XCP-ng 8.2 updates announcements and testing

gduperrey

New update candidates for you to test!

A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.

• iperf3: Upgrade to version 3.9-13 from CentOS 7
  • Includes a security fix for CVE-2023-38403
• kernel: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.
• linux-firmware: Update AMD microcode to the 2024-11-21 drop
  • Updates firmware for families 17h and 19h CPUs
• netdata: Fixed an issue that could occur when quickly uninstalling the package, right after an unfinished installation, and leave a service in an undetermined status.
• openssh:
  • Synchronized with hotfix XS82ECU1072 from Citrix.
  • Security fix for CVE-2024-6387
• socat: Update the package to version 1.7.4.1 which includes a fix for a buffer overflow and security fixes.
• sudo: Synchronized with hotfix XS82ECU1072 from Citrix.
  • intel-igc: This driver replaces igc-module to maintain consistency with the change made in this direction in 8.3.
• vendor-drivers: Updated to pull intel-igc instead of igc-module, following the package renaming.
• xcp-ng-deps: Added vim-minimal as a dependency, so it is always present on XCP-ng systems.
• xcp-ng-release:
  • Synchronized with hotfix XS82ECU1072 from Citrix.
  • Upstream changelog: "Start dhclient on iSCSI BFS interfaces".
• xenserver-status-report:
  • Synchronized with hotfix XS82ECU1072 from Citrix.
  • Update from version 1.3.16-3 to 1.3.17

Optional packages:

• Alternate Driver: Updated to newer version.
  • broadcom-bnxt-en-alt: From version 1.10.2_227.0.130.0 to 1.10.3_231.0.162.0
  • More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• intel-igc: 5.10.214-3.1.xcpng8.2
• iperf3: 3.9-13.xcpng8.2
• kernel: 4.19.19-7.0.23.2.xcpng8.2
• linux-firmware: 20190314-11.2.xcpng8.2
• netdata: 1.19.0-6.xcpng8.2
• openssh: 7.4p1-23.3.1.xcpng8.2
• socat: 1.7.4.1-6.xcpng8.2
• sudo: 1.9.15-4.1.xcpng8.2
• vendor-drivers: 1.0.2-1.7.xcpng8.2
• xcp-ng-deps: 8.2.0-13
• xcp-ng-release: 8.2.1-14
• xenserver-status-report: 1.3.17-1.xcpng8.2

Optional packages:

• Alternate drivers:
  • broadcom-bnxt-en-alt: 1.10.3_231.0.162.0-1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

JeffBerntsen

Installed and seems to be working well on my test systems.

Andrew

@gduperrey Updates installed and working on busy hosts/pools.

NielsH

Hi all,

A little while ago XSA-466 came out. I couldn't find this on the forum / blog and would like to double-check whether xcp-ng is still vulnerable or not.

The post is here: https://xenbits.xen.org/xsa/advisory-466.html

I believe the fix for this would need to be in the xcp-ng host kernel?

Cheers!
Niels

bleader

Hello @NielsH, no, that XSA is on the guest side, the fixes will be in the kernel used by the guest, unless we missed something, there is currently nothing to be done on the host kernel side.

NielsH

@bleader said in XCP-ng 8.2 updates announcements and testing:

Hello @NielsH, no, that XSA is on the guest side, the fixes will be in the kernel used by the guest, unless we missed something, there is currently nothing to be done on the host kernel side.

Hi @bleader
Thanks for your response!

As these vulnerabilities are sometimes very unclear impact-wise; could you perhaps clarify for me:
Does this mean an untrusted VM, that chooses not to run this kernel, could potentially cause harm for the host or to other VMs?

Or is the impact only within the context of the VM, i.e. guest user processes might be able to read data from other processes only inside that VM?

Thanks again!

bleader

To be honnest, I'm unsure, generally the XSAs have pretty clear impact description, here it just states:

resulting in e.g. guest user processes
being able to read data they ought not have access to.

No detail here if that's only inside the guest or if it could maybe reach data outside its domain scope. So I would not be able to say, but generally it is pretty clear in XSAs when there is a risk of accessing other guests data, my assumption would be that this is only inside the guest domain.

Andrew

@bleader I'll guess it's a VM guest process to process memory issue as the Xen patch is just for documentation of the issue.

The patch to Xen is simply a documentation update to clarify that an OS author
might not want to use a hypercall page.

gduperrey

New update candidates for you to test!

In addition to the previous updates, available for testing, here are some new, non-urgent ones, expected to be released in a few days. Below are the details about these.

• kernel:
  • Synchronized with hotfix XS82ECU1079
  • Occasionally, a host that crashes is unable to produce a crash dump and becomes inoperable until it is restarted.
• XAPI + xha:
  • Synchronized with hotfix XS82ECU1080 that fixes these issues:
    • High availability occasionally fails to process heartbeats in time when there are a lot of hosts in a pool. Consequently, the host that is unable to process heartbeats is flagged as offline and self-fences.
    • A virtual machine (VM) on the host that is restarted during or after a connectivity issue may become unresponsive or fail to start with the error message "an emulator required to run this VM failed to start" if there are problems connecting the pool coordinator to a host in the pool.
    • Resetting the connection can cause long-running VDI migrations to fail.
    • Current up-to-date RRD data is not included in the server status report.
• sm:
  • Fix VG activation in LargeBlockSR for non-NVMe devices meaning than 4KiB devices other than NVMe didn't work with the driver.

XOSTOR:

• drbd: Prevent a dead-lock in some situations, plus other improvements.
• linstor: Updated from version 1.21.1 to 1.29.0.
• http-nbd-transfer: improved for faster and more reliable HA.
• sm (specific release for XOSTOR):
  • Add the same fixe as in the common sm.
  • Update for latest linstor, drbd and http-nbd-transfer.
  • XOSTOR Fixes.

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

If you are using Xostor on your test servers, be sure to read our documentation on updating Xostor. You will need to enable an additional repo. Replace the yum update command above with this one:

yum update --enablerepo=xcp-ng-testing,xcp-ng-linstor-testing

Versions

• forkexecd: 1.18.3-15.1.xcpng8.2
• gpumon: 0.18.0-23.1.xcpng8.2
• kernel: 4.19.19-7.0.24.1.xcpng8.2
• message-switch: 1.23.2-22.1.xcpng8.2
• ocaml-rrd-transport: 1.16.1-20.1.xcpng8.2
• ocaml-rrdd-plugin: 1.9.1-20.1.xcpng8.2
• ocaml-tapctl: 1.5.1-20.1.xcpng8.2
• ocaml-xcp-idl: 1.96.7-9.1.xcpng8.2
• ocaml-xen-api-client: 1.9.0-23.1.xcpng8.2
• ocaml-xen-api-libs-transitional: 2.25.7-4.1.xcpng8.2
• rrd2csv: 1.2.6-20.1.xcpng8.2
• rrdd-plugins: 1.10.9-17.1.xcpng8.2
• sm-cli: 0.23.0-66.1.xcpng8.2
• squeezed: 0.27.0-23.1.xcpng8.2
• varstored-guard: 0.6.2-20.xcpng8.2
• vhd-tool: 0.43.0-23.1.xcpng8.2
• wsproxy: 1.12.0-24.xcpng8.2
• xapi: 1.249.40-1.1.xcpng8.2
• xapi-nbd: 1.11.0-22.1.xcpng8.2
• xapi-storage: 11.19.0_sxm2-22.xcpng8.2
• xapi-storage-script: 0.34.1-21.1.xcpng8.2
• xcp-networkd: 0.56.2-20.xcpng8.2
• xcp-rrdd: 1.33.5-3.1.xcpng8.2
• xenopsd: 0.150.19-8.1.xcpng8.2
• xha: 10.3.1-3.1.xcpng8.2
• xs-opam-repo: 6.35.13-5.xcpng8.2

If you're using XOSTOR, there are these versions too:

• drbd: 9.28.0-1.el7
• drbd-reactor: 1.4.1-1
• kmod-drbd: 9.2.11-1.1.xcpng8.2
• linstor: 1.29.0-1.el7_9
• linstor-client: 1.23.0-1.xcpng8.2
• python-linstor: 1.23.0-1.xcpng8.2
• sm: 2.30.8-13.2.0.linstor.1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better. It would be nice if you could specify in your feedback if you are using XOSTOR or not.

Test window before official release of the updates

~ 2 days

JeffBerntsen

It's installed and seems to be working well in my test pool so far, not using XOSTOR.

Andrew

@gduperrey Installed and working on a HA pool and other hosts, no XOSTOR.