-
Notifications
You must be signed in to change notification settings - Fork 2k
Description
Feature Tracker
This is a feature tracking issue for the work to enable Firecracker users to safely and efficiently use snapshots [1] by adding VMGenId counter as a back-end to SysGenID [2].
Describe the desired solution
We are starting by researching how to implement VMGenID via ACPI but without adding PCI support to Firecracker.
Describe possible alternatives
We will look at other options if VMGenId via ACPI is not feasible for some reason.
If we don't implement this, Linux guests can still drive SysGenId from users-space, though this may not work for all use cases, and induces latency upon snapshot restore.
Additional context
See [1] and [2].
Checks
- Have you searched the Firecracker Issues database for similar requests?Have you read all the existing relevant Firecracker documentation?Have you read and understood Firecracker's core tenets?To pick up a draggable item, press the space bar. While dragging, use the arrow keys to move the item. Press space again to drop the item in its new position, or press escape to cancel.
[1] https://github.com/firecracker-microvm/firecracker/blob/master/docs/snapshotting/snapshot-support.md#snapshot-security-and-uniqueness
[2] https://www.spinics.net/lists/kernel/msg3842154.html; https://www.spinics.net/lists/kernel/msg3842155.html; https://www.spinics.net/lists/kernel/msg3842157.html
Metadata
Metadata
Assignees
Labels
Type
Projects
Status
Activity
[-][Feature] #snapsafe support via VMGenID on ACPI[/-][+][Snapshotting] #snapsafe support via VMGenID on ACPI[/+][-][Snapshotting] #snapsafe support via VMGenID on ACPI[/-][+][Snaps] #snapsafe support via VMGenID on ACPI[/+]bchalios commentedon Mar 21, 2023
After long discussions, we are focusing into supporting #snapsafety through an extension on the virtio-rng device[1] which will allow VMM to report snapshot-related events to guests.
We have in-flight an RFC patch for supporting this in the Linux kernel [2] which is currently under discussion with the community and a PoC[3] that implements this in Firecracker.
[1] https://www.mail-archive.com/virtio-dev@lists.oasis-open.org/msg09016.html
[2] https://lore.kernel.org/lkml/20230131145543.86369-1-bchalios@amazon.es/
[3] https://github.com/bchalios/firecracker/tree/feat_snapsafety
JonathanWoollett-Light commentedon Dec 11, 2023
We are still working on it, re-opening to indicate this.
zulinx86 commentedon Mar 11, 2024
ACPI support may solve issue #1601.
bchalios commentedon May 13, 2024
PRs #4428 and #4487 added support for ACPI and VMGenID, respectively, on x86 platforms. Once we add support for kernel 6.1, Firecracker will officially support VMGenID on x86 platforms.
For Aarch64 systems, we went a different way. Since we already use Device Tree to boot Firecracker microVMs, we sent out a patch set to Linux: https://lore.kernel.org/lkml/20240419224020.780377-1-Jason@zx2c4.com/ that adds device tree bindings for the VMGenID device and extend the driver so that it can probe the device via them. This should land in Linux kernel 6.10.
bchalios commentedon Apr 23, 2025
I will resolve this, since we have added support for VMGenID both for x86_64 and Aarch64. We will continue monitoring Linux and userspace projects for any new features that augment snapshot safety related functionality and add support for those in Firecracker as they appear.