firecracker

Secure and fast microVMs for serverless computing.

APACHE-2.0 License

firecracker - Firecracker v0.21.3

Published by sandreim about 4 years ago

Fixed

  • Limited serial device buffer size to maximum 64 bytes.

firecracker - Firecracker v0.22.0

Published by dianpopa about 4 years ago

Added

  • Added a new API call, PUT /metrics, for configuring the metrics system.
  • Added app_name field in InstanceInfo struct for storing the application
    name.
  • New command-line parameters for firecracker, named --log-path,
    --level, --show-level and --show-log-origin that can be used
    for configuring the Logger when starting the process. When using
    this method for configuration, only --log-path is mandatory.
  • Added a guide for updating the dev container image.
  • Added a new API call, PUT /mmds/config, for configuring the
    MMDS with a custom valid link-local IPv4 address.
  • Added experimental JSON response format support for MMDS guest applications
    requests.
  • Added metrics for the vsock device.
  • Added devtool strip command which removes debug symbols from the release
  • Added the tx_malformed_frames metric for the virtio net device, emitted
    when a TX frame missing the VNET header is encountered.

Fixed

  • Added --version flag to both Firecracker and Jailer.
  • Return 405 Method Not Allowed MMDS response for non HTTP GET MMDS
    requests originating from guest.
  • Fixed folder permissions in the jail (#1802).
  • Any number of whitespace characters are accepted after ":" when parsing HTTP
    headers.
  • Potential panic condition caused by the net device expecting to find a VNET
    header in every frame.
  • Potential crash scenario caused by "Content-Length" HTTP header field
    accepting negative values.
  • Fixed #1754 - net: traffic blocks when running ingress UDP performance tests
    with very large buffers.

Changed

  • Updated CVE-2019-3016 mitigation information in
    Production Host Setup
  • In case of using an invalid JSON as a 'config-file' for Firecracker,
    the process will exit with return code 152.
  • Removed the testrun.sh wrapper.
  • Removed metrics_fifo field from the logger configuration.
  • Renamed log_fifo field from LoggerConfig to log_path and
    metrics_fifo field from MetricsConfig to metrics_path.
  • PATCH /drives/{id} only allowed post-boot. Use PUT for pre-boot
    updates to existing configurations.
  • PATCH /network-interfaces/{id} only allowed post-boot. Use PUT for
    pre-boot updates to existing configurations.
  • Changed returned status code from 500 Internal Server Error to
    501 Not Implemented, for queries on the MMDS endpoint in IMDS format, when
    the requested resource value type is unsupported.
  • Allowed the MMDS data store to be initialized with all supported JSON types.
    Retrieval of these values within the guest, besides String, Array, and
    Dictionary, is only possible in JSON mode.
  • PATCH request on /mmds before the data store is initialized returns
    403 BadRequest.
  • Segregated MMDS documentation in MMDS design documentation and MMDS user
    guide documentation.

firecracker - Firecracker v0.21.2

Published by ioanachirca about 4 years ago

Fixed

  • Fixed #1754 - net: traffic blocks when running ingress UDP performance tests
    with very large buffers.

firecracker - Firecracker v0.20.1

Published by ioanachirca about 4 years ago

Fixed

  • Fixed #1754 - net: traffic blocks when running ingress UDP performance tests
    with very large buffers.

firecracker - Firecracker v0.21.1

Published by andreeaflorescu over 4 years ago

Fixed

  • Added --version flag to both Firecracker and Jailer.

firecracker - Firecracker v0.21.0

Published by aghecenco over 4 years ago

Added

  • Support for booting with an initial RAM disk image. This image can be
    specified through the new initrd_path field of the /boot-source API
    request.

Fixed

  • Fixed #1469 - Broken GitHub location for Firecracker release binary.
  • The jailer allows changing the default api socket path by using the extra
    arguments passed to firecracker.
  • Fixed #1456 - Occasional KVM_EXIT_SHUTDOWN and bad syscall (14) during
    VM shutdown.
  • Updated the production host setup guide with steps for addressing
    CVE-2019-18960.
  • The HTTP header parsing is now case insensitive.
  • The put_api_requests and patch_api_requests metrics for net devices were
    un-swapped.

Changed

  • Removed redundant --seccomp-level jailer parameter since it can be
    simply forwarded to the Firecracker executable using "end of command
    options" convention.
  • Removed memory.dirty_pages metric.
  • Removed options field from the logger configuration.
  • Decreased release binary size by ~15%.
  • Changed default API socket path to /run/firecracker.socket. This path
    also applies when running with the jailer.
  • Disabled KVM dirty page tracking by default.
  • Removed redundant RescanBlockDevice action from the /actions API.
    The functionality is available through the PATCH /drives API.
    See docs/api_requests/patch-block.md.

firecracker - Firecracker v0.20.0

Published by serban300 almost 5 years ago

Added

  • Added support for GICv2.

