Merge branch 'main' into vsock-latency-perf

Author: Manciukic

.cargo/audit.toml

@@ -1,7 +1,18 @@
 [advisories]
-# The `paste` dependency is transitively included via `gdbstub`.
-# While the crate is archived/unmaintained, the author considers it feature-complete
-# and functionally stable. gdbstub will be update once they migrate
-# to an alternative solution.
-# See https://github.com/daniel5151/gdbstub/issues/168
-ignore = ["RUSTSEC-2024-0436"]
+ignore = [
+    # The `paste` dependency is transitively included via `gdbstub`.
+    # While the crate is archived/unmaintained, the author considers it feature-complete
+    # and functionally stable. gdbstub will be update once they migrate
+    # to an alternative solution.
+    # See https://github.com/daniel5151/gdbstub/issues/168
+    "RUSTSEC-2024-0436",
+
+    # `rand` unsoundness when a custom logger re-enters `rand::rng()`/`thread_rng()`
+    # during ThreadRng reseeding. Firecracker is not affected:
+    # - uuid (1.23.0): does not enable `fast-rng` or `rng-rand` features, so it uses
+    #   `getrandom` directly and never calls into rand.
+    # - proptest: uses rand 0.9 with `default-features = false` and does not enable
+    #   the `thread_rng` feature, so the affected functions are not compiled in.
+    # See https://rustsec.org/advisories/RUSTSEC-2026-0097.html
+    "RUSTSEC-2026-0097",
+]

CHANGELOG.md

@@ -14,6 +14,16 @@ and this project adheres to
   support for Vsock Unix domain socket path overriding on snapshot restore. More
   information can be found in the
   [docs](docs/vsock.md/#unix-domain-socket-renaming).
+- [#5824](https://github.com/firecracker-microvm/firecracker/pull/5824): Add
+  optional rate limiting to serial console output, configurable via the
+  `rate_limiter` field on `PUT /serial`. A new metric is exposed under `uart`:
+  `rate_limiter_dropped_bytes`.
+- [#5799](https://github.com/firecracker-microvm/firecracker/pull/5799): Add
+  per-callsite rate limiting for error, warn, and info level log messages. Each
+  callsite independently allows up to 10 messages per 5-second window. When
+  logging resumes after suppression, a warn-level summary reports the count of
+  suppressed messages. A new `rate_limited_log_count` metric tracks the total
+  number of suppressed messages.
 
 ### Changed
 

docs/device-api.md

@@ -32,6 +32,7 @@ BadRequest - HTTP response.
 | `vsock`                   |    O     |       O        |      O       |        O         |     O      |      O       |     O      |      O      |     O      |
 | `entropy`                 |    O     |       O        |      O       |        O         |     O      |      O       |   **R**    |      O      |     O      |
 | `pmem/{id}`               |    O     |       O        |      O       |        O         |     O      |      O       |     O      |    **R**    |     O      |
+| `serial`                  |    O     |     **R**      |      O       |        O         |     O      |      O       |     O      |      O      |     O      |
 
 ## Input Schema
 
@@ -106,6 +107,8 @@ specification:
 |                           | path_on_host       |    O     |       O        |      O       |        O         |     O      |      O       |     O      |    **R**    |     O      |
 |                           | root_device        |    O     |       O        |      O       |        O         |     O      |      O       |     O      |    **R**    |     O      |
 |                           | read_only          |    O     |       O        |      O       |        O         |     O      |      O       |     O      |    **R**    |     O      |
+| `SerialConfig`            | serial_out_path    |    O     |       O        |      O       |        O         |     O      |      O       |     O      |      O      |     O      |
+|                           | rate_limiter       |    O     |       O        |      O       |        O         |     O      |      O       |     O      |      O      |     O      |
 | `MemoryHotplugConfig`     | total_size_mib     |    O     |       O        |      O       |        O         |     O      |      O       |     O      |      O      |   **R**    |
 |                           | slot_size_mib      |    O     |       O        |      O       |        O         |     O      |      O       |     O      |      O      |   **R**    |
 |                           | block_size_mi      |    O     |       O        |      O       |        O         |     O      |      O       |     O      |      O      |   **R**    |
@@ -115,7 +118,7 @@ specification:
 either virtio-block or vhost-user-block devices.
 
 \*\* The `TokenBucket` can be configured with any combination of virtio-net,
-virtio-block and virtio-rng devices.
+virtio-block, virtio-rng and serial devices.
 
 ## Output Schema
 

docs/prod-host-setup.md

@@ -27,17 +27,17 @@ recommended.
 
 Firecracker implements the 8250 serial device, which is visible from the guest
 side and is tied to the Firecracker/non-daemonized jailer process stdout.
-Without proper handling, because the guest has access to the serial device, this
-can lead to unbound memory or storage usage on the host side. Firecracker does
-not offer users the option to limit serial data transfer, nor does it impose any
-restrictions on stdout handling. Users are responsible for handling the memory
-and storage usage of the Firecracker process stdout. We suggest using any
-upper-bounded forms of storage, such as fixed-size or ring buffers, using
-programs like `journald` or `logrotate`, or redirecting to `/dev/null` or a
-named pipe. Furthermore, we do not recommend that users enable the serial device
-in production. To disable it in the guest kernel, use the `8250.nr_uarts=0` boot
-argument when configuring the boot source. Please be aware that the device can
-be reactivated from within the guest even if it was disabled at boot.
+Without proper handling, because the guest has access to the serial device. This
+can lead to unbound memory or storage usage on the host side. Users are
+responsible for handling the memory and storage usage of the Firecracker process
+stdout. We recommend using the rate limiter for the serial data transfer that
+Firecracker offers or any upper-bounded forms of storage, such as fixed-size or
+ring buffers, using programs like `journald` or `logrotate`, or redirecting to
+`/dev/null` or a named pipe. Furthermore, we do not recommend that users enable
+the serial device in production. To disable it in the guest kernel, use the
+`8250.nr_uarts=0` boot argument when configuring the boot source. Please be
+aware that the device can be reactivated from within the guest even if it was
+disabled at boot.
 
 If Firecracker's `stdout` buffer is non-blocking and full (assuming it has a
 bounded size), any subsequent writes will fail, resulting in data loss, until

src/firecracker/src/api_server/mod.rs

@@ -17,7 +17,8 @@ use parsed_request::{ParsedRequest, RequestAction};
 use serde_json::json;
 use utils::time::{ClockType, get_time_us};
 use vmm::logger::{
-    METRICS, ProcessTimeReporter, debug, error, info, update_metric_with_elapsed_time, warn,
+    METRICS, ProcessTimeReporter, debug, error_unrestricted, info_unrestricted,
+    update_metric_with_elapsed_time, warn_unrestricted,
 };
 use vmm::rpc_interface::{ApiRequest, ApiResponse, VmmAction};
 use vmm::seccomp::BpfProgramRef;
@@ -81,7 +82,7 @@ impl ApiServer {
         }
 
         server.start_server().expect("Cannot start HTTP server");
-        info!("API server started.");
+        info_unrestricted!("API server started.");
 
         // Store process start time metric.
         process_time_reporter.report_start_time();
@@ -98,7 +99,7 @@ impl ApiServer {
                 }
                 Err(err) => {
                     // print request error, but keep server running
-                    error!("API Server error on retrieving incoming request: {}", err);
+                    error_unrestricted!("API Server error on retrieving incoming request: {}", err);
                     continue;
                 }
             };
@@ -108,7 +109,7 @@ impl ApiServer {
                 let response = server_request
                     .process(|request| self.handle_request(request, request_processing_start_us));
                 if let Err(err) = server.respond(response) {
-                    error!("API Server encountered an error on response: {}", err);
+                    error_unrestricted!("API Server encountered an error on response: {}", err);
                 };
 
                 let delta_us = get_time_us(ClockType::Monotonic) - request_processing_start_us;
@@ -131,13 +132,13 @@ impl ApiServer {
                     }
                 };
                 if let Some(message) = parsing_info.take_deprecation_message() {
-                    warn!("{}", message);
+                    warn_unrestricted!("{}", message);
                     response.set_deprecation();
                 }
                 response
             }
             Err(err) => {
-                error!("{:?}", err);
+                error_unrestricted!("{:?}", err);
                 err.into()
             }
         }
@@ -179,7 +180,7 @@ impl ApiServer {
         {
             let elapsed_time_us =
                 update_metric_with_elapsed_time(metric, request_processing_start_us);
-            info!("'{}' API request took {} us.", action, elapsed_time_us);
+            info_unrestricted!("'{}' API request took {} us.", action, elapsed_time_us);
         }
         response
     }

src/firecracker/src/api_server/parsed_request.rs

@@ -6,7 +6,7 @@ use std::fmt::Debug;
 use micro_http::{Body, Method, Request, Response, StatusCode, Version};
 use serde::ser::Serialize;
 use serde_json::Value;
-use vmm::logger::{Level, error, info, log_enabled};
+use vmm::logger::{Level, error_unrestricted, info_unrestricted, log_enabled};
 use vmm::rpc_interface::{VmmAction, VmmActionError, VmmData};
 
 use super::ApiServer;
@@ -71,7 +71,7 @@ impl TryFrom<&Request> for ParsedRequest {
             request_uri.as_str(),
             request.body.as_ref(),
         );
-        info!("The API server received a {description}.");
+        info_unrestricted!("The API server received a {description}.");
 
         // Split request uri by '/' by doing:
         // 1. Trim starting '/' characters
@@ -153,14 +153,14 @@ impl ParsedRequest {
     where
         T: ?Sized + Serialize + Debug,
     {
-        info!("The request was executed successfully. Status code: 200 OK.");
+        info_unrestricted!("The request was executed successfully. Status code: 200 OK.");
         let mut response = Response::new(Version::Http11, StatusCode::OK);
         response.set_body(Body::new(serde_json::to_string(body_data).unwrap()));
         response
     }
 
     pub(crate) fn success_response_with_mmds_value(body_data: &Value) -> Response {
-        info!("The request was executed successfully. Status code: 200 OK.");
+        info_unrestricted!("The request was executed successfully. Status code: 200 OK.");
         let mut response = Response::new(Version::Http11, StatusCode::OK);
         let body_str = match body_data {
             Value::Null => "{}".to_string(),
@@ -176,7 +176,9 @@ impl ParsedRequest {
         match request_outcome {
             Ok(vmm_data) => match vmm_data {
                 VmmData::Empty => {
-                    info!("The request was executed successfully. Status code: 204 No Content.");
+                    info_unrestricted!(
+                        "The request was executed successfully. Status code: 204 No Content."
+                    );
                     Response::new(Version::Http11, StatusCode::NoContent)
                 }
                 VmmData::MachineConfiguration(machine_config) => {
@@ -200,14 +202,14 @@ impl ParsedRequest {
             Err(vmm_action_error) => {
                 let mut response = match vmm_action_error {
                     VmmActionError::MmdsLimitExceeded(_err) => {
-                        error!(
+                        error_unrestricted!(
                             "Received Error. Status code: 413 Payload too large. Message: {}",
                             vmm_action_error
                         );
                         Response::new(Version::Http11, StatusCode::PayloadTooLarge)
                     }
                     _ => {
-                        error!(
+                        error_unrestricted!(
                             "Received Error. Status code: 400 Bad Request. Message: {}",
                             vmm_action_error
                         );

src/firecracker/src/api_server/request/serial.rs

@@ -21,6 +21,8 @@ pub(crate) fn parse_put_serial(body: &Body) -> Result<ParsedRequest, RequestErro
 mod tests {
     use std::path::PathBuf;
 
+    use vmm::vmm_config::TokenBucketConfig;
+
     use super::*;
     use crate::api_server::parsed_request::tests::vmm_action_from_request;
 
@@ -30,6 +32,28 @@ mod tests {
 
         let expected_config = SerialConfig {
             serial_out_path: Some(PathBuf::from("serial")),
+            rate_limiter: None,
+        };
+        assert_eq!(
+            vmm_action_from_request(parse_put_serial(&Body::new(body)).unwrap()),
+            VmmAction::ConfigureSerial(expected_config)
+        );
+    }
+
+    #[test]
+    fn test_parse_put_serial_with_rate_limiter() {
+        let body = r#"{
+            "serial_out_path": "serial",
+            "rate_limiter": {"size": 1024, "one_time_burst": 65536, "refill_time": 1000}
+        }"#;
+
+        let expected_config = SerialConfig {
+            serial_out_path: Some(PathBuf::from("serial")),
+            rate_limiter: Some(TokenBucketConfig {
+                size: 1024,
+                one_time_burst: Some(65536),
+                refill_time: 1000,
+            }),
         };
         assert_eq!(
             vmm_action_from_request(parse_put_serial(&Body::new(body)).unwrap()),

src/firecracker/src/api_server_adapter.rs

@@ -8,7 +8,7 @@ use std::sync::{Arc, Mutex};
 use std::thread;
 
 use event_manager::{EventOps, Events, MutEventSubscriber, SubscriberOps};
-use vmm::logger::{ProcessTimeReporter, error, info, warn};
+use vmm::logger::{ProcessTimeReporter, error_unrestricted, info_unrestricted, warn_unrestricted};
 use vmm::rpc_interface::{
     ApiRequest, ApiResponse, BuildMicrovmFromRequestsError, PrebootApiController,
     RuntimeApiController, VmmAction,
@@ -115,20 +115,20 @@ impl MutEventSubscriber for ApiServerAdapter {
                     }
                 }
                 Err(TryRecvError::Empty) => {
-                    warn!("Got a spurious notification from api thread");
+                    warn_unrestricted!("Got a spurious notification from api thread");
                 }
                 Err(TryRecvError::Disconnected) => {
                     panic!("The channel's sending half was disconnected. Cannot receive data.");
                 }
             };
         } else {
-            error!("Spurious EventManager event for handler: ApiServerAdapter");
+            error_unrestricted!("Spurious EventManager event for handler: ApiServerAdapter");
         }
     }
 
