Removing support for 32-bit PV guests
Our latest security update for XCP-ng 8.2 removed support for 32-bit paravirtualized (PV) guests. Let's see what it means and what you can do if you have them.
If you still have 32-bit PV guests, you will need to take action before (ideally) applying the update. If you already applied the update, there are still solutions for you.
Removed support for 32-bit PV guests
Official support for PV guests stopped with the release of XCP-ng 8.1, on 2020-03-31.
As we wrote in the release notes for XCP-ng 8.1:
* PV guests are not supported anymore.
* Existing guests will still run... For now...
* Due to how 32-bit PV guests work, keeping them functioning on newer hardware with newer features comes with an increasing performance cost.
* Security issues related to PV guests may or may not be fixed. There is no guarantee about fixes.
In order to gain back 5% to 10% better performance in dom0, support for 32-bit PV guests has now been entirely removed. In addition to the performance penalty on the controller domain, 32-bit PV also had unfixed vulnerabilities related to speculative attacks.
64-bit PV guests will still run ("for now..."), but as we already did in the past, we strongly advise converting them to HVM as soon as possible.
How to check if I still have 32-bit PV guests?
You can use Xen Orchestra with the following search filter:
virtualizationMode:pv 32-bit
This will automatically display all PV guests originally based on a 32-bit PV template.
I still have 32-bit PV guests, what should I do?
Converting them to HVM before you update your pool is the best, most future-proof and most secure way to go. Our support can assist you in this.
The conversion steps usually are as follows:
- Check the kernel supports Xen extensions. CentOS 6 does, for example. Some older distros don't. If they don't, extra steps will be needed to install a compatible kernel.
- Back up and/or snapshot the VM to have a fallback.
- Modify the grub configuration to remove console=hvc0 from the kernel boot parameters.
- If the boot loader is not installed on the VM's MBR, install it.
- Turn the VM off.
- Set the boot mode to HVM in Xen Orchestra's "Advanced" tab of the VM view.
- Start the VM.
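For the grub step above, an added example (not part of the original post or of XCP-ng tooling): a shell function, run inside the guest, that removes only the console=hvc0 token from kernel parameter lines and keeps a backup of the file. The function name strip_hvc0, the .pv-backup suffix and the config path you pass in are assumptions.

```shell
#!/bin/sh
# Added example (not from the XCP-ng post): remove console=hvc0 from kernel
# boot parameters in a grub config inside the guest, before switching to HVM.
# The config path is an assumption: pass the file your distro uses, e.g. a
# legacy grub.conf/menu.lst or /etc/default/grub.

# strip_hvc0 FILE: rewrites FILE in place, keeps a copy as FILE.pv-backup,
# and prints the number of lines that were changed.
strip_hvc0() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    cp -p "$cfg" "$cfg.pv-backup" || return 1
    tmp="$cfg.tmp.$$"; : > "$tmp" || return 1
    awk -v out="$tmp" '
    # Drop whole "console=hvc0" tokens only; look-alikes such as
    # console=hvc01 and other console= entries (tty0, ttyS0) are kept.
    function strip(line,    res, tok, pos, pre, post) {
        tok = "console=hvc0"; res = ""
        while ((pos = index(line, tok)) > 0) {
            pre  = substr(line, pos - 1, 1)
            post = substr(line, pos + length(tok), 1)   # "" at end of line
            if (pre ~ /^[ \t"]$/ && post ~ /^[ \t"]?$/) {
                if (pre == "\"") {       # token right after an opening quote
                    res = res substr(line, 1, pos - 1)
                    line = substr(line, pos + length(tok) + (post ~ /^[ \t]$/))
                } else {                 # drop the separator before the token
                    res = res substr(line, 1, pos - 2)
                    line = substr(line, pos + length(tok))
                }
            } else {                     # part of a longer word: keep it
                res = res substr(line, 1, pos + length(tok) - 1)
                line = substr(line, pos + length(tok))
            }
        }
        return res line
    }
    # Only lines that carry kernel parameters are touched; comments are not.
    /^[ \t]*(kernel|linux|linux16|linuxefi)[ \t]/ || /^[ \t]*GRUB_CMDLINE_[A-Z_]+=/ {
        new = strip($0)
        if (new != $0) { n++; $0 = new }
    }
    { print > out }
    END { print n + 0 }
    ' "$cfg" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg" && rm -f "$tmp"   # keep the file mode and owner
}
```

Compare the result with the .pv-backup copy before rebooting the VM; a printed count of 0 means no kernel line carried the parameter.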
Alternatively, there exists a feature called PV shim that will run your PV guest inside a PVH VM. It is a supported approach but has a performance cost. Turn the VM off, and change the VM type:
xe vm-param-set uuid=<VM UUID> domain-type=pv-in-pvh
In the worst case, if you have running 32-bit PV guests that you really can't reboot at any cost, you may re-enable 32-bit PV guest support with the following Xen command line option:
pv=32
Let us stress again that 32-bit PV has unfixed security vulnerabilities related to speculative channels issues in CPUs and should really be avoided.
Need help?
Remember that we can provide you some assistance, via our professional support. Please contact us if you need advice or help to convert your PV guests to HVM.
Alternatively, our forums are also a way to get assistance from the community.