Fixed

  • Fixed CVE-2019-18960 - Fixed a logical error in bounds checking performed
    on vsock virtio descriptors.
  • Fixed #1283 - Can't start a VM in AARCH64 with vcpus number more than 16.
  • Fixed #1088 - Backtraces are printed on panic, no longer causing a
    seccomp fault.
  • Fixed #1375 - Change logger options type from Value to Vec to
    prevent potential unwrap on None panics.
  • Fixed #1436 - Raise interrupt for TX queue used descriptors
  • Fixed #1439 - Prevent achieving 100% cpu load when the net device rx is
    throttled by the ratelimiter
  • Fixed #1437 - Invalid fields in rate limiter related API requests are
    now failing with a proper error message.
  • Fixed #1316 - correctly determine the size of a virtio device backed
    by a block device.
  • Fixed #1383 - Log failed api requests.

Changed

  • Decreased release binary size by 10%.

firecracker - Firecracker v0.19.1

Published by acatangiu almost 5 years ago

Fixed (on top of v0.19.0):

  • Fixed a logical error in bounds checking performed on vsock virtio descriptors (CVE-2019-18960).

firecracker - Firecracker v0.18.1

Published by acatangiu almost 5 years ago

Fixed (on top of v0.18.0):

  • Fixed a logical error in bounds checking performed on vsock virtio descriptors (CVE-2019-18960).

firecracker - Firecracker v0.19.0

Published by andreeaflorescu about 5 years ago

Added

  • New command-line parameter for firecracker, named --no-api, which
    will disable the API server thread. If set, the user won't be able to send
    any API requests, neither before, nor after the vm has booted. It must be
    paired with the --config-file parameter. Also, when the API server is disabled,
    MMDS is no longer available.
  • New command-line parameter for firecracker, named --config-file, which
    represents the path to a file that contains a JSON which can be used for
    configuring and starting a microVM without sending any API requests.
  • The jailer adheres to the "end of command options" convention, meaning
    all parameters specified after -- are forwarded verbatim to Firecracker.
  • Added KVM_PTP support to the recommended guest kernel config.
  • Added entry in FAQ.md for Firecracker Guest timekeeping.

Changed

  • Vsock API call: PUT /vsocks/{id} changed to PUT /vsock and no longer
    appears to support multiple vsock devices. Any subsequent calls to this API
    endpoint will override the previous vsock device configuration.
  • Removed unused 'Halting' and 'Halted' instance states.

Fixed

  • Fixed serial console on aarch64 (GitHub issue #1147).
  • Upon panic, the terminal is now reset to canonical mode.
  • Explicit error upon failure of vsock device creation.
  • The failure message returned by an API call is flushed in the log FIFOs.
  • Insert virtio devices in the FDT in order of their addresses sorted from
    low to high.
  • Enforce the maximum length of the network interface name to be 16 chars as
    specified in the Linux Kernel.
  • Changed the vsock property id to vsock_id so that the API client can be
    successfully generated from the swagger definition.

firecracker - Firecracker v0.18.0

Published by dhrgit about 5 years ago

Added

  • New device: virtio-vsock, backed by Unix domain sockets (GitHub issue #650).
    See docs/vsock.md.

Fixed

  • Updated the documentation for integration tests.
  • Fixed high CPU usage before guest network interface is brought up (GitHub
    issue #1049).
  • Fixed an issue that caused the wrong date (month) to appear in the log.
  • Fixed a bug that caused the seccomp filter to reject legit syscalls in some
    rare cases (GitHub issue #1206).
  • Docs: updated the production host setup guide.
  • Docs: updated the rootfs and kernel creation guide.

Removed

  • Removed experimental support for vhost-based vsock devices.

firecracker - Firecracker v0.17.0

Published by dianpopa over 5 years ago

Added

  • New API call: PATCH /machine-config/, used to update VM configuration,
    before the microVM boots.
  • Added an experimental swagger definition that includes the specification for
    the vsock API call.
  • Added a signal handler for SIGBUS and SIGSEGV that immediately terminates
    the process upon intercepting the signal.
  • Added documentation for signal handling utilities.
  • Added [alpha] aarch64 support.
  • Added metrics for successful read and write operations of MMDS, Net and Block devices.

Changed

  • vcpu_count, mem_size_mib and ht_enabled have been changed to be mandatory
    for PUT requests on /machine-config/.
  • Disallow invalid seccomp levels by exiting with error.

Fixed

  • Incorrect handling of bind mounts within the jailed rootfs.
  • Corrected the guide for Alpine guest setup.

firecracker - Firecracker v0.16.0

Published by acatangiu over 5 years ago

Added

  • Added [alpha] AMD support.
  • New devtool command: prepare_release. This updates the Firecracker
    version, crate dependencies and credits in preparation for a new release.
  • New devtool command: tag. This creates a new git tag for the specified
    release number, based on the changelog contents.
  • New doc section about building with glibc.

