
firecracker-1.15.0-1.2 RPM for x86_64

From OpenSuSE Tumbleweed for x86_64

Name: firecracker
Distribution: openSUSE Tumbleweed
Version: 1.15.0
Vendor: openSUSE
Release: 1.2
Build date: Tue Mar 10 07:59:18 2026
Group: Unspecified
Build host: reproducible
Size: 6909650
Source RPM: firecracker-1.15.0-1.2.src.rpm
Packager: https://bugs.opensuse.org
Url: https://firecracker-microvm.github.io/
Summary: Virtual Machine Monitor for creating microVMs
Firecracker is a virtualization technology for creating and managing
multi-tenant container and function-based services.

Provides

Requires

License

Apache-2.0

Changelog

* Tue Mar 10 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
  - Update to version 1.15.0:
    * Added
    - #5510, #5593, #5564: Add support for the VMClock device. The
      implementation supports the snapshot safety features proposed
      here, but doesn't currently provide any clock-specific
      information for helping the guest synchronize its clocks.
      More information can be found in docs.
    - #5574, #5671, #5674, #5690: Added Intel Granite Rapids as a
      supported and tested platform for Firecracker on 6.1 host
      kernel versions.
    * Changed
    - #5564: which added support for VMClock, uses one extra GSI
      for the VMClock device itself which reduces the available
      GSIs for VirtIO devices. New maximum values are 92 devices on
      Aarch64 and 17 devices on x86.
    - #5631: Update binary copy process inside Jailer to disallow
      symlinks and hardlinks at the destination path and change
      ownership of the copied binary to the specified uid/gid.
    * Fixed
    - #5698: Fixed the possible ENXIO error which could occur
      during file open operation if the underlying file is FIFO
      without active readers already attached.
    - #5688: Fixed vsock local port reuse across snapshot restore
      by saving the last used local port into the snapshot, so
      users need to regenerate snapshots.
    - #5705: Fixed a bug that caused Firecracker to corrupt the
      memory files of differential snapshots for VMs with multiple
      memory slots. This affected VMs using memory hot-plugging or
      any x86 VMs with a memory size larger than 3GiB.
    - #5739: Fixed validation of TCP SYN options length when MMDS
      is enabled.
* Fri Feb 27 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
  - Update to version 1.14.2:
    * Fixed
    - #5698: Fixed the possible ENXIO error which could occur
    during file open operation if the underlying file is FIFO
    without active readers already attached.
    - #5705: Fixed a bug that caused Firecracker to corrupt the
    memory files of differential snapshots for VMs with multiple
    memory slots. This affected VMs using memory hot-plugging or
    any x86 VMs with a memory size larger than 3GiB.
* Tue Jan 20 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
  - Update to version 1.14.1:
    * Changed
    - #5631: Update binary copy process inside Jailer to disallow
    symlinks and hardlinks at the destination path and change
    ownership of the copied binary to the specified uid/gid.
* Sun Dec 21 2025 Andrea Manzini <andrea.manzini@suse.com>
  - Update to version 1.14.0:
    * Added support for virtio-pmem devices. See documentation for
    more info
    * Added support for memory hot-plugging through the virtio-mem
    device
    * Added support for virtio-balloon free page reporting and
    hinting
    * Balloon stats now supports guest kernel >= 6.12, adding metrics
    on guest OOM kills, memory allocation stalls, and memory
    scan/reclaim info.
    * Removed the rx_partial_writes, tx_partial_reads,
    sync_response_fails, sync_vmm_send_timeout_count,
    deprecated_cmd_line_api_calls, log_fails and
    device_events metrics, as they were never incremented.
    * Fixed typo in Swagger definition of MmdsConfig
    imds_comat. This caused auto-generated clients to create bad
    requests.
    * Fixed Intel AMX enabling for kernels that support dynamic
    XSTATE features for userspace applications but not for KVM
    guests (e.g. kernel versions >= 5.16 and < 5.17).
    * Fixed a bug causing a read/write from an iovec to be duplicated
    when receiving an error on an iovec other than the first
    * Fixed a watchdog soft lockup bug on microVMs restored from
    snapshots by calling KVM_KVMCLOCK_CTRL ioctl before resuming
    * Fixed a cache coherency issue on non-FWB aarch64 platforms
* Tue Sep 02 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
  - Update to version 1.13.1:
    * Fixed
    - #5418: Fixed typo in Swagger definition of MmdsConfig, where
    the property imds_compat was spelled as imds_comat. This
    caused auto-generated client to create bad requests.
* Fri Aug 29 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
  - Update to version 1.13.0:
    * Added
    - #5139: Added support for PVTime. This is used to support
    steal time on ARM machines.
    - #5175: Allow including a custom cpu template directly in the
    json configuration file passed to --config-file under the
    cpu_config key.
    - #5274: Allow taking diff snapshots even if dirty page
    tracking is disabled, by using mincore(2) to overapproximate
    the set of dirty pages. Only works if swap is disabled.
    - #5290: Extended MMDS to support the EC2 IMDS-compatible
    session token headers (i.e. "X-aws-ec2-metadata-token" and
    "X-aws-ec2-metadata-token-ttl-seconds") alongside the
    MMDS-specific ones.
    - #5290: Added mmds.rx_invalid_token and mmds.rx_no_token
    metrics to track the number of GET requests that were
    rejected due to token validation failures in MMDS version 2.
    These metrics also count requests that would be rejected in
    MMDS version 2 when MMDS version 1 is configured. They help
    users assess readiness for migrating to MMDS version 2.
    - #5310: Added an optional imds_compat field (default to false
    if not provided) to PUT requests to /mmds/config to enforce
    MMDS to always respond plain text contents in the IMDS format
    regardless of the Accept header in requests. Users need to
    regenerate snapshots.
    - #5364: Added PCI support in Firecracker. PCI support is
    optional. Users can enable it passing the --enable-pci flag
    when launching the Firecracker process. When Firecracker
    process is launched with PCI support, it will create all
    VirtIO devices using a PCI VirtIO transport. If not enabled,
    Firecracker will use the MMIO transport instead.
    * Changed
    - #5165: Changed Firecracker snapshot feature from developer
    preview to generally available. Incremental snapshots remain
    in developer preview.
    - #5282: Updated jailer to no longer require the executable
    file name to contain firecracker.
    - #5290: Changed MMDS to validate the value of
    "X-metadata-token-ttl-seconds" header only if it is a PUT
    request to /latest/api/token, as in EC2 IMDS.
    - #5290: Changed MMDS version 1 to support the session oriented
    method as in version 2, allowing easier migration to version
    2. Note that MMDS version 1 accepts a GET request even with
    no token or an invalid token so that existing workloads
    continue to work.
    * Deprecated
    - #5274: Deprecated the enable_diff_snapshots parameter of the
    /snapshot/load API. Use track_dirty_pages instead.
    * Removed
    - #5411: Removed official support for Intel Skylake instances.
    Firecracker will continue to work on those instances, but we
    will no longer perform automated testing on them.
    * Fixed
    - #5222: Fixed network and rng devices locking up on hosts with
    non 4K pages.
    - #5226: Fixed MMDS to set Content-Type header correctly (i.e.
    Content-Type: text/plain for IMDS-formatted or error
    responses and Content-Type: application/json for
    JSON-formatted responses).
    - #5260: Fixed a bug allowing the block device to starve all
    other devices when backed by a sufficiently slow drive.
    - #4207: Fixed GSI numbering on aarch64 to correctly allow up
    to 96 devices being attached simultaneously.
    - #5290: Fixed MMDS to reject PUT requests containing
    X-Forwarded-For header regardless of its casing (e.g.
    x-forwarded-for).
    - #5328: Fixed MMDS to set the token TTL header (i.e.
    "X-metadata-token-ttl-seconds" or
    "X-aws-ec2-metadata-token-ttl-seconds") in the response to
    "PUT /latest/api/token", as EC2 IMDS does.
* Wed Jun 25 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
  - Update to version 1.12.1:
    * Fixed
    - #5277: Fixed a bug allowing the block device to starve all
    other devices when backed by a sufficiently slow drive.
* Fri May 09 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
  - Update to version 1.12.0:
    * Added
    - #5048: Added support for PVH boot mode. This is used when an
    x86 kernel provides the appropriate ELF Note to indicate that
    PVH boot mode is supported. Linux kernels newer than 5.0
    compiled with CONFIG_PVH=y set this ELF Note, as do FreeBSD
    kernels.
    - #5065: Added support for Intel AMX (Advanced Matrix
    Extensions). To be able to take and restore a snapshot of
    Intel AMX state, Xsave is used instead of kvm_xsave, so users
    need to regenerate snapshots.
    - #4731: Added support for modifying the host TAP device name
    during snapshot restore.
    - #5146: Added Intel Sapphire Rapids as a supported and tested
    platform for Firecracker.
    - #5148: Added ARM Graviton4 as a supported and tested platform
    for Firecracker.
    * Changed
    - #5118: Cleared WAITPKG CPUID bit in CPUID normalization. The
    feature enables a guest to put a physical processor into an
    idle state, which is undesirable in a FaaS environment since
    that is what the host wants to decide.
    - #5142: Clarified what CPU models are supported by each
    existing CPU template. Firecracker exits with an error if a
    CPU template is used on an unsupported CPU model.
    * Deprecated
    - #4948: Deprecated the page_size_kib field in the UFFD
    handshake, and replaced it with a page_size field. The
    page_size_kib field is misnamed, as the value Firecracker
    sets it to is actually the page size in bytes, not KiB. It
    will be removed in Firecracker 2.0.
    * Fixed
    - #5074: Fix the SendCtrlAltDel command not working for
    ACPI-enabled guest kernels, by dropping the i8042.nopnp
    argument from the default kernel command line Firecracker
    constructs.
    - #5122: Keep the UFFD Unix domain socket open to prevent the
    race condition between the guest memory mappings message and
    the shutdown event that was sometimes causing arrival of an
    empty message on the UFFD handler side.
    - #5143: Fixed to report process_startup_time_us and
    process_startup_time_cpu_us metrics for api_server right
    after the API server starts, while previously reported before
    applying seccomp filter and starting the API server. Users
    may observe a bit longer startup time metrics.
    * Dependencies
    - build(deps): Bump the firecracker group with 4 updates
    - build(deps): Bump the firecracker group across 1 directory
    with 8 updates
    - chore: update bincode to 2.0
    - build(deps): Bump the firecracker group with 13 updates
    - chore: bump devctr version
    - build(deps): Bump the firecracker group across 1 directory
    with 33 updates
    - chore: Update fingerprint
* Thu Apr 17 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
  - BuildRequire cargo and rust without the constraint for 1.82
* Tue Mar 18 2025 opensuse_buildservice@ojkastl.de
  - Update to version 1.11.0:
    * Added
    - #4987: Reset physical counter register (CNTPCT_EL0) on VM
    startup. This avoids VM reading the host physical counter
    value. This is only possible on 6.4 and newer kernels. For
    older kernels physical counter will still be passed to the
    guest unmodified. See more info here
    - #5088: Added AMD Genoa as a supported and tested platform for
    Firecracker.
    * Changed
    - #4913: Removed unnecessary fields (max_connections and
    max_pending_resets) from the snapshot format, bumping the
    snapshot version to 5.0.0. Users need to regenerate
    snapshots.
    - #4926: Replace underlying implementation for seccompiler from
    in house one in favor of libseccomp which produces smaller
    and more optimized BPF code.
    * Fixed
    - #4921: Fixed swagger CpuConfig definition to include missing
    aarch64-specific fields.
    - #4916: Fixed IovDeque implementation to work with any host
    page size. This fixes virtio-net device on non 4K host
    kernels.
    - #4991: Fixed mem_size_mib and track_dirty_pages being
    mandatory for all PATCH /machine-config requests. Now, they
    can be omitted which leaves these parts of the machine
    configuration unchanged.
    - #5007: Fixed watchdog softlockup warning on x86_64 guests
    when a vCPU is paused during GDB debugging.
    - #5021: If a balloon device is inflated post UFFD-backed
    snapshot restore, Firecracker now causes remove UFFD messages
    to be sent to the UFFD handler. Previously, no such message
    would be sent.
    - #5034: Fix an integer underflow in the jailer when computing
    the value it passes to Firecracker's --parent-cpu-time-us
    values, which caused development builds of Firecracker to
    crash (but production builds were unaffected as underflows do
    not panic in release mode).
    - #5045: Fixed an issue where firecracker intermittently
    receives SIGHUP when using jailer with --new-pid-ns but
    without --daemonize.
    - #4995: Firecracker no longer overwrites CPUID leaf 0x80000000
    when running AMD hardware, meaning the guest can now discover
    a greater range of CPUID leaves in the extended function
    range (this range is host kernel dependent).
    - #5046: Retry KVM_CREATE_VM on EINTR that occasionally happen
    on heavily loaded hosts to improve reliability of microVM
    creation.
    - #5052: Build the empty seccomp policy as default for debug
    builds to avoid crashes on syscalls introduced by debug
    assertions from Rust 1.80.0.
* Mon Dec 02 2024 opensuse_buildservice@ojkastl.de
  - Update to version 1.10.1:
    * chore: bump version to 1.10.1
    * chore: Bump snapshot version
* Mon Nov 11 2024 kskarthik@disroot.org
  - Update to version 1.10.0:
    * Added
    - #4834: Add VIRTIO_NET_F_RX_MRGBUF support to the virtio-net
    device. When this feature is negotiated, guest virtio-net
    driver can perform more efficient memory management which in
    turn improves RX and TX performance.
    - #4460: Add a call to KVM_KVMCLOCK_CTRL after pausing vCPUs on
    x86_64 architectures. This ioctl sets a flag in the KVM state
    of the vCPU indicating that it has been paused by the host
    userspace. In guests that use kvmclock, the soft lockup
    watchdog checks this flag. If it is set, it won't trigger the
    lockup condition. Calling the ioctl for guests that don't use
    kvmclock will fail. These failures are not fatal. We log the
    failure and increase the vcpu.kvmclock_ctrl_fails metric.
