    XCP-ng 8.3 updates announcements and testing

      marcoi

      Updates done on my two main servers and one dev box I happened to power on today. So far so good.

      PS: Any way to get the following included in the next update for networking? I need it to run a scenario with an OPNsense VM. Right now I have a script I run manually after rebooting the server.

      ovs-ofctl add-flow xenbr3 "table=0, dl_dst=01:80:c2:00:00:03, actions=flood"

      thanks

        acebmxer @stormi

        @stormi

        In regards to UEFI Secure boot in recent update.

        from pool master host.

        [19:09 xcp-ng-qhfpcnmb ~]# rpm -q varstored
        varstored-1.2.0-3.4.xcpng8.3.x86_64
        
        8.3 with varstored >= 1.2.0-3.4
        Secure Boot is ready to use on new VMs without extra configuration. Simply activate Secure Boot on your VMs, and they will be provided with an appropriate set of default Secure Boot variables.
        
        We will keep updating the default Secure Boot variables with future updates from Microsoft. If you don't want this behavior, you can lock in these variables by using the Manually Install the Default UEFI Certificates procedure.
        

        So for new VMs nothing needs to be done. But what about existing VMs, Windows or Linux? If it was stated, I apologize if I missed it.

          dinhngtu Vates 🪐 XCP-ng Team @acebmxer

          @acebmxer The Recommended actions section of the guest Secure Boot docs has been updated with our latest recommendations. In short, VMs existing prior to the varstored update will need to have their Secure Boot certificates updated with the Propagate certificates button.

            acebmxer @dinhngtu

            @dinhngtu Thanks, must have read that part with my eyes closed or something. 🤦

              stormi Vates 🪐 XCP-ng Team @marcoi

              @marcoi I don't have enough context to reply. You should open a new thread to discuss it, with details about your needs (always better to explain the needs before the technical solution).

                shorian

                Is there any intent to publish the latest xcp-ng 'release' with an XOSTOR iso? There's an iso for the non-XOSTOR version (xcp-ng-8.3.0-20250606.2.iso) released on 18 Dec 2025, but the latest iso with xostor compatibility is xcp-ng-8.3.0-20250616-linstor-upgradeonly.iso released on 16 June 2025.

                Reason for asking is the last incremental upgrade on 18th Dec partially failed on our pool master and so we need to do a 'clean' upgrade, however there are XOSTOR disks on that machine, and doing a network upgrade after a partial failure and regardless with xostor - is not advised / achievable.

                Thank you!

                  stormi Vates 🪐 XCP-ng Team @shorian

                  @shorian Do you mean that you have hosts with XOSTOR that can't boot the installer due to broadcom drivers crashing? That's the only issue the updated ISO addresses.

                    shorian @stormi

                    @stormi All our hosts were fully patched. We then went through the upgrade of Dec 19th. Two (single server) pools updated fine, the master for the primary pool then failed after patching but on reboot - this machine happens to have XOSTOR so doing the upgrade manually and recovering via the ISO is not an option as the ISO is not XOSTOR compatible and the other options available to us (network update etc) are not permitted by the installer due to XOSTOR. We're not using the Broadcom drivers.

                    Installer recognises the old installation, that install was patched and it was the reboot after that caused the problem (no idea why or how) so reluctant to 'upgrade' to the previous install given the patch had completed except for the final reboot.

                    It might be that we can 'refresh' the install using the older version but was nervous of doing so given we'd end up with (potentially) a mash-up of versions of drivers versus data.

                      marcoi @stormi

                      @stormi The original thread is here
                      https://xcp-ng.org/forum/topic/10374/xcp-with-opnsense-vm-running-att-bypass-is-vlan-0-network-possible/14?_=1766094991961

                        marcoi

                        Also noticed a new issue: seems like changes I had in the /etc/xensource/usb-policy.conf file for USB were lost during the upgrade.

                        I have some USB comm devices I use with a Home Assistant VM and they were gone post the upgrade.

                        Any way to make those changes last post upgrade? Maybe make them options in the GUI so a config file can always be reflective of GUI settings?

                          shorian @shorian

                          @stormi As a footnote to earlier message, we tried using the previous iso image (xcp-ng-8.3.0-20250616-linstor-upgradeonly.iso) to see if things would magically work out but it results in an unrecoverable error - "Cannot upgrade host with LINSTOR 1.29.2-1.e17_9, upgrade repository has versions 1.29.0-1.e17_9. Please make sure your pool is uptodate [sic - typo in error message] and use the latest dedicated ISO."

                          So yes, afraid I'm after an iso with 1.29.2...

                            stormi Vates 🪐 XCP-ng Team @shorian

                            @shorian I might have one for you. Can you open a new thread?

                              stormi Vates 🪐 XCP-ng Team @marcoi

                              @marcoi Let's move the discussion back there then 🙂

                                stormi Vates 🪐 XCP-ng Team @marcoi

                                @marcoi said in XCP-ng 8.3 updates announcements and testing:

                                Also noticed a new issue: seems like changes I had in the /etc/xensource/usb-policy.conf file for USB were lost during the upgrade.

                                I have some USB comm devices I use with a Home Assistant VM and they were gone post the upgrade.

                                Any way to make those changes last post upgrade? Maybe make them options in the GUI so a config file can always be reflective of GUI settings?

                                This one is known. I had opened an issue about it, but it didn't get much traction yet. We also have a related item in our backlog, but it's a matter of finding resources to handle it.

                                https://github.com/xapi-project/xen-api/issues/4935

                                stormi created this issue in xapi-project/xen-api

                                open Packaging: xapi-core RPM updates overwrite custom user config in usb-policy.conf #4935

                                  shorian @stormi

                                  @stormi https://xcp-ng.org/forum/post/101015 V kind, thanks

                                    olivierlambert Vates 🪐 Co-Founder CEO @stormi

                                    @stormi Yes, I'm also affected here, due to a USB device that's disabled by default.

                                      gb.123 @olivierlambert

                                      @olivierlambert

                                      I did post an alternative script here:
                                      https://xcp-ng.org/forum/topic/8620/usb-passthrough-override-script-to-ensure-usb-policy-conf-consistency

                                      But it was later removed due to request by @stormi .

                                      I'm currently using my script, which basically backs up your settings and overrides the default one (after backing it up on first install) on every boot. I know it's a crude way to handle it, but it was only meant to be temporary till you guys find a solution.

                                      I have reposted it.

                                      Please note : Issues caused by this script (if any) shall not be covered by the XCP-NG Support Team 
                                      
                                        stormi Vates 🪐 XCP-ng Team @gb.123

                                        @gb.123 Please mention in your post that any issue caused by this script will not be covered by official support. The concerns I voiced then still hold.

                                          gb.123 @stormi

                                          @stormi

                                          Great Idea!
                                          Post updated ! 🙂

                                          Update: I also added 'Automatic Backup' which backs up your original file in case something goes wrong.

                                            gduperrey Vates 🪐 XCP-ng Team

                                            New security and maintenance update candidates for you to test!

                                            Security vulnerabilities have been detected and fixed for xen and varstored. We also publish other non-urgent updates which we had in the pipe for the next update release.

                                            Security updates:

                                            • xen:

                                              • XSA-477 / VSA-2026-001: A buffer overflow in the Xen shadow tracing code could allow a DomU virtual machine to crash Xen, or potentially escalate privileges.
                                              • XSA-479 / VSA-2026-003: Some Xen optimizations to avoid clearing internal CPU buffers when not required could allow one guest to leak data of another guest. A mitigation can be applied without the fix by rebooting vulnerable Xen with "spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv" on the Xen command line at the cost of decreased performance.
                                            • varstored:

                                              • XSA-478 / VSA-2026-002: Within varstored, there were insufficient compiler barriers, creating TOCTOU issues with data in the shared buffer. An attacker with kernel level access in a VM can escalate privilege via gaining code execution within varstored.

                                            Maintenance updates:

                                            • guest-templates-json:

                                              • Update VM template labels
                                              • Sync RHEL10 template with XenServer's
                                            • intel-microcode:

                                              • Update to publicly released microcode-20251111
                                              • Updates for multiple functional issues
                                            • kernel: Bug fixes in the NFS and NBD stacks for various deadlocks and other race conditions.

                                            • qemu: Backport for CVE-2021-3929, fixing a DMA reentrancy flaw in NVMe emulation, that could lead to use-after-free from a malicious guest and potential arbitrary code execution.

                                            • smartmontools: Update to minor release 7.5

                                            • swtpm: Synchronize with release 0.7.3-12 from XenServer. No functional changes.

                                            • xapi: Fix regression on dynamic memory management during live migration, causing VMs not to balloon down before the migration.

                                            • xcp-ng-release: Prevent remote syslog from being overwritten by system updates.

                                            XOSTOR
                                            In addition to the changes in common packages, the following XOSTOR-specific packages received updates:

                                            • drbd: Reduces the I/O load and time during resync.
                                            • drbd-reactor: Misc improvements regarding drbd-reactor and events
                                            • linstor:
                                              • Resource delete: Fixed rare race condition where a delayed DRBD event causes "resource not found" ErrorReports
                                              • Misc changes to robustify LINSTOR API calls and checks

                                            If you are using XOSTOR, please refer to our documentation for the update method.

                                            Test on XCP-ng 8.3

                                            yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
                                            yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
                                            reboot
                                            

                                            The usual update rules apply: pool coordinator first, etc.

                                            Versions:

                                            • guest-templates-json: 2.0.15-1.1.xcpng8.3
                                            • intel-microcode: 20251029-1.xcpng8.3
                                            • kernel: 4.19.19-8.0.44.1.xcpng8.3
                                            • qemu: 4.2.1-5.2.15.2.xcpng8.3
                                            • smartmontools: 7.5-1.xcpng8.3
                                            • swtpm: 0.7.3-12.xcpng8.3
                                            • xapi: 25.33.1-2.3.xcpng8.3
                                            • xcp-ng-release: 8.3.0-36
                                            • xcp-python-libs: 3.0.10-1.1.xcpng8.3
                                            • xen: 4.17.5-23.2.xcpng8.3
                                            • varstored: 1.2.0-3.5.xcpng8.3

                                            XOSTOR

                                            • drbd: 9.33.0-1.el7_9
                                            • drbd-reactor: 1.9.0-1
                                            • kmod-drbd: 9.2.16-1.0.xcpng8.3
                                            • linstor: 1.33.0~rc.2-1.el8
                                            • linstor-client: 1.27.0-1.xcpng8.3
                                            • python-linstor: 1.27.0-1.xcpng8.3
                                            • xcp-ng-linstor: 1.2-4.xcpng8.3

                                            What to test

                                            Normal use and anything else you want to test.

                                            Test window before official release of the updates

                                            2 days max.

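
An added example, not part of the original post or of XCP-ng's own tooling: a shell check that flags packages still below the fixed builds listed in the announcement above for the packages carrying security fixes (xen, varstored, qemu). The helper names (`fixed_version`, `ver_ge`, `outdated`) and the sample input are constructed for illustration; `sort -V` is used as an approximation of RPM version ordering, and the package names are the ones used in the announcement, which may differ from the binary RPM names installed on a host.

```shell
#!/bin/sh
# Added example: flag packages older than the fixed builds named in the
# announcement (XSA-477/479 in xen, XSA-478 in varstored, CVE-2021-3929 in qemu).

# Fixed version-release per package, copied from the post's "Versions" list.
# Names are as written in the announcement (assumption: map them to the
# binary RPM names actually installed on your host).
fixed_version() {
    case "$1" in
        xen)       echo "4.17.5-23.2.xcpng8.3" ;;
        varstored) echo "1.2.0-3.5.xcpng8.3" ;;
        qemu)      echo "4.2.1-5.2.15.2.xcpng8.3" ;;
        *)         return 1 ;;   # package not tracked by this check
    esac
}

# Succeeds when version $1 is equal to or newer than $2.
# Assumption: GNU `sort -V` ordering is close enough to RPM's for these strings.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Reads "name version-release" lines on stdin and prints one line for each
# tracked package that is still below its fixed build.
outdated() {
    while read -r name ver; do
        want=$(fixed_version "$name") || continue
        ver_ge "$ver" "$want" || echo "$name $ver < $want"
    done
}

# Constructed sample input. The varstored line mirrors the `rpm -q varstored`
# output quoted earlier in the thread; the other lines are made up.
SAMPLE='xen 4.17.5-20.1.xcpng8.3
varstored 1.2.0-3.4.xcpng8.3
qemu 4.2.1-5.2.15.2.xcpng8.3
smartmontools 7.5-1.xcpng8.3'

printf '%s\n' "$SAMPLE" | outdated

# On a host, feed it real data instead, for example:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' varstored | outdated
```

An empty result means every tracked package in the input is at or above the fixed build; the fix only takes effect after the reboot the post calls for.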