XCP-ng 8.3 updates announcements and testing

gduperrey · 7 Mar 2025, 15:44

New update candidates for you to test!

A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.

edk2: Fix "Guest has not initialized the display (yet)." error.
intel-igc: Fix a possible update issue due to a recent package name change.
intel-microcode:
- Latest Intel release microcode-20250211:
  - Security updates for: INTEL-SA-01166, INTEL-SA-01213, INTEL-SA-01139, INTEL-SA-01228
  - Updates for multiple functional issues
  - Upstream update drops files for older Sapphire Rapids steppings, we kept the previous versions
netdata:
- Update to Netdata v1.47.5
  - Fix dmesg warnings due to setuid+capabilities on xenstat plugin
  - Improve systemd service restart with a custom script waiting for Netdata to be fully up-and-running before stopping it.
openssl: Add security fixes from upstream: CVE-2019-1547, CVE-2019-1551, CVE-2019-1563
qemu: Backport a security fixe (CVE-2023-3354) for QEMU VNC server vulnerability
r8125-module: Disable some performance functionalities in the driver (TXchecksum/SG/TSO) by default to workaround bugs on Windows Server 2022 guests. These can be re-enabled using 'ethtool -K eth0 tx on tso on sg on'
sm:
- Fix issue where users may encounter problems with HPE Nimble arrays: unable to mount iSCSI LUNs, non-functional or imperfect multipathing.
- Regarding Large Block driver, always enable the VG on the emulated device.
- Prevent corruption in the LINSTOR KV-store caused by a race condition between user calls and GC.
systemtap: No functional changes. Fix compilation for compatibility with new gcc version.
xapi: Re-enabled nested virtualization in 8.3, with the same limitations as in 8.2.
xcp-emu-manager: No functional changes, Fix rpm spec file for new cmake version
xcp-ng-release: Update cipher list in .curlrc
xcp-ng-xapi-plugins:
- Add new service plugin to manage (start, stop, ...) XCP-ng services
- Add a new ipmitool plugin to get information from ipmitool that:
  - Returns information about sensors
  - Returns ipmi lan information
xen:
- Re-enabled nested virtualization in 8.3, with the same limitations as in 8.2.
- Fix XSA-467 / CVE-2025-1713
xo-lite: update to version 0.8.0. For more information you can read latests posts on the Xen Orchestra blog: 0.7.1 & 0.8.0.

Regarding the nested virtualization, Xen-Orchestra is not yet updated to allow this in 8.3, even if we see the option in the advanced tab of the VM. They are working on it and this will come in a future update.

To actually enable the nested possibility, it must be done on the command line with xe.

Once your VM is created:

xe vm-param-set platform:nested-virt=true uuid=<vm-uuid>

To check this:

xe vm-param-get param-name=platform uuid=<vm-uuid>

You should have a line similar to below, with the nested-virt: true parameter visible:

nested-virt: true; timeoffset: 0; exp-nested-hvm: true; secureboot: false; device-model: qemu-upstream-compat; viridian: true; nx: true; acpi: 1; apic: true; pae:true; hpet:true

To deactivate it:

xe vm-param-remove param-name=platform param-key=nested-virt uuid=<vm-uuid>

For XOSTOR users:

See the description for sm above.

(Reminder: XOSTOR is still in beta stage on XCP-ng 8.3)

Optional packages:

Alternate Driver: Updated to newer version.
- atlantic-module-alt:
  - Update vendor version of driver 2.5.12
  - Disable LRO for reliable bridging per README
  - More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).

Test on XCP-ng 8.3

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

edk2: 20220801-1.7.7.2.xcpng8.3
intel-igc: 5.10.226-2.xcpng8.3
intel-microcode: 20250127-1.xcpng8.3
netdata: 1.47.5-4.1.xcpng8.3
openssl: 1.0.2k-26.2.xcpng8.3
qemu: 4.2.1-5.2.10.1.xcpng8.3
r8125-module: 9.012.04-2.xcpng8.3
sm: 3.2.3-1.17.xcpng8.3
systemtap: 4.0-5.1.xcpng8.3
xapi: 24.19.2-1.10.xcpng8.3
xcp-emu-manager: 1.2.0-2.xcpng8.3
xcp-ng-release: 8.3.0-29
xcp-ng-xapi-plugins: 1.12.0-1.xcpng8.3
xen: 4.17.5-4.2.xcpng8.3
xo-lite: 0.8.0-1.xcpng8.3

Optional packages:

Alternate drivers:
- atlantic-module-alt: 2.5.12-1.xcpng8.3

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~ 4/5 days

bleader · 7 Mar 2025, 16:09

Home host updated successfully, no issue.

flakpyro · 7 Mar 2025, 17:01

@gduperrey

installed on 2 test machines

Machine 1:
Intel Xeon E-2336
SuperMicro board.