    - #4869: Added support for Aarch64 systems which feature CPU
    caches with a number of sets higher than u16::MAX.
    - #4797, #4854: Added GDB debugging support for a microVM guest
    kernel.  Please see our GDB debugging documentation for more
    information.
    * Changed
    - #4844: Upgrade virtio-net device to use readv syscall to
    avoid unnecessary memory copies on RX path, increasing the RX
    performance.
    * Removed
    - #4804: Drop Support for guest kernel 4.14. Linux 4.14 reached
    end-of-life in January 2024. The minimum supported guest
    kernel now is 5.10
    * Fixed
    - #4796: Fixed Vsock not notifying guest about
    TRANSPORT_RESET_EVENT event after snapshot restore. This
    resulted in guest waiting indefinitely on a connection which
    was reset during snapshot creation.
    - #4790: v1.9.0 was missing most of the debugging information
    in the debuginfo file, due to a change in the Cargo defaults.
    This has been corrected.
    - #4826: Add missing configuration of tap offload features when
    restoring from a snapshot. Setting the features was
    previously moved from net device creation to device
    activation time, but it was not reflected in the restore
    path.  This was leading to inability to connect to the
    restored VM if the offload features were used.
* Thu Sep 26 2024 opensuse_buildservice@ojkastl.de
  - Update to version 1.9.0:
    * Added
    - #4687: Added VMGenID support for microVMs running on ARM
    hosts with 6.1 guest kernels. Support for VMGenID via
    DeviceTree bindings exists only on mainline 6.10 Linux
    onwards. Users of Firecracker will need to backport the
    relevant patches on top of their 6.1 kernels to make use of
    the feature.
    - #4732, #4733, #4741, #4746: Added official support for 6.1
    microVM guest kernels.
    * Changed
    - nothing
    * Deprecated
    - Support for guest kernel 4.14 is now deprecated. We will
    completely remove 4.14 support with Firecracker version v1.10
    * Removed
    - #4689: Drop support for host kernel 4.14. Linux 4.14 reached
    end-of-life in January 2024. The minimum supported kernel now
    is 5.10. Guest kernel 4.14 is still supported.
    * Fixed
    - #4680: Fixed an issue (#4659) where the virtio-net device
    implementation would always assume the guest accepts all
    VirtIO features the device offers. This is always true with
    the Linux guest kernels we are testing but other kernels,
    like FreeBSD make different assumptions. This PR fixes the
    emulation code to set the TAP features based on the features
    accepted by the guest.
  - Update to version 1.8.0:
    * Added
    - #4428: Added ACPI support to Firecracker for x86_64 microVMs.
    Currently, we pass ACPI tables with information about the
    available vCPUs, interrupt controllers, VirtIO and legacy x86
    devices to the guest. This allows booting kernels without
    MPTable support. Please see our kernel policy documentation
    for more information regarding relevant kernel
    configurations.
    - #4487: Added support for the Virtual Machine Generation
    Identifier (VMGenID) device on x86_64 platforms. VMGenID is a
    virtual device that allows VMMs to notify guests when they
    are resumed from a snapshot. Linux includes VMGenID support
    since version 5.18. It uses notifications from the device to
    reseed its internal CSPRNG. Please refer to snapshot support
    and random for clones documentation for more info on VMGenID.
    VMGenID state is part of the snapshot format of Firecracker.
    As a result, Firecracker snapshot version is now 2.0.0.
    * Changed
    - #4492: Changed --config parameter of cpu-template-helper
    optional. Users no longer need to prepare kernel, rootfs and
    Firecracker configuration files to use cpu-template-helper.
    - #4537: Changed T2CL template to pass through bit 27 and 28 of
    MSR_IA32_ARCH_CAPABILITIES (RFDS_NO and RFDS_CLEAR) since KVM
    considers they are able to be passed through and T2CL isn't
    designed for secure snapshot migration between different
    processors.
    - #4537: Changed T2S template to set bit 27 of
    MSR_IA32_ARCH_CAPABILITIES (RFDS_NO) to 1 since it assumes
    that the fleet only consists of processors that are not
    affected by RFDS.
    - #4388: Avoid setting kvm_immediate_exit to 1 if we are already
    handling an exit, or if the vCPU is stopped. This avoids a
    spurious KVM exit upon restoring snapshots.
    - #4567: Do not initialize vCPUs in powered-off state upon
    snapshot restore. No functional change, as vCPU
    initialization is only relevant for the booted case (where
    the guest expects CPUs to be powered off).
