| ------------------------------------------------------------------- |
| Wed Jun 25 04:40:45 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de> |
| |
| - Update to version 1.12.1: |
| * Fixed |
| - |
| other devices when backed by a sufficiently slow drive. |
| |
| ------------------------------------------------------------------- |
| Fri May 09 05:53:40 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de> |
| |
| - Update to version 1.12.0: |
| * Added |
| - |
| x86 kernel provides the appropriate ELF Note to indicate that |
| PVH boot mode is supported. Linux kernels newer than 5.0 |
| compiled with CONFIG_PVH=y set this ELF Note, as do FreeBSD |
| kernels. |
| - |
| Extensions). To be able to take and restore a snapshot of |
| Intel AMX state, Xsave is used instead of kvm_xsave, so users |
| need to regenerate snapshots. |
| - |
| during snapshot restore. |
| - |
| platform for Firecracker. |
| - |
| for Firecracker. |
| * Changed |
| - |
| feature enables a guest to put a physical processor into an |
| idle state, which is undesirable in a FaaS environment since |
| that is what the host wants to decide. |
| - |
| existing CPU template. Firecracker exits with an error if a |
| CPU template is used on an unsupported CPU model. |
| * Deprecated |
| - |
| handshake, and replaced it with a page_size field. The |
| page_size_kib field is misnamed, as the value Firecracker |
| sets it to is actually the page size in bytes, not KiB. It |
| will be removed in Firecracker 2.0. |
| * Fixed |
| - |
| ACPI-enabled guest kernels, by dropping the i8042.nopnp |
| argument from the default kernel command line Firecracker |
| constructs. |
| - |
| race condition between the guest memory mappings message and |
| the shutdown event that was sometimes causing arrival of an |
| empty message on the UFFD handler side. |
| - |
| process_startup_time_cpu_us metrics for api_server right |
| after the API server starts, while previously reported before |
| applying seccomp filter and starting the API server. Users |
| may observe a bit longer startup time metrics. |
| * Dependencies |
| - build(deps): Bump the firecracker group with 4 updates |
| - build(deps): Bump the firecracker group across 1 directory |
| with 8 updates |
| - chore: update bincode to 2.0 |
| - build(deps): Bump the firecracker group with 13 updates |
| - chore: bump devctr version |
| - build(deps): Bump the firecracker group across 1 directory |
| with 33 updates |
| - chore: Update fingerprint |
| |
| ------------------------------------------------------------------- |
| Thu Apr 17 18:25:24 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de> |
| |
| - BuildRequire cargo and rust without the constraint for 1.82 |
| |
| ------------------------------------------------------------------- |
| Tue Mar 18 13:34:58 UTC 2025 - opensuse_buildservice@ojkastl.de |
| |
| - Update to version 1.11.0: |
| * Added |
| - |
| startup. This avoids the VM reading the host physical counter |
| value. This is only possible on 6.4 and newer kernels. For |
| older kernels the physical counter will still be passed to the |
| guest unmodified. See more info here |
| - |
| Firecracker. |
| * Changed |
| - |
| max_pending_resets) from the snapshot format, bumping the |
| snapshot version to 5.0.0. Users need to regenerate |
| snapshots. |
| - |
| in house one in favor of libseccomp which produces smaller |
| and more optimized BPF code. |
| * Fixed |
| - |
| aarch64-specific fields. |
| - |
| page size. This fixes virtio-net device on non 4K host |
| kernels. |
| - |
| mandatory for all PATCH /machine-config requests. Now, they |
| can be omitted which leaves these parts of the machine |
| configuration unchanged. |
| - |
| when a vCPU is paused during GDB debugging. |
| - |
| snapshot restore, Firecracker now causes remove UFFD messages |
| to be sent to the UFFD handler. Previously, no such message |
| would be sent. |
| - |
| the value it passes to Firecracker's --parent-cpu-time-us |
| values, which caused development builds of Firecracker to |
| crash (but production builds were unaffected as underflows do |
| not panic in release mode). |
| - #5045: Fixed an issue where firecracker intermittently |
| receives SIGHUP when using jailer with --new-pid-ns but |
| without --daemonize. |
| - #4995: Firecracker no longer overwrites CPUID leaf 0x80000000 |
| when running on AMD hardware, meaning the guest can now discover |
| a greater range of CPUID leaves in the extended function |
| range (this range is host kernel dependent). |
| - #5046: Retry KVM_CREATE_VM on EINTR, which occasionally happens |
| on heavily loaded hosts, to improve reliability of microVM |
| creation. |
| - #5052: Build the empty seccomp policy as default for debug |