Machine 2:
Minisforum MS-01
i9-13900H
32 GB Ram
Using Intel X710 onboard NIC

Both machines installed fine and all VMs came up without issue after.

XCP-ng-JustGreat · 9 Mar 2025, 03:57

Latest test updates were applied to three-node home lab pool (3 x Dell OptiPlex SFF 7040 i7-6700/48GB RAM/256GB NVMe boot drive/TrueNAS Core 10Gbps-attached NFS shared storage) without incident. VMs appear to running normally, live migration between hosts works fine and no apparent problems so far.

abudef · 9 Mar 2025, 11:34

The update went fine and everything is working fine.

@gduperrey said in XCP-ng 8.3 updates announcements and testing:

xapi: Re-enabled nested virtualization in 8.3, with the same limitations as in 8.2.

Since I keep bothering with nested virtualization here on the forum, I of course immediately tried the support in 8.3

Setup:

HW XCP-ng 8.3
- Nested XCP-ng 8.3
- - Windows Server 2025
- - Debian 12.9

Windows installation on the nested hypervisor went ok and the system seems to be working fine.
The problem occurred with Debian. ISO 12.9 netistall, UEFI was used. The system boots up and shows the notorious install screen: Graphic install, Install ... Regardless of the type of installation chosen, immediately after starting it, nested hypervisor XCP-ng 8.3 crashes and reboots. By the way, this problem with Debian is also on VMware - if I use nested XCP-ng 8.3 there, the Debian installation crashes it just the same.

TeddyAstie · 3 Oct 2025, 00:47

@abudef Note that even with this update, nested virtualization is still not really supported in XCP-ng 8.3.
It's there, you can enable it at your own risk. It broke due to some change in XAPI (even though Xen hypervisor had "support" for it).
It never actually got removed from Xen hypervisor (it was marked experimental in Xen 4.13 used in XCP-ng 8.2, it is also the case for Xen 4.17), although nothing really changed, it still has the same issues and limitations as said.

The current state of nested virtualization in Xen is quite clumsy and there are future plans to remake it properly from ground without taking shortcuts and have proper tests to back it.

Aside that, after some experiments, it seems that mostly nested EPT is incomplete/buggy, so your L1 hypervisor should not rely on it. You should add hap=0 to nested XCP-ng Xen cmdline. Beware that it will imply a pretty large performance hit, but I had more consistent results with this.
I am quite suprised that Windows works while Linux don't, maybe it is somewhat related to PV drivers ?

ph7 · 10 Mar 2025, 09:44

@gduperrey

I updated my test host and all seems to work fine.
But I have 1 question:
Do I need to disable the testing repo or is it removed at the reboot?

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

[10:33 x1 ~]# yum repolist 
Inlästa insticksmoduler: fastestmirror
Loading mirror speeds from cached hostfile
Excluding mirror: updates.xcp-ng.org
 * xcp-ng-base: mirrors.xcp-ng.org
Excluding mirror: updates.xcp-ng.org
 * xcp-ng-updates: mirrors.xcp-ng.org
förråds-id                                 förrådsnamn                                           status
xcp-ng-base                                XCP-ng Base Repository                                4 376
xcp-ng-updates                             XCP-ng Updates Repository                               125
repolist: 4 501

dthenot · 10 Mar 2025, 09:57

@ph7 It's only enabled for the two yum command with the --enablerepo explicitly used.
It's disabled in the config otherwise.
No need to do anything

gduperrey · 12 Mar 2025, 10:40

Update published: https://xcp-ng.org/blog/2025/03/12/march-2025-maintenance-update-for-xcp-ng-8-3/

Thank you for the tests!

manilx · 12 Mar 2025, 14:10

@gduperrey 1 HomeLab-Pool (via cli: yum update and reboot), 3 Business-Pools (via RPU), total 7 servers updated without issues.

bvitnik · 14 Mar 2025, 15:59

@TeddyAstie Is the list of "issues and limitations" of nested virtualization under Xen documented somewhere?

stormi · 14 Mar 2025, 16:07

@bvitnik It's better to consider it as working by chance in some scenarios, but I think Teddy can give you details

archw · 15 Mar 2025, 23:47

@gduperrey
Is a reboot required for this batch of updates?

