100% agree, "stacked" tags are great. @lsouai-vates can you pass the word because I think XO 6 team isn't aware of those "stacked" tags in XO 5

Excellent news! Thanks for the feedback

Hi, As the message said, please reach out to us, you can use the contact form https://vates.tech/contact We'll be happy to discuss and assist in your evaluation

Hi, To start, it's good to read: https://docs.vates.tech/security/ Especially https://docs.vates.tech/security/#contact--disclosure Then, I can answer here directly: we are not affected since Redis is only listening locally, therefore it's not exposed outside XO. There's nothing interesting to do with that CVE, because in order to use it, you already must be a privileged user.

@tc-atwork thanks for post, i wasnt able to get xo6 setup as i havent had time to play with it. I look forward to when it released. For now I just keep using xo-lite to open the console window.

@dfrizon said in How to protect a VM and Disks from accidental exclusion: @olivierlambert The idea is to block the VM and exclusion disks even by root itself, and make it possible only via command line in the console. That's why I started the post by mentioning the command... We dream of the day when MFA authentication will be required to delete a VM... How would you prevent the root account from taking action..... that is the absolute opposite permission set of root, as if there is an account with even more permissions than root. You can use permission sets and move your team who are deleting powered off VM's that are protected from accidental deletion into a group that doesn't have the permission to delete VMs, at the same time, remove their permissions from deleting items from your SR. I think that would solve your problem, and doesn't cause any logical permission issues like above.

