XCP-ng 8.3 updates announcements and testing
-
@flakpyro said in XCP-ng 8.3 updates announcements and testing:
@stormi Installed on my usual test hosts (Intel Minisforum MS-01, and Supermicro running a Xeon E-2336 CPU). Also installed onto a 2 host AMD epyc pool. Updates went smooth, backups continue to function as before.
3 windows 11 VMs had secure boot enabled. In XOA i clicked "Copy pool's default UEFI certificates to the VM" after the update was complete. The VMs continued to boot without issue after.
If you want to go further with the test, you need to clear your pool's secure boot certificates (the ones you probably had installed in the past from XO to "set up the pool for Guest SB"), so that the new pool defaults become the ones we provided with the update.
Then you can try again propagating the certs to the VMs.
-
@stormi Update two pools with a total of six host (HP ProDesk 600 G6 and Dell Optiplex 9010) and two Dell R720 with GPUs. Update went smooth and no issues running for two days now (with backup and restore)
-
@stormi After pool update, XO Continuous Replication times dropped by 50%. Before, the hourly CR took about 14-15 minutes, after the update it takes about 7-8 minutes now. Most of the CR time is spent on setup of the VM for transfer, not the actual data transfer bandwidth. Normal delta backup times did not change (data transfer limited). No change/update in XO/hardware/network, just this XCP update.
-
@Andrew Nice. What kind of SR?
-
I can assume LVM based SR with a reasonable number of VDI, so metadata operation (mounting the VDI) took a lot of time.
-
@stormi Pool source SR is NFS. Destination has local EXT4. It's only around 70 VMs.
-
Then IDK why it's a lot faster -
@olivierlambert LVM also plays a role with such SRs, maybe that's it. Or it's another optimization. XAPI had some too.
-
New update candidates for you to test! (adding to the previous batch)
New updates join the previous batch of update candidates. I also take this opportunity to call for more feedback on the previous batch of updates, in particular on the changes mentioned in its "What to test" part. Anyway, installing this batch will also install the previous one.
Main changes:
- qemu: Fix BSODs on VMs having the Windows Server 2025 September update and emulated NVMe controllers
- xcp-ng-pv-tools: FINALLY, we could embed our own, signed, Windows Guest Tools in the guest tools ISO shipped with XCP-ng! See https://xcp-ng.org/blog/2025/10/10/signed-windows-pv-drivers-now-available/
- xcp-ng-xapi-plugins:
- Reworked sdncontroller plugin to properly support all network types:
- Standard networks on physical devices
- Bonded networks
- VLAN on top of either standard networks or bonds
- Private networks
- Support per-VIF rules, as well as network-wide rules (no UI in XO at this time, xo-cli recommended)
- Reworked sdncontroller plugin to properly support all network types:
Other changes:
Optional packages:
- netdata: Minor change in the systemd unit file to avoid minor log pollution. No functional change.
Test on XCP-ng 8.3
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
Versions:
qemu: qemu-4.2.1-5.2.12.2.xcpng8.3xcp-ng-pv-tools: xcp-ng-pv-tools-8.3-13.xcpng8.3xcp-ng-xapi-plugins: xcp-ng-xapi-plugins-1.15.0-1.xcpng8.3
Optional packages:
netdata: netdata-1.47.5-4.2.xcpng8.3
What to test
Normal use and anything else you want to test.
Additional focus can be given to:
- Everything we mentioned in the previous batch
- Make sure Windows+Linux VM installation and booting works on UEFI without PV drivers (that's when the NVMe emulated disks are used)
- XCP-ng's signed Windows Guest tools that are finally available on the guest tools ISO!
Known issues
XAPI's handling of remote logging remains to be fixed before the release.
So: don't attempt to set up remote logging yet. If you set it up previously, then it should continue to work.
Test window before official release of the updates
~5 days.
-
Sorry if this has been mentioned before.
You state to run the below command to test the updates.
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing rebootHow to revert changes if needed to? and/or how to switch back to normal repo?
-
@stormi Update (to the update) installed and running. Buggy Windows 2025 boots now with QEMU update.
-
Yay \o/ Thanks for the feedback
-
I also take this opportunity to call for more feedback on the previous batch of updates,
Well I updated a few days ago, tough I dont run much of the updated functions on my simple home lab, it all seems to work fine.
i7 gen 4 and NFSNow testing the new updates......
-
The new template for debian 13 is working in
XO-Lite
-
@stormi Updated the usual suspects (HP ProDesk 600 G6, Dell Optiplex 9010, Dell R720) with no problem. Host run as expected.
-
@acebmxer said in XCP-ng 8.3 updates announcements and testing:
@stormi
How to revert changes if needed to? and/or how to switch back to normal repo?The command only enables the testing repositories for the time of the update, so no need to disable them afterwards.
Reverting changes can be done with
yum downgrade, but it's not always doable. XAPI updates can come with an upgrade of the XAPI database. If you downgrade, then XAPI with detect that the database is too recent and will refuse to start.So, you can technically downgrade the files, but not the state.
-
Thanks for the reply back. Update when sucessfull. Windows Server 2025 iso now properly installs.
At work I was not able to install default certs for UEFI due to one failing to download. Run these updates and I was able to successfully install the certs to the host.
-
@stormi My "test/production" system, an HP DL165 is updated and running normally with the updated updates. Not seeing any change with secure boot VMs at all, i.e. working just fine.
-
New update candidates for you to test! (adding to the previous batch again)
New updates join the previous batch of update candidates. They're the last ones.
A new XSA (Xen Security Advisory) was published on the 21th of October, and updates to Xen address the disclosed vulnerabilities. We also reverted a change in XAPI that we deemed risky.
Additionally, we also publish an updated Intel-Ice alternate driver.
-
xen:- XSA-475 - Potential risks include Denial of Service (DoS) impacting the whole host, information exposure, or escalation of privileges. There are two vulnerabilities related to hypercalls in the Viridian code:
- CVE-2025-58147: Out-of-bounds write in vpmask_set() from hypercalls using the HV_VP_SET Sparse format.
- CVE-2025-58148: Out-of-bound read in send_ipi() from hypercalls using any format, that could lead to a wild vCPU pointer.
- XSA-475 - Potential risks include Denial of Service (DoS) impacting the whole host, information exposure, or escalation of privileges. There are two vulnerabilities related to hypercalls in the Viridian code:
-
xapi:- We reverted a change related to how rsyslog configuration is handled. The way XenServer handled the change seemed risky to us, we'll take the time to make it in a safer way.
Optional packages:
- Alternate Driver: Updated to newer version.
intel-ice-alt: Update driver sources to v1.17.2
Test on XCP-ng 8.3
yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates rebootThe usual update rules apply: pool coordinator first, etc.
Versions:
xapi: 25.27.0-2.2.xcpng8.3xen: 4.17.5-20.2.xcpng8.3
Optional packages:
- Alternate drivers:
intel-ice-alt: 1.17.2-1.xcpng8.3
What to test
Normal use and anything else you want to test.
Test window before official release of the updates
~2 days.
-
-
@gduperrey Works on my play-/homelab (HP ProDesk 600 G6, Dell Optiplex 9010). Can't update my Dell R720s GPU cluster at the moment, though.