Andrew · 16 Mar 2025, 00:03

@archw Yes.

archw · 16 Mar 2025, 11:57

@Andrew
Thanks!

stormi · 25 Mar 2025, 10:32

@archw It's written in the blog post

archw · 25 Mar 2025, 10:53

@stormi I missed it!

gduperrey

New update candidates for you to test!

As we move closer to making XCP-ng 8.3 the new LTS release, taking over from XCP-ng 8.2.1, a first batch of updates is now available for user testing ahead of a future collective release. Details are provided below.

amd-microcode: Packaging and versioning update, but no actual changes in microcodes.
blktap: Fixes.
broadcom-bnxt-en: bug fix: "Backport patch to fix GSO type for HW GRO packets on 5750X chips"
busybox: backport fixes for CVE-2018-20679 and others.
gpumon: No major changes. Rebuild for dependency reasons.
guest-templates-json: Add templates for Windows server 2025 and Ubuntu 24.04. Remove "preview" from a few template names.
host-upgrade-plugin: Update to version 3.0.1 which transitions to python 3 and brings some fixes.
intel-i40e: Update to version 2.25.11
interface-rename: Sync with XenServer, but this only changes packaging details.
ipxe: Rebuild.
jemalloc: Updated to version 5.3.0.
lvm2: Fixes.
microsemi-smartpqi: Update to version 2.1.30_031
ncurses: Updated to upstream 6.4-20240309 revision. Some minor improvements.
net-snmp: Rebase on XenServer version 5.7.2-52, which incorporates fixes for CVE-2022-24805 and CVE-2022-24809
openssh: fix CVE-2025-26465
qemu: Rebuilt with new version of jemalloc.
qlogic-qla2xxx: Update to version 10.02.12.01_k
sm: (Storage manager):
- Logging improvements
- Minor fixes regarding race conditions
- Robustify snapshots and a few XAPI calls
- Send message to XAPI if the garbage collection process doesn't have enough space.
- Multipath configuration updates for some vendors.
- Preliminary work for future XOSTOR support and over 2TB VM disks.
sm-core-libs: fixes.
vmss: Synchronization with the latest package from XenServer, which replaces the use of a deprecated dependency (imp module) by another.
xapi:
- Update to version 24.39.1
- Many fixes and improvements, among which:
Improve logging during live storage migration
- Lengthy VDI migrations were mistakenly canceled upon reaching a 12-hour time limit.
- Faster starting VMs when they have multiple VIFs or in conditions where the database is under heavy load.
- High availability occasionally fails to process heartbeats in time when there are a lot of hosts in a pool. Consequently, the host that is unable to process heartbeats is flagged as offline and self-fences.
- IPv6-related fixes.
- Configurable threshold for updating last_active
- Many under the hood improvements or fixes.
- Added python dependencies for opentelemetry support: pyproject-rpm-macros, python-aiocontextvars, python-charset-normalizer, python-contextvars, python-deprecated, python-idna, python-immutables, python-opentelemetry, python-requests, python-typing-extensions, python-urllib3, python-wheel, python-wrapt, python3-setuptools.
xcp-ng-release:
- Sync with xenserver-release-8.4.0-14. (XCP-ng release number remains 8.3.0)
- Update dependencies between systemd services.
- Enable new RRDD plugins
xcp-python-libs: Sync with XenServer, but this only changes packaging details.
xen: Synchronization with package 4.17.5-6 from XenServer:
- Fix migration of VMs from XCP-ng 8.2 to XCP-ng 8.3 when the guest is using BHI_DIS_S
- Initial AMD Turin support
- Fix dom0 pIRQ limit calculation
- Fix emulation of BMI1/2 instructions
xenserver-status-report: Minor update to add scsi disk provisioning mode in the output from this debug tool.
xo-lite: As described in Xen Orchestra's blog, added VM creation page and form and Display vifs list in vm view and vifs information in side panel
xs-opam-repo: Update to version 6.86.0 as a dependency for xapi
xsconsole: Improved xenapi error handling & reintroduced Portable SR feature