     fn init(&mut self, ops: &mut EventOps) {
         if let Err(err) = ops.add(Events::new(&self.api_event_fd, EventSet::IN)) {
-            error!("Failed to register activate event: {}", err);
+            error_unrestricted!("Failed to register activate event: {}", err);
         }
     }
 }
@@ -174,7 +174,7 @@ pub(crate) fn run_with_api(
             return Err(ApiServerError::FailedToBindAndRunHttpServer(err));
         }
     };
-    info!("Listening on API socket ({bind_path:?}).");
+    info_unrestricted!("Listening on API socket ({bind_path:?}).");
 
     let api_kill_switch_clone = api_kill_switch
         .try_clone()

src/firecracker/src/main.rs

@@ -28,9 +28,10 @@ use utils::validators::validate_instance_id;
 use vmm::arch::host_page_size;
 use vmm::builder::StartMicrovmError;
 #[cfg(feature = "fuzzing")]
-use vmm::logger::warn;
+use vmm::logger::warn_unrestricted;
 use vmm::logger::{
-    LOGGER, LoggerConfig, METRICS, ProcessTimeReporter, StoreMetric, debug, error, info,
+    LOGGER, LoggerConfig, METRICS, ProcessTimeReporter, StoreMetric, debug, error_unrestricted,
+    info_unrestricted,
 };
 use vmm::persist::SNAPSHOT_VERSION;
 use vmm::resources::VmResources;
@@ -106,13 +107,13 @@ impl From<MainError> for FcExitCode {
 fn main() -> ExitCode {
     let result = main_exec();
     if let Err(err) = result {
-        error!("{err}");
+        error_unrestricted!("{err}");
         eprintln!("Error: {err:?}");
         let exit_code = FcExitCode::from(err) as u8;
-        error!("Firecracker exiting with error. exit_code={exit_code}");
+        error_unrestricted!("Firecracker exiting with error. exit_code={exit_code}");
         ExitCode::from(exit_code)
     } else {
-        info!("Firecracker exiting successfully. exit_code=0");
+        info_unrestricted!("Firecracker exiting successfully. exit_code=0");
         ExitCode::SUCCESS
     }
 }
@@ -135,9 +136,9 @@ fn main_exec() -> Result<(), MainError> {
         // We're currently using the closure parameter, which is a &PanicInfo, for printing the
         // origin of the panic, including the payload passed to panic! and the source code location
         // from which the panic originated.
-        error!("Firecracker {}", info);
+        error_unrestricted!("Firecracker {}", info);
         if let Err(err) = stdin.lock().set_canon_mode() {
-            error!(
+            error_unrestricted!(
                 "Failure while trying to reset stdin to canonical mode: {}",
                 err
             );
@@ -147,7 +148,7 @@ fn main_exec() -> Result<(), MainError> {
 
         // Write the metrics before aborting.
         if let Err(err) = METRICS.write() {
-            error!("Failed to write metrics while panicking: {}", err);
+            error_unrestricted!("Failed to write metrics while panicking: {}", err);
         }
     }));
 
@@ -329,10 +330,10 @@ fn main_exec() -> Result<(), MainError> {
             module,
         })
         .map_err(MainError::LoggerInitialization)?;
-    info!("Running Firecracker v{FIRECRACKER_VERSION}");
+    info_unrestricted!("Running Firecracker v{FIRECRACKER_VERSION}");
 
     #[cfg(feature = "fuzzing")]
-    warn!(
+    warn_unrestricted!(
         "This Firecracker binary was built with the `fuzzing` feature enabled. This disables \
          security-critical randomness and relaxes error handling. DO NOT use in production."
     );
@@ -537,12 +538,12 @@ pub fn enable_ssbd_mitigation() {
 
     if ret < 0 {
         let last_error = std::io::Error::last_os_error().raw_os_error().unwrap();
-        error!(
+        error_unrestricted!(
             "Could not enable SSBD mitigation through prctl, error {}",
             last_error
         );
         if last_error == libc::EINVAL {
-            error!("The host does not support SSBD mitigation through prctl.");
+            error_unrestricted!("The host does not support SSBD mitigation through prctl.");
         }
     }
 }
@@ -604,7 +605,7 @@ fn build_microvm_from_json(
     )
     .map_err(BuildFromJsonError::StartMicroVM)?;
 
-    info!("Successfully started microvm that was configured from one single json");
+    info_unrestricted!("Successfully started microvm that was configured from one single json");
 
     Ok(vmm)
 }