@olivierlambert @McHenry What was the fix for this as one of our Windows 10 VMs backups have started to fail and rebooting the VM only takes less than 1 minute so not sure increasing the timeout is the issue. Here is the backup log entries: { "data": { "type": "VM", "id": "07767a82-3cc0-b2b7-e399-90793896a574", "name_label": "Windows10C" }, "id": "1760322641022", "message": "backup VM", "start": 1760322641022, "status": "failure", "tasks": [ { "id": "1760322641048", "message": "clean-vm", "start": 1760322641048, "status": "success", "tasks": [ { "id": "1760322641516", "message": "merge", "start": 1760322641516, "status": "success", "end": 1760323012896 } ], "warnings": [ { "data": { "path": "/xo-vm-backups/07767a82-3cc0-b2b7-e399-90793896a574/20251012T023042Z.json", "actual": 5475663872, "expected": 5477068288 }, "message": "cleanVm: incorrect backup size in metadata" } ], "end": 1760323013334, "result": { "merge": true } }, { "id": "1760323014314", "message": "snapshot", "start": 1760323014314, "status": "success", "end": 1760323016106, "result": "0b79d24f-a579-b669-50e1-412516276886" }, { "data": { "id": "2a4bc998-972d-4132-83ba-f3c67b860676", "isFull": false, "type": "remote" }, "id": "1760323016106:0", "message": "export", "start": 1760323016106, "status": "failure", "tasks": [ { "id": "1760323018513", "message": "transfer", "start": 1760323018513, "status": "success", "end": 1760323462425, "result": { "size": 7688159232 } }, { "id": "1760323472984", "message": "health check", "start": 1760323472984, "status": "failure", "tasks": [ { "id": "1760323480406", "message": "transfer", "start": 1760323480406, "status": "success", "end": 1760324685177, "result": { "size": 0, "id": "490d3623-4b1f-e4a4-4947-8062aa0e757c" } }, { "id": "1760324685178", "message": "vmstart", "start": 1760324685178, "status": "failure", "end": 1760325285289, "result": { "message": "timeout reached while waiting for OpaqueRef:5c4eef85-eebb-4480-826b-7bbe596f4349 to report the driver version through the Xen tools. Please check or update the Xen tools.", "name": "Error", "stack": "Error: timeout reached while waiting for OpaqueRef:5c4eef85-eebb-4480-826b-7bbe596f4349 to report the driver version through the Xen tools. Please check or update the Xen tools.\n at file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:275:23\n at new Promise (<anonymous>)\n at Xapi.waitObjectState (file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:259:12)\n at file:///opt/xen-orchestra/@xen-orchestra/backups/HealthCheckVmBackup.mjs:63:20\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" } } ], "end": 1760325289511, "result": { "message": "timeout reached while waiting for OpaqueRef:5c4eef85-eebb-4480-826b-7bbe596f4349 to report the driver version through the Xen tools. Please check or update the Xen tools.", "name": "Error", "stack": "Error: timeout reached while waiting for OpaqueRef:5c4eef85-eebb-4480-826b-7bbe596f4349 to report the driver version through the Xen tools. Please check or update the Xen tools.\n at file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:275:23\n at new Promise (<anonymous>)\n at Xapi.waitObjectState (file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:259:12)\n at file:///opt/xen-orchestra/@xen-orchestra/backups/HealthCheckVmBackup.mjs:63:20\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" } } ], "end": 1760325289511, "result": { "message": "timeout reached while waiting for OpaqueRef:5c4eef85-eebb-4480-826b-7bbe596f4349 to report the driver version through the Xen tools. Please check or update the Xen tools.", "name": "Error", "stack": "Error: timeout reached while waiting for OpaqueRef:5c4eef85-eebb-4480-826b-7bbe596f4349 to report the driver version through the Xen tools. Please check or update the Xen tools.\n at file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:275:23\n at new Promise (<anonymous>)\n at Xapi.waitObjectState (file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:259:12)\n at file:///opt/xen-orchestra/@xen-orchestra/backups/HealthCheckVmBackup.mjs:63:20\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" } }, { "data": { "id": "349e7130-da43-6550-e7c0-aa0a84102e0f", "isFull": false, "name_label": "Local storage", "type": "SR" }, "id": "1760323016107", "message": "export", "start": 1760323016107, "status": "failure", "tasks": [ { "id": "1760323017919", "message": "transfer", "start": 1760323017919, "status": "success", "end": 1760323463982, "result": { "size": 7688159232 } }, { "id": "1760323472984:0", "message": "health check", "start": 1760323472984, "status": "failure", "tasks": [ { "id": "1760323473002", "message": "copying-vm", "start": 1760323473002, "status": "success", "end": 1760325038087, "result": "OpaqueRef:0233c593-da90-4813-959b-46e4e679a662" }, { "id": "1760325038108", "message": "vmstart", "start": 1760325038108, "status": "failure", "end": 1760325638322, "result": { "message": "timeout reached while waiting for OpaqueRef:ca1c86dd-aafc-4f25-bd8c-89399771c004 to report the driver version through the Xen tools. Please check or update the Xen tools.", "name": "Error", "stack": "Error: timeout reached while waiting for OpaqueRef:ca1c86dd-aafc-4f25-bd8c-89399771c004 to report the driver version through the Xen tools. Please check or update the Xen tools.\n at file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:275:23\n at new Promise (<anonymous>)\n at Xapi.waitObjectState (file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:259:12)\n at file:///opt/xen-orchestra/@xen-orchestra/backups/HealthCheckVmBackup.mjs:63:20\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" } } ], "end": 1760325643426, "result": { "message": "timeout reached while waiting for OpaqueRef:ca1c86dd-aafc-4f25-bd8c-89399771c004 to report the driver version through the Xen tools. Please check or update the Xen tools.", "name": "Error", "stack": "Error: timeout reached while waiting for OpaqueRef:ca1c86dd-aafc-4f25-bd8c-89399771c004 to report the driver version through the Xen tools. Please check or update the Xen tools.\n at file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:275:23\n at new Promise (<anonymous>)\n at Xapi.waitObjectState (file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:259:12)\n at file:///opt/xen-orchestra/@xen-orchestra/backups/HealthCheckVmBackup.mjs:63:20\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" } } ], "end": 1760325643426, "result": { "message": "timeout reached while waiting for OpaqueRef:ca1c86dd-aafc-4f25-bd8c-89399771c004 to report the driver version through the Xen tools. Please check or update the Xen tools.", "name": "Error", "stack": "Error: timeout reached while waiting for OpaqueRef:ca1c86dd-aafc-4f25-bd8c-89399771c004 to report the driver version through the Xen tools. Please check or update the Xen tools.\n at file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:275:23\n at new Promise (<anonymous>)\n at Xapi.waitObjectState (file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:259:12)\n at file:///opt/xen-orchestra/@xen-orchestra/backups/HealthCheckVmBackup.mjs:63:20\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" } } ], "end": 1760325644170, "result": { "errors": [ { "message": "timeout reached while waiting for OpaqueRef:5c4eef85-eebb-4480-826b-7bbe596f4349 to report the driver version through the Xen tools. Please check or update the Xen tools.", "name": "Error", "stack": "Error: timeout reached while waiting for OpaqueRef:5c4eef85-eebb-4480-826b-7bbe596f4349 to report the driver version through the Xen tools. Please check or update the Xen tools.\n at file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:275:23\n at new Promise (<anonymous>)\n at Xapi.waitObjectState (file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:259:12)\n at file:///opt/xen-orchestra/@xen-orchestra/backups/HealthCheckVmBackup.mjs:63:20\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" }, { "message": "timeout reached while waiting for OpaqueRef:ca1c86dd-aafc-4f25-bd8c-89399771c004 to report the driver version through the Xen tools. Please check or update the Xen tools.", "name": "Error", "stack": "Error: timeout reached while waiting for OpaqueRef:ca1c86dd-aafc-4f25-bd8c-89399771c004 to report the driver version through the Xen tools. Please check or update the Xen tools.\n at file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:275:23\n at new Promise (<anonymous>)\n at Xapi.waitObjectState (file:///opt/xen-orchestra/@xen-orchestra/xapi/index.mjs:259:12)\n at file:///opt/xen-orchestra/@xen-orchestra/backups/HealthCheckVmBackup.mjs:63:20\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" } ], "message": "all targets have failed, step: writer.healthCheck()", "name": "Error", "stack": "Error: all targets have failed, step: writer.healthCheck()\n at IncrementalXapiVmBackupRunner._callWriters (file:///opt/xen-orchestra/@xen-orchestra/backups/_runners/_vmRunners/_Abstract.mjs:64:13)\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)\n at async IncrementalXapiVmBackupRunner._healthCheck (file:///opt/xen-orchestra/@xen-orchestra/backups/_runners/_vmRunners/_Abstract.mjs:94:5)\n at async IncrementalXapiVmBackupRunner.run (file:///opt/xen-orchestra/@xen-orchestra/backups/_runners/_vmRunners/_AbstractXapi.mjs:407:5)\n at async file:///opt/xen-orchestra/@xen-orchestra/backups/_runners/VmsXapi.mjs:166:38" } },

