diff --git a/.gitignore b/.gitignore index 241727c..cc40b21 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/firecracker-1.4.0.tar.gz +/firecracker-1.4.1.tar.gz /kvm-bindings-e835920.tar.gz /micro_http-4b18a04.tar.gz diff --git a/firecracker-1.4.0-remove-aws-lc-rs.patch b/firecracker-1.4.0-remove-aws-lc-rs.patch deleted file mode 100644 index b58dc39..0000000 --- a/firecracker-1.4.0-remove-aws-lc-rs.patch +++ /dev/null @@ -1,113 +0,0 @@ -The AWS-LC project is yet another TLS library that was would have to be worked -into Fedora, while Firecracker only uses it for its randomness functions. The -reason stated for choosing AWS-LC is that Amazon might get it FIPS-certified -some day. This patch reverts 246a308ef6d1054f7551ebeee7f0191b8518d2ad to go -back to the original implementation with the rand crate instead. - ---- a/resources/seccomp/aarch64-unknown-linux-musl.json -+++ b/resources/seccomp/aarch64-unknown-linux-musl.json -@@ -104,7 +104,7 @@ - }, - { - "syscall": "getrandom", -- "comment": "getrandom is used by aws-lc library which we consume in virtio-rng" -+ "comment": "getrandom is used by virtio-rng to initialize the rand crate" - }, - { - "syscall": "accept4", -@@ -206,7 +206,16 @@ - }, - { - "syscall": "madvise", -- "comment": "Used by the VirtIO balloon device and by musl for some customer workloads. It is also used by aws-lc during random number generation. They setup a memory page that mark with MADV_WIPEONFORK to be able to detect forks. They also call it with -1 to see if madvise is supported in certain platforms." -+ "comment": "Used by the VirtIO balloon device and by musl for some customer workloads", -+ "args": [ -+ { -+ "index": 2, -+ "type": "dword", -+ "op": "eq", -+ "val": 4, -+ "comment": "libc::MADV_DONTNEED" -+ } -+ ] - }, - { - "syscall": "mmap", ---- a/resources/seccomp/x86_64-unknown-linux-musl.json -+++ b/resources/seccomp/x86_64-unknown-linux-musl.json -@@ -104,7 +104,7 @@ - }, - { - "syscall": "getrandom", -- "comment": "getrandom is used by aws-lc library which we consume in virtio-rng" -+ "comment": "getrandom is used by virtio-rng to initialize the rand crate" - }, - { - "syscall": "accept4", -@@ -206,7 +206,16 @@ - }, - { - "syscall": "madvise", -- "comment": "Used by the VirtIO balloon device and by musl for some customer workloads. It is also used by aws-lc during random number generation. They setup a memory page that mark with MADV_WIPEONFORK to be able to detect forks. They also call it with -1 to see if madvise is supported in certain platforms." -+ "comment": "Used by the VirtIO balloon device and by musl for some customer workloads", -+ "args": [ -+ { -+ "index": 2, -+ "type": "dword", -+ "op": "eq", -+ "val": 4, -+ "comment": "libc::MADV_DONTNEED" -+ } -+ ] - }, - { - "syscall": "mmap", ---- a/src/devices/Cargo.toml -+++ b/src/devices/Cargo.toml -@@ -6,7 +6,6 @@ - license = "Apache-2.0" - - [dependencies] --aws-lc-rs = "1.0.2" - derive_more = { version = "0.99.17", default-features = false, features = ["from"] } - event-manager = "0.3.0" - libc = "0.2.117" -@@ -15,6 +14,7 @@ - versionize = "0.1.10" - versionize_derive = "0.1.5" - vm-superio = "0.7.0" -+rand = "0.8.5" - - dumbo = { path = "../dumbo" } - logger = { path = "../logger" } ---- a/src/devices/src/virtio/rng/device.rs -+++ b/src/devices/src/virtio/rng/device.rs -@@ -5,8 +5,9 @@ - use std::sync::atomic::AtomicUsize; - use std::sync::Arc; - --use aws_lc_rs::rand; - use logger::{debug, error, IncMetric, METRICS}; -+use rand::rngs::OsRng; -+use rand::RngCore; - use rate_limiter::{RateLimiter, TokenType}; - use utils::eventfd::EventFd; - use utils::vm_memory::{GuestMemoryError, GuestMemoryMmap}; -@@ -27,7 +28,7 @@ - #[error("Bad guest memory buffer: {0}")] - GuestMemory(#[from] GuestMemoryError), - #[error("Could not get random bytes: {0}")] -- Random(#[from] aws_lc_rs::error::Unspecified), -+ Random(#[from] rand::Error), - } - - type Result = std::result::Result; -@@ -109,7 +110,7 @@ - } - - let mut rand_bytes = vec![0; iovec.len()]; -- rand::fill(&mut rand_bytes).map_err(|err| { -+ OsRng.try_fill_bytes(&mut rand_bytes).map_err(|err| { - METRICS.entropy.host_rng_fails.inc(); - err - })?; diff --git a/firecracker-1.4.0-remove-criterion.patch b/firecracker-1.4.0-remove-criterion.patch deleted file mode 100644 index e5f5aaa..0000000 --- a/firecracker-1.4.0-remove-criterion.patch +++ /dev/null @@ -1,24 +0,0 @@ -The build does not run benches, and the criterion crate is retired in Fedora. - ---- a/src/snapshot/Cargo.toml -+++ b/src/snapshot/Cargo.toml -@@ -12,9 +12,6 @@ - versionize_derive = "0.1.5" - thiserror = "1.0.32" - --[dev-dependencies] --criterion = { version = "0.4.0", default-features = false } -- - [[bench]] - name = "version_map" - harness = false ---- a/src/vmm/Cargo.toml -+++ b/src/vmm/Cargo.toml -@@ -35,7 +35,6 @@ - virtio_gen = { path = "../virtio_gen" } - - [dev-dependencies] --criterion = { version = "0.4.0", default-features = false } - device_tree = "1.1.0" - - [[bench]] diff --git a/firecracker-1.4.0-remove-device_tree.patch b/firecracker-1.4.0-remove-device_tree.patch deleted file mode 100644 index 952ad65..0000000 --- a/firecracker-1.4.0-remove-device_tree.patch +++ /dev/null @@ -1,33 +0,0 @@ -This crate is unmaintained for many years with license issues and deprecation -warnings, but it is only used for two aarch64 tests. - ---- a/src/vmm/Cargo.toml -+++ b/src/vmm/Cargo.toml -@@ -34,9 +34,6 @@ - utils = { path = "../utils" } - virtio_gen = { path = "../virtio_gen" } - --[dev-dependencies] --device_tree = "1.1.0" -- - [[bench]] - name = "cpu_templates" - harness = false ---- a/src/vmm/src/arch/aarch64/fdt.rs -+++ b/src/vmm/src/arch/aarch64/fdt.rs -@@ -497,6 +497,7 @@ - } - - #[test] -+ #[cfg(not(test))] - fn test_create_fdt() { - let regions = arch_memory_regions(layout::FDT_MAX_SIZE + 0x1000); - let mem = utils::vm_memory::test_utils::create_anon_guest_memory(®ions, false) -@@ -555,6 +556,7 @@ - } - - #[test] -+ #[cfg(not(test))] - fn test_create_fdt_with_initrd() { - let regions = arch_memory_regions(layout::FDT_MAX_SIZE + 0x1000); - let mem = utils::vm_memory::test_utils::create_anon_guest_memory(®ions, false) diff --git a/firecracker-1.4.0-upgrade-linux-loader.patch b/firecracker-1.4.0-upgrade-linux-loader.patch deleted file mode 100644 index 0b3d2f1..0000000 --- a/firecracker-1.4.0-upgrade-linux-loader.patch +++ /dev/null @@ -1,25 +0,0 @@ -This backports 0ccc09a4fca700a33055fc93e762ed0ca134a7aa which notes that the -linux-loader and vm-memory crates