.10.51). The `Async` variant introduces a block device engine that uses io_uring for executing requests asynchronously, which is in **developer preview** (NOT for production use). See `docs/api_requests/block-io-engine.md`. * Added `block.io_engine_throttled_events` metric for measuring the number of virtio events throttled because of the IO engine. * New optional `version` field to PUT requests towards `/mmds/config` to configure MMDS version. Accepted values are `V1` and `V2` and default is `V1`. MMDS `V2` is **developer preview only** (NOT for production use) and it does not currently work after snapshot load. * Mandatory `network_interfaces` field to PUT requests towards `/mmds/config` which contains a list of network interface IDs capable of forwarding packets to MMDS. Changed * Removed the `--node` jailer parameter. * Deprecated `vsock_id` body field in `PUT`s on `/vsock`. * Removed the deprecated the `--seccomp-level parameter`. * `GET` requests to MMDS require a session token to be provided through `X-metadata-token` header when using V2. * Allow `PUT` requests to MMDS in order to generate a session token to be used for future `GET` requests when version 2 is used. * Remove `allow_mmds_requests` field from the request body that attaches network interfaces. Specifying interfaces that allow forwarding requests to MMDS is done by adding the network interface's ID to the `network_interfaces` field of PUT `/mmds/config` request's body. * Renamed `/machine-config` `ht_enabled` to `smt`. * `smt` field is now optional on PUT `/machine-config`, defaulting to `false`. * Configuring `smt: true` on aarch64 via the API is forbidden. Fixed * Fixed incorrect propagation of init parameters in kernel commandline. Related to: [firecracker-microvm#2709](firecracker-microvm#2709). * Adapt T2 and C3 CPU templates for kernel 5.10. Firecracker was not previously masking some CPU features of the host or emulated by KVM, introduced in more recent kernels: `umip`, `vmx`, `avx512_vnni`. * Fix jailer's cgroup implementation to accept properties that contain multiple dots.
Fixed * Adapt T2 and C3 CPU templates for kernel 5.10. Firecracker was not previously masking some CPU features of the host or emulated by KVM, introduced in more recent kernels: `umip`, `vmx`, `avx512_vnni`. * Fixed incorrect propagation of init parameters in kernel commandline. Related to: [firecracker-microvm#2709](firecracker-microvm#2709).
Added * Added devtool build `--ssh-keys` flag to support fetching from private git repositories. * Added option to configure block device flush. * Added `--new-pid-ns` flag to the Jailer in order to spawn the Firecracker process in a new PID namespace. * Added API metrics for `GET`, `PUT` and `PATCH` requests on `/mmds` endpoint. * Added `--describe-snapshot` flag to Firecracker to fetch the data format version of a snapshot state file provided as argument. * Added `--no-seccomp` parameter for disabling the default seccomp filters. * Added `--seccomp-filter` parameter for supplying user-provided, custom filters. * Added the `seccompiler-bin` binary that is used to compile JSON seccomp filters into serialized BPF for Firecracker consumption. * Snapshotting support for GICv2 enabled guests. * Added `devtool install` to deploy built binaries in `/usr/local/bin` or a given path. * Added code logic to send `VIRTIO_VSOCK_EVENT_TRANSPORT_RESET` on snapshot creation, when the Vsock device is active. The event will close active connections on the guest. * Added `GET` request on `/vm/config` that provides full microVM configuration as a JSON HTTP response. * Added `--resource-limit` flag to jailer to limit resources such as: number of file descriptors allowed at a time (with a default value of 2048) and maximum size of files created by the process. Changed * Changed Docker images repository from DockerHub to Amazon ECR. * Fixed off-by-one error in virtio-block descriptor address validation. * Changed the `PATCH` request on `/balloon/statistics` to schedule the first statistics update immediately after processing the request. * Deprecated the `--seccomp-level parameter`. It will be removed in a future release. Using it logs a runtime warning. * Experimental gnu libc builds use empty default seccomp filters, allowing all system calls. Fixed * Fixed non-compliant check for the RTC device ensuring a fixed 4-sized data buffer. * Unnecessary interrupt assertion was removed from the RTC. However, a dummy interrupt is still allocated for snapshot compatibility reasons. * Fixed the SIGPIPE signal handler so Firecracker no longer exits. The signal is still recorded in metrics and logs. * Fixed ballooning API definitions by renaming all fields which mentioned "MB" to use "MiB" instead. * Snapshot related host files (vm-state, memory, block backing files) are now flushed to their backing mediums as part of the CreateSnapshot operation. * Fixed the SSBD mitigation not being enabled on `aarch64` with the provided `prod-host-setup.md`. * Fixed the balloon statistics not working after a snapshot restore event. * The `utc_timestamp_ms` now reports the timestamp in ms from the UTC UNIX Epoch, as the name suggests. It was previously using a monotonic clock with an undefined starting point.
PreviousNext