This look great! Something I was missing. But unfortunately I get an authentication error as well. I do not get it running. I am using PowerShell 7.5 and I am using a cert that is singed by my own CA. This CA is included in the Windows cert store for trusted root certificates. With all browser this works fine. Hopefully someone has an idea?

Hi, I don't know if my question can be part of this thread. I apologize in advance... I bought a new system based on "AMD Ryzen 9 9950X" installed on "ASUS PRIME B850-PLUS-CSM". My target is to install two VM: linux based Ubuntu; Windows 11 In a possible future, I would like to install a graphic card for windows 11 CAD applications... I would like to ask if xcp-ng can run this environment... Thank you Claudio

I often wondered what's the general purpose of that option. As I only have 1 - 2 socket servers, I always choose 1 socket with x cores (mostly 2 - 8, not exeeding 1 real CPU). Also for historic reasons: Sockets have been limited, but not cores. Does it generally make any difference on Xen side/backend? VM OS might handle it different due to NUMA optimizations.

@andSmv Any news on a test build with the patch? I'm wondering if this issue is related and would love to be able to test.

@bleader Hi, After a restart of the entire host, port 6640 is now listed when I trigger ss. But, unfortunatly, tunnels are not working, every VM on this host loose connection to other in the same sdn network. Exemple with an ping between two hosts : 2025-10-09T12:22:54.781Z|00026|tunnel(handler1)|WARN|receive tunnel port not found (arp,tun_id=0x1f1,tun_src=192.0.0.1,tun_dst=192.0.0.3,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,gtpu_flags=0,gtpu_msgtype=0,tun_flags=key,in_port=33,vlan_tci=0x0000,dl_src=56:30:10:5c:4d:ad,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=192.168.10.10,arp_tpa=192.168.10.20,arp_op=1,arp_sha=56:30:10:5c:4d:ad,arp_tha=00:00:00:00:00:00) 2025-10-09T12:22:54.781Z|00027|ofproto_dpif_upcall(handler1)|INFO|Dropped 61 log messages in last 59 seconds (most recently, 1 seconds ago) due to excessive rate 2025-10-09T12:22:54.781Z|00028|ofproto_dpif_upcall(handler1)|INFO|received packet on unassociated datapath port 33 If I migrate the VM on the third host to another, network came back. This is very strange, because the network I've choose to test it is one of firt of all created, not last one, so it have worked before, and not now. I don't understand why and what to do...

@psafont Sounds good on point #1. On point #2 I agree LLA shouldn't be the primary management IPv6 address on the interface, but you could run into trouble by not having a LLA address assigned at all. All of the IPv6 standards assume a LLA is assigned to an interface running IPv6 for things like NDP or RA to work ergo mysterious things could break as a result of an LLA address not being assigned. Just spitballing here, but if you're concerned that only an LLA would be assigned to an interface then perhaps there could be logic to disable IPv6 for said management interface if no non-LLA address is assigned, or IPv4 could be preferred if only LLA addresses as assigned?

@olivierlambert Here's the new model. We've tried a few combinations and I think with TrueNAS shared storage this will now work well. [image: 1759787234216-f78178c0-3330-4233-8f9b-debc3c61a3e9-image.png]

@lsouai-vates