May 2025 Maintenance Update for XCP-ng 8.3

New bugfixes, enhancement and non-urgent security updates are available for XCP-ng 8.3.

✅ Summary

This maintenance update for XCP-ng 8.3 includes routine updates to key components such as Xen, XAPI, the Storage Manager (sm), and various drivers and system components. While largely focused on stability, bug fixes, and long-term maintainability, it also introduces new guest OS templates and lays the groundwork for important upcoming features and transitions.

Ongoing improvements to hardware support, system behavior under load, and storage reliability help keep 8.3 in good shape as it heads toward its long-term support phase.

🔒 Security Fixes

While this group of updates does not include high-severity security fixes warranting a dedicated security bulletin, several components have been updated to address known vulnerabilities. Many of them do not affect XCP-ng in the typical use case and are fixed as defense in depth.

The following packages were updated to fix CVEs:

• rsync was updated to version 3.4.1, addressing CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747. The rsyncd configuration and systemd unit files now come in a separate package named rsyncd-daemon, not installed by default.
• curl was rebased on a newer RHEL 10 package (version 8.9.1), with an additional fix from our packagers for CVE-2024-8096.
• samba received fixes for two issues: CVE-2016-2124 and CVE-2021-44142.
• net-snmp was rebased to include upstream fixes for CVE-2022-24805 and CVE-2022-24809.
• busybox included backported fixes for CVE-2018-20679 and other lower-impact issues.
• cyrus-sasl was patched for CVE-2022-24407.
• openssh was updated to fix CVE-2025-26465.
• cifs-utils was refreshed with various low-priority fixes carried over from its RHEL9-based rebase, essentially to make future vulnerability patching easier.

✨ Updates to core components

Xen Hypervisor

The Xen hypervisor is a lightweight virtualization layer that manages hardware resources and allows multiple isolated virtual machines to run concurrently on the same physical server with high performance and strong security. It forms the core foundation of XCP-ng’s virtualization capabilities.

Changes in this update:

• Improved support for Zen 5, Diamond Rapids, and early AMD Turin support.
• Performance improvements, notably by leveraging recent hardware facilities to mitigate CPU vulnerabilities more efficiently, or by improving the implementation of software mitigations.
• Multiple stability fixes, among which:
  • Fix reboot/shutdown issues on AMD due to local APIC ESR interrupts
  • Fix booting in nested virtualization without vPMU. This fixes a crash when running XCP-ng nested inside VMware. Although not a supported scenario for production, it is useful for testing purposes.
• Fix migration of VMs from XCP-ng 8.2 to XCP-ng 8.3 when the guest is using BHI_DIS_S
• Workaround problematic hardware (e.g Cisco VIC UCSX-ML-V5D200GV2)
• IOMMU logic improvements and fixes.

XAPI

XAPI (Xen API) is the management toolstack in XCP-ng that handles all the behind-the-scenes work of creating, configuring, and controlling virtual machines and resources across hosts. It provides a comprehensive and secure API that Xen Orchestra leverages to let you manage your entire virtual environment.

Improvements:

• Improved logging during live storage migration to help track progress and issues better.
• Faster VM startup when using multiple virtual network interfaces (VIFs) or when the database is under heavy load.
• New metrics: IPMI DCMI power metrics.
• Parallelized some independent VM device operations to boost performance.
• Improved shell completion for the xe command-line interface.
• Exposed Windows guest Active Directory domain and host names via the API for better integration.
• Removed FCoE support gracefully when the driver is missing, as FCoE will be dropped in future versions.
• Added a new API call (get_all_where) for more flexible data queries.
• Improved handling and fixed startup for hosts reporting unusual NUMA distance matrices.

Bug Fixes:

• Various IPv6 fixes.
• Fixed premature cancellation of lengthy VDI migrations that hit a 12-hour timeout limit.
• Resolved a race condition during VM suspend that caused snapshots to become unresumable.
• Corrected CPU checks for halted VMs during cross-pool migration by moving these checks to the target host.
• Fixed multiple issues in the periodic scheduler and how XAPI handles RRD metrics, improving metric accuracy.
• Improved scanning of storage repositories (SR.scan) by avoiding database race conditions.
• Fixed incorrect reporting of PV driver versions from VMs to XAPI.
• Prevented hosts from wrongly showing as offline after NTP time adjustments.
• Removed attempts to restart a non-existent proprietary XenServer service (pvsproxy.service) on xcp-rrdd update, eliminating confusing error logs.
• Fixed various races and stability issues during live migration and live storage migration processes.
• Improved heartbeat processing and stability in large host pools to reduce false offline flags.
• Improved stability of XAPI startup and operation on hosts under heavy load or with unusual configurations.

sm

In XCP-ng, sm stands for Storage Manager. It’s the component responsible for managing storage repositories (SRs), which are the pools of disk space used to store virtual machine disks, snapshots, and other data.

• It received improvements in logging and snapshot robustness, fixes for race conditions, and better handling of multipath configurations for certain vendors.
• Preliminary groundwork was laid for future support of XOSTOR and VM disks larger than 2TB.

🧰 Updates to other components

Here's a non-exhaustive list of other components which are part of this update.

🔧 Driver updates

Several drivers received updates and fixes to enhance hardware compatibility and stability:

• intel-e1000e got a major backport update from Linux kernel 5.10.179 to support newer hardware and fix several issues.
• broadcom-bnxt-en patched to fix GSO handling on AMD 5750X chips.
• intel-i40e updated to version 2.25.11.
• intel-ice updated to version 1.15.5.
• microsemi-smartpqi updated to version 2.1.30_031.
• qlogic-qla2xxx updated to version 10.02.12.01_k.

🖥️ Templates and Guest OS Support

The guest templates were refreshed to include:

• Windows Server 2025
• Ubuntu 24.04 LTS

A few previously marked “preview” templates were promoted to regular status.

🔭 XO Lite

XO Lite is a lightweight, web-based interface built into XCP-ng that lets you manage your host and virtual machines directly from a browser—without needing to install Xen Orchestra (XO) separately. It will provide essential features like VM creation, control, and basic monitoring, making it ideal for quick tasks or minimal setups.

⚠️ XO Lite is not feature-complete yet. It is still in development.

We updated XO Lite to version 0.10.1. XO Lite changelogs are provided along with Xen Orchestra's release announcements.

🌠 What’s Next?

• 2TB+ disk support: While not part of this update train, it is under active development. A tech preview (alpha3) release will be made available shortly for those wishing to test over-2TB virtual disks. General availability is expected before the end of the year.
• LTS model for XCP-ng 8.3: As announced during the initial release in September 2024, and stated again in this blog post, XCP-ng 8.3 will soon enter a Long Term Support phase. This update train provides the foundation for that transition, which will also feature:
  • Refreshed installation ISOs
  • Full XOSTOR support on 8.3
  • Supported upgrade path from 8.2 with XOSTOR
• XCP-ng 8.2 End of Life: As a reminder, support for XCP-ng 8.2 will end 3 months after the release of the new 8.3 ISO images. Plan your migrations accordingly.