    * Deprecated
    - Firecracker's --start-time-cpu-us and --start-time-us
    parameters are deprecated and will be removed in v2.0 or
    later. They are used by the jailer to pass the value that
    should be subtracted from the (CPU) time, when emitting the
    start_time_us and start_time_cpu_us metrics. These parameters
    were never meant to be used by end customers, and we
    recommend doing any such time adjustments outside
    Firecracker.
    - Booting with microVM kernels that rely on MPTable on x86_64
    is deprecated and support will be removed in v2.0 or later.
    We suggest to users of Firecracker to use guest kernels with
    ACPI support. For x86_64 microVMs, ACPI will be the only way
    Firecracker passes hardware information to the guest once
    MPTable support is removed.
    * Fixed
    - #4526: Added a check in the network TX path that the size of
    the network frames the guest passes to us is not bigger than
    the maximum frame the device expects to handle. On the TX
    path, we copy frames destined to MMDS from guest memory to
    Firecracker memory. Without the check, a mis-behaving
    virtio-net driver could cause an increase in the memory
    footprint of the Firecracker process. Now, if we receive such
    a frame, we ignore it and increase Net::tx_malformed_frames
    metric.
    - #4536: Make the first differential snapshot taken after a
    full snapshot contain only the set of memory pages changed
    since the full snapshot. Previously, these differential
    snapshots would contain all memory pages. This will result in
    potentially much smaller differential snapshots after a full
    snapshot.
    - #4578: Fix UFFD support not being forward-compatible with new
    ioctl options introduced in Linux 6.6. See also
    bytecodealliance/userfaultfd-rs#61.
    - #4630: On x86_64, when taking a snapshot, if a vCPU has
    MSR_IA32_TSC_DEADLINE set to 0, Firecracker will replace it
    with the MSR_IA32_TSC value from the same vCPU. This is to
    guarantee that the vCPU will continue receiving TSC
    interrupts after restoring from the snapshot even if an
    interrupt is lost when taking a snapshot.
    - #4666: Fixed Firecracker sometimes restoring
    MSR_IA32_TSC_DEADLINE before MSR_IA32_TSC. Now it always
    restores MSR_IA32_TSC_DEADLINE MSR after MSR_IA32_TSC, as KVM
    relies on the guest TSC for correct restoration of
    MSR_IA32_TSC_DEADLINE. This fixed guests using the
    TSC_DEADLINE hardware feature receiving incorrect timer
    interrupts after snapshot restoration, which could lead to
    them seemingly getting stuck in sleep-related syscalls (see
    also #4099).
  - Update to version 1.7.0:
    * Added
    - #4346: Added support to emit aggregate (minimum/maximum/sum)
    latency for VcpuExit::MmioRead, VcpuExit::MmioWrite,
    VcpuExit::IoIn and VcpuExit::IoOut. The average for these VM
    exits is not emitted since it can be deduced from the
    available emitted metrics.
    - #4360: Added dev-preview support for backing a VM's guest
    memory by 2M hugetlbfs pages. Please see the documentation
    for more information
    - #4490: Added block and net device metrics for file/tap access
    latencies and queue backlog lengths, which can be used to
    analyse saturation of the Firecracker VMM thread and
    underlying layers. Queue backlog length metrics are flushed
    periodically. They can be used to estimate an average queue
    length by request by dividing its value by the number of
    requests served.
    * Changed
    - #4230: Changed microVM snapshot format version strategy.
    Firecracker snapshot format now has a version that is
    independent of Firecracker version. The current version of
    the snapshot format is v1.0.0. From now on, the Firecracker
    binary will define the snapshot format version it supports
    and it will only be able to load snapshots with format that
    is backwards compatible with that version. Users can pass the
    --snapshot-version flag to the Firecracker binary to see its
    supported snapshot version format. This change renders all
    previous Firecracker snapshots (up to Firecracker version
    v1.6.0) incompatible with the current Firecracker version.
    - #4449: Added information about page size to the payload
    Firecracker sends to the UFFD handler. Each memory region
    object now contains a page_size_kib field. See also the
    hugepages documentation.
    - #4501: Only use memfd to back guest memory if a
    vhost-user-blk device is configured, otherwise use anonymous
    private memory. This is because serving page faults of shared
    memory used by memfd is slower and may impact workloads.
    * Fixed
    - #4409: Fixed a bug in the cpu-template-helper that made it
    panic during conversion of cpu configuration with SVE
    registers to the cpu template on aarch64 platform. Now
    cpu-template-helper will print warnings if it encounters SVE
    registers during the conversion process. This is because cpu
    templates are limited to only modify registers less than 128
    bits.
    - #4413: Fixed a bug in Firecracker that prevented it from
    restoring snapshots of VMs that had SVE enabled.