| builds to avoid crashes on syscalls introduced by debug |
| assertions from Rust 1.80.0. |
| |
| ------------------------------------------------------------------- |
| Mon Dec 02 10:04:57 UTC 2024 - opensuse_buildservice@ojkastl.de |
| |
| - Update to version 1.10.1: |
| * chore: bump version to 1.10.1 |
| * chore: Bump snapshot version |
| |
| ------------------------------------------------------------------- |
| Mon Nov 11 18:15:54 UTC 2024 - kskarthik@disroot.org |
| |
| - Update to version 1.10.0: |
| * Added |
| - #4834: Add VIRTIO_NET_F_RX_MRGBUF support to the virtio-net |
| device. When this feature is negotiated, guest virtio-net |
| driver can perform more efficient memory management which in |
| turn improves RX and TX performance. |
| - #4460: Add a call to KVM_KVMCLOCK_CTRL after pausing vCPUs on |
| x86_64 architectures. This ioctl sets a flag in the KVM state |
| of the vCPU indicating that it has been paused by the host |
| userspace. In guests that use kvmclock, the soft lockup |
| watchdog checks this flag. If it is set, it won't trigger the |
| lockup condition. Calling the ioctl for guests that don't use |
| kvmclock will fail. These failures are not fatal. We log the |
| failure and increase the vcpu.kvmclock_ctrl_fails metric. |
| - #4869: Added support for Aarch64 systems which feature CPU |
| caches with a number of sets higher than u16::MAX. |
| - #4797, #4854: Added GDB debugging support for a microVM guest |
| kernel. Please see our GDB debugging documentation for more |
| information. |
| * Changed |
| - #4844: Upgrade virtio-net device to use readv syscall to |
| avoid unnecessary memory copies on RX path, increasing the RX |
| performance. |
| * Removed |
| - #4804: Drop support for guest kernel 4.14. Linux 4.14 reached |
| end-of-life in January 2024. The minimum supported guest |
| kernel is now 5.10. |
| * Fixed |
| - #4796: Fixed Vsock not notifying guest about |
| TRANSPORT_RESET_EVENT event after snapshot restore. This |
| resulted in guest waiting indefinitely on a connection which |
| was reset during snapshot creation. |
| - #4790: v1.9.0 was missing most of the debugging information |
| in the debuginfo file, due to a change in the Cargo defaults. |
| This has been corrected. |
| - #4826: Add missing configuration of tap offload features when |
| restoring from a snapshot. Setting the features was |
| previously moved from net device creation to device |
| activation time, but it was not reflected in the restore |
| path. This was leading to inability to connect to the |
| restored VM if the offload features were used. |
| |
| ------------------------------------------------------------------- |
| Thu Sep 26 13:18:02 UTC 2024 - opensuse_buildservice@ojkastl.de |
| |
| - Update to version 1.9.0: |
| * Added |
| - #4687: Added VMGenID support for microVMs running on ARM |
| hosts with 6.1 guest kernels. Support for VMGenID via |
| DeviceTree bindings exists only on mainline 6.10 Linux |
| onwards. Users of Firecracker will need to backport the |
| relevant patches on top of their 6.1 kernels to make use of |
| the feature. |
| - #4732, #4733, #4741, #4746: Added official support for 6.1 |
| microVM guest kernels. |
| * Changed |
| - nothing |
| * Deprecated |
| - Support for guest kernel 4.14 is now deprecated. We will |
| completely remove 4.14 support with Firecracker version v1.10 |
| * Removed |
| - #4689: Drop support for host kernel 4.14. Linux 4.14 reached |
| end-of-life in January 2024. The minimum supported kernel now |
| is 5.10. Guest kernel 4.14 is still supported. |
| * Fixed |
| - #4680: Fixed an issue (#4659) where the virtio-net device |
| implementation would always assume the guest accepts all |
| VirtIO features the device offers. This is always true with |
| the Linux guest kernels we are testing but other kernels, |
| like FreeBSD make different assumptions. This PR fixes the |
| emulation code to set the TAP features based on the features |
| accepted by the guest. |
| - Update to version 1.8.0: |
| * Added |
| - #4428: Added ACPI support to Firecracker for x86_64 microVMs. |
| Currently, we pass ACPI tables with information about the |
| available vCPUs, interrupt controllers, VirtIO and legacy x86 |
| devices to the guest. This allows booting kernels without |
| MPTable support. Please see our kernel policy documentation |
| for more information regarding relevant kernel |
| configurations. |
| - #4487: Added support for the Virtual Machine Generation |
| Identifier (VMGenID) device on x86_64 platforms. VMGenID is a |
| virtual device that allows VMMs to notify guests when they |
| are resumed from a snapshot. Linux includes VMGenID support |
