Fixed

* Fixed race between vcpu initialization and emulation thread which could
  potentially lead to segmentation faults.
* Fixed the SSBD mitigation not being enabled on `aarch64` with the provided
  `prod-host-setup.md`, by force-enabling it.

Changed

* Changed Docker images repository from DockerHub to Amazon ECR.

Fixed

* Snapshot related host files (vm-state, memory, block backing files) are now
  flushed to their backing mediums as part of the CreateSnapshot operation.
* Fixed ballooning API definition by renaming all fields which mentioned "MB"
  to use "MiB" instead.

Added

* The jailer can now be configured to enter a preexisting network namespace,
and to run as a daemon.
* Enabled PATCH operations on /drives resources.

Changed

* The microVM id supplied to the jailer may now contain alphanumeric characters
and hyphens, up to a maximum length of 64 characters.
* Replaced the permissions property of /drives resources with a boolean.
* Removed the state property of /drives resources.

Fixed

* Fixed the SIGPIPE signal handler so Firecracker no longer exits. The signal
is still recorded in metrics and logs.

Fixed

* Fixed the SIGPIPE signal handler so Firecracker no longer exits. The signal
is still recorded in metrics and logs.

Fixed

* Fixed the reported used bytes for any virtio-block request.
* Fixed all virtio-block read/write operations to valid guest addresses
  with buffer length of 0 to result in no-op.

Fixed

* Fixed off-by-one error in virtio-block descriptor address validation.

Fixed

* Fixed off-by-one error in virtio-block descriptor address validation.

Fixed

* Fixed off-by-one error in virtio-block descriptor address validation.

Added

* Added optional `resume_vm` field to `/snapshot/load` API call.
* Added support for block rate limiter PATCH.
* Added devtool test `-c|--cpuset-cpus` flag for cpus confinement when tests
  run.
* Added devtool test `-m|--cpuset-mems` flag for memory confinement when tests
  run.
* Added the virtio traditional memory ballooning device.
* Added a mechanism to handle vCPU/VMM errors that result in process termination.
* Added incremental guest memory snapshot support.
* Added aarch64 snapshot support.

Changed

* Change the information provided in `DescribeInstance` command to provide microVM
  state information (Not started/Running/Paused) instead of whether it's started or not.
* Removed the jailer `--extra-args` parameter. It was a noop, having been
  replaced by the `--` separator for extra arguments.
* Changed the output of the `--version` command line parameter to include a list
  of supported snapshot data format versions for the firecracker binary.
* Increased the maximum number of virtio devices from 11 to 19.
* Added a new check that prevents creating v0.23 snapshots when more than 11
  devices are attached.
* If the stdout buffer is full and non-blocking, the serial writes no longer block.
  Any new bytes will be lost, until the buffer is freed. The device also logs these
  errors and increments the `uart.error_count` metric for each lost byte.

Fixed

* Fixed inconsistency in YAML file InstanceInfo definition

Fixed inconsistency in YAML file InstanceInfo definition

Fixed inconsistency in YAML file InstanceInfo definition

Added

- Added metric for throttled block device events.
- Added metrics for counting rate limiter throttling events.
- Added metric for counting MAC address updates.
- Added metrics for counting TAP read and write errors.
- Added metrics for counting RX and TX partial writes.
- Added metrics that measure the duration of pausing and resuming the microVM,
  from the VMM perspective.
- Added metric for measuring the duration of the last full snapshot created,
  from the VMM perspective.
- Added metric for measuring the duration of loading a snapshot, from the VMM
  perspective.
- Added metrics that measure the duration of pausing and resuming the microVM,
  from the API (user) perspective.
- Added metric for measuring the duration of the last full snapshot created,
  from the API (user) perspective.
- Added metric for measuring the duration of loading a snapshot, from the API
  (user) perspective.
- Added `track_dirty_pages` field to `machine-config`. If enabled, Firecracker
  can create incremental guest memory snapshots by saving the dirty guest pages
  in a sparse file.
- Added a new API call, `PATCH /vm`, for changing the microVM state (to
  `Paused` or `Resumed`).
- Added a new API call, `PUT /snapshot/create`, for creating a full snapshot.
- Added a new API call, `PUT /snapshot/load`, for loading a snapshot.
- Added new jailer command line argument `--cgroup` which allow the user to
  specify the cgroups that are going to be set by the Jailer.
- Added full support for AMD CPUs (General Availability). More details
  [here](README.md#supported-platforms).

Fixed

- Boot time on AMD achieves the desired performance (i.e under 150ms).

Changed

- The logger `level` field is now case-insensitive.
- Disabled boot timer device after restoring a snapshot.
- Enabled boot timer device only when specifically requested, by using the
  `--boot-timer` dedicated cmdline parameter.
- firecracker and jailer `--version` now gets updated on each devtool
  build to the output of `git describe --dirty`, if the git repo is available.
- MicroVM process is only attached to the cgroups defined by using `--cgroups`
  or the ones defined indirectly by using `--node`.

Fixed
- Limited serial device buffer size to maximum 64 bytes.

Added

- Added a new API call, `PUT /metrics`, for configuring the metrics system.
- Added `app_name` field in InstanceInfo struct for storing the application
  name.
- New command-line parameters for `firecracker`, named `--log-path`,
  `--level`, `--show-level` and `--show-log-origin` that can be used
  for configuring the Logger when starting the process. When using
  this method for configuration, only `--log-path` is mandatory.
- Added a [guide](docs/devctr-image.md) for updating the dev container image.
- Added a new API call, `PUT /mmds/config`, for configuring the
  `MMDS` with a custom valid link-local IPv4 address.
- Added experimental JSON response format support for MMDS guest applications
  requests.
- Added metrics for the vsock device.
- Added devtool strip command which removes debug symbols from the release
- Added the `tx_malformed_frames` metric for the virtio net device, emitted
  when a TX frame missing the VNET header is encountered.

Fixed

- Added `--version` flag to both Firecracker and Jailer.
- Return `405 Method Not Allowed` MMDS response for non HTTP `GET` MMDS
  requests originating from guest.
- Fixed folder permissions in the jail (#1802).
- Any number of whitespace characters are accepted after ":" when parsing HTTP
  headers.
- Potential panic condition caused by the net device expecting to find a VNET
  header in every frame.
- Potential crash scenario caused by "Content-Length" HTTP header field
  accepting negative values.
- Fixed #1754 - net: traffic blocks when running ingress UDP performance tests
  with very large buffers.

Changed
- Updated CVE-2019-3016 mitigation information in
  [Production Host Setup](docs/prod-host-setup.md)
- In case of using an invalid JSON as a 'config-file' for Firecracker,
  the process will exit with return code 152.
- Removed the `testrun.sh` wrapper.
- Removed `metrics_fifo` field from the logger configuration.
- Renamed `log_fifo` field from LoggerConfig to `log_path` and
  `metrics_fifo` field from MetricsConfig to `metrics_path`.
- `PATCH /drives/{id}` only allowed post-boot. Use `PUT` for pre-boot
  updates to existing configurations.
- `PATCH /network-interfaces/{id}` only allowed post-boot. Use `PUT` for
  pre-boot updates to existing configurations.
- Changed returned status code from `500 Internal Server Error` to
  `501 Not Implemented`, for queries on the MMDS endpoint in IMDS format, when
  the requested resource value type is unsupported.
- Allowed the MMDS data store to be initialized with all supported JSON types.
  Retrieval of these values within the guest, besides String, Array, and
  Dictionary, is only possible in JSON mode.
- `PATCH` request on `/mmds` before the data store is initialized returns
  `403 BadRequest`.
- Segregated MMDS documentation in MMDS design documentation and MMDS user
  guide documentation.

Fixed

- Fixed #1754 - net: traffic blocks when running ingress UDP performance tests
  with very large buffers.

Fixed

- Fixed #1754 - net: traffic blocks when running ingress UDP performance tests
  with very large buffers.

Fixed

* Added --version flag to both Firecracker and Jailer

Added

- Support for booting with an initial RAM disk image. This image can be
  specified through the new `initrd_path` field of the `/boot-source` API
  request.

Fixed

- Fixed #1469 - Broken GitHub location for Firecracker release binary.
- The jailer allows changing the default api socket path by using the extra
  arguments passed to firecracker.
- Fixed #1456 - Occasional KVM_EXIT_SHUTDOWN and bad syscall (14) during
  VM shutdown.
- Updated the production host setup guide with steps for addressing
  CVE-2019-18960.
- The HTTP header parsing is now case insensitive.
- The `put_api_requests` and `patch_api_requests` metrics for net devices were
  un-swapped.

Changed

- Removed redundant `--seccomp-level` jailer parameter since it can be
  simply forwarded to the Firecracker executable using "end of command
  options" convention.
- Removed `memory.dirty_pages` metric.
- Removed `options` field from the logger configuration.
- Decreased release binary size by ~15%.
- Changed default API socket path to `/run/firecracker.socket`. This path
  also applies when running with the jailer.
- Disabled KVM dirty page tracking by default.
- Removed redundant RescanBlockDevice action from the /actions API.
  The functionality is available through the PATCH /drives API.
  See `docs/api_requests/patch-block.md`.