-
v0.20.0
Added

* Added support for GICv2.

Fixed

* Fixed CVE-2019-18960 - Fixed a logical error in bounds checking performed on vsock virtio descriptors.
* Fixed #1283 - Can't start a VM in AARCH64 with vcpus number more than 16.
* Fixed #1088 - The backtrace is printed on `panic`, no longer causing a seccomp fault.
* Fixed #1375 - Change logger options type from `Value` to `Vec<LogOption>` to prevent potential unwrap on None panics.
* Fixed #1436 - Raise interrupt for TX queue used descriptors.
* Fixed #1439 - Prevent achieving 100% CPU load when the net device RX is throttled by the rate limiter.
* Fixed #1437 - Invalid fields in rate limiter related API requests are now failing with a proper error message.
* Fixed #1316 - Correctly determine the size of a virtio device backed by a block device.
* Fixed #1383 - Log failed API requests.

Changed

* Decreased release binary size by 10%.
-
v0.19.1
Fixed

* Fixed a logical error in bounds checking performed on vsock virtio descriptors (CVE-2019-18960).
-
v0.18.1
Fixed

* Fixed a logical error in bounds checking performed on vsock virtio descriptors (CVE-2019-18960).
-
v0.19.0
Added

* New command-line parameter for `firecracker`, named `--no-api`, which will disable the API server thread. If set, the user won't be able to send any API requests, either before or after the VM has booted. It must be paired with the `--config-file` parameter. Also, when the API server is disabled, MMDS is no longer available.
* New command-line parameter for `firecracker`, named `--config-file`, which represents the path to a file that contains a JSON which can be used for configuring and starting a microVM without sending any API requests.
* The jailer adheres to the "end of command options" convention, meaning all parameters specified after `--` are forwarded verbatim to Firecracker.
* Added `KVM_PTP` support to the recommended guest kernel config.
* Added entry in FAQ.md for Firecracker Guest timekeeping.

Changed

* Vsock API call: `PUT /vsocks/{id}` changed to `PUT /vsock` and no longer appears to support multiple vsock devices. Any subsequent calls to this API endpoint will override the previous vsock device configuration.
* Removed unused 'Halting' and 'Halted' instance states.

Fixed

* Fixed serial console on aarch64 (GitHub issue #1147).
* Upon panic, the terminal is now reset to canonical mode.
* Explicit error upon failure of vsock device creation.
* The failure message returned by an API call is flushed in the log FIFOs.
* Insert virtio devices in the FDT in order of their addresses sorted from low to high.
* Enforce the maximum length of the network interface name to be 16 chars as specified in the Linux Kernel.
* Changed the vsock property `id` to `vsock_id` so that the API client can be successfully generated from the swagger definition.
-
v0.18.0
Added

* New device: virtio-vsock, backed by Unix domain sockets (GitHub issue #650). See `docs/vsock.md`.

Fixed

* Updated the documentation for integration tests.
* Fixed high CPU usage before guest network interface is brought up (GitHub issue #1049).
* Fixed an issue that caused the wrong date (month) to appear in the log.
* Fixed a bug that caused the seccomp filter to reject legit syscalls in some rare cases (GitHub issue #1206).
* Docs: updated the production host setup guide.
* Docs: updated the rootfs and kernel creation guide.

Removed

* Removed experimental support for vhost-based vsock devices.
-
v0.17.0
Added

* New API call: `PATCH /machine-config/`, used to update VM configuration, before the microVM boots.
* Added an experimental swagger definition that includes the specification for the vsock API call.
* Added a signal handler for `SIGBUS` and `SIGSEGV` that immediately terminates the process upon intercepting the signal.
* Added documentation for signal handling utilities.
* Added [alpha] aarch64 support.
* Added metrics for successful read and write operations of MMDS, Net and Block devices.

Changed

* `vcpu_count`, `mem_size_mib` and `ht_enabled` have been changed to be mandatory for `PUT` requests on `/machine-config/`.
* Disallow invalid seccomp levels by exiting with error.

Fixed

* Incorrect handling of bind mounts within the jailed rootfs.
* Corrected the guide for `Alpine` guest setup.
-
v0.16.0
Added

* Added [alpha] AMD support.
* New `devtool` command: `prepare_release`. This updates the Firecracker version, crate dependencies and credits in preparation for a new release.
* New `devtool` command: `tag`. This creates a new git tag for the specified release number, based on the changelog contents.
* New doc section about building with glibc.

Changed

* Dropped the JSON-formatted `context` command-line parameter from Firecracker in favor of individual classic command-line parameters.
* When running with `jailer` the location of the API socket has changed to `<jail-root-path>/api.socket` (API socket was moved _inside_ the jail).
* `PUT` and `PATCH` requests on `/mmds` with data containing any value type other than `String`, `Array`, `Object` will return status code 400.
* Improved multiple error messages.
* Removed all kernel modules from the recommended kernel config.

Fixed

* Corrected the seccomp filter when building with glibc.

Removed

* Removed the `seccomp.bad_syscalls` metric.
-
v0.15.2
Fixed

* Corrected the conditional compilation of the seccomp rule for madvise.
-
v0.15.1
Fixed

* A madvise call issued by the musl allocator was added to the seccomp whitelist to prevent Firecracker from terminating abruptly when allocating memory in certain conditions.
-
v0.15.0
Added

* New API action: SendCtrlAltDel, used to initiate a graceful shutdown, if the guest has driver support for i8042 and AT Keyboard. See [the docs](docs/api_requests/actions.md#sendctrlaltdel) for details.
* New metric counting the number of egress packets with a spoofed MAC: `net.tx_spoofed_mac_count`.
* New API call: `PATCH /network-interfaces/`, used to update the rate limiters on a network interface, after the start of a microVM.

Changed

* Added missing `vmm_version` field to the InstanceInfo API swagger definition, and marked several other mandatory fields as such.
* New default command line for guest kernel: `reboot=k panic=1 pci=off nomodules 8250.nr_uarts=0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd`.

Fixed

* virtio-blk: VIRTIO_BLK_T_FLUSH now working as expected.
* Vsock devices can be attached when starting Firecracker using the jailer.
* Vsock devices work properly when seccomp filtering is enabled.
-
v0.14.0
Added

* Documentation for development environment setup on AWS in `dev-machine-setup.md`.
* Documentation for microVM networking setup in `docs/network-setup.md`.
* Limit the maximum supported vCPUs to 32.

Changed

* Log the app version when the `Logger` is initialized.
* Pretty print panic information.
* Firecracker terminates with exit code 148 when a non-whitelisted syscall is intercepted.

Fixed

* Fixed build with the `vsock` feature.
-
v0.13.0
Added

* Documentation for Logger API Requests in `docs/api_requests/logger.md`.
* Documentation for Actions API Requests in `docs/api_requests/actions.md`.
* Documentation for MMDS in `docs/mmds.md`.
* Flush metrics on request via a PUT `/actions` with the `action_type` field set to `FlushMetrics`.

Changed

* Updated the swagger definition of the `Logger` to specify the required fields and provide default values for optional fields.
* Default `seccomp-level` is `2` (was previously 0).
* API Resource IDs can only contain alphanumeric characters and underscores.

Fixed

* Seccomp filters are now applied to all Firecracker threads.
* Enforce minimum length of 1 character for the jailer ID.
* Exit with error code when starting the jailer process fails.

Removed

* Removed `InstanceHalt` from the list of possible actions.
-
v0.12.0
Added

* The `/logger` API has a new field called `options`. This is an array of strings that specify additional logging configurations. The only supported value is `LogDirtyPages`.
* When the `LogDirtyPages` option is configured via `PUT /logger`, a new metric called `memory.dirty_pages` is computed as the number of pages dirtied by the guest since the last time the metric was flushed.
* Log messages on both graceful and forceful termination.
* Availability of the list of dependencies for each commit inside the code base.
* Documentation on vsock experimental feature and host setup recommendations.

Changed

* `PUT` requests on `/mmds` always return 204 on success.
* `PUT` operations on `/network-interfaces` API resources no longer accept the previously required `state` parameter.
* The jailer starts with `--seccomp-level=2` (was previously 0) by default.
* Log messages use `anonymous-instance` as instance id if none is specified.

Fixed

* Fixed crash upon instance start on hosts without 1GB huge page support.
* Fixed "fault_message" inconsistency between Open API specification and code base.
* Ensure MMDS compatibility with C5's IMDS implementation.
* Corrected the swagger specification to ensure `OpenAPI 2.0` compatibility.
-
v0.11.0
Firecracker v0.11.0

Added

* Apache-2.0 license
* Docs:
  * CHARTER.md
  * CONTRIBUTE.md
  * docs/design.md
  * docs/getting-started.md
  * SECURITY-POLICY.md
  * SPECIFICATION.md
* [EXPERIMENTAL] vhost-based vsock implementation.

Changed

* Improved MMDS network stack performance
* If the logging system is not yet initialized (via `PUT /logger`), log events are now sent to stdout/stderr.
* Moved the `instance_info_fails` metric under `get_api_requests`
* Improved [readme](README.md) and added links to more detailed information, now featured in subject-specific docs.

Fixed

* Fixed bug in the MMDS network stack, that caused some RST packets to be sent without a destination.
* Fixed bug in `PATCH /drives`, whereby the ID in the path was not checked against the ID in the body.
-
v0.10.0
Firecracker v0.10.0

Added

* Each Firecracker process has an associated microVM Metadata Store (MMDS). Its contents can be configured using the `/mmds` API resource.

