firecracker-microvm/firecracker v0.25.0

Firecracker v0.25.0

on GitHub

Added

• Added devtool build --ssh-keys flag to support fetching from private
  git repositories.
• Added option to configure block device flush.
• Added --new-pid-ns flag to the Jailer in order to spawn the Firecracker
  process in a new PID namespace.
• Added API metrics for GET, PUT and PATCH requests on /mmds endpoint.
• Added --describe-snapshot flag to Firecracker to fetch the data format
  version of a snapshot state file provided as argument.
• Added --no-seccomp parameter for disabling the default seccomp filters.
• Added --seccomp-filter parameter for supplying user-provided, custom filters.
• Added the seccompiler-bin binary that is used to compile JSON seccomp filters
  into serialized BPF for Firecracker consumption.
• Snapshotting support for GICv2 enabled guests.
• Added devtool install to deploy built binaries in /usr/local/bin or a
  given path.
• Added code logic to send VIRTIO_VSOCK_EVENT_TRANSPORT_RESET on snapshot
  creation, when the Vsock device is active. The event will close active
  connections on the guest.
• Added GET request on /vm/config that provides full microVM configuration
  as a JSON HTTP response.
• Added --resource-limit flag to jailer to limit resources such as: number of
  file descriptors allowed at a time (with a default value of 2048) and maximum
  size of files created by the process.

Changed

• Changed Docker images repository from DockerHub to Amazon ECR.
• Fixed off-by-one error in virtio-block descriptor address validation.
• Changed the PATCH request on /balloon/statistics to schedule the first
  statistics update immediately after processing the request.
• Deprecated the --seccomp-level parameter. It will be removed in a future
  release. Using it logs a runtime warning.
• Experimental gnu libc builds use empty default seccomp filters, allowing all
  system calls.

Fixed

• Fixed non-compliant check for the RTC device ensuring a fixed
  4-sized data buffer.
• Unnecessary interrupt assertion was removed from the RTC.
  However, a dummy interrupt is still allocated for snapshot
  compatibility reasons.
• Fixed the SIGPIPE signal handler so Firecracker no longer exits. The signal
  is still recorded in metrics and logs.
• Fixed ballooning API definitions by renaming all fields which mentioned "MB"
  to use "MiB" instead.
• Snapshot related host files (vm-state, memory, block backing files) are now
  flushed to their backing mediums as part of the CreateSnapshot operation.
• Fixed the SSBD mitigation not being enabled on aarch64 with the provided
  prod-host-setup.md.
• Fixed the balloon statistics not working after a snapshot restore event.
• The utc_timestamp_ms now reports the timestamp in ms from the UTC UNIX
  Epoch, as the name suggests. It was previously using a monotonic clock with
  an undefined starting point.