Added

• Added devtool build --ssh-keys flag to support fetching from private git repositories.
• Added option to configure block device flush.
• Added --new-pid-ns flag to the Jailer in order to spawn the Firecracker process in a new PID namespace.
• Added API metrics for GET, PUT and PATCH requests on /mmds endpoint.
• Added --describe-snapshot flag to Firecracker to fetch the data format version of a snapshot state file provided as argument.
• Added --no-seccomp parameter for disabling the default seccomp filters.
• Added --seccomp-filter parameter for supplying user-provided, custom filters.
• Added the seccompiler-bin binary that is used to compile JSON seccomp filters into serialized BPF for Firecracker consumption.
• Snapshotting support for GICv2 enabled guests.
• Added devtool install to deploy built binaries in /usr/local/bin or a given path.
• Added code logic to send VIRTIO_VSOCK_EVENT_TRANSPORT_RESET on snapshot creation, when the Vsock device is active. The event will close active connections on the guest.
• Added GET request on /vm/config that provides full microVM configuration as a JSON HTTP response.
• Added --resource-limit flag to jailer to limit resources such as: number of file descriptors allowed at a time (with a default value of 2048) and maximum size of files created by the process.

Changed

• Changed Docker images repository from DockerHub to Amazon ECR.
• Fixed off-by-one error in virtio-block descriptor address validation.
• Changed the PATCH request on /balloon/statistics to schedule the first statistics update immediately after processing the request.
• Deprecated the --seccomp-level parameter. It will be removed in a future release. Using it logs a runtime warning.
• Experimental gnu libc builds use empty default seccomp filters, allowing all system calls.

Fixed

• Fixed non-compliant check for the RTC device ensuring a fixed 4-sized data buffer.
• Unnecessary interrupt assertion was removed from the RTC. However, a dummy interrupt is still allocated for snapshot compatibility reasons.
• Fixed the SIGPIPE signal handler so Firecracker no longer exits. The signal is still recorded in metrics and logs.
• Fixed ballooning API definitions by renaming all fields which mentioned "MB" to use "MiB" instead.
• Snapshot related host files (vm-state, memory, block backing files) are now flushed to their backing mediums as part of the CreateSnapshot operation.
• Fixed the SSBD mitigation not being enabled on aarch64 with the provided prod-host-setup.md.
• Fixed the balloon statistics not working after a snapshot restore event.
• The utc_timestamp_ms now reports the timestamp in ms from the UTC UNIX Epoch, as the name suggests. It was previously using a monotonic clock with an undefined starting point.