October 2022 Maintenance Update

New bugfixes and enhancement updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📔 To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

⚠️ If you haven't installed the 8.2.1 update yet and want to update through Xen Orchestra's Rolling Pool Update, make sure your XOA version is at least 5.69.2, otherwise VMs may fail to migrate.

Summary

We usually queue non-critical fixes or improvements for a grouped release, to avoid unnecessary maintenance tasks on your pools. This is one such grouped release.

If your hosts were up to date up until now, you may either install the updates now or skip them and wait for the next security updates to update all at once.

What changed

This update brings bugfixes, compatibility improvements, and some small enhancements to a variety of components: the Linux kernel, XAPI, guest templates and more.

QEMU

  • Bugfix: if you add SR-IOV to a VM with GPU-Passthrough enabled, the VM doesn't boot.

Open vSwitch

  • Bugfix: the bond_updelay setting was ignored for LACP bonds.
  • Bugfix: timing issue potentially causing packet drops at LACP renegotiation.
  • Bugfix: spurious error messages were output to dead.letter.

Xen

  • Bugfix: fix boot failures related to IOMMU on some hardware. Bug reported by XCP-ng users (forum thread), debugged on the forum and fixed by a Xen developer.
  • Bugfix: slow boot when VGA is enabled.

Intel Microcode

  • Updates Intel microcode to the IPU 2022.2 release.

Note: updating your hardware's firmware always remains the preferred way to update microcode, and will take precedence over the microcode we provide in XCP-ng.

XAPI

  • Improvement: new other-config:ethtool-advertise option added to the network commands. This allows setting the speed and duplex of a NIC as advertised by the auto-negotiation process.
  • Various issues fixed.

XCP-ng Guest Tools

  • Update to latest upstream code.
  • Fix detection of network interfaces whose name starts with enX.
  • Add support for RHEL 9 and derivatives (AlmaLinux 9, Rocky Linux 9, CentOS Stream 9...). Templates for these were not added yet, but templates for version 8 will work.
  • For RPM-based distributions, switch the service to systemd by default (legacy RPMs are still provided for older systems without systemd).
  • ⚠️ The only tools that were updated are those provided by XCP-ng through the guest tools ISO image. Tools provided in the repositories of various Linux distributions are not maintained directly by us and are thus not updated as part of this update.

Note: installation instructions for the guest tools.

xs-openssl

  • OpenSSL was rebuilt without compression support. Although compression was not offered by default and the clients that connect to port 443 of XCP-ng hosts don't enable compression by default, it's better security-wise not to support it at all (due to CRIME).
  • Patch backported from RHEL 8's OpenSSL package, which fixes a potential denial of service: "CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates"

xcp-ng-xapi-plugins

  • Bugfix: when updating from Xen Orchestra, avoid installing updates from repositories that users may have enabled on XCP-ng in addition to our official update repositories (note: users should never enable additional repositories permanently).
  • Bugfix: in the updater plugin again, error handling was broken: whenever an error would occur (such as a network issue preventing it from installing the updates), another error would be raised from the error handler, and thus mask the actual reason for the initial error.
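
The note above about never leaving additional repositories enabled can be checked on a host. The following is an added example, not part of the original announcement or of the XCP-ng plugin code: it parses yum `.repo` definitions and reports every enabled repository outside an allowlist. The repository ids in `OFFICIAL_REPOS` are an assumption to confirm against your own hosts, and the sample files are constructed.

```python
import configparser

# Assumption: ids of the official repositories; confirm against your own hosts.
OFFICIAL_REPOS = frozenset({"xcp-ng-base", "xcp-ng-updates"})

# Constructed sample input: file name -> contents, as found in /etc/yum.repos.d/.
SAMPLE_REPO_FILES = {
    "xcp-ng.repo": """\
[xcp-ng-base]
baseurl=http://mirrors.example.invalid/8/8.2/base/x86_64/
enabled=1
gpgcheck=1

[xcp-ng-updates]
baseurl=http://mirrors.example.invalid/8/8.2/updates/x86_64/
enabled=1
gpgcheck=1

[xcp-ng-testing]
baseurl=http://mirrors.example.invalid/8/8.2/testing/x86_64/
enabled=0
""",
    "third-party.repo": """\
[third-party]
name=Constructed extra repository without an "enabled" key
baseurl=https://repo.example.invalid/el7/$basearch/
gpgcheck=1
""",
}

def enabled_repos(repo_text):
    """Return the ids of repositories that yum would treat as enabled."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    enabled = []
    for repo_id in parser.sections():
        # A missing "enabled" key means the repository is enabled, so default to "1".
        value = parser.get(repo_id, "enabled", fallback="1").strip().lower()
        if value not in ("0", "false", "no"):
            enabled.append(repo_id)
    return enabled

def unexpected_enabled_repos(repo_files, allowed=OFFICIAL_REPOS):
    """List (file, repo id) pairs that are enabled but not in the allowlist."""
    return sorted((name, repo_id) for name, text in repo_files.items()
                  for repo_id in enabled_repos(text) if repo_id not in allowed)
```

On a real host, build the `repo_files` mapping by reading each file under `/etc/yum.repos.d/` and pass it to `unexpected_enabled_repos`.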

blktap

  • Received a fix backported from one of Citrix Hypervisor's hotfixes, which addresses a possible segmentation fault if you create a lot of snapshots at the same time.

sm ("Storage Manager")

  • We fixed an issue with local ISO SRs and mountpoints: creating a local ISO SR on a directory that is a mountpoint for another filesystem would unmount it. The patch was not accepted upstream because it touches legacy code that Citrix won't support, according to the developer who answered, but we considered it safe and useful enough to apply it to XCP-ng anyway.
  • The (experimental) MooseFS storage driver will now default to creating a subdirectory in the mounted directory, to avoid collision between several SRs using the same share.
  • The update also includes the following fix from one of Citrix Hypervisor's hotfixes: CA-352880: when deleting an HBA SR remove the kernel devices
  • Two other fixes which are hard to explain in user terms and typically don't affect the majority of users.

References: