-------------------------------------------------------------------
Wed Jun 25 04:40:45 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.12.1:
* Fixed
- #5277: Fixed a bug allowing the block device to starve all
other devices when backed by a sufficiently slow drive.
-------------------------------------------------------------------
Fri May 09 05:53:40 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.12.0:
* Added
- #5048: Added support for PVH boot mode. This is used when an
x86 kernel provides the appropriate ELF Note to indicate that
PVH boot mode is supported. Linux kernels newer than 5.0
compiled with CONFIG_PVH=y set this ELF Note, as do FreeBSD
kernels.
- #5065: Added support for Intel AMX (Advanced Matrix
Extensions). To be able to take and restore a snapshot of
Intel AMX state, Xsave is used instead of kvm_xsave, so users
need to regenerate snapshots.
- #4731: Added support for modifying the host TAP device name
during snapshot restore.
- #5146: Added Intel Sapphire Rapids as a supported and tested
platform for Firecracker.
- #5148: Added ARM Graviton4 as a supported and tested platform
for Firecracker.
* Changed
- #5118: Cleared WAITPKG CPUID bit in CPUID normalization. The
feature enables a guest to put a physical processor into an
idle state, which is undesirable in a FaaS environment since
that is what the host wants to decide.
- #5142: Clarified what CPU models are supported by each
existing CPU template. Firecracker exits with an error if a
CPU template is used on an unsupported CPU model.
* Deprecated
- #4948: Deprecated the page_size_kib field in the UFFD
handshake, and replaced it with a page_size field. The
page_size_kib field is misnamed, as the value Firecracker
sets it to is actually the page size in bytes, not KiB. It
will be removed in Firecracker 2.0.
* Fixed
- #5074: Fix the SendCtrlAltDel command not working for
ACPI-enabled guest kernels, by dropping the i8042.nopnp
argument from the default kernel command line Firecracker
constructs.
- #5122: Keep the UFFD Unix domain socket open to prevent the
race condition between the guest memory mappings message and
the shutdown event that was sometimes causing arrival of an
empty message on the UFFD handler side.
- #5143: Fixed to report process_startup_time_us and
process_startup_time_cpu_us metrics for api_server right
after the API server starts; previously they were reported
before applying the seccomp filter and starting the API
server. Users may observe slightly longer startup time
metrics.
* Dependencies
- build(deps): Bump the firecracker group with 4 updates
- build(deps): Bump the firecracker group across 1 directory
with 8 updates
- chore: update bincode to 2.0
- build(deps): Bump the firecracker group with 13 updates
- chore: bump devctr version
- build(deps): Bump the firecracker group across 1 directory
with 33 updates
- chore: Update fingerprint
-------------------------------------------------------------------
Thu Apr 17 18:25:24 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- BuildRequire cargo and rust without the constraint for 1.82
-------------------------------------------------------------------
Tue Mar 18 13:34:58 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.11.0:
* Added
- #4987: Reset physical counter register (CNTPCT_EL0) on VM
startup. This avoids the VM reading the host physical counter
value. This is only possible on 6.4 and newer kernels. For
older kernels the physical counter will still be passed to the
guest unmodified. See more info here
- #5088: Added AMD Genoa as a supported and tested platform for
Firecracker.
* Changed
- #4913: Removed unnecessary fields (max_connections and
max_pending_resets) from the snapshot format, bumping the
snapshot version to 5.0.0. Users need to regenerate
snapshots.
- #4926: Replaced the in-house seccompiler implementation with
libseccomp, which produces smaller and more optimized BPF
code.
* Fixed
- #4921: Fixed swagger CpuConfig definition to include missing
aarch64-specific fields.
- #4916: Fixed IovDeque implementation to work with any host
page size. This fixes virtio-net device on non 4K host
kernels.
- #4991: Fixed mem_size_mib and track_dirty_pages being
mandatory for all PATCH /machine-config requests. Now, they
can be omitted which leaves these parts of the machine
configuration unchanged.
- #5007: Fixed watchdog softlockup warning on x86_64 guests
when a vCPU is paused during GDB debugging.
- #5021: If a balloon device is inflated post UFFD-backed
snapshot restore, Firecracker now causes remove UFFD messages
to be sent to the UFFD handler. Previously, no such message
would be sent.
- #5034: Fix an integer underflow in the jailer when computing
the value it passes to Firecracker's --parent-cpu-time-us
values, which caused development builds of Firecracker to
crash (but production builds were unaffected as underflows do
not panic in release mode).