| since version 5.18. It uses notifications from the device to |
| reseed its internal CSPRNG. Please refer to snapshot support |
| and random for clones documentation for more info on VMGenID. |
| VMGenID state is part of the snapshot format of Firecracker. |
| As a result, Firecracker snapshot version is now 2.0.0. |
| * Changed |
| - #4492: Changed --config parameter of cpu-template-helper |
| optional. Users no longer need to prepare kernel, rootfs and |
| Firecracker configuration files to use cpu-template-helper. |
| - #4537: Changed the T2CL template to pass through bits 27 and 28 |
| of MSR_IA32_ARCH_CAPABILITIES (RFDS_NO and RFDS_CLEAR), since |
| KVM considers them safe to pass through and T2CL isn't |
| designed for secure snapshot migration between different |
| processors. |
| - |
| MSR_IA32_ARCH_CAPABILITIES (RFDS_NO) to 1 since it assumes |
| that the fleet only consists of processors that are not |
| affected by RFDS. |
| - |
| handling an exit, or if the vCPU is stopped. This avoids a |
| spurious KVM exit upon restoring snapshots. |
| - |
| snapshot restore. No functional change, as vCPU |
| initialization is only relevant for the booted case (where |
| the guest expects CPUs to be powered off). |
| * Deprecated |
| - Firecracker's --start-time-cpu-us and --start-time-us |
| parameters are deprecated and will be removed in v2.0 or |
| later. They are used by the jailer to pass the value that |
| should be subtracted from the (CPU) time, when emitting the |
| start_time_us and start_time_cpu_us metrics. These parameters |
| were never meant to be used by end customers, and we |
| recommend doing any such time adjustments outside |
| Firecracker. |
| - Booting with microVM kernels that rely on MPTable on x86_64 |
| is deprecated and support will be removed in v2.0 or later. |
| We suggest to users of Firecracker to use guest kernels with |
| ACPI support. For x86_64 microVMs, ACPI will be the only way |
| Firecracker passes hardware information to the guest once |
| MPTable support is removed. |
| * Fixed |
| - #4526: Added a check in the network TX path that the size of |
| the network frames the guest passes to us is not bigger than |
| the maximum frame the device expects to handle. On the TX |
| path, we copy frames destined to MMDS from guest memory to |
| Firecracker memory. Without the check, a mis-behaving |
| virtio-net driver could cause an increase in the memory |
| footprint of the Firecracker process. Now, if we receive such |
| a frame, we ignore it and increase Net::tx_malformed_frames |
| metric. |
| - #4536: Make the first differential snapshot taken after a |
| full snapshot contain only the set of memory pages changed |
| since the full snapshot. Previously, these differential |
| snapshots would contain all memory pages. This will result in |
| potentially much smaller differential snapshots after a full |
| snapshot. |
| - #4578: Fix UFFD support not being forward-compatible with new |
| ioctl options introduced in Linux 6.6. See also |
| bytecodealliance/userfaultfd-rs#61. |
| - #4630: On x86_64, when taking a snapshot, if a vCPU has |
| MSR_IA32_TSC_DEADLINE set to 0, Firecracker will replace it |
| with the MSR_IA32_TSC value from the same vCPU. This is to |
| guarantee that the vCPU will continue receiving TSC |
| interrupts after restoring from the snapshot even if an |
| interrupt is lost when taking a snapshot. |
| - #4666: Fixed Firecracker sometimes restoring |
| MSR_IA32_TSC_DEADLINE before MSR_IA32_TSC. Now it always |
| restores MSR_IA32_TSC_DEADLINE MSR after MSR_IA32_TSC, as KVM |
| relies on the guest TSC for correct restoration of |
| MSR_IA32_TSC_DEADLINE. This fixed guests using the |
| TSC_DEADLINE hardware feature receiving incorrect timer |
| interrupts after snapshot restoration, which could lead to |
| them seemingly getting stuck in sleep-related syscalls (see |
| also #4099). |
| - Update to version 1.7.0: |
| * Added |
| - #4346: Added support to emit aggregate (minimum/maximum/sum) |
| latency for VcpuExit::MmioRead, VcpuExit::MmioWrite, |
| VcpuExit::IoIn and VcpuExit::IoOut. The average for these VM |
| exits is not emitted since it can be deduced from the |
| available emitted metrics. |
| - #4360: Added dev-preview support for backing a VM's guest |
| memory by 2M hugetlbfs pages. Please see the documentation |
| for more information. |
| - |
| latencies and queue backlog lengths, which can be used to |
| analyse saturation of the Firecracker VMM thread and |
| underlying layers. Queue backlog length metrics are flushed |
| periodically. They can be used to estimate an average queue |
| length per request by dividing its value by the number of |
| requests served. |
| * Changed |
| - |
