RE: Epyc VM to VM networking slow

The fix, which was proposed as a test to resolve some of the issues encountered, has been integrated into an official update candidate which will be released to everyone next time we publish updates. For more information on this update, you can consult the following post: https://xcp-ng.org/forum/post/96135

The kernel RPM integrating the patch is now available on the xcp-ng-testing repo. So you can already upgrade and use it. To do this, here are the commands:

yum clean metadata --enablerepo=xcp-ng-testing
yum update kernel --enablerepo=xcp-ng-testing
reboot

It will be released to all our users in an upcoming security update or update train. We don't have a date yet.

Updates published: https://xcp-ng.org/blog/2025/07/03/july-2025-security-and-maintenance-update-for-xcp-ng-8-3-lts/

Thank you for the tests!

New update candidates for you to test!

As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users.

The moment to release such a batch has come, so here they are, ready for user tests before the final release.

• XAPI:
  • Synced with XS82ECU1074
    • Enhancement: robustification of the command xe host-emergency-ha-disable
    • Correction of different issues:
      • Performing a hard shutdown of a VM may hang due to unnecessary RBCA permission checks. An icon (yellow triangle) may then be displayed on some management applications, indicating that the shutdown process did not complete successfully.
      • Canceling a hard shutdown of a hung VM fails because the cancel function only checks for proper shutdowns.
      • Migrating VMs from 8.2.1 to 8.3 with the xe vm-migrate command may fail with the error 'Failure: Unknown tag/contents'.
      • You may encounter a 500 error (internal server error) when trying to retrieve RRD measurements from a powered off virtual machine.
• xsconsole:
  • Synced with XS82ECU1074: Fix for a time-out when creating an iSCSI SR.
• guest-templates-json:
  • Add generic templates for Linux BIOS and UEFI
  • Synced with XS82ECU1085:
    • Oracle 8 requires minimum 2 vCPUS.
    • Added template for Ubuntu 24.04
• sm:
  • Synced with XS82ECU1075
    • Updated multipath.conf for several SANs
    • Fix for CA-393194: Find the real PV in a VG before removing the VG.
• blktap: Synced with XS82ECU1075: Improvements on coalesce performance.
• curl: Backport fixes for several CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, CVE-2024-6197, CVE-2024-7264
• openssl: Update to version 1.0.2k-26 from CentOS 7 updates and backports of available CVE fixes from openssl upstream. Update from CentOS 7 Includes fixes for CVE-2021-3712, CVE-2022-2078 and CVE-2023-0286. Backport are fixing CVE-2019-1547, CVE-2019-1551 and CVE-2019-1563.
• xs-openssl: Rebased on version 1.1.1k-12 from CentOS 8 Stream. Include fixes for CVE-2023-5678, CVE-2023-3446, CVE-2023-3817 and a proper fix for CVE-2020-25659.
• zstd: Update to version 1.5.5 to avoid an extremely rare cases of corruption
• xcp-ng-xapi-plugins: Enhance error reporting when a command run on a host fails.
• xenserver-status-report: Update to latest version, synced with XS82ECU1058
• python-defusedxml: Added as a new dependency of xenserver-status-report.
• Alternate Drivers: Updated to newer versions.
  • intel-i40e-alt: From version 2.22.20-3.1 to 2.22.20-5.1
  • mellanox-mlnxen-alt: From version 5.9.0.5.5.0-1.1 to 5.9.0.5.5.0-1.2
  • More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).
• New alternate driver mlx4-modules-alt: To resolve some issues with CX3 cards and SR-IOV, we added an updated version 4.9-7.1.0.0-LTS of this driver.
• kernel-alt: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.

As a dependency of XOSTOR:

• http-nbd-transfer:
  • Try to open device and start HTTP server before notifying the user
  • Install pyc and pyo files