- #5045: Fixed an issue where firecracker intermittently
receives SIGHUP when using jailer with --new-pid-ns but
without --daemonize.
- #4995: Firecracker no longer overwrites CPUID leaf 0x80000000
when running AMD hardware, meaning the guest can now discover
a greater range of CPUID leaves in the extended function
range (this range is host kernel dependent).
- #5046: Retry KVM_CREATE_VM on EINTR, which occasionally
happens on heavily loaded hosts, to improve reliability of
microVM creation.
- #5052: Build the empty seccomp policy as default for debug
builds to avoid crashes on syscalls introduced by debug
assertions from Rust 1.80.0.
-------------------------------------------------------------------
Mon Dec 02 10:04:57 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.10.1:
* chore: bump version to 1.10.1
* chore: Bump snapshot version
-------------------------------------------------------------------
Mon Nov 11 18:15:54 UTC 2024 - kskarthik@disroot.org
- Update to version 1.10.0:
* Added
- #4834: Add VIRTIO_NET_F_RX_MRGBUF support to the virtio-net
device. When this feature is negotiated, guest virtio-net
driver can perform more efficient memory management which in
turn improves RX and TX performance.
- #4460: Add a call to KVM_KVMCLOCK_CTRL after pausing vCPUs on
x86_64 architectures. This ioctl sets a flag in the KVM state
of the vCPU indicating that it has been paused by the host
userspace. In guests that use kvmclock, the soft lockup
watchdog checks this flag. If it is set, it won't trigger the
lockup condition. Calling the ioctl for guests that don't use
kvmclock will fail. These failures are not fatal. We log the
failure and increase the vcpu.kvmclock_ctrl_fails metric.
- #4869: Added support for Aarch64 systems which feature CPU
caches with a number of sets higher than u16::MAX.
- #4797, #4854: Added GDB debugging support for a microVM guest
kernel. Please see our GDB debugging documentation for more
information.
* Changed
- #4844: Upgrade virtio-net device to use readv syscall to
avoid unnecessary memory copies on RX path, increasing the RX
performance.
* Removed
- #4804: Drop support for guest kernel 4.14. Linux 4.14 reached
end-of-life in January 2024. The minimum supported guest
kernel now is 5.10.
* Fixed
- #4796: Fixed Vsock not notifying guest about
TRANSPORT_RESET_EVENT event after snapshot restore. This
resulted in guest waiting indefinitely on a connection which
was reset during snapshot creation.
- #4790: v1.9.0 was missing most of the debugging information
in the debuginfo file, due to a change in the Cargo defaults.
This has been corrected.
- #4826: Add missing configuration of tap offload features when
restoring from a snapshot. Setting the features was
previously moved from net device creation to device
activation time, but it was not reflected in the restore
path. This was leading to inability to connect to the
restored VM if the offload features were used.
-------------------------------------------------------------------
Thu Sep 26 13:18:02 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.9.0:
* Added
- #4687: Added VMGenID support for microVMs running on ARM
hosts with 6.1 guest kernels. Support for VMGenID via
DeviceTree bindings exists only on mainline 6.10 Linux
onwards. Users of Firecracker will need to backport the
relevant patches on top of their 6.1 kernels to make use of
the feature.
- #4732, #4733, #4741, #4746: Added official support for 6.1
microVM guest kernels.
* Changed
- nothing
* Deprecated
- Support for guest kernel 4.14 is now deprecated. We will
completely remove 4.14 support with Firecracker version v1.10.
* Removed
- #4689: Drop support for host kernel 4.14. Linux 4.14 reached
end-of-life in January 2024. The minimum supported kernel now
is 5.10. Guest kernel 4.14 is still supported.
* Fixed
- #4680: Fixed an issue (#4659) where the virtio-net device
implementation would always assume the guest accepts all
VirtIO features the device offers. This is always true with
the Linux guest kernels we are testing but other kernels,
like FreeBSD make different assumptions. This PR fixes the
emulation code to set the TAP features based on the features
accepted by the guest.
- Update to version 1.8.0:
* Added
- #4428: Added ACPI support to Firecracker for x86_64 microVMs.
Currently, we pass ACPI tables with information about the
available vCPUs, interrupt controllers, VirtIO and legacy x86
devices to the guest. This allows booting kernels without
MPTable support. Please see our kernel policy documentation
for more information regarding relevant kernel
configurations.
- #4487: Added support for the Virtual Machine Generation
Identifier (VMGenID) device on x86_64 platforms. VMGenID is a
virtual device that allows VMMs to notify guests when they
are resumed from a snapshot. Linux includes VMGenID support
since version 5.18. It uses notifications from the device to
reseed its internal CSPRNG. Please refer to snapshot support
and random for clones documentation for more info on VMGenID.