Test on XCP-ng 8.3

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

amd-microcode: 20241121-1.1.xcpng8.3
blktap: 3.55.4-1.1.xcpng8.3
broadcom-bnxt-en: 1.10.2_223.0.183.0-2.xcpng8.3
busybox: 1.22.1-7.xcpng8.3
gpumon: 24.1.0-32.1.xcpng8.3
guest-templates-json: 2.0.13-1.1.xcpng8.3
host-upgrade-plugin: 3.0.1-1.xcpng8.3
intel-i40e: 2.25.11-2.xcpng8.3
interface-rename: 2.0.6-1.1.xcpng8.3
ipxe: 20121005-1.0.7.xcpng8.3
jemalloc: 5.3.0-1.xcpng8.3
lvm2: 2.02.180-18.1.xcpng8.3
microsemi-smartpqi: 2.1.30_031-1.xcpng8.3
ncurses: 6.4-5.20240309.xcpng8.3
net-snmp: 5.7.2-52.1.xcpng8.3
openssh: 7.4p1-23.3.2.xcpng8.3
pyproject-rpm-macros: 1.8.0-4.1.xcpng8.3
python-aiocontextvars: 0.2.2-3.1.xcpng8.3
python-charset-normalizer: 2.1.0-4.1.xcpng8.3
python-contextvars: 2.4-3.1.xcpng8.3
python-deprecated: 1.2.14-3.1.xcpng8.3
python-idna: 3.3-4.xcpng8.3
python-immutables: 0.19-5.xcpng8.3
python-opentelemetry: 1.12.0-1
python-requests: 2.28.1-4.1.xcpng8.3
python-typing-extensions: 3.7.4.3-4.xcpng8.3
python-urllib3: 1.26.15-4.1.xcpng8.3
python-wheel: 0.31.1-5.el7_7
python-wrapt: 1.14.0-4.xcpng8.3
python3-setuptools: 40.4.1-1.0.1.xcpng8.3
qemu: 4.2.1-5.2.12.1.xcpng8.3
qlogic-qla2xxx: 10.02.12.01_k-1.xcpng8.3
sm: 3.2.12-3.1.xcpng8.3
sm-core-libs: 1.1.2-1.xcpng8.3
vmss: 1.2.1-1.xcpng8.3
xapi: 24.39.1-1.3.xcpng8.3
xcp-ng-release: 8.3.0-30
xcp-python-libs: 3.0.4-2.1.xcpng8.3
xen: 4.17.5-6.1.xcpng8.3
xenserver-status-report: 2.0.7-1.xcpng8.3
xo-lite: 0.9.1-1.xcpng8.3
xs-opam-repo: 6.86.0-1.1.xcpng8.3
xsconsole: 11.0.8-1.1.xcpng8.3

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

flakpyro

@gduperrey

installed on 2 test machines

Machine 1:
Intel Xeon E-2336
SuperMicro board.

Machine 2:
Minisforum MS-01
i9-13900H
32 GB Ram
Using Intel X710 onboard NIC

Both machines installed fine and all VMs came up without issue after. My one test backup job also seemed to run without any issues.

dthenot

For people testing the QCOW2 preview, please be informed that you need to update with the QCOW2 repo enabled, if you install the new non QCOW2 version, you risk QCOW2 VDI being dropped from XAPI database until you have installed it and re-scanned the SR.
Dropping from XAPI means losing name-label, description and worse, the links to a VM for these VDI.
There should be a blktap, sm and sm-fairlock update of the same version as above in the QCOW2 repo.

If you have correctly added the QCOW2 repo linked here: https://xcp-ng.org/forum/post/90287

You can update like this:

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-qcow2
yum update --enablerepo=xcp-ng-testing,xcp-ng-qcow2
reboot

Versions:

blktap: 3.55.4-1.1.0.qcow2.1.xcpng8.3
sm: 3.2.12-3.1.0.qcow2.1.xcpng8.3