| Firecracker snapshot format now has a version that is |
| independent of Firecracker version. The current version of |
| the snapshot format is v1.0.0. From now on, the Firecracker |
| binary will define the snapshot format version it supports |
| and it will only be able to load snapshots with format that |
| is backwards compatible with that version. Users can pass the |
| --snapshot-version flag to the Firecracker binary to see its |
| supported snapshot version format. This change renders all |
| previous Firecracker snapshots (up to Firecracker version |
| v1.6.0) incompatible with the current Firecracker version. |
| - |
| Firecracker sends to the UFFD handler. Each memory region |
| object now contains a page_size_kib field. See also the |
| hugepages documentation. |
| - |
| vhost-user-blk device is configured, otherwise use anonymous |
| private memory. This is because serving page faults of shared |
| memory used by memfd is slower and may impact workloads. |
| * Fixed |
| - |
| panic during conversion of cpu configuration with SVE |
| registers to the cpu template on aarch64 platform. Now |
| cpu-template-helper will print warnings if it encounters SVE |
| registers during the conversion process. This is because cpu |
| templates are limited to only modify registers less than 128 |
| bits. |
| - |
| restore snapshots of VMs that had SVE enabled. |
| - |
| transactional, meaning Firecracker's configuration will be |
| unchanged if the request returns an error. This fixes a bug |
| where a microVM with incompatible balloon and guest memory |
| size could be booted, due to the check for this condition |
| happening after Firecracker's configuration was updated. |
| - |
| setsid() failures occurred while running Jailer as the |
| process group leader. However, this changed the behaviour of |
| Jailer and now the Firecracker process will always have a |
| different PID than the Jailer process. |
| - |
| to highlight the above change in behaviour introduced in |
| PR |
| - |
| PR |
| PID. With this change, Firecracker process's PID will always |
| be available in the Jailer's root directory regardless of |
| whether new_pid_ns was set. |
| - |
| querying for an MMDS path whose content is empty, because the |
| 'Content-Length' header field was missing in a response. |
| - Update to version 1.6.0: |
| * Added |
| - |
| to aggregate metrics net, each individual net device will |
| emit metrics under the label "net_{iface_id}". E.g. the |
| associated metrics for the endpoint |
| "/network-interfaces/eth0" will be available under "net_eth0" |
| in the metrics json object. |
| - |
| addition to aggregate metrics block, each individual block |
| device will emit metrics under the label "block_{drive_id}". |
| E.g. the associated metrics for the endpoint |
| "/drives/{drive_id}" will be available under "block_drive_id" |
| in the metrics json object. |
| - |
| command in the snapshot-editor tool to print MicrovmState of |
| vmstate snapshot file in a readable format. Also made the |
| vcpu-states subcommand available on x86_64. |
| - |
| tracing for more details. |
| - |
| only (NOT for production use) support for vhost-user block |
| devices. Firecracker implements a vhost-user frontend. Users |
| are free to choose from existing open source backend |
| solutions or their own implementation. Known limitation: |
| snapshotting is not currently supported for microVMs |
| containing vhost-user block devices. See the related doc page |
| for details. The device emits metrics under the label |
| "vhost_user_{device}_{drive_id}". |
| * Changed |
| - |
| process to that cgroup if no cgroup options are provided. |
| - Simplified and clarified the removal policy of deprecated API |
| elements to follow semantic versioning 2.0.0. For more |
| information, please refer to this GitHub discussion. |
| - |
| printing an error on exits with a zero exit code. Now, on |
| successful exit "Firecracker exited successfully" is logged. |
| - |
| targeting older versions of Firecracker. With this change, |
| running 'firecracker --version' will not print the supported |
| snapshot versions. |
| - |
| directly writing the diff snapshot on top of the base |
| snapshot's memory file. This can be done by setting the |
| mem_file_path to the path of the pre-existing full snapshot. |
| * Deprecated |
| - |
| snapshot-editor for rebasing diff snapshots. |
| * Fixed |
| - |
| preventing it from printing the source code file of the log |
| messages. |
| - |
| successful shutdown when starting Firecracker with --no-api. |
| - |
| "RunWithApiError error: MicroVMStopped without an error: |
| GenericError" when exiting after encountering an emulation |
| error. It now correctly prints "RunWithApiError error: |
