Run Cloud Virtual Machines Securely and Efficiently

Secure 🔒

Minimal emulated devices and implemented in Rust to avoid many common security issues

Fast ⚡️

Boot to userspace in less than 100ms with direct kernel boot

🪟 & 🐧

Supports running modern Linux and Windows guests

Kata Containers

Supported by Kata Containers for running secure containerised workloads

Powerful REST API

Programmatically control the lifecyle of the VM using an HTTP API

Slim

Minimal memory overhead for dense deployments

Cross platform

Runs on both x86-64 and aarch64

Broad device support

Support for wide range of paravirtualised devices and physical device passthrough

Live migration

Migrate VMs from one host to another without interruption

Get Involved:

Cloud Hypervisor is governed openly as part of the Linux Foundation and supported by multiple organisations:

Alibaba
AMD
Ampere
ARM
ByteDance
Intel
Microsoft
Tencent Cloud

Join our Slack community: Invite

Participate in our community activities: Slack channel

Check out and participate in our roadmap on GitHub

For full details of our governance model please see our community repository on GitHub and our founding charter.

For bug reports please use GitHub isssues; for broader community discussions please use our mailing list

Latest news from Cloud Hypervisor project:

Cloud Hypervisor v41.0 Released!

Posted August 16, 2024 by Cloud Hypervisor Team ‐ 2 min read

This release has been tracked in our roadmap project as iteration v41.0. The following user visible changes have been made:

Experimental “Pvmemcontrol” Support

VMM support has been added for this experimental functionality (requires currently out of tree Linux kernel patches) to allow guests to control its physical memory properties to allow optimisations and security features. (#6318, #6467)

Sandboxing With Landlock Support

Support for restricting the VMM process using the Linux kernel “Landlock” API has been added - this can be used to restrict the files (and the read/write permissions) that the VMM process can access. This adds another layer of security alongside the existing sycall filters (seccomp) - this can be enabled with --landlock and fully documentated. (#5170)

Notable Performance Improvements

Reduced heap allocations in virtio-net via the use of a cache of Iovec structures (#6636)
Notification suppression ("EVENT_IDX") support has been added to virtio-block giving a 60% improvement in single queue block throughput and IOPs performance (#6580)
Correct size used for status field in virtio-block state (#6586)

Notable Bug Fixes

Avoid panic on out-of-bounds PCI MSI-X access (#6657)
Fix undefined behaviour on AArch64 leading to wrong optimisation on KVM API access (#6647)
Rust v1.80.0 added use of fcntl syscall on debug assertions so this is now included in the virtio-device seccomp filters for tests that use this (#6648)
Short reads are now handled correctly in the virtio-vsock device (#6621)
Fix undefined behaviour on TTY ioctl leading to wrong optimisation (#6568)

Contributors

Many thanks to everyone who has contributed to our release:

Alyssa Ross hi@alyssa.is
Bo Chen chen.bo@intel.com
Changyuan Lyu changyuanl@google.com
Jinank Jain jinankjain@microsoft.com
Julian Stecklina julian.stecklina@cyberus-technology.de
Muminul Islam muislam@microsoft.com
Nuno Das Neves nudasnev@microsoft.com
Praveen K Paladugu prapal@linux.microsoft.com
Rob Bradford rbradford@rivosinc.com
Songqian Li sionli@tencent.com
Wei Liu liuwe@microsoft.com
Yuanchu Xie yuanchu@google.com
ihciah ihciah@gmail.com
wuxinyue wuxinyue.wxy@antgroup.com

Download

See the GitHub Release for the release assets.