XCP-ng

    Updates announcements and testing

      stormi Vates XCP-ng Team last edited by

      To people not having updated their hosts yet with the latest update: wait a few more days! There's a kernel security update on its way, so you'll probably want to reboot only then.

      Note that the security update will be mostly useful for people who put their hosts on a network that is reachable from a potential attacker.

        stormi Vates XCP-ng Team last edited by stormi

        The new kernel update candidate is available. As usual, I need some feedback before I can push it to everyone.

        Citrix advisory: https://support.citrix.com/article/CTX256725

        • XCP-ng 7.5: install it with yum update kernel --enablerepo='xcp-ng-updates_testing'
        • XCP-ng 7.6: install it with yum update kernel --enablerepo='xcp-ng-updates_testing'
        • XCP-ng 8.0 beta/RC1: simply yum update

        It is a security update. A distant attacker could manage to crash your host or raise its memory usage significantly with specially crafted network requests. Hosts isolated from public networks are safe, unless the attacker managed to get into your private network.

        Reboot required (we do not support live patching at the moment, due to a closed source component in XenServer / Citrix Hypervisor).

        Edit: update pushed: https://xcp-ng.org/blog/2019/07/12/xcp-ng-security-bulletin-kernel-update-sack-vulnerability/

          stormi Vates XCP-ng Team last edited by

          Anyone available to test the security update on 7.5 and/or 7.6? It is a security update, so quite urgent.

            cnaumer last edited by

            Installed it a few minutes ago. Will report back.

              cnaumer last edited by

              Updated 3 hosts and so far no problems. Transferred some machines etc., no bad effects.

                stormi Vates XCP-ng Team last edited by stormi

                Hello everyone. I'm back from holidays with update candidates that need testing!

                XCP-ng 7.6

                xcp-ng-xapi-plugins

                yum update xcp-ng-xapi-plugins --enablerepo=xcp-ng-updates_testing
                

                This is the most important update. It fixes host memory consumption issues that could go as far as crashing several hosts at the same time (especially if EPEL repositories were active, which shouldn't be the case but often was prior to XCP-ng 8.0 where they are already present but disabled by default). Already fixed in XCP-ng 8.0.

                Post-install: xe-toolstack-restart

                microcode_ctl

                yum update microcode_ctl --enablerepo=xcp-ng-updates_testing
                

                Microcode update for the SandyBridge family of CPUs regarding the MDS attacks.

                Post-install: reboot if you want it to be taken into account.

                xcp-ng-pv-tools

                yum update xcp-ng-pv-tools --enablerepo=xcp-ng-updates_testing
                

                Linux guest tools: support for SLES 15 SP1, updated README, support for recent CoreOS.

                Post-install: nothing to do.

                xen

                yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-updates_testing
                

                Avoids possible memory corruption when forcibly shutting down a VM with AMD MxGPU attached, or when the guest crashes.

                Post-install: reboot to apply the changes.

                XCP-ng 8.0

                xen + guest templates

                yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools guest-templates-json guest-templates-json-data-windows guest-templates-json-data-xenapp guest-templates-json-data-linux guest-templates-json-data-other --enablerepo=xcp-ng-testing
                

                Avoid doing that on several hosts of the same pool at the same time, because the guest-template-json* updates will need to update the XAPI database at the same time. The /usr/bin/create-guest-templates tool that is called post-update is not designed to run concurrently (thanks to Silmaril on IRC for finding out at the cost of a broken XAPI database).

                Changes:

                • same fix as in XCP-ng 7.6 regarding VMs with AMD MxGPU attached
                • fix a host crash that can occur when you force-shutdown a Windows VM that is in an unclean state
                • Windows VMs could hang for more than a minute after live migration
                • Windows VMs with the viridian_reference_tsc flag enabled could crash during live migration. This fix opens the door to possible performance improvements for your Windows VMs because, following that fix, Citrix now advises setting the viridian_reference_tsc and viridian_stimer flags to true for better performance.
                • Updated Windows VM templates with new default settings that set viridian_* to true.

                Post-install:

                • reboot the host to apply the xen changes
                • consider modifying your existing Windows VM settings for possible better performance. See "After installing this hotfix" in https://support.citrix.com/article/CTX258320

                microcode_ctl

                yum update microcode_ctl --enablerepo=xcp-ng-testing
                

                Microcode update for the SandyBridge family of CPUs regarding the MDS attacks. XCP-ng 8.0 already contained updated microcodes from Intel when released, before Citrix released a hotfix, but their update contains one additional file so we synced with their package.