| MicroVMStopped with an error: GenericError". |
| - |
| --level option of logger to Pascal-cased values (e.g. |
| accepting "Info", but not "info"). It now ignores case again. |
| - |
| that rendered the device non-functional after a PATCH request |
| was issued to Firecracker for updating the path to the |
| host-side backing file of the device. |
| - |
| take a snapshot of a microvm which itself was restored from a |
| snapshot, specifying mem_file_path to be the path of the |
| memory file from which the microvm was restored would result |
| in both the microvm and the snapshot being corrupted. It now |
| instead performs a "write-back" of all memory that was |
| updated since the snapshot was originally loaded. |
| - Update to version 1.5.1: |
| * Added |
| - |
| --parent-cgroup option, which results in it being ignored by |
| the jailer. Refer to the jailer documentation for a |
| workaround. |
| * Changed |
| - |
| printing an error on exits with a zero exit code. Now, on |
| successful exit "Firecracker exited successfully" is logged. |
| * Fixed |
| - |
| preventing it from printing the source code file of the log |
| messages. |
| - |
| successful shutdown when starting Firecracker with --no-api. |
| - |
| "RunWithApiError error: MicroVMStopped without an error: |
| GenericError" when exiting after encountering an emulation |
| error. It now correctly prints "RunWithApiError error: |
| MicroVMStopped with an error: GenericError". |
| - |
| --level option of logger to Pascal-cased values (e.g. |
| accepting "Info", but not "info"). It now ignores case again. |
| - |
| that rendered the device non-functional after a PATCH request |
| was issued to Firecracker for updating the path to the |
| host-side backing file of the device. |
| - Update to version 1.5.0: |
| * Added |
| - |
| prod-host-setup for some security and performance |
| considerations. |
| - |
| of snapshot files. It allows for rebasing of memory snapshot |
| files, printing and removing aarch64 registers from the |
| vmstate and obtaining snapshot version. |
| - |
| only) vcpu_features field allows modifications of vCPU |
| features enabled during vCPU initialization. kvm_capabilities |
| field allows modifications of KVM capability checks that |
| Firecracker performs during boot. If any of these fields are |
| in use, minimal target snapshot version is restricted to 1.5. |
| * Changed |
| - Updated deserialization of bitmap for custom CPU templates to |
| allow usage of '_' as a separator. |
| - Changed the strip feature of cpu-template-helper tool to |
| operate bitwise. |
| - Better logs during validation of CPU ID in snapshot |
| restoration path. Also Firecracker now does not fail if it |
| can't get CPU ID from the host or can't find CPU ID in the |
| snapshot. |
| - Changed the serial device to only try to initialize itself if |
| stdin is a terminal or a FIFO pipe. This fixes logged |
| warnings about the serial device failing to initialize if the |
| process is daemonized (in which case stdin is /dev/null |
| instead of a terminal). |
| - Changed to show a warning message when launching a microVM |
| with C3 template on a processor prior to Intel Cascade Lake, |
| because the guest kernel does not apply the mitigation |
| against MMIO stale data vulnerability when it is running on a |
| processor that does not enumerate FBSDP_NO, PSDP_NO and |
| SBDR_SSDP_NO on IA32_ARCH_CAPABILITIES MSR. |
| - Made Firecracker resize its file descriptor table on process |
| start. It now preallocates the in-kernel fdtable to hold |
| RLIMIT_NOFILE many fds (or 2048 if no limit is set). This |
| avoids the kernel reallocating the fdtable during Firecracker |
| operations, resulting in a 30ms to 70ms reduction of snapshot |
| restore times for medium to large microVMs with many devices |
| attached. |
| - Changed the dump feature of cpu-template-helper tool not to |
| enumerate program counter (PC) on ARM because it is |
| determined by the given kernel image and it is useless in the |
| custom CPU template context. |
| - The ability to create snapshots for an older version of |
| Firecracker is now deprecated. As a result, the version body |
| field in PUT /snapshot/create requests is deprecated. |
| - Added support for the /dev/userfaultfd device available on |
| Linux kernels >= 6.1. This is the default for creating UFFD |
| handlers on these kernel versions. If it is unavailable, |
| Firecracker falls back to the userfaultfd syscall. |
| - Deprecated cpu_template field in PUT and PATCH requests on |
| /machine-config API, which is used to set a static CPU |
| template. Custom CPU templates added in v1.4.0 are available |
| as an improved iteration of the static CPU templates. For |
| more information about the transition from static CPU |
| templates to custom CPU templates, please refer to this |
| GitHub discussion. |
| - Changed default log level from Warn to Info. This results in |
| more logs being output by default. |
| * Fixed |
| - Fixed a change in behavior of normalize host brand string |
| that breaks Firecracker on external instances. |
| - Fixed the T2A CPU template not to unset the MMX bit |
| (CPUID.80000001h:EDX[23]) and the FXSR bit |
| (CPUID.80000001h:EDX[24]). |
| - Fixed the T2A CPU template to set the RstrFpErrPtrs bit |
| (CPUID.80000008h:EBX[2]). |
| - Fixed a bug where Firecracker would crash during boot if a |
| guest set up a virtio queue that partially overlapped with |
| the MMIO gap. Now Firecracker instead correctly refuses to |
| activate the corresponding virtio device. |
| - Fixed the T2CL CPU template to pass through security |
| mitigation bits that are listed by KVM as bits able to be |
| passed through. By making the most use of the available |
| hardware security mitigations on a processor that a guest is |
| running on, the guest might be able to benefit from |
| performance improvements. |
| - Fixed the T2S CPU template to set the GDS_NO bit of the |
| IA32_ARCH_CAPABILITIES MSR to 1 in accordance with an Intel |
| microcode update. To use the template securely, users should |
| apply the latest microcode update on the host. |
| - Fixed the spelling of the nomodule param passed in the |
| default kernel command line parameters. This is a breaking |
| change for setups that use the default kernel command line |
| which also depend on being able to load kernel modules at |
| runtime. This may also break setups which use the default |
| kernel command line and which use an init binary that |
| inadvertently depends on the misspelled param ("nomodules") |
| being present at the command line, since this param will no |
| longer be passed. |
| |
| ------------------------------------------------------------------- |
| Tue Oct 10 14:01:39 UTC 2023 - Andrea Manzini <andrea.manzini@suse.com> |
| |
| - Update to 1.4.1: |
| * Fixed a change in behavior of normalize host brand string that breaks |
| Firecracker on external instances. |
| * Fixed the T2A CPU template not to unset the MMX bit (CPUID.80000001h:EDX[23]) |
| and the FXSR bit (CPUID.80000001h:EDX[24]). |
| * Fixed the T2A CPU template to set the RstrFpErrPtrs bit |
| (CPUID.80000008h:EBX[2]). |
| |
| - Update to 1.4.0: |
| Added |
| * Added support for custom CPU templates allowing users to adjust vCPU features |
| exposed to the guest via CPUID, MSRs and ARM registers. |
| * Introduced V1N1 static CPU template for ARM to represent Neoverse V1 CPU |
| as Neoverse N1. |
| * Added support for the virtio-rng entropy device. The device is optional. A |
| single device can be enabled per VM using the /entropy endpoint. |
| * Added a cpu-template-helper tool for assisting with creating and managing |
| custom CPU templates. |
| |
| Changed |
| * Set FDP_EXCPTN_ONLY bit (CPUID.7h.0:EBX[6]) and ZERO_FCS_FDS bit |
| (CPUID.7h.0:EBX[13]) in Intel's CPUID normalization process. |
| |
| Fixed |
| * Fixed feature flags in T2S CPU template on Intel Ice Lake. |
| * Fixed CPUID leaf 0xb to be exposed to guests running on AMD host. |
| * Fixed a performance regression in the jailer logic for closing open file |
| descriptors. |
| * Fixed a race condition that had been identified between the API thread |
| and the VMM thread due to a misconfiguration of the api_event_fd. |
| * Fixed CPUID leaf 0x1 to disable perfmon and debug feature on x86 host. |
| * Fixed passing through cache information from host in CPUID leaf 0x80000006. |
| * Fixed the T2S CPU template to set the RRSBA bit of the IA32_ARCH_CAPABILITIES |
| MSR to 1 in accordance with an Intel microcode update. |
| * Fixed the T2CL CPU template to pass through the RSBA and RRSBA bits of the |
| IA32_ARCH_CAPABILITIES MSR from the host in accordance with an Intel microcode |
| update. |
| * Fixed passing through cache information from host in CPUID leaf 0x80000005. |
| * Fixed the T2A CPU template to disable SVM (nested virtualization). |
| * Fixed the T2A CPU template to set EferLmsleUnsupported bit |
| (CPUID.80000008h:EBX[20]), which indicates that EFER[LMSLE] is not supported. |
| |
| - Update to 1.3.3: |
| * Fixed passing through cache information from host in CPUID leaf 0x80000006. |
| |
| ------------------------------------------------------------------- |
| Thu May 18 06:17:40 UTC 2023 - Paolo Stivanin <info@paolostivanin.com> |
| |
| - Update to 1.3.2: |
| Added |
| * Introduced T2CL (Intel) and T2A (AMD) CPU templates to provide |
| instruction set feature parity between Intel and AMD CPUs when using |
| these templates. |
| * Added Graviton3 support (c7g instance type). |
| Changed |
| * Improved error message when invalid network backend provided. |
| * Improved TCP throughput by between 5% and 15% (depending on CPU) by using |
| scatter-gather I/O in the net device's TX path. |
| * Upgraded Rust toolchain from 1.64.0 to 1.66.0. |
| * Made seccompiler output bit-reproducible. |
| Fixed |
| * Fixed feature flags in T2 CPU template on Intel Ice Lake. |
| * Fixed a race condition that had been identified between the API thread |
| and the VMM thread due to a misconfiguration of the api_event_fd. |
| |
| ------------------------------------------------------------------- |
| Mon Dec 19 10:44:16 UTC 2022 - Andrea Manzini <andrea.manzini@suse.com> |
| |
| - Update to version 1.2.0 |
| * Added a new CPU template called T2S |
| * Added a new CLI option --metrics-path PATH |
| * Added baselines for m6i.metal and m6a.metal |
| * Changed the jailer option --exec-file to fail if the filename does not |
| contain the string firecracker |
| * Updated Rust toolchain and all dependencies to their respective newest versions |
| * Made the T2 template more robust by explicitly disabling additional |
| CPUID flags that should be off |
| * Now MAC address is correctly displayed when queried with GET /vm/config |
| * Fixed a self-DoS scenario in the virtio-queue code |
| * Fixed the bad handling of kernel cmdline parameters when init arguments were |
| provided via JSON PUT /boot-source request |
| * Fixed a bug on ARM64 hosts where the upper 64 bits of the V0-V31 FP/SIMD |
| registers were not saved correctly |
| |
| ------------------------------------------------------------------- |
| Sat Oct 1 17:55:05 UTC 2022 - Liang Yan <lyan@opensuse.org> |
| |
| - Update firecracker to version 1.1.1 |
| https://github.com/firecracker-microvm/firecracker/releases/tag/v1.1.1 |
| https://github.com/firecracker-microvm/firecracker/releases/tag/v1.1.0 |
| - Add build dependency clang |
| - Update cargo_config based on new vendor |
| |
| ------------------------------------------------------------------- |
| Mon Jun 20 03:26:38 UTC 2022 - William Brown <william.brown@suse.com> |
| |
| - Automatic update of vendored dependencies |
| |
| ------------------------------------------------------------------- |
| Tue May 24 06:33:07 UTC 2022 - William Brown <william.brown@suse.com> |
| |
| - Automatic update of vendored dependencies |
| - Remove 0001-cargo-update-regex-dependency.patch due to update of |
| vendored dependencies |
| |
| ------------------------------------------------------------------- |
| Wed Mar 16 13:17:24 UTC 2022 - Liang Yan <lyan@opensuse.org> |
| |
| - Bump rust to 1.46.0 for vmm-sys-util building |
| https://blog.rust-lang.org/2020/08/27/Rust-1.46.0.html |
| - Bump Regex crate to 1.5.5 |
| (CVE-2022-24713, boo |
| 0001-cargo-update-regex-dependency.patch |
| |
| ------------------------------------------------------------------- |
| Mon Feb 14 01:02:21 UTC 2022 - Liang Yan <ly@xryan.net> |
| |
| - Update firecracker to version 1.0.0 |
| Details can be found below: |
| https://github.com/firecracker-microvm/firecracker/releases/tag/v1.0.0 |
| |
| * Patches dropped: |
| 0001-dependencies-Included-vm-fdt-crate.patch |
| 0002-vm-fdt-Replace-libfdt-with-vm-fdt.patch |
| 0003-libfdt-bindings-Deleted-libfdt-bindings-crate.patch |
| |
| ------------------------------------------------------------------- |
| Tue Sep 14 23:45:26 UTC 2021 - Liang Yan <lyan@suse.com> |
| |
| - Replace libfdt with vm-fdt. |
| 0001-dependencies-Included-vm-fdt-crate.patch |
| 0002-vm-fdt-Replace-libfdt-with-vm-fdt.patch |
| 0003-libfdt-bindings-Deleted-libfdt-bindings-crate.patch |
| |
| ------------------------------------------------------------------- |
| Wed Sep 8 22:16:33 UTC 2021 - Liang Yan <lyan@suse.com> |
| |
| - Update firecracker to version 0.25.0 |
| Add workspace to firecracker. The workspace has three packages: |
| firecracker, jailer, seccompiler |
| |
| Details can be found below: |
| https://github.com/firecracker-microvm/firecracker/blob/main/CHANGELOG.md |
| |
| ------------------------------------------------------------------- |
| Mon May 25 11:54:18 UTC 2020 - Liang Yan <lyan@suse.com> |
| |
| - Update firecracker to version 0.19.1: |
| Added: |
| * New device: virtio-vsock, backed by Unix domain sockets. |
| * New command-line parameter for firecracker, named --no-api, which |
| will disable the API server thread. Also, when the API server is disabled, |
| MMDS is no longer available. |
| * New command-line parameter for firecracker, named --config-file, which |
| represents the path to a file that contains a JSON which can be used for |