VMGenID state is part of the snapshot format of Firecracker.
As a result, Firecracker snapshot version is now 2.0.0.
* Changed
- #4492: Changed --config parameter of cpu-template-helper
optional. Users no longer need to prepare kernel, rootfs and
Firecracker configuration files to use cpu-template-helper.
- #4537: Changed T2CL template to pass through bits 27 and 28 of
MSR_IA32_ARCH_CAPABILITIES (RFDS_NO and RFDS_CLEAR) since KVM
considers them able to be passed through and T2CL isn't
designed for secure snapshot migration between different
processors.
- #4537: Changed T2S template to set bit 27 of
MSR_IA32_ARCH_CAPABILITIES (RFDS_NO) to 1 since it assumes
that the fleet only consists of processors that are not
affected by RFDS.
- #4388: Avoid setting kvm_immediate_exit to 1 if we are already
handling an exit, or if the vCPU is stopped. This avoids a
spurious KVM exit upon restoring snapshots.
- #4567: Do not initialize vCPUs in powered-off state upon
snapshot restore. No functional change, as vCPU
initialization is only relevant for the booted case (where
the guest expects CPUs to be powered off).
* Deprecated
- Firecracker's --start-time-cpu-us and --start-time-us
parameters are deprecated and will be removed in v2.0 or
later. They are used by the jailer to pass the value that
should be subtracted from the (CPU) time, when emitting the
start_time_us and start_time_cpu_us metrics. These parameters
were never meant to be used by end customers, and we
recommend doing any such time adjustments outside
Firecracker.
- Booting with microVM kernels that rely on MPTable on x86_64
is deprecated and support will be removed in v2.0 or later.
We suggest to users of Firecracker to use guest kernels with
ACPI support. For x86_64 microVMs, ACPI will be the only way
Firecracker passes hardware information to the guest once
MPTable support is removed.
* Fixed
- #4526: Added a check in the network TX path that the size of
the network frames the guest passes to us is not bigger than
the maximum frame the device expects to handle. On the TX
path, we copy frames destined to MMDS from guest memory to
Firecracker memory. Without the check, a mis-behaving
virtio-net driver could cause an increase in the memory
footprint of the Firecracker process. Now, if we receive such
a frame, we ignore it and increase Net::tx_malformed_frames
metric.
- #4536: Make the first differential snapshot taken after a
full snapshot contain only the set of memory pages changed
since the full snapshot. Previously, these differential
snapshots would contain all memory pages. This will result in
potentially much smaller differential snapshots after a full
snapshot.
- #4578: Fix UFFD support not being forward-compatible with new
ioctl options introduced in Linux 6.6. See also
bytecodealliance/userfaultfd-rs#61.
- #4630: On x86_64, when taking a snapshot, if a vCPU has
MSR_IA32_TSC_DEADLINE set to 0, Firecracker will replace it
with the MSR_IA32_TSC value from the same vCPU. This is to
guarantee that the vCPU will continue receiving TSC
interrupts after restoring from the snapshot even if an
interrupt is lost when taking a snapshot.
- #4666: Fixed Firecracker sometimes restoring
MSR_IA32_TSC_DEADLINE before MSR_IA32_TSC. Now it always
restores MSR_IA32_TSC_DEADLINE MSR after MSR_IA32_TSC, as KVM
relies on the guest TSC for correct restoration of
MSR_IA32_TSC_DEADLINE. This fixed guests using the
TSC_DEADLINE hardware feature receiving incorrect timer
interrupts after snapshot restoration, which could lead to
them seemingly getting stuck in sleep-related syscalls (see
also #4099).
- Update to version 1.7.0:
* Added
- #4346: Added support to emit aggregate (minimum/maximum/sum)
latency for VcpuExit::MmioRead, VcpuExit::MmioWrite,
VcpuExit::IoIn and VcpuExit::IoOut. The average for these VM
exits is not emitted since it can be deduced from the
available emitted metrics.
- #4360: Added dev-preview support for backing a VM's guest
memory by 2M hugetlbfs pages. Please see the documentation
for more information
- #4490: Added block and net device metrics for file/tap access
latencies and queue backlog lengths, which can be used to
analyse saturation of the Firecracker VMM thread and
underlying layers. Queue backlog length metrics are flushed
periodically. They can be used to estimate an average queue
length by request by dividing its value by the number of
requests served.
* Changed
- #4230: Changed microVM snapshot format version strategy.