                Post-install: reboot if you want it to be taken into account.

                What we need

                As usual, Vates tests the updates internally, but we also rely on the community to widen the test cases and hardware tested, so we need you to install the updates and give us feedback, either positive or negative, before we can consider pushing those updates to everyone!

                  MajorTom @stormi last edited by MajorTom

                  @stormi said in Updates announcements and testing:

                  XCP-ng 7.6

                  [...]

                  microcode_ctl

                  yum update microcode_ctl --enablerepo=xcp-ng-updates_testing
                  

                  Microcode update for the SandyBridge family of CPUs regarding the MDS attacks.

                  Post-install: reboot if you want it to be taken into account.

                  xcp-ng-pv-tools

                  yum update microcode_ctl --enablerepo=xcp-ng-updates_testing
                  

                  I guess that the above command for xcp-ng-pv-tools should not be the same as the one for microcode_ctl.

                  XCP-ng 8.0

                  [...]

                  microcode_ctl

                  yum update microcode_ctl --enablerepo=xcp-ng-updates_testing
                  

                  This command returns error:

                  # yum update microcode_ctl --enablerepo=xcp-ng-updates_testing
                  Loaded plugins: fastestmirror
                  
                  
                  Error getting repository data for xcp-ng-updates_testing, repository not found
                  

                  I guess it was meant to be:

                  # yum update microcode_ctl --enablerepo=xcp-ng-testing
                  

                  as this worked for me.

                  HTH

                    MajorTom @MajorTom last edited by

                    I installed all these updates for 8.0 and rebooted the host.

                    The reboot was extraordinarily long. The time from shutting the ssh session to getting ping packets back again was about 8 minutes. I don't know what it was doing during all this time, as I rebooted remotely.

                    So I rebooted once more to see whether the boot time would be so long again.
                    This time it was only 1 minute 46 seconds.

                    The VMs seem to run OK so far, but it's just a test host with two VMs doing almost nothing, so I don't know for sure :-).

                      stormi Vates XCP-ng Team @MajorTom last edited by

                      @MajorTom thanks, I've fixed the post

                        cnaumer @stormi last edited by

                        @stormi Installed the updates in our test pool. Until now everything is working. VM migration etc. Also set viridian flags as advised (xoa vm has this set also? Is this OK?)
                        Regards

                        Christian

                          olivierlambert Vates Co-Founder CEO last edited by

                          I think Viridian will only have an effect on Windows VMs.

                            stormi Vates XCP-ng Team last edited by

                            Thanks to those who tested. Still interested in feedback, including on XCP-ng 7.6.

                              stormi Vates XCP-ng Team last edited by

                              I'll need at least one tester for the latest update candidates on XCP-ng 7.6, and one for 8.0.

                                cnaumer last edited by

                                OK. Installed it on our last 7.6 server. Reboot was OK. VMs run fine. As this is a test host I cannot test more. It runs on AMD so the microcode_ctl should do nothing on our server.

                                  stormi Vates XCP-ng Team @cnaumer last edited by

                                  @cnaumer Thanks, this is good enough for me at this stage of the testing, so I can push the 7.6 updates now thanks to you!

                                    cnaumer @cnaumer last edited by

                                    @cnaumer said in Updates announcements and testing:

                                    @stormi Installed the updates in our test pool. Until now everything is working. VM migration etc. Also set viridian flags as advised (xoa vm has this set also? Is this OK?)
                                    Regards

                                    Christian

                                    This was an 8.0 pool here. Just to clarify this.

                                      MajorTom @stormi last edited by

                                      @stormi said in Updates announcements and testing:

                                      I'll need at least one tester for the latest update candidates on XCP-ng 7.6, and one for 8.0.

                                      At 8.0:
                                      I did yum update, but there are only new versions of guest-templates-json*, so can't quite see anything to check.

                                      Just in case, I rebooted the host. The reboot took about 1 minute 40 seconds, which is OK for this host.

                                      The test VMs started OK as well.

                                        olivierlambert Vates Co-Founder CEO last edited by

                                        That's enough to check if everything is fine 🙂

                                          stormi Vates XCP-ng Team last edited by

                                          So I have pushed the updates described in https://xcp-ng.org/forum/post/16360 to XCP-ng 7.6 and 8.0 repositories. Thanks for the tests.

                                            stormi Vates XCP-ng Team last edited by

                                            Blog post about the latest updates: https://xcp-ng.org/blog/2019/09/13/software-updates-for-xcp-ng-7-6-and-8-0/