| configuring and starting a microVM without sending any API requests. |
| * The jailer adheres to the "end of command options" convention, meaning |
| all parameters specified after -- are forwarded verbatim to Firecracker. |
| * Added KVM_PTP support to the recommended guest kernel config. |
| * Added entry in FAQ.md for Firecracker Guest timekeeping. |
| Changed: |
| * Vsock API call: PUT /vsocks/{id} changed to PUT /vsock and no longer |
| appears to support multiple vsock devices. Any subsequent calls to this API |
| endpoint will override the previous vsock device configuration. |
| Removed: |
| * Removed experimental support for vhost-based vsock devices. |
| * Removed unused 'Halting' and 'Halted' instance states. |
| |
| ------------------------------------------------------------------- |
| Mon May 25 11:11:56 UTC 2020 - Liang Yan <lyan@suse.com> |
| |
| - Modify spec file: |
| * Change the group to "System/Emulators/PC" which is maintained by virt team. |
| * Use "rm -f " instead of "rm" to remove spurious files |
| * Remove macro "_missing_doc_files_terminate_build" |
| |
| ------------------------------------------------------------------- |
| Sun May 24 01:20:05 UTC 2020 - Liang Yan <lyan@suse.com> |
| |
| - Fix Tumbleweed builds by removing /usr/.crates2.json. |
| |
| ------------------------------------------------------------------- |
| Fri Sep 13 14:45:15 UTC 2019 - Jan Engelhardt <jengelh@inai.de> |
| |
| - Trim marketing wording from description. |
| |
| ------------------------------------------------------------------- |
| Tue Sep 10 13:47:51 UTC 2019 - Marco Vedovati <mvedovati@suse.com> |
| |
| - Fix aarch64 builds |
| - Bump min rust version to 1.35.0 |
| |
| ------------------------------------------------------------------- |
| Mon Sep 9 16:51:51 UTC 2019 - Marco Vedovati <mvedovati@suse.com> |
| |
| - Update firecracker to version 0.17.0: |
| Added: |
| * New API call: PATCH /machine-config/, used to update VM configuration |
| before the microVM boots. |
| * Added an experimental swagger definition that includes the specification |
| for the vsock API call. |
| * Added a signal handler for SIGBUS and SIGSEGV that immediately terminates |
| the process upon intercepting the signal. |
| * Added documentation for signal handling utilities. |
| * Added [alpha] aarch64 support. |
| * Added metrics for successful read and write operations of MMDS, Net and |
| Block devices. |
| Changed: |
| * vcpu_count, mem_size_mib and ht_enabled have been changed to be mandatory |
| for PUT requests on /machine-config/. |
| * Disallow invalid seccomp levels by exiting with error. |
| Fixed: |
| * Incorrect handling of bind mounts within the jailed rootfs. |
| * Corrected the guide for Alpine guest setup. |
| |
| ------------------------------------------------------------------- |
| Wed May 29 11:25:08 UTC 2019 - Marco Vedovati <mvedovati@suse.com> |
| |
| - Update firecracker to version 0.16.0: |
| * Added [alpha] AMD support. |
| * Corrected the seccomp filter when building with glibc. |
| * Removed the seccomp.bad_syscalls metric. |
| * Dropped the JSON-formatted context command-line parameter from Firecracker |
| in favor of individual classic command-line parameters. |
| * Improved multiple error messages. |
| * Removed all kernel modules from the recommended kernel config. |
| |
| ------------------------------------------------------------------- |
| Mon May 6 17:31:52 UTC 2019 - Marco Vedovati <mvedovati@suse.com> |
| |
| - Fixed vsock support (needed for katacontainers interoperability) |
| * Use `cargo install` to build and install build artifacts |
| during the build phase, to avoid building the crate twice. |
| |
| ------------------------------------------------------------------- |
| Sat Mar 23 08:13:35 UTC 2019 - Flavio Castelli <fcastelli@suse.com> |
| |
| - Added patches 0001-Fixed-basic-seccomp-filter-for-glibc.patch and |
| 0002-Fixed-advanced-seccomp-filter-for-glibc.patch: change the |
| seccomp filtering rules to allow the execution of certain syscalls |
| that are used when the binary is built with glibc instead of musl. |
| |
| ------------------------------------------------------------------- |
| Fri Mar 22 21:25:39 UTC 2019 - Flavio Castelli <fcastelli@suse.com> |
| |
| - Ensure build happens only on supported architectures |
| - Enable vsock experimental feature |
| |
| ------------------------------------------------------------------- |
| Fri Mar 15 08:18:36 UTC 2019 - opensuse Cloud User <fcastelli@suse.com> |
| |
| - Make spec file arch independent |
| |
| ------------------------------------------------------------------- |
| Thu Mar 14 23:36:02 UTC 2019 - Flavio Castelli <fcastelli@suse.com> |
| |
| - Initial package version 0.15.2 |