Updates announcements and testing
@stormi can you please tell us more about this moosefs driver?
@martinb Not much. I'm waiting for the developers of MooseFS to contribute documentation about how to use it.
@stormi Did the update on my two host playlab, which worked well. Do not use secureboot/UEFI or QNAP, so this is more a regression test for the usual stuff. I tested Debian, Centos and Ubuntu VMs (create, live migrate with/-out guest tools (now at 7.20.0-8), start/stop/reboot, snapshot with/-out RAM and revert, storage migrate from/to shared and local SR) and restored a Windows 10 and a Debian VM from backup. As for now, everything is working. I will see how backup runs tonight.
@stormi Installed all of the test updates on my three-host home-lab this weekend. Similar configuration to @gskger 3 x Dell OptiPlex 7040 SFF hosts and home-built FreeNAS server with separate physical 1Gb networks for management, storage and migration. I call it my "Tiny Cluster" due to its diminutive footprint. I use it for configuration prototyping. Intel VPRO AMT on Xen hosts and storage server enables headless console operation using MeshCommander (think poor man's iDRAC). All updates were installed without issue. Backups and restores seem to work just fine. Of special interest to me was the UEFI Secure Boot capabilities. Installed the x64 dbx.auth from uefi.org (I presume since XCP-ng is 64-bit that that was the correct choice. Probably should be made explicit in the instructions.) Seems to work perfectly. I tested with Windows 10-20H2 and Windows 10-21H1. Also tested with RHEL 8.4 which has built-in support for secure boot (Microsoft-signed bootloader shim) and that too "just works." The varstore-ls <VM-uuid> command shows PK, KEK, dbx and db in the store as expected. Stops unsigned bootloader as expected on unsupported OSes. Looks great! Thank you for all of the work you've put into it. I suspect designing and building emulated system firmware is not for the faint of heart . . . Very impressive!
Thanks for your feedback @gskger, as usual. For all your prompt help/feedback you always gave here, I really need to do what I said: we'll send you some XCP-ng/XO swag, @Marc-pezin will deal with that soon (he'll contact you in private chat).
I was testing with a main focus on uefistored and the Secure Boot support. I'm happy to report that my one secureboot VM¹ started up with full signature checking and everything. This is with a custom/in-house
Additional test cases:
- Export UEFI secureboot VM to OVA and re-importing it: SUCCESS
- Copying a secureboot VM within the same pool: SUCCESS
In both cases, the new VM successfully verified the bootloader.
¹ I had loaded my uefistored update, as I was already experimenting with secureboot.
New security updates (xen + microcode)
These security updates have higher priority than the update train above. You can install them if you had already installed the previous update candidates, or install them without installing the previous update candidates.
Citrix security bulletin: https://support.citrix.com/article/CTX316324
There's a new attack related to speculative code execution; that's why there is updated microcode (both for Intel and AMD).
Updated: actually, the microcode update is only for Intel and is not related to this specific attack. Whether your hardware is vulnerable or not depends on various things (model, Xen's strategy against previous vulnerabilities, which may or may not protect you already from the new vulnerability, depending on the hardware...).
Test on XCP-ng 8.2
yum update microcode_ctl xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
- Version for microcode_ctl: 2.1-26.xs15.xcpng8.2
- Version for xen packages: 4.13.1-9.11.1.xcpng8.2
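An added helper (not from the thread) for confirming that every host actually landed on the package versions listed above; it assumes the input is rpm -q output in NAME VERSION-RELEASE form and the package names are the ones in the yum command:

```sh
# Versions under test, taken from the update announcement above.
EXPECTED_MICROCODE='2.1-26.xs15.xcpng8.2'
EXPECTED_XEN='4.13.1-9.11.1.xcpng8.2'

# Read "NAME VERSION-RELEASE" lines on stdin, as produced by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>
# and print every package from this update that is not at the tested
# version. Packages outside the update are ignored. Prints nothing when
# the host is fully on the candidate versions.
check_update_versions() {
    while read -r name ver; do
        [ -n "$name" ] || continue
        case "$name" in
            microcode_ctl) want="$EXPECTED_MICROCODE" ;;
            xen-dom0-libs|xen-dom0-tools|xen-hypervisor|xen-libs|xen-tools)
                want="$EXPECTED_XEN" ;;
            *) continue ;;
        esac
        [ "$ver" = "$want" ] || printf '%s %s (expected %s)\n' "$name" "$ver" "$want"
    done
}

# Constructed sample: one host where xen-hypervisor did not get updated.
# "4.13.1-OLD.xcpng8.2" is a placeholder for a pre-update version string.
SAMPLE_RPM_OUTPUT='microcode_ctl 2.1-26.xs15.xcpng8.2
xen-dom0-libs 4.13.1-9.11.1.xcpng8.2
xen-dom0-tools 4.13.1-9.11.1.xcpng8.2
xen-hypervisor 4.13.1-OLD.xcpng8.2
xen-libs 4.13.1-9.11.1.xcpng8.2
xen-tools 4.13.1-9.11.1.xcpng8.2'

# Runs the check over the constructed sample.
stale_packages() {
    printf '%s\n' "$SAMPLE_RPM_OUTPUT" | check_update_versions
}

# On a real host, pipe the live query instead of the sample:
# rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' microcode_ctl xen-dom0-libs \
#   xen-dom0-tools xen-hypervisor xen-libs xen-tools | check_update_versions
stale_packages
```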
What to test
The main goal is to avoid obvious regressions, so test whatever you want. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
Between 24h and 36h.
@stormi No regressions so far on my test pool with both sets of test updates installed.
@stormi A bit late to the party again (must try harder) as I have been moving my rack and my test host was not set up and main pool down to running on 2 hosts..... taking one more offline would make Ceph very unhappy!!!....
Anyway, both test updates applied to my test host and I haven't managed to break anything yet!!! So looks good from my point of view.
Many thanks for the prompt feedback on the security updates everyone!
I've pushed the release button (well, actually I ran koji move v8.2-testing v8.2-updates xen-4.13.1-9.11.1.xcpng8.2 microcode_ctl-2.1-26.xs15.xcpng8.2. Don't try this at home.), and the security updates will be available within 5 minutes, identical to what you have tested.
I have not released the rest of the update train that is being tested (see this post), so let the testing continue!