XCP-ng 8.3 betas and RCs feedback 🚀

stormi

@ecoutinho You can enable TLS verification on the pool then join the new host. Or disable it on the new host but that's a downgrade of this new security feature meant to protect against MITM attacks.

ecoutinho

@stormi Thanks for your suggestions. I've tried to enable it on the pool:

# xe pool-enable-tls-verification
This operation is not supported during an upgrade.

I have to finish the upgrade of the other hosts before enabling it on the pool.

As for disabling it on the new host, I didn't find any way to do it permanently. I just found the host-emergency-disable-tls-verification option, which does not disable it completely, and doesn't allow to add it to a pool without TLS verification. Would you clarify how to disable it on the new host?

I will enable it on the pool when the upgrade is finished.

stormi

@ecoutinho I don't see a way to disable TLS verification, but anyway I wouldn't join a host to a pool which is currently being upgraded. I even suspect XAPI would refuse.

ecoutinho

@stormi OK, thanks, I'll finish upgrading the other hosts.

stormi

@brezlord If you haven't reinstalled it yet, yes, we could use more information about the host, the PCI passthrough setup on it, how the error is triggered exactly, and various logs. And/or a support tunnel to have a look by ourselves.

BenjiReis

@brezlord Can you sahre the value you put in the xen-cmdline on 8.2?

I think the XAPI awaits this format: xen-pciback.hide=(pci-id1)(pci-id2)... and will fail the value doesn't match this format.

brezlord

@BenjiReis Sorry I have destroyed the host and loaded a fresh install of 8.3. If you'd like I can install 8.2 on a host and pass through a pci device via the cmd then upgrade to 8.3 and see if the error is reproducible.

BenjiReis

@brezlord If it's not to much a bother that would be great yeah.
Comparing the xen-cmdline when doing the passthrough manually on 8.2 VS how it looks on 8.3 and when done via the XAPI.

stormi

I'm pushed a new set of updates, hopefully the last one before the release of XCP-ng 8.3.0 RC2, which itself should be followed shortly by the release of XCP-ng 8.3.0 itself.

Main packages

• intel-microcode-20240717-1.xcpng8.3: updated microcode for Intel vulnerabilities
• sm-3.2.3-1.4.xcpng8.3: fix the cause of a warning displayed during update, and restore changes that we had removed because they were suspected to cause issues in some cases with iSCSI, but revealed themselves necessary to support another kind of setup.
• vim-7.4.629-8.el7_9 (which provides vim-minimal, installed by default): bugfixes and security fixes
• xapi-24.19.2-1.3.xcpng8.3: Fixes an issue where new fields in XAPI DB for certificate fingerprints were not populated, which under some circumstances caused joining new hosts to a pool fail.
• xcp-ng-release-8.3.0-28:
  • Update repository files for CentOS and EPEL.
  • Point at repo.vates.tech for CentOS since mirrorlist.centos.org was cut
  • Add "(EOL)" to repo descriptions for EOL repos
  • Drop unused repos

Optional package

• kernel-alt-4.19.316+1-2.xcpng8.3: Enable CONFIG_X86_AMD_PLATFORM_DEVICE in kernel config
• ldns-1.7.0-21.xcpng8.3 + libreswan-4.12-2.3.1.xcpng8.3: security updates

Ajmind 0

On my 8.3 test pool I am unable to create SR ISO libary (SMB/cifs).

On my production pools with XCP-NG 8.2.x it does work as expected.

olivierlambert

Can you provide a bit more details? Errors and such.

Ajmind 0

@olivierlambert
yes I can

on dom0:

mount -t cifs --verbose -o username=admin,password=******** //192.168.1.202/iso /mnt/test
mount.cifs kernel mount options: ip=192.168.1.202,unc=\\192.168.1.202\iso,user=admin,pass=********
mount error(112): Host is down

XCP-NG Center:

Creating ISO SR 'SMB ISO library' on 'IT1HALIZARD-TEST1'
Unable to mount the directory specified in device configuration request	it1xcp-ng-test-slave1	Sep 5, 2024 12:59 PM	Dismiss

XO from Sources:

sr.createIso
{
  "host": "c1f34b07-c4dc-4584-8bc0-a01bcec81c5b",
  "nameLabel": "test",
  "nameDescription": "test",
  "path": "\\\\192.168.1.202\\public\\iso",
  "type": "smb",
  "user": "admin",
  "password": "* obfuscated *"
}
{
  "code": "SR_BACKEND_FAILURE_222",
  "params": [
    "",
    "Could not mount the directory specified in Device Configuration [opterr=mount error(112): Host is down
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)]",
    ""
  ],
  "call": {
    "method": "SR.create",
    "params": [
      "OpaqueRef:cee521f7-dc00-5d91-1499-6143d2fd0040",
      {
        "type": "cifs",
        "username": "admin",
        "cifspassword": "* obfuscated *",
        "location": "//192.168.1.202/public/iso"
      },
      0,
      "test",
      "test",
      "iso",
      "iso",
      true,
      {}
    ]
  },
  "message": "SR_BACKEND_FAILURE_222(, Could not mount the directory specified in Device Configuration [opterr=mount error(112): Host is down
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)], )",
  "name": "XapiError",
  "stack": "XapiError: SR_BACKEND_FAILURE_222(, Could not mount the directory specified in Device Configuration [opterr=mount error(112): Host is down
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)], )
    at Function.wrap (file:///srv/xen-orchestra/packages/xen-api/_XapiError.mjs:16:12)
    at file:///srv/xen-orchestra/packages/xen-api/transports/json-rpc.mjs:38:21
    at runNextTicks (node:internal/process/task_queues:60:5)
    at processImmediate (node:internal/timers:447:9)
    at process.callbackTrampoline (node:internal/async_hooks:128:17)"
}

The SR is mounted on our production pools.

olivierlambert

Well, clearly, as it comes from 2 different systems (XOA and XCP-ng) you have an issue to reach this IP address. It's simply not up and running or not connected to this IP (or blocked) from XCP-ng/XO perspective.

steff22

Don't know if this is the right place for this forum post.

But is it possible to pass through Usb keyboard, mouse or bluetooth adapter to a vm? None of these things appear in Xen Orchestra.

Smart house z-wave usb stick appears right away in Xen Orchestra

Or must I buy a usb to pcie card and passthrough this to vm to make it work

olivierlambert

I think yes, but probably need some tinkering in the USB script filtering some devices for security reasons. It's documented: https://docs.xcp-ng.org/compute/#passing-through-keyboards-and-mice

steff22

@olivierlambert ok thanks

Ajmind 0

@olivierlambert

you are right

The standard gateway has blocked access of NAS.

Could be closed.

CJ

Is there a way to track the progress of applying patches to a host? I'm updating the master of one of my pools and it dropped out of XO and hasn't come back yet. I don't recall applying patches to take this long normally.

olivierlambert

Yes, you can check the yum history for example, eg yum history list

CJ

@olivierlambert I'm seeing 27 EE which seems to indicate that it worked but there was an error?

I have had XO display errors when performing updates but there's currently nothing in the logs and the pool still isn't showing up.

Using yum history info it appears to output EE whenever the scriptlet has an output. In this case it returned ok and I also have lines regarding disabling the repos.

Now I'm getting UND_ERR_SOCKET as an error on the Servers page. If I disable and then enable the server, I get write ECONNRESET.