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• blktap: 3.37.4-4.1.xcpng8.2
• curl: 8.6.0-2.2.xcpng8.2
• forkexecd: 1.18.3-12.1.xcpng8.2
• gpumon: 0.18.0-20.1.xcpng8.2
• guest-templates-json: 1.10.7-1.2.xcpng8.2
• http-nbd-transfer: 1.4.0-1.xcpng8.2
• message-switch: 1.23.2-19.1.xcpng8.2
• ocaml-rrd-transport: 1.16.1-17.1.xcpng8.2
• ocaml-rrdd-plugin: 1.9.1-17.1.xcpng8.2
• ocaml-tapctl: 1.5.1-17.1.xcpng8.2
• ocaml-xcp-idl: 1.96.7-6.1.xcpng8.2
• ocaml-xen-api-client: 1.9.0-20.1.xcpng8.2
• ocaml-xen-api-libs-transitional: 2.25.7-1.1.xcpng8.2
• openssl: 1.0.2k-26.2.xcpng8.2
• python-defusedxml: 0.7.1-1.xcpng8.2
• rrd2csv: 1.2.6-17.1.xcpng8.2
• rrdd-plugins: 1.10.9-14.1.xcpng8.2
• sm: 2.30.8-13.1.xcpng8.2
• sm-cli: 0.23.0-63.1.xcpng8.2
• squeezed: 0.27.0-20.1.xcpng8.2
• varstored-guard: 0.6.2-17.xcpng8.2
• vhd-tool: 0.43.0-20.1.xcpng8.2
• wsproxy: 1.12.0-21.xcpng8.2
• xapi: 1.249.38-1.11.xcpng8.2
• xapi-nbd: 1.11.0-19.1.xcpng8.2
• xapi-storage: 11.19.0_sxm2-19.xcpng8.2
• xapi-storage-script: 0.34.1-18.1.xcpng8.2
• xcp-networkd: 0.56.2-17.xcpng8.2
• xcp-rrdd: 1.33.4-6.1.xcpng8.2
• xenopsd: 0.150.19-5.1.xcpng8.2
• xenserver-status-report: 1.3.16-3.xcpng8.2
• xcp-ng-xapi-plugins: 1.10.1-1.xcpng8.2
• xs-opam-repo: 6.35.13-4.xcpng8.2
• xs-openssl: 1.1.1k-12.3.xcpng8.2
• xsconsole: 10.1.13.1-2.1.xcpng8.2
• zstd: 1.5.5-1.el7

Optional packages:

• kernel-alt: 4.19.265-2.xcpng8.2
• Alternates drivers:
  • intel-i40e-alt: 2.22.20-5.1.xcpng8.2
  • mellanox-mlnxen-alt: 5.9_0.5.5.0-1.2.xcpng8.2

New optional package:

• mlx4-modules-alt: 4.9_7.1.0.0-1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~1 week.

The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/11/04/november-2022-security-update/

Hello,

We've added a card to our backlog to investigate this topic.

Update published: https://xcp-ng.org/blog/2025/01/23/january-2025-maintenance-update-for-xcp-ng-8-3/

Thank you for the tests!

New update candidates for you to test!

A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.

• amd-microcode: Update AMD microcode to the 2024-11-21 drop
  • Updates firmware for families 17h and 19h CPUs. For the first time, AMD published updates for non-server CPUs. One can assume that they started supporting microcode update for these, contrarily to what they did in the past, and that these updates thus fix various bugs and vulnerabilities. This is only (sensible) speculation at the moment, though.
• grub: Backport VLAN networking support for UEFI PXE boot.
• iperf3: Upgrade to version 3.9-13 from CentOS 7
  • Includes a security fix for CVE-2023-38403
• kernel: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.
• kexec-tools: Backport of a patch removing kernel_version(). Fixing a bug for kernel with a patchlevel greater than 255.
• netdata: Fixed an issue that could occur when quickly uninstalling the package, right after an unfinished installation, and leave a service in an undetermined status.
• slang: Fixed display and input issues in optional package mc.
• sm: Contains a fix for leaf coalesce where the size of the leaf to coalesce was wrongly computed before deciding if it was a live coalesce or not, it resulted in some leaf having too much data to coalesce not successing the live coalesce and staying in this state indefinitely.
• xapi:
  • Fixed a malfunction related to the absence of a certificate, which could cause a loop.
  • Fixed and improved various points in IPv6, related to management, reboot and re-initialization.
• xo-lite: Update to version 0.6.0. For more details, you can consult the blog post on the latest release of Xen Orchestra.

Optional packages:

• kernel-alt: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.
• socat: Update the package to version 1.7.4.1 which includes a fix for a buffer overflow and security fixes.
• traceroute: Updated to version 2.1.5.
• Alternate Drivers: Updated to newer versions.
  • broadcom-bnxt-en-alt: From version 1.10.2_227.0.130.0 to 1.10.3_231.0.162.0
  • intel-i40e-alt: From version 2.22.20-3.1 to 2.26.8
  • More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).