Firecracker snapshot format now has a version that is
independent of Firecracker version. The current version of
the snapshot format is v1.0.0. From now on, the Firecracker
binary will define the snapshot format version it supports
and it will only be able to load snapshots with format that
is backwards compatible with that version. Users can pass the
--snapshot-version flag to the Firecracker binary to see its
supported snapshot version format. This change renders all
previous Firecracker snapshots (up to Firecracker version
v1.6.0) incompatible with the current Firecracker version.
- #4449: Added information about page size to the payload
Firecracker sends to the UFFD handler. Each memory region
object now contains a page_size_kib field. See also the
hugepages documentation.
- #4501: Only use memfd to back guest memory if a
vhost-user-blk device is configured, otherwise use anonymous
private memory. This is because serving page faults of shared
memory used by memfd is slower and may impact workloads.
* Fixed
- #4409: Fixed a bug in the cpu-template-helper that made it
panic during conversion of cpu configuration with SVE
registers to the cpu template on aarch64 platform. Now
cpu-template-helper will print warnings if it encounters SVE
registers during the conversion process. This is because cpu
templates are limited to only modify registers less than 128
bits.
- #4413: Fixed a bug in Firecracker that prevented it from
restoring snapshots of VMs that had SVE enabled.
- #4414: Made PATCH requests to the /machine-config endpoint
transactional, meaning Firecracker's configuration will be
unchanged if the request returns an error. This fixes a bug
where a microVM with incompatible balloon and guest memory
size could be booted, due to the check for this condition
happening after Firecracker's configuration was updated.
- #4259: Added a double fork mechanism in the Jailer to avoid
setsid() failures that occurred while running Jailer as the
process group leader. However, this changed the behaviour of
Jailer and now the Firecracker process will always have a
different PID than the Jailer process.
- #4436: Added a "Known Limitations" section in the Jailer docs
to highlight the above change in behaviour introduced in
PR#4259.
- #4442: As a solution to the change in behaviour introduced in
PR#4259, provided a mechanism to reliably fetch Firecracker
PID. With this change, Firecracker process's PID will always
be available in the Jailer's root directory regardless of
whether new_pid_ns was set.
- #4468: Fixed a bug where a client would hang or timeout when
querying for an MMDS path whose content is empty, because the
'Content-Length' header field was missing in a response.
- Update to version 1.6.0:
* Added
- #4145: Added support for per net device metrics. In addition
to aggregate metrics net, each individual net device will
emit metrics under the label "net_{iface_id}". E.g. the
associated metrics for the endpoint
"/network-interfaces/eth0" will be available under "net_eth0"
in the metrics json object.
- #4202: Added support for per block device metrics. In
addition to aggregate metrics block, each individual block
device will emit metrics under the label "block_{drive_id}".
E.g. the associated metrics for the endpoint
"/drives/{drive_id}" will be available under "block_drive_id"
in the metrics json object.
- #4205: Added a new vm-state subcommand to info-vmstate
command in the snapshot-editor tool to print MicrovmState of
vmstate snapshot file in a readable format. Also made the
vcpu-states subcommand available on x86_64.
- #4063: Added source-level instrumentation based tracing. See
tracing for more details.
- #4138, #4170, #4223, #4247, #4226: Added developer preview
only (NOT for production use) support for vhost-user block
devices. Firecracker implements a vhost-user frontend. Users
are free to choose from existing open source backend
solutions or their own implementation. Known limitation:
snapshotting is not currently supported for microVMs
containing vhost-user block devices. See the related doc page
for details. The device emits metrics under the label
"vhost_user_{device}_{drive_id}".
* Changed
- #4309: The jailer’s option --parent-cgroup will move the
process to that cgroup if no cgroup options are provided.
- Simplified and clarified the removal policy of deprecated API
elements to follow semantic versioning 2.0.0. For more
information, please refer to this GitHub discussion.
- #4180: Refactored error propagation to avoid logging and
printing an error on exits with a zero exit code. Now, on
successful exit “Firecracker exited successfully” is logged.
- #4194: Removed support for creating Firecracker snapshots
targeting older versions of Firecracker. With this change,
running ‘firecracker --version’ will not print the supported
snapshot versions.
- #4301: Allow merging of diff snapshots into base snapshots by
directly writing the diff snapshot on top of the base
snapshot’s memory file. This can be done by setting the
mem_file_path to the path of the pre-existing full snapshot.
* Deprecated
- #4209: rebase-snap tool is now deprecated. Users should use
snapshot-editor for rebasing diff snapshots.
* Fixed
- #4171: Fixed a bug that ignored the --show-log-origin option,
preventing it from printing the source code file of the log
messages.
- #4178: Fixed a bug reporting a non-zero exit code on
successful shutdown when starting Firecracker with --no-api.
- #4261: Fixed a bug where Firecracker would log
“RunWithApiError error: MicroVMStopped without an error:
GenericError” when exiting after encountering an emulation
error. It now correctly prints “RunWithApiError error:
MicroVMStopped with an error: GenericError”.
- #4242: Fixed a bug introduced in #4047 that limited the
--level option of logger to Pascal-cased values (e.g.
accepting “Info”, but not “info”). It now ignores case again.
- #4286: Fixed a bug in the asynchronous virtio-block engine
that rendered the device non-functional after a PATCH request
was issued to Firecracker for updating the path to the
host-side backing file of the device.
- #4301: Fixed a bug where if Firecracker was instructed to
take a snapshot of a microvm which itself was restored from a
snapshot, specifying mem_file_path to be the path of the
memory file from which the microvm was restored would result
in both the microvm and the snapshot being corrupted. It now
instead performs a “write-back” of all memory that was
updated since the snapshot was originally loaded.
- Update to version 1.5.1:
* Added
- #4287: Document a caveat to the jailer docs when using the
--parent-cgroup option, which results in it being ignored by
the jailer. Refer to the jailer documentation for a
workaround.
* Changed
- #4191: Refactored error propagation to avoid logging and
printing an error on exits with a zero exit code. Now, on
successful exit "Firecracker exited successfully" is logged.
* Fixed
- #4277: Fixed a bug that ignored the --show-log-origin option,
preventing it from printing the source code file of the log
messages.
- #4179: Fixed a bug reporting a non-zero exit code on
successful shutdown when starting Firecracker with --no-api.
- #4271: Fixed a bug where Firecracker would log
"RunWithApiError error: MicroVMStopped without an error:
GenericError" when exiting after encountering an emulation
error. It now correctly prints "RunWithApiError error:
MicroVMStopped with an error: GenericError".
- #4270: Fixed a bug introduced in #4047 that limited the
--level option of logger to Pascal-cased values (e.g.
accepting "Info", but not "info"). It now ignores case again.
- #4295: Fixed a bug in the asynchronous virtio-block engine
that rendered the device non-functional after a PATCH request
was issued to Firecracker for updating the path to the
host-side backing file of the device.
- Update to version 1.5.0:
* Added
- #3837: Added official support for Linux 6.1. See
prod-host-setup for some security and performance
considerations.
- #4045 and #4075: Added snapshot-editor tool for modifications
of snapshot files. It allows for rebasing of memory snapshot
files, printing and removing aarch64 registers from the
vmstate and obtaining snapshot version.
- #3967: Added new fields to the custom CPU templates. (aarch64
only) vcpu_features field allows modifications of vCPU
features enabled during vCPU initialization. kvm_capabilities
field allows modifications of KVM capability checks that
Firecracker performs during boot. If any of these fields are
in use, minimal target snapshot version is restricted to 1.5.
* Changed
- Updated deserialization of bitmap for custom CPU templates to
allow usage of '_' as a separator.
- Changed the strip feature of cpu-template-helper tool to
operate bitwise.
- Better logs during validation of CPU ID in snapshot
restoration path. Also Firecracker now does not fail if it
can't get CPU ID from the host or can't find CPU ID in the
snapshot.
- Changed the serial device to only try to initialize itself if
stdin is a terminal or a FIFO pipe. This fixes logged
warnings about the serial device failing to initialize if the
process is daemonized (in which case stdin is /dev/null
instead of a terminal).
- Changed to show a warning message when launching a microVM
with C3 template on a processor prior to Intel Cascade Lake,
because the guest kernel does not apply the mitigation
against MMIO stale data vulnerability when it is running on a
processor that does not enumerate FBSDP_NO, PSDP_NO and
SBDR_SSDP_NO on IA32_ARCH_CAPABILITIES MSR.
- Made Firecracker resize its file descriptor table on process
start. It now preallocates the in-kernel fdtable to hold
RLIMIT_NOFILE many fds (or 2048 if no limit is set). This
avoids the kernel reallocating the fdtable during Firecracker
operations, resulting in a 30ms to 70ms reduction of snapshot
restore times for medium to large microVMs with many devices
attached.
- Changed the dump feature of cpu-template-helper tool not to
enumerate program counter (PC) on ARM because it is
determined by the given kernel image and it is useless in the
custom CPU template context.