must be kept in sync. - ---- a/src/utils/Cargo.toml -+++ b/src/utils/Cargo.toml -@@ -13,7 +13,7 @@ - versionize = "0.1.10" - versionize_derive = "0.1.5" - vmm-sys-util = "0.11.0" --vm-memory = { version = "0.10.0", features = ["backend-mmap", "backend-bitmap"] } -+vm-memory = { version = "0.12.0", features = ["backend-mmap", "backend-bitmap"] } - - net_gen = { path = "../net_gen" } - ---- a/src/vmm/Cargo.toml -+++ b/src/vmm/Cargo.toml -@@ -13,7 +13,7 @@ - kvm-ioctls = "0.14.0" - lazy_static = "1.4.0" - libc = "0.2.117" --linux-loader = "0.8.1" -+linux-loader = "0.9.0" - log = "0.4.17" - serde = { version = "1.0.136", features = ["derive"] } - serde_json = "1.0.78" diff --git a/firecracker-1.4.1-remove-aws-lc-rs.patch b/firecracker-1.4.1-remove-aws-lc-rs.patch new file mode 100644 index 0000000..8bbd62d --- /dev/null +++ b/firecracker-1.4.1-remove-aws-lc-rs.patch @@ -0,0 +1,105 @@ +The AWS-LC project is yet another TLS library that was would have to be worked +into Fedora, while Firecracker only uses it for its randomness functions. The +reason stated for choosing AWS-LC is that Amazon might get it FIPS-certified +some day. This patch reverts 246a308ef6d1054f7551ebeee7f0191b8518d2ad to go +back to the original implementation with the rand crate instead. + +--- a/resources/seccomp/aarch64-unknown-linux-musl.json ++++ b/resources/seccomp/aarch64-unknown-linux-musl.json +@@ -104,7 +104,7 @@ + }, + { + "syscall": "getrandom", +- "comment": "getrandom is used by aws-lc library which we consume in virtio-rng" ++ "comment": "getrandom is used by virtio-rng to initialize the rand crate" + }, + { + "syscall": "accept4", +@@ -206,7 +206,16 @@ + }, + { + "syscall": "madvise", +- "comment": "Used by the VirtIO balloon device and by musl for some customer workloads. It is also used by aws-lc during random number generation. They setup a memory page that mark with MADV_WIPEONFORK to be able to detect forks. They also call it with -1 to see if madvise is supported in certain platforms." ++ "comment": "Used by the VirtIO balloon device and by musl for some customer workloads", ++ "args": [ ++ { ++ "index": 2, ++ "type": "dword", ++ "op": "eq", ++ "val": 4, ++ "comment": "libc::MADV_DONTNEED" ++ } ++ ] + }, + { + "syscall": "mmap", +--- a/resources/seccomp/x86_64-unknown-linux-musl.json ++++ b/resources/seccomp/x86_64-unknown-linux-musl.json +@@ -104,7 +104,7 @@ + }, + { + "syscall": "getrandom", +- "comment": "getrandom is used by aws-lc library which we consume in virtio-rng" ++ "comment": "getrandom is used by virtio-rng to initialize the rand crate" + }, + { + "syscall": "accept4", +@@ -206,7 +206,16 @@ + }, + { + "syscall": "madvise", +- "comment": "Used by the VirtIO balloon device and by musl for some customer workloads. It is also used by aws-lc during random number generation. They setup a memory page that mark with MADV_WIPEONFORK to be able to detect forks. They also call it with -1 to see if madvise is supported in certain platforms." ++ "comment": "Used by the VirtIO balloon device and by musl for some customer workloads", ++ "args": [ ++ { ++ "index": 2, ++ "type": "dword", ++ "op": "eq", ++ "val": 4, ++ "comment": "libc::MADV_DONTNEED" ++ } ++ ] + }, + { + "syscall": "mmap", +--- a/src/vmm/Cargo.toml ++++ b/src/vmm/Cargo.toml +@@ -6,7 +6,6 @@ + license = "Apache-2.0" + + [dependencies] +-aws-lc-rs = "1.0.2" + bitflags = "2.0.2" + derive_more = { version = "0.99.17", default-features = false, features = ["from", "display"] } + event-manager = "0.3.0" +--- a/src/vmm/src/devices/virtio/rng/device.rs ++++ b/src/vmm/src/devices/virtio/rng/device.rs +@@ -5,8 +5,9 @@ + use std::sync::atomic::AtomicUsize; + use std::sync::Arc; + +-use aws_lc_rs::rand; + use logger::{debug, error, IncMetric, METRICS}; ++use rand::rngs::OsRng; ++use rand::RngCore; + use rate_limiter::{RateLimiter, TokenType}; + use utils::eventfd::EventFd; + use utils::vm_memory::{GuestMemoryError, GuestMemoryMmap}; +@@ -27,7 +28,7 @@ + #[error("Bad guest memory buffer: {0}")] + GuestMemory(#[from] GuestMemoryError), + #[error("Could not get random bytes: {0}")] +- Random(#[from] aws_lc_rs::error::Unspecified), ++ Random(#[from] rand::Error), + } + + type Result = std::result::Result; +@@ -109,7 +110,7 @@ + } + + let mut rand_bytes = vec![0; iovec.len()]; +- rand::fill(&mut rand_bytes).map_err(|err| { ++ OsRng.try_fill_bytes(&mut rand_bytes).map_err(|err| { + METRICS.entropy.host_rng_fails.inc(); + err + })?; diff --git a/firecracker-1.4.1-remove-criterion.patch b/firecracker-1.4.1-remove-criterion.patch new file mode 100644 index 0000000..91ded15 --- /dev/null +++ b/firecracker-1.4.1-remove-criterion.patch @@ -0,0 +1,24 @@ +The build does not run benches, and the criterion crate is retired in Fedora. + +--- a/src/snapshot/Cargo.toml ++++ b/src/snapshot/Cargo.toml +@@ -12,9 +12,6 @@ + versionize_derive = "0.1.5" + thiserror = "1.0.32" + +-[dev-dependencies] +-criterion = { version = "0.4.0", default-features = false } +- + [[bench]] + name = "version_map" + harness = false +--- a/src/vmm/Cargo.toml ++++ b/src/vmm/Cargo.toml +@@ -39,7 +39,6 @@ + virtio_gen = { path = "../virtio_gen" } + + [dev-dependencies] +-criterion = { version = "0.4.0", default-features = false } + device_tree = "1.1.0" + proptest = { version = "1.0.0", default-features = false, features = ["std"] } + diff --git a/firecracker-1.4.1-remove-device_tree.patch b/firecracker-1.4.1-remove-device_tree.patch new file mode 100644 index 0000000..0a9373a --- /dev/null +++ b/firecracker-1.4.1-remove-device_tree.patch @@ -0,0 +1,31 @@ +This crate is unmaintained for many years with license issues and deprecation +warnings, but it is only used for two aarch64 tests. + +--- a/src/vmm/Cargo.toml ++++ b/src/vmm/Cargo.toml +@@ -39,7 +39,6 @@ + virtio_gen = { path = "../virtio_gen" } + + [dev-dependencies] +-device_tree = "1.1.0" + proptest = { version = "1.0.0", default-features = false, features = ["std"] } + + [[bench]] +--- a/src/vmm/src/arch/aarch64/fdt.rs ++++ b/src/vmm/src/arch/aarch64/fdt.rs +@@ -497,6 +497,7 @@ + } + + #[test] ++ #[cfg(not(test))] + fn test_create_fdt() { + let regions = arch_memory_regions(layout::FDT_MAX_SIZE + 0x1000); + let mem = utils::vm_memory::test_utils::create_anon_guest_memory(®ions, false) +@@ -555,6 +556,7 @@ + } + + #[test] ++ #[cfg(not(test))] + fn test_create_fdt_with_initrd() { + let regions = arch_memory_regions(layout::FDT_MAX_SIZE + 0x1000); + let mem = utils::vm_memory::test_utils::create_anon_guest_memory(®ions, false) diff --git a/firecracker-1.4.1-upgrade-linux-loader.patch b/firecracker-1.4.1-upgrade-linux-loader.patch new file mode 100644 index 0000000..94bd1e0 --- /dev/null +++ b/firecracker-1.4.1-upgrade-linux-loader.patch @@ -0,0 +1,25 @@ +This backports 0ccc09a4fca700a33055fc93e762ed0ca134a7aa which notes that the +linux-loader and vm-memory crates must be kept in sync. + +--- a/src/utils/Cargo.toml ++++ b/src/utils/Cargo.toml +@@ -13,7 +13,7 @@ + versionize = "0.1.10" + versionize_derive = "0.1.5" + vmm-sys-util = "0.11.0" +-vm-memory = { version = "0.10.0", features = ["backend-mmap", "backend-bitmap"] } ++vm-memory = { version = "0.12.0", features = ["backend-mmap", "backend-bitmap"] } + + net_gen = { path = "../net_gen" } + +--- a/src/vmm/Cargo.toml ++++ b/src/vmm/Cargo.toml +@@ -13,7 +13,7 @@ + kvm-ioctls = "0.14.0" + lazy_static = "1.4.0" + libc = "0.2.117" +-linux-loader = "0.8.1" ++linux-loader = "0.9.0" + log = "0.4.17" + rand = "0.8.5" + serde = { version = "1.0.136", features = ["derive"] } diff --git a/firecracker.spec b/firecracker.spec index ae9fe0e..e7f48a8 100644 --- a/firecracker.spec +++ b/firecracker.spec @@ -14,8 +14,8 @@ %endif Name: firecracker -Version: 1.4.0 -Release: 2%{?dist} +Version: 1.4.1 +Release: 1%{?dist} Summary: Secure and fast microVMs for serverless computing License: Apache-2.0 AND (Apache-2.0 OR BSD-3-Clause) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND BSD-3-Clause AND MIT AND Unicode-DFS-2016 @@ -34,12 +34,12 @@ Provides: bundled(crate(micro_http)) = 0.1.0^git4b18a04 # Edit crate dependencies to track what is packaged in Fedora. # These patches do not make sense to send upstream given their purpose. -Patch: %{name}-1.4.0-remove-aws-lc-rs.patch +Patch: %{name}-1.4.1-remove-aws-lc-rs.patch Patch: %{name}-1.4.0-remove-cargo_toml.patch -Patch: %{name}-1.4.0-remove-criterion.patch -Patch: %{name}-1.4.0-remove-device_tree.patch +Patch: %{name}-1.4.1-remove-criterion.patch +Patch: %{name}-1.4.1-remove-device_tree.patch Patch: %{name}-1.4.0-upgrade-kvm-ioctls.patch -Patch: %{name}-1.4.0-upgrade-linux-loader.patch +Patch: %{name}-1.4.1-upgrade-linux-loader.patch BuildRequires: cargo-rpm-macros >= 24 %if %defined cargo_target @@ -112,6 +112,9 @@ done %changelog +* Wed Aug 09 2023 David Michael - 1.4.1-1 +- Update to the 1.4.1 release. + * Mon Jul 24 2023 David Michael - 1.4.0-2 - Backport updates for the kvm-ioctls, linux-loader, and vm-memory crates. - Port arm64 to the new kvm-ioctls CPU register API. diff --git a/sources b/sources index 22a9cba..5a501b1 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (firecracker-1.4.0.tar.gz) = a91505cf659a9604e8ea155b9bb875c59e74fa6eb65b5d7f1d6f9d37c18ab9246aa04871832bbe5dfeedd026afe4e9625193fe5212506338fe48bb87558e2d5b +SHA512 (firecracker-1.4.1.tar.gz) = 20d105b4ee87728f5d92921148dd507ed0e727100cf04320943af66dee4d169d572b40a54c288fabe2b57d7c08337cd9a0138601ad90c76338b4177786ca2ee5 SHA512 (kvm-bindings-e835920.tar.gz) = e9e713c72e5a7cdd05063ec273abb8ab54aec71519119e7fbe0e93923dea89e3987346a7a09a101f01ace911ef6ac0694febc131e45b84692592065fa82eb74c SHA512 (micro_http-4b18a04.tar.gz) = 883d76820b5ed3fa36cb8110bf34ca7fa9e345a9c4f5040f77f4a578cc86fdfde51bcb4fa4daf6ab371a67ed27bd36df38c710e884a59b85c672c2843c87d7d6