Test on XCP-ng 8.3

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• amd-microcode: 20240503-1.1.xcpng8.3
• grub: 2.06-4.0.2.1.xcpng8.3
• iperf3: 3.9-13.xcpng8.3
• kernel: 4.19.19-8.0.37.1.xcpng8.3
• kexec-tools: 2.0.15-20.1.xcpng8.3
• netdata: 1.44.3-1.2.xcpng8.3
• slang: 2.3.2-11.xcpng8.3
• sm: 3.2.3-1.13.xcpng8.3
• xapi: 24.19.2-1.9.xcpng8.3
• xo-lite: 0.6.0-1.xcpng8.3

Optional packages:

• kernel-alt: 4.19.322+1-1.xcpng8.3
• socat: 1.7.4.1-6.xcpng8.3
• traceroute: 2.1.5-2.xcpng8.3
• Alternate drivers:
  • broadcom-bnxt-en-alt: 1.10.3_231.0.162.0-1.xcpng8.3
  • intel-i40e-alt: 2.26.8-1.xcpng8.3

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

New security update candidates (xen)

Xen is being updated to mitigate some vulnerabilities:

• XSA-326: Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored.
• XSA-419: Xenstore: Cooperating guests can create arbitrary numbers of nodes
• XSA-414: A malicious guest can cause xenstored to crash, resulting in the inability to create new guests or to change the configuration of running guests.
• XSA-415: Xenstore: Guests can create orphaned Xenstore nodes
• XSA-416: Xenstore: Guests can cause Xenstore to not free temporary memory
• XSA-417: Xenstore: Guests can get access to Xenstore nodes of deleted domains
• XSA-418: Xenstore: Guests can crash xenstored via exhausting the stack
• XSA-420: Oxenstored 32->31 bit integer truncation issues. A malicious or buggy guest can write a packet into the xenstore ring which causes 32-bit builds of oxenstored to busy loop.
• XSA-421: Xenstore: Guests can create arbitrary number of nodes via transactions

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot

Versions:

• xen-*: 4.13.4-9.27.1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

The update is published. Thanks for your tests!

Blog post: https://xcp-ng.org/blog/2022/10/14/october-2022-security-update/

Hello,

We have forwarded your questions internally, specifically to our storage team regarding a possible update to create an SR ISO on a SAN disk FC, and to our XAPI team regarding questions related to the RPU. We have also contacted the Xen-Orchestra team with questions about potential improvements to avoid the issues you encountered.

This has sparked discussions and reflection, but no conclusions have been reached yet.

In any case, thank you for sharing your experience

The update should now be available. You can view the announcement here: https://xcp-ng.org/blog/2026/01/29/january-2026-security-and-maintenance-updates-for-xcp-ng-8-3-lts/

So don’t hesitate to update it and confirm that it properly addresses the issue.

Thank you everyone for your tests and your feedback!

The updates are live now: https://xcp-ng.org/blog/2026/01/29/january-2026-security-and-maintenance-updates-for-xcp-ng-8-3-lts/

New security and maintenance update candidates for you to test!

Security vulnerabilities have been detected and fixed for xen and varstored. We also publish other non-urgent updates which we had in the pipe for the next update release.

Security updates:

• xen:

  • XSA-477 / VSA-2026-001: A buffer overflow in the Xen shadow tracing code could allow a DomU virtual machine to crash Xen, or potentially escalate privileges.
  • XSA-479 / VSA-2026-003: Some Xen optimizations to avoid clearing internal CPU buffers when not required could allow one guest to leak data of another guest. A mitigation can be applied without the fix by rebooting vulnerable Xen with "spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv" on the Xen command line at the cost of decreased performances.

• varstored:

  • XSA-478 / VSA-2026-002: Within varstored, there were insufficient compiler barriers, creating TOCTOU issues with data in the shared buffer. An attacker with kernel level access in a VM can escalate privilege via gaining code execution within varstored.

Maintenance updates:

• guest-templates-json:

  • Update VM template labels
  • Sync RHEL10 template with XenServer's

• intel-microcode:

  • Update to publicly released microcode-20251111
  • Updates for multiple functional issues

• kernel: Bug fixes in the NFS and NBD stacks for various deadlocks and other race conditions.

• qemu: Backport for CVE-2021-3929, fixing a DMA reentrancy flaw in NVMe emulation, that could lead to use-after-free from a malicious guest and potential arbitrary code execution.

• smartmontools: Update to minor release 7.5

• swtpm: Synchronize with release 0.7.3-12 from XenServer. No functional changes.

• xapi: Fix regression on dynamic memory management during live migration, causing VMs not to balloon down before the migration.

• xcp-ng-release: Prevent remote syslog from being overwritten by system updates.

XOSTOR
In addition to the changes in common packages, the following XOSTOR-specific packages received updates:

• drbd: Reduces the I/O load and time during resync.
• drbd-reactor: Misc improvements regarding drbd-reactor and events
• linstor:
  • Resource delete: Fixed rare race condition where a delayed DRBD event causes "resource not found" ErrorReports
  • Misc changes to robustify LINSTOR API calls and checks

If you are using Xostor, please refer to our documentation for the update method.