- The ability to create snapshots for an older version of
Firecracker is now deprecated. As a result, the version body
field in PUT on /snapshot/create request is deprecated.
- Added support for the /dev/userfaultfd device available on
linux kernels >= 6.1. This is the default for creating UFFD
handlers on these kernel versions. If it is unavailable,
Firecracker falls back to the userfaultfd syscall.
- Deprecated cpu_template field in PUT and PATCH requests on
/machine-config API, which is used to set a static CPU
template. Custom CPU templates added in v1.4.0 are available
as an improved iteration of the static CPU templates. For
more information about the transition from static CPU
templates to custom CPU templates, please refer to this
GitHub discussion.
- Changed default log level from Warn to Info. This results in
more logs being output by default.
* Fixed
- Fixed a change in behavior of normalize host brand string
that breaks Firecracker on external instances.
- Fixed the T2A CPU template not to unset the MMX bit
(CPUID.80000001h:EDX[23]) and the FXSR bit
(CPUID.80000001h:EDX[24]).
- Fixed the T2A CPU template to set the RstrFpErrPtrs bit
(CPUID.80000008h:EBX[2]).
- Fixed a bug where Firecracker would crash during boot if a
guest set up a virtio queue that partially overlapped with
the MMIO gap. Now Firecracker instead correctly refuses to
activate the corresponding virtio device.
- Fixed the T2CL CPU template to pass through security
mitigation bits that are listed by KVM as bits able to be
passed through. By making the most use of the available
hardware security mitigations on a processor that a guest is
running on, the guest might be able to benefit from
performance improvements.
- Fixed the T2S CPU template to set the GDS_NO bit of the
IA32_ARCH_CAPABILITIES MSR to 1 in accordance with an Intel
microcode update. To use the template securely, users should
apply the latest microcode update on the host.
- Fixed the spelling of the nomodule param passed in the
default kernel command line parameters. This is a breaking
change for setups that use the default kernel command line
which also depend on being able to load kernel modules at
runtime. This may also break setups which use the default
kernel command line and which use an init binary that
inadvertently depends on the misspelled param ("nomodules")
being present at the command line, since this param will no
longer be passed.
-------------------------------------------------------------------
Tue Oct 10 14:01:39 UTC 2023 - Andrea Manzini <andrea.manzini@suse.com>
- Update to 1.4.1:
* Fixed a change in behavior of normalize host brand string that breaks
Firecracker on external instances.
* Fixed the T2A CPU template not to unset the MMX bit (CPUID.80000001h:EDX[23])
and the FXSR bit (CPUID.80000001h:EDX[24]).
* Fixed the T2A CPU template to set the RstrFpErrPtrs bit
(CPUID.80000008h:EBX[2]).
- Update to 1.4.0:
Added
* Added support for custom CPU templates allowing users to adjust vCPU features
exposed to the guest via CPUID, MSRs and ARM registers.
* Introduced V1N1 static CPU template for ARM to represent Neoverse V1 CPU
as Neoverse N1.
* Added support for the virtio-rng entropy device. The device is optional. A
single device can be enabled per VM using the /entropy endpoint.
* Added a cpu-template-helper tool for assisting with creating and managing
custom CPU templates.
Changed
* Set FDP_EXCPTN_ONLY bit (CPUID.7h.0:EBX[6]) and ZERO_FCS_FDS bit
(CPUID.7h.0:EBX[13]) in Intel's CPUID normalization process.
Fixed
* Fixed feature flags in T2S CPU template on Intel Ice Lake.
* Fixed CPUID leaf 0xb to be exposed to guests running on AMD host.
* Fixed a performance regression in the jailer logic for closing open file
descriptors.
* A race condition that has been identified between the API thread and the VMM
thread due to a misconfiguration of the api_event_fd.
* Fixed CPUID leaf 0x1 to disable perfmon and debug feature on x86 host.
* Fixed passing through cache information from host in CPUID leaf 0x80000006.
* Fixed the T2S CPU template to set the RRSBA bit of the IA32_ARCH_CAPABILITIES
MSR to 1 in accordance with an Intel microcode update.
* Fixed the T2CL CPU template to pass through the RSBA and RRSBA bits of the
IA32_ARCH_CAPABILITIES MSR from the host in accordance with an Intel microcode
update.
* Fixed passing through cache information from host in CPUID leaf 0x80000005.
* Fixed the T2A CPU template to disable SVM (nested virtualization).
* Fixed the T2A CPU template to set EferLmsleUnsupported bit
(CPUID.80000008h:EBX[20]), which indicates that EFER[LMSLE] is not supported.
- Update to 1.3.3:
* Fixed passing through cache information from host in CPUID leaf 0x80000006.
-------------------------------------------------------------------
Thu May 18 06:17:40 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
- Update to 1.3.2:
Added
* Introduced T2CL (Intel) and T2A (AMD) CPU templates to provide
instruction set feature parity between Intel and AMD CPUs when using
these templates.
* Added Graviton3 support (c7g instance type).
Changed
* Improved error message when an invalid network backend is provided.
* Improved TCP throughput by between 5% and 15% (depending on CPU) by using
scatter-gather I/O in the net device's TX path.
* Upgraded Rust toolchain from 1.64.0 to 1.66.0.
* Made seccompiler output bit-reproducible.
Fixed
* Fixed feature flags in T2 CPU template on Intel Ice Lake.
* A race condition that has been identified between the API thread and the VMM
thread due to a misconfiguration of the api_event_fd.
-------------------------------------------------------------------
Mon Dec 19 10:44:16 UTC 2022 - Andrea Manzini <andrea.manzini@suse.com>
- Update to version 1.2.0
* Added a new CPU template called T2S
* Added a new CLI option --metrics-path PATH
* Added baselines for m6i.metal and m6a.metal
* Changed the jailer option --exec-file to fail if the filename does not
contain the string firecracker
* Updated Rust toolchain and all dependencies to their respective newest versions
* Made the T2 template more robust by explicitly disabling additional
CPUID flags that should be off
* Now MAC address is correctly displayed when queried with GET /vm/config
* Fixed a self-DoS scenario in the virtio-queue code
* Fixed the bad handling of kernel cmdline parameters when init arguments were
provided via JSON PUT /boot-source request
* Fixed a bug on ARM64 hosts where the upper 64 bits of the V0-V31 FP/SIMD
registers were not saved correctly
-------------------------------------------------------------------
Sat Oct 1 17:55:05 UTC 2022 - Liang Yan <lyan@opensuse.org>
- Update firecracker to version 1.1.1
https://github.com/firecracker-microvm/firecracker/releases/tag/v1.1.1
https://github.com/firecracker-microvm/firecracker/releases/tag/v1.1.0
- Add build dependency clang
- Update cargo_config based on new vendor
-------------------------------------------------------------------
Mon Jun 20 03:26:38 UTC 2022 - William Brown <william.brown@suse.com>
- Automatic update of vendored dependencies
-------------------------------------------------------------------
Tue May 24 06:33:07 UTC 2022 - William Brown <william.brown@suse.com>
- Automatic update of vendored dependencies
- Remove 0001-cargo-update-regex-dependency.patch due to update of
vendored dependencies
-------------------------------------------------------------------
Wed Mar 16 13:17:24 UTC 2022 - Liang Yan <lyan@opensuse.org>
- Bump rust to 1.46.0 for vmm-sys-util building
https://blog.rust-lang.org/2020/08/27/Rust-1.46.0.html#const-fn-improvements
- Bump Regex crate to 1.5.5
(CVE-2022-24713, boo#1196972)
0001-cargo-update-regex-dependency.patch
-------------------------------------------------------------------
Mon Feb 14 01:02:21 UTC 2022 - Liang Yan <ly@xryan.net>
- Update firecracker to version 1.0.0
Details can be found below:
https://github.com/firecracker-microvm/firecracker/releases/tag/v1.0.0
* Patches dropped:
0001-dependencies-Included-vm-fdt-crate.patch
0002-vm-fdt-Replace-libfdt-with-vm-fdt.patch
0003-libfdt-bindings-Deleted-libfdt-bindings-crate.patch
-------------------------------------------------------------------
Tue Sep 14 23:45:26 UTC 2021 - Liang Yan <lyan@suse.com>
- Replace libfdt with vm-fdt.
0001-dependencies-Included-vm-fdt-crate.patch
0002-vm-fdt-Replace-libfdt-with-vm-fdt.patch
0003-libfdt-bindings-Deleted-libfdt-bindings-crate.patch
-------------------------------------------------------------------
Wed Sep 8 22:16:33 UTC 2021 - Liang Yan <lyan@suse.com>
- Update firecracker to version 0.25.0
Add workspace to firecracker. The workspace has three packages:
firecracker, jailer, seccompiler
Details can be found below:
https://github.com/firecracker-microvm/firecracker/blob/main/CHANGELOG.md
-------------------------------------------------------------------
Mon May 25 11:54:18 UTC 2020 - Liang Yan <lyan@suse.com>
- Update firecracker to version 0.19.1:
Added:
* New device: virtio-vsock, backed by Unix domain sockets.