Changed

* The boot source is specified only with the `kernel_image_path` and the optional parameter `boot_args`. All other fields are removed.
* The `path_on_host` property in the drive specification is now marked as *mandatory*.
* PATCH drive only allows patching/changing the `path_on_host` property.
* All PUT and PATCH requests return the status code 204.
* CPUID brand string (aka model name) now includes the host CPU frequency.
* API requests which add guest network interfaces have an additional parameter, `allow_mmds_requests`, which defaults to `false`.
* Stopping the guest (e.g. using the `reboot` command) also terminates the Firecracker process. When the Firecracker process ends for any reason (other than `kill -9`), metrics are flushed at the very end.
* On startup `jailer` closes all inherited file descriptors based on `sysconf(_SC_OPEN_MAX)` except input, output and error.
* The microVM ID prefixes each Firecracker log line. This ID also appears in the process `cmdline` so it's now possible to `ps | grep <ID>` for it.
-
v0.9.0
Added

* Seccomp filtering is configured via the `--seccomp-level` jailer parameter.
* Firecracker logs the starting addresses of host memory areas provided as guest memory slots to KVM.
* The metric `panic_count` gets incremented to signal that a panic has occurred.
* Firecracker logs a backtrace when it crashes following a panic.
* Added basic instrumentation support for measuring boot time.

Changed

* `StartInstance` is a synchronous API request (it used to be an asynchronous request).

Fixed

* Ensure that fault messages sent by the API have valid JSON bodies.
* Use HTTP response code 500 for internal Firecracker errors, and 400 for user errors on InstanceStart.
* Serialize the machine configuration fields to the correct data types (as specified in the Swagger definition).
* NUMA node assignment is properly enforced by the jailer.
* The `is_root_device` and `is_read_only` properties are now marked as required in the Swagger definition of `Drive` object properties.

Removed

* `GET` requests on the `/actions` API resource are no longer supported.
* The metrics associated with asynchronous actions have been removed.
* Remove the `action_id` parameter for `InstanceStart`, both from the URI and the JSON request body.
-
v0.7.0
Firecracker v0.7.0 release

Added

* Rate limiting functionality allows specifying an initial one time burst size.
* Firecracker can now boot from an arbitrary boot partition by specifying its unique id in the driver's API call.
* Block device rescan is triggered via a PUT /actions with the drive ID in the action body's payload field and the action_type field set to BlockDeviceRescan.

Changed

* Removed `noapic` from the default guest kernel command line.
* The action_id parameter is no longer required for synchronous PUT requests to /actions.
* PUT requests are no longer allowed on /drives resources after the guest has booted.

Fixed

* Fixed guest instance kernel loader to accelerate vCPUs launch and consequently guest kernel boot.
* Fixed network emulation to improve IO performance.
-
v0.6.0
Added

* Firecracker uses two different named pipes to record human readable logs and metrics, respectively.

Changed

* Seccomp filtering can be enabled via setting the `USE_SECCOMP` environment variable.
* It is possible to supply only a partial specification when attaching a rate limiter (i.e. just the bandwidth or ops parameter).
* Errors related to guest network interfaces are now more detailed.

Fixed

* Fixed a bug that was causing Firecracker to panic whenever a PUT request was sent on an existing network interface.
* The id parameter of the jailer is required to be an RFC 4122-compliant UUID.
* Fixed an issue which caused the network RX rate limiter to be more restrictive than intended.
* API requests which contain unknown fields will generate an error.
* Fixed an issue related to high CPU utilization caused by improper KVM PIT configuration.
* It is now possible to create more than one network tun/tap interface inside a jailed Firecracker.
-
v0.5.0
Added

* Added metrics for API requests, VCPU and device actions for the serial console (UART), keyboard (i8042), block and network devices. Metrics are logged every 60 seconds.
* A CPU features template for C3 is available, in addition to the one for T2.
* Seccomp filters restrict Firecracker from calling any system calls other than the minimum set it needs to function properly. The filters are enabled by setting the `USE_SECCOMP` environment variable to 1 before running Firecracker.
* Firecracker can be started by a new binary called `jailer`. The jailer takes as command line arguments a unique ID, the path to the Firecracker binary, the NUMA node that Firecracker will be assigned to and a uid and gid for Firecracker to run under. It sets up a chroot environment and a cgroup and calls exec to morph into Firecracker.

Changed

* In case of failure, the metrics and the panic location are logged before aborting.
* Metric values are reset with every flush.
* `CPUTemplate` is now called `CpuTemplate` in order to work seamlessly with the swagger code generator for Go.
* `firecracker-beta.yaml` is now called `firecracker.yaml`.

Fixed

* Handling was added for several untreated KVM exit scenarios, which could have led to panic.
* Fixed a bug that caused Firecracker to crash when attempting to disable the IA32_DEBUG_INTERFACE MSR flag in the T2 CPU features.

Removed

* Removed a leftover file generated by the logger unit tests.
* Removed `firecracker-v1.0.yaml`.