Categories

• News

  All news regarding Xen and XCP-ng ecosystem
  143 Topics

  4k Posts

  A

  @stormi I'm also getting error on some VMs while trying to export a disk and also trying to even start some VMs from NFS (that were fine before). xo-server[565]: 2026-05-13T02:53:15.746Z xo:api WARN admin | vm.start(...) [2s] =!> XapiError: INTERNAL_ERROR(xenopsd internal error: Storage_error ([S(Illegal_transition);[[S(Activated);S(RO)];[S(Activated);S(RW)]]])) xo-server[565]: 2026-05-13T02:53:40.652Z xo:api WARN admin | vm.start(...) [3s] =!> XapiError: SR_BACKEND_FAILURE_46(, The VDI is not available [opterr=VDI 399734eb-5965-4799-ac36-f6dd774db867 not detached cleanly], )
• XCP-ng

  Everything related to the virtualization platform

  • Compute
  • XO Lite
  • Migrate to XCP-ng
  • Hardware
  • Development
  1k Topics

  15k Posts

  R

  I want to correct something I said in my earlier post, now that I've done a deeper analysis of the exploit chain. I described the RxRPC component as being responsible for heap memory grooming, and suggested that without it a sophisticated attacker would need to find an alternative grooming technique. That framing was inaccurate, and I don't want it to create false reassurance in the community. Here is what's actually going on: RxRPC (CVE-2026-43500) was not added to the exploit chain to groom memory. It was added specifically to bypass Ubuntu's AppArmor policy, which blocks unprivileged user namespace creation by default. On Ubuntu, the ESP4 path requires unshare() to create a user namespace, and AppArmor prevents that — so the RxRPC path provides an alternative write primitive that doesn't need a namespace at all. XCP-ng dom0 has no AppArmor. It is built on a CentOS 7 base where unprivileged user namespace creation is permitted by default. This means the ESP4 path (CVE-2026-43284) works directly, without any namespace restriction to bypass and without needing RxRPC at all. The practical consequence: every supported XCP-ng installation (8.1, 8.2, 8.3) is fully exploitable via CVE-2026-43284 alone. The absence of rxrpc.ko does not provide protection on this platform. The older OS base actually makes the ESP4 path more straightforward to reach, not less. I'm holding off publishing my diagnostic tool to give the VATES team time to finalise their VSA and patches for XCP-ng. In the meantime, the interim mitigation stands as I described — with @semarie's important caveat: blacklisting esp4/esp6 will break IPsec and the SDN controller's encrypted private tunnels. Check your environment before applying it. And as I noted in my follow-up: this remains an LPE. If you have no unprivileged service accounts on dom0 (no Terraform, no monitoring agents, no central logging), your exposure is already limited. Audit what has shell access to dom0 and remove anything that doesn't strictly need it.
• Xen Orchestra

  All Xen Orchestra related questions/reports

  • Management
  • Advanced features
  • Backup
  • REST API
  • Infrastructure as Code
  3k Topics

  28k Posts

  L

  XOA Performance Test – Upgrading from 2 vCPU to 4 vCPU / 8GB RAM I wanted to share my experience because I was seeing unusually high CPU usage on my XOA VM during backup operations. Environment: XCP-ng pool with multiple hosts XOA running as a VM SSD RAID10 NFS storage Daily delta backups (~17 production VMs) Weekly backup jobs with Health Checks Backup window previously around 7 hours Symptoms before optimization: XOA CPU usage frequently close to 100% During backups, multiple backupWorker.mjs processes saturated available CPUs XOA felt sluggish while backups were running Backup jobs took significantly longer than expected htop showed worker processes fighting for CPU resources Original XOA VM configuration: 2 vCPU 4 GB RAM 1 socket / 2 cores Observed htop behavior during backups: /usr/local/lib/node_modules/xo-server/node_modules/@xen-orchestra/backups/backupWorker.mjs Several workers continuously consumed nearly all available CPU. IMPORTANT: Run the following commands via SSH directly on the XCP-ng Pool Master. Do NOT perform these changes through the Xen Orchestra GUI itself because you are modifying the XOA VM that is currently managing your environment. Otherwise you may lock yourself out or interrupt your own management session during the reconfiguration process. Connect to the Pool Master: ssh root@<POOL-MASTER-IP> First identify the XOA VM UUID: xe vm-list | grep -i xoa -B1 -A2 or: xe vm-list name-label="<YOUR-XOA-VM-NAME>" Example output: uuid ( RO): xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx name-label ( RW): XOA-Production power-state ( RO): running Copy the UUID for the following steps. Test procedure: I increased XOA resources to: New XOA configuration: 4 vCPU 8 GB RAM CPU topology: 1 socket / 4 cores Procedure used: Shutdown XOA VM xe vm-shutdown uuid=<XOA-VM-UUID> Wait a few seconds and verify status: xe vm-list uuid=<XOA-VM-UUID> params=name-label,power-state Set memory xe vm-memory-limits-set uuid=<XOA-VM-UUID> static-min=8GiB dynamic-min=8GiB dynamic-max=8GiB static-max=8GiB Increase vCPU count xe vm-param-set uuid=<XOA-VM-UUID> VCPUs-max=4 xe vm-param-set uuid=<XOA-VM-UUID> VCPUs-at-startup=4 Set CPU topology xe vm-param-set uuid=<XOA-VM-UUID> platform:cores-per-socket=4 Start XOA again xe vm-start uuid=<XOA-VM-UUID> Verification: xe vm-param-get uuid=<XOA-VM-UUID> param-name=VCPUs-max xe vm-param-get uuid=<XOA-VM-UUID> param-name=VCPUs-at-startup xe vm-param-get uuid=<XOA-VM-UUID> param-name=platform xe vm-list uuid=<XOA-VM-UUID> params=name-label,power-state Results from the same backup job: Before: Backup size: 10.58 GiB Transfer speed: 150.21 MiB/s Total duration: 3 minutes Health check transfer: 2 minutes After: Backup size: 10.71 GiB Transfer speed: 229.12 MiB/s Total duration: 2 minutes Health check transfer: 1 minute Measured improvement: Transfer throughput: +52% Backup duration: -33% Health check transfer: -50% After the upgrade, htop showed backup workers distributed across all available CPUs instead of saturating only two cores. Conclusion: For my environment the bottleneck was not: NFS Storage SSD RAID10 Host performance The bottleneck appears to have been XOA itself being underprovisioned. If you are running larger backup jobs, health checks, multiple workers, or backup-heavy environments, increasing XOA resources may provide a noticeable improvement. I still need to test the full nightly production run (~17 VMs), but initial results are very promising. Hope this helps someone.
• XOSTOR

  Our hyperconverged storage solution
  47 Topics

  745 Posts

  J

  @Mathieu-L linstor n l was included in my original post. All nodes were updated to May 2026 Security and Maintenance Updates for XCP-ng 8.3 LTS, all nodes were restarted. May 2026 Updates #2 for XCP-ng 8.3 LTS was released, and a couple days later I installed on all hosts. No host restarted. When xen04 was restarted, that is when this issue happened. I had used systemctl restart linstor-controller here (https://xcp-ng.org/forum/post/105309) to restart the controller.
• Non-English speakers

  • French (Français)
  • Turkish (Türk)
  • Portuguese (Português)
  35 Topics

  113 Posts

  O

  Ah excellente nouvelle Je passe le sujet en résolu !