    - #4414: Made PATCH requests to the /machine-config endpoint
    transactional, meaning Firecracker's configuration will be
    unchanged if the request returns an error. This fixes a bug
    where a microVM with incompatible balloon and guest memory
    size could be booted, due to the check for this condition
    happening after Firecracker's configuration was updated.
    - #4259: Added a double fork mechanism in the Jailer to avoid
    setsid() failures occurred while running Jailer as the
    process group leader. However, this changed the behaviour of
    Jailer and now the Firecracker process will always have a
    different PID than the Jailer process.
    - #4436: Added a "Known Limitations" section in the Jailer docs
    to highlight the above change in behaviour introduced in
    PR#4259.
    - #4442: As a solution to the change in behaviour introduced in
    PR#4259, provided a mechanism to reliably fetch Firecracker
    PID. With this change, Firecracker process's PID will always
    be available in the Jailer's root directory regardless of
    whether new_pid_ns was set.
    - #4468: Fixed a bug where a client would hang or timeout when
    querying for an MMDS path whose content is empty, because the
    'Content-Length' header field was missing in a response.
  - Update to version 1.6.0:
    * Added
    - #4145: Added support for per net device metrics. In addition
    to aggregate metrics net, each individual net device will
    emit metrics under the label "net_{iface_id}". E.g. the
    associated metrics for the endpoint
    "/network-interfaces/eth0" will be available under "net_eth0"
    in the metrics json object.
    - #4202: Added support for per block device metrics. In
    addition to aggregate metrics block, each individual block
    device will emit metrics under the label "block_{drive_id}".
    E.g. the associated metrics for the endpoint
    "/drives/{drive_id}" will be available under "block_drive_id"
    in the metrics json object.
    - #4205: Added a new vm-state subcommand to info-vmstate
    command in the snapshot-editor tool to print MicrovmState of
    vmstate snapshot file in a readable format. Also made the
    vcpu-states subcommand available on x86_64.
    - #4063: Added source-level instrumentation based tracing. See
    tracing for more details.
    - #4138, #4170, #4223, #4247, #4226: Added developer preview
    only (NOT for production use) support for vhost-user block
    devices. Firecracker implements a vhost-user frontend. Users
    are free to choose from existing open source backend
    solutions or their own implementation. Known limitation:
    snapshotting is not currently supported for microVMs
    containing vhost-user block devices. See the related doc page
    for details. The device emits metrics under the label
    "vhost_user_{device}_{drive_id}".
    * Changed
    - #4309: The jailer’s option --parent-cgroup will move the
    process to that cgroup if no cgroup options are provided.
    - Simplified and clarified the removal policy of deprecated API
    elements to follow semantic versioning 2.0.0. For more
    information, please refer to this GitHub discussion.
    - #4180: Refactored error propagation to avoid logging and
    printing an error on exits with a zero exit code. Now, on
    successful exit “Firecracker exited successfully” is logged.
    - #4194: Removed support for creating Firecracker snapshots
    targeting older versions of Firecracker. With this change,
    running ‘firecracker --version’ will not print the supported
    snapshot versions.
    - #4301: Allow merging of diff snapshots into base snapshots by
    directly writing the diff snapshot on top of the base
    snapshot’s memory file. This can be done by setting the
    mem_file_path to the path of the pre-existing full snapshot.
    * Deprecated
    - #4209: rebase-snap tool is now deprecated. Users should use
    snapshot-editor for rebasing diff snapshots.
    * Fixed
    - #4171: Fixed a bug that ignored the --show-log-origin option,
    preventing it from printing the source code file of the log
    messages.
    - #4178: Fixed a bug reporting a non-zero exit code on
    successful shutdown when starting Firecracker with --no-api.
    - #4261: Fixed a bug where Firecracker would log
    “RunWithApiError error: MicroVMStopped without an error:
    GenericError” when exiting after encountering an emulation
    error. It now correctly prints “RunWithApiError error:
    MicroVMStopped with an error: GenericError”.
    - #4242: Fixed a bug introduced in #4047 that limited the
    --level option of logger to Pascal-cased values (e.g.
    accepting “Info”, but not “info”). It now ignores case again.
    - #4286: Fixed a bug in the asynchronous virtio-block engine
    that rendered the device non-functional after a PATCH request
    was issued to Firecracker for updating the path to the
    host-side backing file of the device.
    - #4301: Fixed a bug where if Firecracker was instructed to
    take a snapshot of a microvm which itself was restored from a
    snapshot, specifying mem_file_path to be the path of the
    memory file from which the microvm was restored would result
    in both the microvm and the snapshot being corrupted. It now
    instead performs a “write-back” of all memory that was
    updated since the snapshot was originally loaded.
  - Update to version 1.5.1:
    * Added
    - #4287: Document a caveat to the jailer docs when using the
    --parent-cgroup option, which results in it being ignored by
    the jailer. Refer to the jailer documentation for a
    workaround.
    * Changed
    - #4191: Refactored error propagation to avoid logging and
    printing an error on exits with a zero exit code. Now, on
    successful exit "Firecracker exited successfully" is logged.
    * Fixed
    - #4277: Fixed a bug that ignored the --show-log-origin option,
    preventing it from printing the source code file of the log
    messages.
    - #4179: Fixed a bug reporting a non-zero exit code on
    successful shutdown when starting Firecracker with --no-api.
    - #4271: Fixed a bug where Firecracker would log
    "RunWithApiError error: MicroVMStopped without an error:
    GenericError" when exiting after encountering an emulation
    error. It now correctly prints "RunWithApiError error:
    MicroVMStopped with an error: GenericError".
    - #4270: Fixed a bug introduced in #4047 that limited the
    --level option of logger to Pascal-cased values (e.g.
    accepting "Info", but not "info"). It now ignores case again.
    - #4295: Fixed a bug in the asynchronous virtio-block engine
    that rendered the device non-functional after a PATCH request
    was issued to Firecracker for updating the path to the
    host-side backing file of the device.
  - Update to version 1.5.0:
    * Added
    - #3837: Added official support for Linux 6.1. See
    prod-host-setup for some security and performance
    considerations.
    - #4045 and #4075: Added snapshot-editor tool for modifications
    of snapshot files. It allows for rebasing of memory snapshot
    files, printing and removing aarch64 registers from the
    vmstate and obtaining snapshot version.
    - #3967: Added new fields to the custom CPU templates. (aarch64
    only) vcpu_features field allows modifications of vCPU
    features enabled during vCPU initialization. kvm_capabilities
    field allows modifications of KVM capability checks that
    Firecracker performs during boot. If any of these fields are
    in use, minimal target snapshot version is restricted to 1.5.
    * Changed
    - Updated deserialization of bitmap for custom CPU templates to
    allow usage of '_' as a separator.
    - Changed the strip feature of cpu-template-helper tool to
    operate bitwise.
    - Better logs during validation of CPU ID in snapshot
    restoration path. Also Firecracker now does not fail if it
    can't get CPU ID from the host or can't find CPU ID in the
    snapshot.
    - Changed the serial device to only try to initialize itself if
    stdin is a terminal or a FIFO pipe. This fixes logged
    warnings about the serial device failing to initialize if the
    process is daemonized (in which case stdin is /dev/null
    instead of a terminal).
    - Changed to show a warning message when launching a microVM
    with C3 template on a processor prior to Intel Cascade Lake,
    because the guest kernel does not apply the mitigation
    against MMIO stale data vulnerability when it is running on a
    processor that does not enumerate FBSDP_NO, PSDP_NO and
    SBDR_SSDP_NO on IA32_ARCH_CAPABILITIES MSR.
    - Made Firecracker resize its file descriptor table on process
    start. It now preallocates the in-kernel fdtable to hold
    RLIMIT_NOFILE many fds (or 2048 if no limit is set). This
    avoids the kernel reallocating the fdtable during Firecracker
    operations, resulting in a 30ms to 70ms reduction of snapshot
    restore times for medium to large microVMs with many devices
    attached.
    - Changed the dump feature of cpu-template-helper tool not to
    enumerate program counter (PC) on ARM because it is
    determined by the given kernel image and it is useless in the
    custom CPU template context.
    - The ability to create snapshots for an older version of
    Firecracker is now deprecated. As a result, the version body
    field in PUT on /snapshot/create request is deprecated.
    - Added support for the /dev/userfaultfd device available on
    Linux kernels >= 6.1. This is the default for creating UFFD
    handlers on these kernel versions. If it is unavailable,
    Firecracker falls back to the userfaultfd syscall.
    - Deprecated cpu_template field in PUT and PATCH requests on
    /machine-config API, which is used to set a static CPU
    template. Custom CPU templates added in v1.4.0 are available
    as an improved iteration of the static CPU templates. For
    more information about the transition from static CPU
    templates to custom CPU templates, please refer to this
    GitHub discussion.
    - Changed default log level from Warn to Info. This results in
    more logs being output by default.
    * Fixed
    - Fixed a change in behavior of normalize host brand string
    that breaks Firecracker on external instances.
    - Fixed the T2A CPU template not to unset the MMX bit
    (CPUID.80000001h:EDX[23]) and the FXSR bit
    (CPUID.80000001h:EDX[24]).
    - Fixed the T2A CPU template to set the RstrFpErrPtrs bit
    (CPUID.80000008h:EBX[2]).