* New command-line parameter for firecracker, named --no-api, which
will disable the API server thread. Also, when the API server is disabled,
MMDS is no longer available.
* New command-line parameter for firecracker, named --config-file, which
represents the path to a file that contains a JSON which can be used for
configuring and starting a microVM without sending any API requests.
* The jailer adheres to the "end of command options" convention, meaning
all parameters specified after -- are forwarded verbatim to Firecracker.
* Added KVM_PTP support to the recommended guest kernel config.
* Added entry in FAQ.md for Firecracker Guest timekeeping.
Changed:
* Vsock API call: PUT /vsocks/{id} changed to PUT /vsock and no longer
appears to support multiple vsock devices. Any subsequent calls to this API
endpoint will override the previous vsock device configuration.
Removed:
* Removed experimental support for vhost-based vsock devices.
* Removed unused 'Halting' and 'Halted' instance states.
-------------------------------------------------------------------
Mon May 25 11:11:56 UTC 2020 - Liang Yan <lyan@suse.com>
- Modify spec file:
* Change the group to "System/Emulators/PC" which is maintained by the virt team.
* Use "rm -f" instead of "rm" to remove spurious files
* Remove macro "_missing_doc_files_terminate_build"
-------------------------------------------------------------------
Sun May 24 01:20:05 UTC 2020 - Liang Yan <lyan@suse.com>
- Fix Tumbleweed builds by removing /usr/.crates2.json.
-------------------------------------------------------------------
Fri Sep 13 14:45:15 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Trim marketing wording from description.
-------------------------------------------------------------------
Tue Sep 10 13:47:51 UTC 2019 - Marco Vedovati <mvedovati@suse.com>
- Fix aarch64 builds
- Bump min rust version to 1.35.0
-------------------------------------------------------------------
Mon Sep 9 16:51:51 UTC 2019 - Marco Vedovati <mvedovati@suse.com>
- Update firecracker to version 0.17.0:
Added:
* New API call: PATCH /machine-config/, used to update VM configuration
before the microVM boots.
* Added an experimental swagger definition that includes the specification
for the vsock API call.
* Added a signal handler for SIGBUS and SIGSEGV that immediately terminates
the process upon intercepting the signal.
* Added documentation for signal handling utilities.
* Added [alpha] aarch64 support.
* Added metrics for successful read and write operations of MMDS, Net and
Block devices.
Changed:
* vcpu_count, mem_size_mib and ht_enabled have been changed to be mandatory
for PUT requests on /machine-config/.
* Disallow invalid seccomp levels by exiting with error.
Fixed:
* Incorrect handling of bind mounts within the jailed rootfs.
* Corrected the guide for Alpine guest setup.
-------------------------------------------------------------------
Wed May 29 11:25:08 UTC 2019 - Marco Vedovati <mvedovati@suse.com>
- Update firecracker to version 0.16.0:
* Added [alpha] AMD support.
* Corrected the seccomp filter when building with glibc.
* Removed the seccomp.bad_syscalls metric.
* Dropped the JSON-formatted context command-line parameter from Firecracker
in favor of individual classic command-line parameters.
* Improved multiple error messages.
* Removed all kernel modules from the recommended kernel config.
-------------------------------------------------------------------
Mon May 6 17:31:52 UTC 2019 - Marco Vedovati <mvedovati@suse.com>
- Fixed vsock support (needed for katacontainers interoperability)
* Use `cargo install` to build and install build artifacts
during the build phase, to avoid building the crate twice.
-------------------------------------------------------------------
Sat Mar 23 08:13:35 UTC 2019 - Flavio Castelli <fcastelli@suse.com>
- Added patches 0001-Fixed-basic-seccomp-filter-for-glibc.patch and
0002-Fixed-advanced-seccomp-filter-for-glibc.patch: change the
seccomp filtering rules to allow the execution of certain syscalls
that are used when the binary is built with glibc instead of musl.
-------------------------------------------------------------------
Fri Mar 22 21:25:39 UTC 2019 - Flavio Castelli <fcastelli@suse.com>
- Ensure build happens only on supported architectures
- Enable vsock experimental feature
-------------------------------------------------------------------
Fri Mar 15 08:18:36 UTC 2019 - opensuse Cloud User <fcastelli@suse.com>
- Make spec file arch independent
-------------------------------------------------------------------
Thu Mar 14 23:36:02 UTC 2019 - Flavio Castelli <fcastelli@suse.com>
- Initial package version 0.15.2