March 2025 Maintenance Update for XCP-ng 8.3

New bugfixes, enhancement and security updates are available for XCP-ng 8.3.

📔
To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

🔒 Security Updates

⚠️
Updated firmware is provided as a convenience to help mitigate hardware vulnerabilities and other bugs.
Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.
  • openssl: backport security fixes from upstream:
    • CVE-2019-1547: when OpenSSL EC groups are specified explicitly, it is possible to end up with no cofactor, which causes a fallback to a code path that is not side-channel resistant; this fixes that issue.
    • CVE-2019-1551: fixes an overflow bug in the x86_64 Montgomery squaring procedure.
    • CVE-2019-1563: fixes a padding-oracle style issue where an attacker who receives automated notification of the success or failure of a decryption attempt could recover a CMS/PKCS7 transported encryption key, or decrypt any RSA-encrypted message that was encrypted with the public RSA key.
  • qemu: fix CVE-2023-3354, which could cause QEMU to crash when handling multiple VNC connections. If an incorrect response is received while closing a connection, whether due to a bug or intentional manipulation, it could trigger this issue.
  • xen: when setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, which itself involves acquiring a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock.

✨ What changed

This update brings non-urgent bugfixes, compatibility improvements, as well as some small enhancements, to a variety of components.

sm

sm is the default Storage Management stack supported by XAPI; it contains a set of plugins for the different storage layers (NFS, ext4, LVM...).

  • Fix issue where users may encounter problems with HPE Nimble arrays: unable to mount iSCSI LUNs, non-functional or imperfect multipathing.
  • Large Block driver: always enable the VG on the emulated device.
  • Prevent corruption in the LINSTOR KV-store caused by a race condition between user calls and GC.

xcp-ng-xapi-plugins

  • Add a new service plugin to manage (start, stop, ...) XCP-ng services. This will be used by Xen Orchestra to handle XOSTOR software updates.
  • We've introduced a new ipmitool plugin within the xcp-ng-xapi-plugins package. This plugin enables Xen Orchestra to directly display sensor and IPMI LAN information, initially implemented to support hardware from our partner 2CRSI. This addition also opens potential for future integrations involving detailed hardware data visualization directly within Xen Orchestra.

XEN & XAPI

Re-enabled nested virtualization in 8.3, with the same limitations as in 8.2.

Regarding nested virtualization, Xen Orchestra has not yet been updated to enable it on 8.3, although the option is visible in the VM advanced tab. The Xen Orchestra team is working on it and this will come in a future update.

To actually enable nested virtualization, it must be done on the command line with xe.

Once your VM is created:

xe vm-param-set platform:nested-virt=true uuid=<vm-uuid>

To check this:

xe vm-param-get param-name=platform uuid=<vm-uuid>

You should have a line similar to below, with the nested-virt: true parameter visible:

nested-virt: true; timeoffset: 0; exp-nested-hvm: true; secureboot: false; device-model: qemu-upstream-compat; viridian: true; nx: true; acpi: 1; apic: true; pae:true; hpet:true

To deactivate it:

xe vm-param-remove param-name=platform param-key=nested-virt uuid=<vm-uuid>

⚠️
Reminder: Nested virtualization is still an experimental feature (in 8.2 and 8.3). This option remains the same and therefore incomplete, with the same issues and limitations as before. We hope to be able to redevelop this feature later, but it is not possible to give more details or a deadline at this point.
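As an added example (not part of the original post and not XCP-ng's own tooling), here is a small POSIX shell helper that parses the platform record in the "key: value; key: value" format shown above, reports whether nested-virt is set, and lists every VM that has it enabled on a live host, which is useful for keeping track of where this experimental feature is in use. It assumes that `xe vm-list ... --minimal` prints comma-separated uuids and that `xe vm-param-get param-name=name-label` returns the VM name.

```shell
#!/bin/sh
# Helpers to read the platform record shown above and audit nested-virt.
# Assumes the "key: value; key: value" format of `xe vm-param-get
# param-name=platform` and the comma-separated output of `xe vm-list --minimal`.

# Print the value of one key from a platform record read on stdin
# (nothing is printed when the key is absent). Tolerates "pae:true"
# entries that have no space after the colon.
platform_value() {
    key="$1"
    tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        awk -F': *' -v k="$key" '$1 == k { print $2; exit }'
}

# Return 0 when the platform record passed as $1 has nested-virt: true.
nested_virt_enabled() {
    v=$(printf '%s\n' "$1" | platform_value nested-virt)
    [ "$v" = "true" ]
}

# Print the nested-virt state ("true", "false" or "unset") of one VM on a
# live host. Needs xe, so it is not exercised offline.
vm_nested_virt_state() {
    record=$(xe vm-param-get param-name=platform uuid="$1")
    v=$(printf '%s\n' "$record" | platform_value nested-virt)
    printf '%s\n' "${v:-unset}"
}

# Audit helper: list uuid and name-label of every VM (control domain
# excluded) that currently has nested-virt enabled. Needs xe.
list_nested_virt_vms() {
    xe vm-list is-control-domain=false params=uuid --minimal | tr ',' '\n' |
    while read -r uuid; do
        [ -n "$uuid" ] || continue
        record=$(xe vm-param-get param-name=platform uuid="$uuid")
        if nested_virt_enabled "$record"; then
            printf '%s %s\n' "$uuid" \
                "$(xe vm-param-get param-name=name-label uuid="$uuid")"
        fi
    done
}
```

Source the file on a host and run `list_nested_virt_vms` to get the inventory, or `vm_nested_virt_state <vm-uuid>` for a single VM.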

🪲 Other bugfixes and improvements

  • edk2: fix "Guest has not initialized the display (yet)." error.
  • intel-igc: fix a possible update issue due to a recent package name change.
  • r8125-module: disable some performance features of the driver (TX checksum/SG/TSO) by default to work around bugs on Windows Server 2022 guests. These can be re-enabled using 'ethtool -K eth0 tx on tso on sg on'.
  • systemtap: no functional changes; fix compilation for compatibility with the new gcc version.
  • xcp-emu-manager: no functional changes; fix the rpm spec file for the new cmake version.
  • xcp-ng-release: update the cipher list in .curlrc.
  • xo-lite: update to version 0.8.0. For more information, you can read the latest posts on the Xen Orchestra blog: 0.7.1 & 0.8.0.

⛃ XOSTOR

If you are using XOSTOR, be sure to read our documentation on updating it.

  • See the description for sm above, in the "What changed" section.

⚠️
Reminder: XOSTOR is still in beta stage on XCP-ng 8.3.

🔧 Optional packages

  • netdata: update to version 1.47.5
    • Fix dmesg warnings due to setuid+capabilities on xenstat plugin
    • Improve systemd service restart with a custom script waiting for Netdata to be fully up-and-running before stopping it.

🔗 Updates for an alternate driver

  • As explained in our documentation, XCP-ng occasionally provides alternate drivers for users who have issues with the main drivers installed with XCP-ng. We just released an update to a newer version:
    • atlantic-module-alt: