RE: [HELP] XCP-ng 4.17.5 dom0 kernel panic — page fault in TCP stack, crashdump attached

I think whatever solution suits you will work.

Personally, if I know there are issues with it, I would tend to disable it in the bios, to be sure nobody tries to use it later and waste their time, in a enterprise settings, that can be important.

One thing to keep in mind if keeping it, is that if you want to add other hosts to the pool, they will need to have similar network topology, so if you endup having eth0 and eth1 with your current management network on eth1, any new host should be able to have its management on eth1 as well. You may work around it with interface renaming, but that tends to get messy over time.

That being said, I'm unsure even removing the realtek nic from the bios will change the interface number now that eth1 exists already and is configured.

If you don't plan to add hosts to the pool, and don't have a team with people that may act on these machines in the future without being aware of this setup history, leaving it connected and disabling the port on switch should not be an issue.

@jivanpal We do not currently have any plans to support elliptic curve keys - this is a very sensitive topic given different governmental security requirements around the world.

Note that Let's Encrypt recommends a dual setup for this exact reason: "Our recommendation is to serve a dual-cert config, offering an RSA certificate by default, and a (much smaller) ECDSA certificate to those clients that indicate support." (https://letsencrypt.org/docs/integration-guide/)

@TITUS-MAXIMUS You are correct. Sorry, the command to run is /opt/xensource/libexec/xen-cmdline --get-dom0 xen-pciback.hide - does this return anything? what's the return code of the command?

Oh no in fact the discussion that I remember (just find it) was about why not accept SHA 384: https://github.com/xapi-project/xen-api/pull/6467

lindig opened this pull request in xapi-project/xen-api

closed CP-307865 accept SHA512 for custom server certs #6467

@jivanpal said in Installation: expecting an rsa key, any plans to support elliptic curve keys?:

uses an unsupported algorithm

The only supported algorithms are RSA 2048 and 4096. I'm not sure if there are good reason to not support ECDSA. I remembers some discussions about this, will try to find them.

@TITUS-MAXIMUS --get-dom0 being empty means no PCI devices were hidden from dom0 either, did you follow this step of the guide? https://docs.xcp-ng.org/compute/#2-tell-xcp-ng-not-to-use-this-device-id-for-dom0

@TITUS-MAXIMUS Could you please attach /var/log/xensource.log from the time of the error? Would be very useful to have a backtrace from where the error occurs

@dnikola said in [HELP] XCP-ng 4.17.5 dom0 kernel panic — page fault in TCP stack, crashdump attached:

Has anyone experienced similar page faults in the dom0 TCP stack on 4.19 kernels or XCP-ng 4.17.5?

Not that I know of.

Are there any known issues with network drivers on this kernel/hypervisor combo?

No, there can be issues with some drivers, you should have specified which network NICs and drivers you are using.

Would you recommend moving to a newer dom0 kernel or hypervisor build?

On XCP-ng, the latest version is 8.3 which you didn't specify in your post, but you're using the latest version of Xen, so I assume it is an up to date 8.3, so there is no newer build.

Could a memory issue cause this specific kind of page table inconsistency during a kernel panic?

Yes, it can be a bug in the the code, but it absolutely could be a hardware issues.

Any advice on additional debug steps or log files I should collect next time?

I would start by running a memtest on that host to make sure the memory is not having issues.

Do you know if there was a specific VM doing something specific at that time? We had some issues in the past with FreeBSD VMs using wireguard, but it does not look similar, and it should be fixed now.
What kind of guests were running on that host? linux, windows, some BSD based?
If running windows guests please be sure to have read this blog post and ensure to comply with the guidelines there.

From a quick look, I don't see anything obvious. Follow Olivier's suggestion first, if you still have issues after that, you can share an additional report using xen-bugtool -y. But please be sure to update your bios first, check your memory, and then do that.