Changed

  • Dropped the JSON-formatted context command-line parameter from Firecracker
    in favor of individual classic command-line parameters.
  • When running with jailer the location of the API socket has changed to
    <jail-root-path>/api.socket (API socket was moved inside the jail).
  • PUT and PATCH requests on /mmds with data containing any value type other
    than String, Array, Object will return status code 400.
  • Improved multiple error messages.
  • Removed all kernel modules from the recommended kernel config.

Fixed

  • Corrected the seccomp filter when building with glibc.

Removed

  • Removed the seccomp.bad_syscalls metric.

firecracker - Firecracker v0.15.2

Published by andreeaflorescu over 5 years ago

Fixed

  • Corrected the conditional compilation of the seccomp rule for madvise.

firecracker - Firecracker v0.15.1

Published by andreeaflorescu over 5 years ago

Fixed

  • A madvise call issued by the musl allocator was added to the seccomp
    whitelist to prevent Firecracker from terminating abruptly when allocating
    memory in certain conditions.

firecracker - Firecracker v0.15.0

Published by alexandruag over 5 years ago

Added

  • New API action: SendCtrlAltDel, used to initiate a graceful shutdown,
    if the guest has driver support for i8042 and AT Keyboard. See
    the docs for details.
  • New metric counting the number of egress packets with a spoofed MAC:
    net.tx_spoofed_mac_count.
  • New API call: PATCH /network-interfaces/, used to update the rate limiters
    on a network interface, after the start of a microVM.

Changed

  • Added missing vmm_version field to the InstanceInfo API swagger
    definition, and marked several other mandatory fields as such.
  • New default command line for guest kernel:
    reboot=k panic=1 pci=off nomodules 8250.nr_uarts=0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd.

Fixed

  • virtio-blk: VIRTIO_BLK_T_FLUSH now working as expected.
  • Vsock devices can be attached when starting Firecracker using the jailer.
  • Vsock devices work properly when seccomp filtering is enabled.

firecracker - Firecracker v0.14.0

Published by aghecenco over 5 years ago

Added

  • Documentation for development environment setup on AWS in dev-machine-setup.md.
  • Documentation for microVM networking setup in docs/network-setup.md.
  • Limit the maximum supported vCPUs to 32.

Changed

  • Log the app version when the Logger is initialized.
  • Pretty print panic information.
  • Firecracker terminates with exit code 148 when a non-whitelisted syscall is intercepted.

Fixed

  • Fixed build with the vsock feature.

firecracker - Firecracker v0.13.0

Published by andreeaflorescu almost 6 years ago

Added

  • Documentation for Logger API Requests in docs/api_requests/logger.md.
  • Documentation for Actions API Requests in docs/api_requests/actions.md.
  • Documentation for MMDS in docs/mmds.md.
  • Flush metrics on request via a PUT /actions with the action_type
    field set to FlushMetrics.

Changed

  • Updated the swagger definition of the Logger to specify the required fields
    and provide default values for optional fields.
  • Default seccomp-level is 2 (was previously 0).
  • API Resource IDs can only contain alphanumeric characters and underscores.

Fixed

  • Seccomp filters are now applied to all Firecracker threads.
  • Enforce minimum length of 1 character for the jailer ID.
  • Exit with error code when starting the jailer process fails.

Removed

  • Removed InstanceHalt from the list of possible actions.

firecracker - Firecracker v0.12.0

Published by dianpopa almost 6 years ago

Added

  • The /logger API has a new field called options. This is an array of
    strings that specify additional logging configurations. The only supported
    value is LogDirtyPages.
  • When the LogDirtyPages option is configured via PUT /logger, a new metric
    called memory.dirty_pages is computed as the number of pages dirtied by the
    guest since the last time the metric was flushed.
  • Log messages on both graceful and forceful termination.
  • Availability of the list of dependencies for each commit inside the code base.
  • Documentation on vsock experimental feature and host setup recommendations.

Changed

  • PUT requests on /mmds always return 204 on success.
  • PUT operations on /network-interfaces API resources no longer accept
    the previously required state parameter.
  • The jailer starts with --seccomp-level=2 (was previously 0) by default.
  • Log messages use anonymous-instance as instance id if none is specified.

Fixed

  • Fixed crash upon instance start on hosts without 1GB huge page support.
  • Fixed "fault_message" inconsistency between Open API specification and code base.
  • Ensure MMDS compatibility with C5's IMDS implementation.
  • Corrected the swagger specification to ensure OpenAPI 2.0 compatibility.

firecracker - Firecracker v0.11.0

Published by dhrgit almost 6 years ago

Added

Changed

  • Improved MMDS network stack performance
  • If the logging system is not yet initialized (via PUT /logger), log events
    are now sent to stdout/stderr.
  • Moved the instance_info_fails metric under get_api_requests
  • Improved readme and added links to more detailed information,
    now featured in subject-specific docs.

Fixed

  • Fixed bug in the MMDS network stack, that caused some RST packets to be sent
    without a destination.
  • Fixed bug in PATCH /drives, whereby the ID in the path was not checked
    against the ID in the body.