RE: Adding new host to pool fails - Stunnel SSL certiticate verification failure

Yes, if the file is empty, it is expected to the openssl x509 command to fail.
Does is it the same on the master ?

Just my 2 cents, but with SSL involved time is important: could you check the date is accurate on the two hosts ?

having the output of the following commands might help too:

• stat /etc/stunnel/xapi-stunnel-ca-bundle.pem
• openssl x509 -in /etc/stunnel/xapi-stunnel-ca-bundle.pem -noout -text

please note that blacklisting ESP modules will break IPsec, and encrypted private tunnels rely on it.

This is a problem with the CLI, the parameter is not read and instead an empty string is used. The same situation happens with sr-introduce.

It should be a very quick fix, I don't know why it was done since the beginning.

I've opened the PRs upstream:
https://github.com/xapi-project/xen-api/pull/7066
https://github.com/xapi-project/xen-api/pull/7067

psafont opened this pull request in xapi-project/xen-api

closed xapi-cli-server: set name description for SRs, when given #7066

psafont opened this pull request in xapi-project/xen-api

closed xapi-cli-server: set name description for SRs, when given (8.3) #7067

Bonjour,

Apparemment, la valeur vient de la xapi :

$ xe host-list params=uuid,software-version
uuid ( RO)                : 9940971b-45f6-4225-aaef-ddb0668e3734
    software-version (MRO): product_version: 8.3.0; product_version_text: 8.3; product_version_text_short: 8.3; platform_name: XCP; platform_version: 3.4.0; product_brand: XCP-ng; xapi: 26.1; build_number: 8.3.0; git_id: 3; hostname: localhost; date: 20260430T09:28:41Z; dbv: 0.0.1; xapi_build: 26.1.3; xen: 4.17.6-6; linux: 4.19.0+1; xencenter_min: 2.21; xencenter_max: 2.21; network_backend: openvswitch; db_schema: 5.793


uuid ( RO)                : 5f16a481-103e-4ca8-a0e2-b708d2c26437
    software-version (MRO): product_version: 8.3.0; product_version_text: 8.3; product_version_text_short: 8.3; platform_name: XCP; platform_version: 3.4.0; product_brand: XCP-ng; xapi: 26.1; build_number: 8.3.0; git_id: 3; hostname: localhost; date: 20260430T09:28:41Z; dbv: 0.0.1; xapi_build: 26.1.3; xen: 4.17.6-6; linux: 4.19.0+1; xencenter_min: 2.21; xencenter_max: 2.21; network_backend: openvswitch; db_schema: 5.793

qui prend l'information depuis le fichier /etc/xensource-inventory (sur le host):

# grep BUILD_NUMBER /etc/xensource-inventory
BUILD_NUMBER='8.3.0'

Ce fichier est mis à jour par le script de post-config du package rpm xcp-ng-release (voir le script utilisé ici)

La valeur a été mise à jour la dernière fois en 2023 (voir le changelog pour 8.3.0-13).
La valeur acutelle est définie dans la variable BUILD_NUMBER rpm variable du package.

Cela veut dire que le host avec Build number = cloud ne semble pas à jour ? Pouvez-vous vérifier la version installée du package xcp-ng-release, en utilisant la commande rpm -q xcp-ng-release ?

Copy Fail is documented in VSA-2026-013, we don't have one for Dirty Frag yet as we're still investigating XCP-ng side regarding it.

For XOA, unattended updates should have installed the patched debian kernel, you just need to reboot it.

Debian security tracker states they are both fixed:

• https://security-tracker.debian.org/tracker/CVE-2026-31431
• https://security-tracker.debian.org/tracker/CVE-2026-43284