v1.4.0



Release overview

This release delivers major new capabilities around hardware passthrough, memory management, and observability, while continuing to strengthen stability and compatibility across environments. Key highlights include PCI passthrough for PVH guests, SR-IOV and network device passthrough, dynamic memory ballooning for better scheduling, and syscall forwarding to integrate with Falco and other eBPF-based tooling.

Additional improvements include flexible zone configuration (sysctl, kernel modules, addon injection), a slimmer installer, and expanded kernel support with BTF and Azure Linux. The release also addresses several critical bugs, including networking race conditions, anonymous pulls from nvcr.io, and Kubernetes job/init container exit handling.

GovCloud AMIs remain available, and there are no breaking changes from the previous release v1.3.0.

✨ What’s New

PCI Passthrough for PVH

  • Imported AMD’s work-in-progress implementation for PCI passthrough with PVH guests
  • Fixed issues with IOMMU configuration, MSI, and MSI-X for PVH PCI passthrough

SR-IOV & Device Passthrough

  • Added SR-IOV support with PCI devices
  • Added support for network device passthrough in zones

Memory Ballooning

  • Implemented dynamic host memory allocation/reclamation (currently disabled by default)
  • Kubelet now reports correct memory resources for scheduling pods

Syscall Forwarding with libscap

  • Zone kernel eBPF events now travel over IDM to the host
  • Enabled integration with Falco and other eBPF-based tooling

Zone Configuration

  • Allow setting sysctl options during zone setup
  • Allow auto-loading kernel modules on zone startup
  • Allow setting kernel module parameters
  • Added support for injecting addons via OCI images for workloads
  • Added support for setting custom MTU values for zone interfaces

Installer & Kernel

  • Optimized installer to pull smaller images
  • Added BTF support in the host kernel
  • Added support for Azure Linux

🐛 Bug Fixes

  • Fixed race condition during initial network setup in zones
  • Fixed panic when IDM channel is closed for client and zone
  • Fixed bug with anonymous pulls from nvcr.io
  • Fixed issue in tokio-tar where it could descend into nested tar files inside the root tar
  • Fixed Kubernetes jobs and init containers, whose exit codes were not reported properly

Known issues

None reported in this release.

Upgrade notes

There are no known breaking changes in this release from the previous release v1.3.0.
