-
haha my "gut feeling" approved
-
@gduperrey said in Updates announcements and testing:
New Update Candidates (xen, xapi, templates)
- Xen: Enable AVX-512 by default for EPYC Zen4 (Genoa)
- Xapi: Redirect http requests on the host webpage to https by default.
- Guest templates:
  - Add the following templates: RHEL 9, AlmaLinux 9, Rocky Linux 9, CentOS Stream 8 & 9, Oracle Linux 9
Test on XCP-ng 8.2
From an up to date host:
For Xen, Xapi and Guest templates:
yum clean metadata --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools xapi-core xapi-tests xapi-xe guest-templates-json guest-templates-json-data-linux guest-templates-json-data-other guest-templates-json-data-windows --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.4-9.29.1.xcpng8.2
- xapi-*: 1.249.26-2.2.xcpng8.2
- guest-templates-json-*: 1.9.6-1.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
No precise ETA, but the sooner the feedback the better.
Hello,
Is there any update on the ETA for this? Since it has been almost a month. We'll do the xcp-ng updates again soon and if these patches are close to release we will wait for them to prevent double work.
Cheers,
Niels
-
@NielsH We'll wait for the next security update, to ship them together. When exactly security updates are released can't always be predicted or disclosed.
-
New Security Update Candidates (Xen, microcode, ...)
Components are updated to fix vulnerabilities:
- Xen is updated to fix XSA-426. It also includes the previous change which had not been released yet: Enable AVX-512 by default for EPYC Zen4 (Genoa)
- Intel and AMD microcode is updated for various devices:
  - Intel update (which in turn links to the advisories)
  - AMD advisory
We will also release at the same time:
- xcp-ng-release-*: fixes benign but annoying fcoe-related error messages at boot
And an update candidate which has been tested previously:
- Guest templates: added RHEL 9, AlmaLinux 9, Rocky Linux 9, CentOS Stream 8 & 9, Oracle Linux 9.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "guest-templates-*" "xen-*" microcode_ctl linux-firmware "xcp-ng-release-*" --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.4-9.29.2.xcpng8.2
- microcode_ctl: 2.1-26.xs23.1.xcpng8.2
- linux-firmware: 20190314-5.1.xcpng8.2
- guest-templates-json-*: 1.9.6-1.2.xcpng8.2
- xcp-ng-release-*: 8.2.1-6
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
48h
-
@stormi I'm running the update on all 8.2.1 hosts. No problems so far.
-
No problem here either on my home lab
-
The update was published earlier today: https://xcp-ng.org/blog/2023/02/20/february-2023-security-update/
-
-
I noticed that there are updates to the Windows templates. Clicking the "EYE" in XOA, the Description for "guest-templates-json-data-windows" seemed a tad smidgeon "buggy". Is that due to the git revision description, and there were no actual changes to the Windows templates?
Changelog
Patch: guest-templates-json-data-windows
Date: January 6, 2023 at 6:00 AM
Author: Gael Duperrey <gduperrey@vates.fr>
- 1.9.6-1.2
Description
- Add templates for rhel 9, CentOS Stream 8 and 9, Almalinux 9, Rockylinux 9, Oracle linux 9
Packages (name, description, version, release, size):
- guest-templates-json: Creates the default guest templates, 1.9.6, 1.2.xcpng8.2, 29.21 KiB
- guest-templates-json-data-linux: Contains the default Linux guest templates, 1.9.6, 1.2.xcpng8.2, 18.68 KiB
- guest-templates-json-data-other: Contains the default other guest templates, 1.9.6, 1.2.xcpng8.2, 11.86 KiB
- guest-templates-json-data-windows: Contains the default Windows guest templates, 1.9.6, 1.2.xcpng8.2, 14.38 KiB
-
@rjt
These rpms come from the same source rpm and, therefore, from the same SPEC file. So when we build it for changes, the Windows one is built too, even if there is no change on the Windows side.
On this revision, we only add new templates for RHEL 9, AlmaLinux 9, Rocky Linux 9, CentOS Stream 8 and 9, and Oracle Linux 9.
There weren't any changes to the Windows templates.
-
New Security Update Candidates (Xen)
Xen is being updated to mitigate some vulnerabilities:
- XSA-427: "Guests running in shadow mode and being subject to migration or snapshotting may be able to cause Denial of Service and other problems, including escalation of privilege". This vulnerability concerns old platforms (Nehalem/Bulldozer families and older) which do not have Hardware Assisted Paging facilities (EPT/NPT), or modern platforms where this extension is disabled by the firmware or the system software. This also concerns PV guests, which are not officially supported anymore in XCP-ng.
- XSA-428: "Entities controlling HVM guests can run the host out of resources or stall execution of a physical CPU for effectively unbounded periods of time, resulting in a Denial of Service (DoS) affecting the entire host. Crashes, information leaks, or elevation of privilege cannot be ruled out".
On the platforms managed by XCP-ng software, with regard to this vulnerability, we would rather talk of "reduction in defence in depth", as the only entity controlling HVM guests is trusted software (QEMU) running in a trusted domain (dom0).
- XSA-429: The patch completes the original Spectre/Meltdown mitigation work (XSA-254). A malicious PV guest might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. Only AMD and Hygon CPUs which offer SMEP/SMAP facilities are affected. Although PV guests are not officially supported in XCP-ng, we also included a fix for this vulnerability.
Components are also updated to add bugfixes and enhancements:
- Xen
  - Update to Xen 4.13.5
  - Initial Sapphire Rapids support
  - Fix memory corruption issues in the Ocaml bindings.
  - On xenstored live update, validate the config file before launching into the new xenstored
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.5-9.30.3.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
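An added example for the "From an up to date host" procedures in this thread (not tooling from the XCP-ng team): after the yum update and reboot, check that every package in the post's "Versions:" list is really at the candidate build before reporting test results. It assumes `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` as the installed-package format; the installed sample below is constructed, and the expected versions are the ones from the February 2023 post.

```shell
#!/bin/sh
# Added example, not XCP-ng project code: after "yum update ... --enablerepo=xcp-ng-testing" and
# the reboot, confirm every package in the post's "Versions:" list is at the candidate build, so
# feedback in the thread is about the candidate and not a half-updated host. Expected versions
# are "<name-or-glob> <version-release>" per line; installed ones are rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'.

# Print "name version" for every installed package whose name matches the glob in $1.
matching_packages() {
    printf '%s\n' "$2" | while read -r name have; do
        case "$name" in $1) printf '%s %s\n' "$name" "$have" ;; esac
    done
}

# Print one MISSING/MISMATCH line per problem (prints nothing when everything matches).
list_problems() {
    printf '%s\n' "$1" | while read -r pattern want; do
        [ -n "$pattern" ] || continue
        matched=$(matching_packages "$pattern" "$2")
        if [ -z "$matched" ]; then
            printf 'MISSING %s (expected %s)\n' "$pattern" "$want"
            continue
        fi
        printf '%s\n' "$matched" | while read -r name have; do
            [ "$have" = "$want" ] || printf 'MISMATCH %s is %s, expected %s\n' "$name" "$have" "$want"
        done
    done
}

# Returns 0 when the host is at the candidate versions, 1 (printing the problem lines) otherwise.
check_versions() {
    problems=$(list_problems "$1" "$2")
    if [ -z "$problems" ]; then return 0; fi
    printf '%s\n' "$problems"
    return 1
}

# Candidate versions copied from the February 2023 post above.
EXPECTED_VERSIONS='xen-* 4.13.4-9.29.2.xcpng8.2
microcode_ctl 2.1-26.xs23.1.xcpng8.2
linux-firmware 20190314-5.1.xcpng8.2
guest-templates-json-* 1.9.6-1.2.xcpng8.2
xcp-ng-release-* 8.2.1-6'

# Constructed sample of rpm output: xen-tools still on the previous build, linux-firmware absent.
SAMPLE_INSTALLED='xen-hypervisor 4.13.4-9.29.2.xcpng8.2
xen-tools 4.13.4-9.29.1.xcpng8.2
microcode_ctl 2.1-26.xs23.1.xcpng8.2
guest-templates-json-data-linux 1.9.6-1.2.xcpng8.2
xcp-ng-release-config 8.2.1-6'
check_versions "$EXPECTED_VERSIONS" "$SAMPLE_INSTALLED" || echo "host is not at the candidate versions"
```

On a real host, pass `"$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n')"` as the second argument instead of the constructed sample.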
-
-
@gduperrey Installed on 8.2 systems and running ok on home lab and other secondary machines. No issues before or after update. No Sapphire Rapids CPUs. Ran same update on 8.3 by mistake on a test machine but it's running ok too.
-
What is the kernel version of the latest XCP-ng?
-
Looks like some of the testers who used to test the update candidates moved their test hosts to the 8.3 alpha release. Thanks @Andrew for staying true to the job
-
@maxcuttins Is the question related to the testing of update candidates?
-
Latest updates seem to be working fine in my test lab as well.
-
Update published. Thanks for the tests!
https://xcp-ng.org/blog/2023/03/23/march-2023-security-update/
-
@stormi Not really, I would say.
I'm sticking to version 8.0 and I'm planning to upgrade.
So I'm trying to understand which kernel I'll find in the next release.
PS: Upgrading is a pain because I need to remember that CEPH NBD shared storage is not preserved during the upgrade, so those config files will be erased and I'll need to restore them in order to get my VDIs back.
-
@maxcuttins Ok. Then let's discuss this in another thread and leave the current one for testing update candidates.
-
@gduperrey XO (current source) rolling pool update did its job.
-
Hello here! I hope you are ready, because we'll have a train of update candidates for you to test shortly