v0.6.0
0.6.0 (2019-09-19)
This is a major feature release which introduces the concept of an "application
manifest", which enables support for multiple network and block devices.
This release removes the compile-time specialization of the "hvt" tender. While
this was a nice experiment, it is not practical for real-world deployment
scenarios where it is expected that the party supplying the tender (i.e. the
operator / user) will be different to the party supplying the unikernel (i.e.
the developer).
Due to these and other changes, both the public Solo5 APIs (as defined and
documented in solo5.h) and internal tenders/bindings ABI have changed.
Likewise, the build process for Solo5-based unikernels has changed, and
downstream projects will need to be updated.
Please refer to the following list of changes and the Solo5 documentation in
docs/ for details.
New features:
- Application manifest and support for multiple devices. New APIs have been
added and existing APIs changed. See solo5.h for details. A new tool,
"solo5-elftool" has been added to generate the binary application manifest
from JSON source. - New "spt" (sandboxed process tender) target, allows running Solo5-based
unikernels as user processes on Linux, using a minimal, strict seccomp-BPF
sandbox for isolation. Runs on the x86_64, aarch64 and ppc64le processor
architectures. - Compile-time specialization of the "hvt" (hardware virtualized tender) target
has been removed. Two variants of the "hvt" tender are built, "solo5-hvt" and
"solo5-hvt-debug" with support for GDB and guest coredumps where available. - Both the "hvt" and "spt" tenders and bindings now have an internal ABI
version, and this ABI version is embedded into the unikernel binary. Tenders
will not run a binary whose ABI version or target does not match. - Downsteam libOS projects using custom linker scripts for Solo5 will need to
be updated to handle the ELF NOTEs used to embed the ABI version and
application manifest in a Solo5 binary.
Security improvements:
- Stack smashing protection is now supported and all bindings, tenders and
other host tools are built with -fstack-protector-strong. This setting is
also passed down to MirageOS unikernels via OPAM/pkg-config. - On Linux, tenders are built with -z noexecstack to enforce a non-executable
stack. - Low memory, including the zero page, is now unmapped on "hvt", "spt" and
"virtio" targets. Tender-internal structures in this memory range are mapped
read-only. - Tests for W^X / guest-side page protections have been added and are enforced
on those targets where this is supported. - The ELF loader used by tenders has undergone extensive review and
re-factoring, and fixes for a number of potential security issues have been
put in place.
Other changes:
- The "hvt" tender now uses epoll(7) on Linux and kqueue(2) on the BSDs for
network I/O. - The "hvt" tender "--dumpcore" option now requires a directory, which must
exist at run time. - The printf() implementation used by bindings has been replaced with a much
better implementation from https://github.com/mpaland/printf. - The
solo5_set_tls_base()API has been added to give language runtimes that
wish to manipulate the architecture-specific TLS base register an interface
for it. - Many bug fixes, improvements and a lot of code review throughout.
- A C11 compiler is now required, to allow for the use of
_Static_assert().
Known issues:
- Full W^X support is currently only possible on the "spt" target. Partial
support is possible for the "hvt" target running on Linux/KVM hosts. (#303) - On OpenBSD, "hvt" operation with multiple network devices results in packet
loss. This appears to be a bug in kqueue(2) but we have no confirmation from
upstream. (#374)
Acknowledgements:
Thanks to the following new contributors to this release:
- Frithjof Schulze (@schulze)
- Haibo Xu (@xiaobo55x)
- Stefan Berger (@stefanberger)
And finally, a special thank you to C For C's Sake (@cfcs) for extensive code
review.