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• guest-templates-json: 2.0.15-1.1.xcpng8.3
• intel-microcode: 20251029-1.xcpng8.3
• kernel: 4.19.19-8.0.44.1.xcpng8.3
• qemu: 4.2.1-5.2.15.2.xcpng8.3
• smartmontools: 7.5-1.xcpng8.3
• swtpm: 0.7.3-12.xcpng8.3
• xapi: 25.33.1-2.3.xcpng8.3
• xcp-ng-release: 8.3.0-36
• xcp-python-libs: 3.0.10-1.1.xcpng8.3
• xen: 4.17.5-23.2.xcpng8.3
• varstored: 1.2.0-3.5.xcpng8.3

XOSTOR

• drbd: 9.33.0-1.el7_9
• drbd-reactor: 1.9.0-1
• kmod-drbd: 9.2.16-1.0.xcpng8.3
• linstor: 1.33.0~rc.2-1.el8
• linstor-client: 1.27.0-1.xcpng8.3
• python-linstor: 1.27.0-1.xcpng8.3
• xcp-ng-linstor: 1.2-4.xcpng8.3

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

2 days max.

To install XCP-ng tools from the ISO, simply use the following command:

bash /mnt/Linux/install.sh -d rhel -m 9

Source: https://docs.xcp-ng.org/vms/#derived-linux-distributions

Indeed, it's simply the version that isn't detected by the install.sh script, but the tools install correctly. This issue is present on all Red Hat 10 and derivatives.

An RPM package fixing this is in the pipe for XCP-ng 8.3, but I don't have a release date yet, even for testing. But it's in progress

Updates published: https://xcp-ng.org/blog/2025/10/23/october-2025-security-and-maintenance-update-for-xcp-ng-8-3-lts/

Thank you for the tests!

New update candidates for you to test! (adding to the previous batch again)

New updates join the previous batch of update candidates. They're the last ones.

A new XSA (Xen Security Advisory) was published on the 21th of October, and updates to Xen address the disclosed vulnerabilities. We also reverted a change in XAPI that we deemed risky.

Additionally, we also publish an updated Intel-Ice alternate driver.

• xen:

  • XSA-475 - Potential risks include Denial of Service (DoS) impacting the whole host, information exposure, or escalation of privileges. There are two vulnerabilities related to hypercalls in the Viridian code:
    • CVE-2025-58147: Out-of-bounds write in vpmask_set() from hypercalls using the HV_VP_SET Sparse format.
    • CVE-2025-58148: Out-of-bound read in send_ipi() from hypercalls using any format, that could lead to a wild vCPU pointer.

• xapi:

  • We reverted a change related to how rsyslog configuration is handled. The way XenServer handled the change seemed risky to us, we'll take the time to make it in a safer way.

Optional packages:

• Alternate Driver: Updated to newer version.
  • intel-ice-alt: Update driver sources to v1.17.2

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• xapi: 25.27.0-2.2.xcpng8.3
• xen: 4.17.5-20.2.xcpng8.3

Optional packages:

• Alternate drivers:
  • intel-ice-alt: 1.17.2-1.xcpng8.3

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

~2 days.

The kernel-alt is there for debugging purposes and should not be used during normal operation, especially if you want to maintain optimal performance.

Alternative driver versions may be offered instead of driver updates. This is the case for the Intel i40e. The default version is 2.25.11-2, and its alternative (-alt) version is 2.26.8-1. This is simply a more up-to-date version of the driver.

You can therefore try this version (which is independent of the kernel-alt). It installs over the default XCP-ng installation and therefore over the standard kernel:

yum install intel-i40e-alt

Hopefully this more up-to-date version will help you.

XCP-ng 8.2 has just reached its end of life, but the adventure continues with XCP-ng 8.3 (and other versions to come). You can read the communication on this point on our blog: https://xcp-ng.org/blog/2025/09/16/xcp-ng-8-2-lts-reached-its-end-of-life/

To continue benefiting from updates and developments, we invite you, if you haven't already done so, to upgrade your systems to XCP-ng 8.3.

A relevant thread has been around for quite some time if you want to participate in early testing of the updates: https://xcp-ng.org/forum/topic/9964/xcp-ng-8-3-updates-announcements-and-testing/

Updates published: https://xcp-ng.org/blog/2025/09/11/september-2025-security-update-for-xcp-ng-8-3-lts/

Thank you for the tests!