    - Fixed a bug where Firecracker would crash during boot if a
    guest set up a virtio queue that partially overlapped with
    the MMIO gap. Now Firecracker instead correctly refuses to
    activate the corresponding virtio device.
    - Fixed the T2CL CPU template to pass through security
    mitigation bits that are listed by KVM as bits able to be
    passed through. By making the most use of the available
    hardware security mitigations on a processor that a guest is
    running on, the guest might be able to benefit from
    performance improvements.
    - Fixed the T2S CPU template to set the GDS_NO bit of the
    IA32_ARCH_CAPABILITIES MSR to 1 in accordance with an Intel
    microcode update. To use the template securely, users should
    apply the latest microcode update on the host.
    - Fixed the spelling of the nomodule param passed in the
    default kernel command line parameters. This is a breaking
    change for setups that use the default kernel command line
    which also depend on being able to load kernel modules at
    runtime. This may also break setups which use the default
    kernel command line and which use an init binary that
    inadvertently depends on the misspelled param ("nomodules")
    being present at the command line, since this param will no
    longer be passed.
* Tue Oct 10 2023 Andrea Manzini <andrea.manzini@suse.com>
  - Update to 1.4.1:
    * Fixed a change in behavior of normalize host brand string that breaks
    Firecracker on external instances.
    * Fixed the T2A CPU template not to unset the MMX bit (CPUID.80000001h:EDX[23])
    and the FXSR bit (CPUID.80000001h:EDX[24]).
    * Fixed the T2A CPU template to set the RstrFpErrPtrs bit
    (CPUID.80000008h:EBX[2]).
  - Update to 1.4.0:
    Added
    * Added support for custom CPU templates allowing users to adjust vCPU features
    exposed to the guest via CPUID, MSRs and ARM registers.
    * Introduced V1N1 static CPU template for ARM to represent Neoverse V1 CPU
    as Neoverse N1.
    * Added support for the virtio-rng entropy device. The device is optional. A
    single device can be enabled per VM using the /entropy endpoint.
    * Added a cpu-template-helper tool for assisting with creating and managing
    custom CPU templates.
    Changed
    * Set FDP_EXCPTN_ONLY bit (CPUID.7h.0:EBX[6]) and ZERO_FCS_FDS bit
    (CPUID.7h.0:EBX[13]) in Intel's CPUID normalization process.
    Fixed
    * Fixed feature flags in T2S CPU template on Intel Ice Lake.
    * Fixed CPUID leaf 0xb to be exposed to guests running on AMD host.
    * Fixed a performance regression in the jailer logic for closing open file
    descriptors.
    * A race condition that has been identified between the API thread and the VMM
    thread due to a misconfiguration of the api_event_fd.
    * Fixed CPUID leaf 0x1 to disable perfmon and debug feature on x86 host.
    * Fixed passing through cache information from host in CPUID leaf 0x80000006.
    * Fixed the T2S CPU template to set the RRSBA bit of the IA32_ARCH_CAPABILITIES
    MSR to 1 in accordance with an Intel microcode update.
    * Fixed the T2CL CPU template to pass through the RSBA and RRSBA bits of the
    IA32_ARCH_CAPABILITIES MSR from the host in accordance with an Intel microcode
    update.
    * Fixed passing through cache information from host in CPUID leaf 0x80000005.
    * Fixed the T2A CPU template to disable SVM (nested virtualization).
    * Fixed the T2A CPU template to set EferLmsleUnsupported bit
    (CPUID.80000008h:EBX[20]), which indicates that EFER[LMSLE] is not supported.
  - Update to 1.3.3:
    * Fixed passing through cache information from host in CPUID leaf 0x80000006.
* Thu May 18 2023 Paolo Stivanin <info@paolostivanin.com>
  - Update to 1.3.2:
    Added
    * Introduced T2CL (Intel) and T2A (AMD) CPU templates to provide
    instruction set feature parity between Intel and AMD CPUs when using
    these templates.
    * Added Graviton3 support (c7g instance type).
    Changed
    * Improved error message when invalid network backend provided.
    * Improved TCP throughput by between 5% and 15% (depending on CPU) by using
    scatter-gather I/O in the net device's TX path.
    * Upgraded Rust toolchain from 1.64.0 to 1.66.0.
    * Made seccompiler output bit-reproducible.
    Fixed
    * Fixed feature flags in T2 CPU template on Intel Ice Lake.
    * A race condition that has been identified between the API thread and the VMM
    thread due to a misconfiguration of the api_event_fd.

Files

/usr/bin/firecracker
/usr/bin/jailer
/usr/bin/seccompiler-bin
/usr/share/doc/packages/firecracker
/usr/share/doc/packages/firecracker/README.md


Generated by rpm2html 1.8.1

Fabrice Bellet, Thu Apr 16 22:33:23 2026