RE: XenServer 8.0 - Major update due Q1 2019

I will add that I use XCP-ng at home; but, also in an enterprise virtual environment (without professional support right now, as we don't need it for Xen). We also use the Enterprise XOA, and have even had great success with Backup-ng for specific VMs we can't backup with other solutions. My qualm is that I could absolutely use some of those Enterprise features at home; but, alas, the licensing is WAY beyond my personal budget. The subscription model is the only way to go in this industry, or the very similar perpetual license with a yearly support subscription (neither all that different from each other from a cost perspective) - you can't maintain a team and ongoing development with "one time fees" (look how this has actually harmed Plex due to way too many lifetime passes being sold).

That said, the reliability and stability of the XCP-ng\XOA solutions across the board is at least equivalent to native Xenserver (which isn't necessarily an insult or a compliment - any of us who have used XenServer long enough know that it can be incredibly easy and downright simple to manage, or it can turn into an absolute disaster real quick). We also run native XenServer, and some VMware and Hyper-V in our environment.

Do I have ideas of where I'd like to see XCP-ng go? Absolutely. I don't think it's time for me to be pushing those while the team fleshes out the product per their initial goals and desires, however. Do I have extremely diverse experience that could be invaluable to the team in developing new features and capabilities? I'm sure; but, I'm not a developer, I'm an administrator\engineer. I understand coding, and can often talk the talk; but, it's not my cup of tea, for sure - I'm not sure I'd know where to start to assist those endeavors beyond asking actually questions.

I do hope that the XCP team's recent progress towards becoming an independent product is a success - sooner rather than later. They already have some big companies betting on them. I could go on for quite a while on subjects like this - if XCP-ng has an open position that pays roughly $100K/year for someone in the top 5% of skill and talent in the global IT\IS field, let me know.

cg I have a feeling that it may not actually even boot without messing with grub configuration if my experience serves me right.

MajorTom Oh, I'm fully aware. I'm an MCSE, a not-currently-active CISSP, and hold a handful of other certifications. I've been doing this for more than 25 years...makes me feel old. x.x

My home environment is pretty complex and extensive compared to most IT guys; but, my work environment, while impressive in its own right, is not usually something a lot of IT guys gawk at these days with the massive datacenters we're all used to. I've been lucky to end up at a business that, while under the same security requirements as those many times its size, has given me a lot of freedom to be directly and\or involved\in charge of pretty much everything from A to Z.

I have a lot of "unorthodox" IT experience as well - doing a lot with little kind of thing - hence my sometimes creative suggestions or recommendations; and, I only wish I could sell or give away half of what I have sitting on shelves in my computer lab downstairs so others can learn as much as I have.

apayne I am fully aware that this is a known issue. That portion of my question was more in alignment with "does the XCP team perhaps have any plans to implement a similar feature in XCP, that KVM has, that can "hide" the virtualization state from the VM itself?". I believe certain versions of vmWare also have this feature now. I know this plays into HVM vs. PV status of a VM; but, with KVM being able to implement something, perhaps the possibility for XCP-ng to come up with a solution is there as well. For the record, this is not for any AI or Terminal Services use - I'm looking more into the virtualized gaming\media space.

Interesting behavior I am seeing on a host. I moved a C420 from one host to another to free up some space for alternative GPUs in my 2U host.

After doing so, I cannot, for the life of me, get the C420 to show up in "GPUs" on this other host, for assignment. Of note, it normally shows up as a "AMD FirePro something", but, is not showing up at all now.

It shows up in lspci, I have verified it is not bound to a driver in dom0, it is on the list of "assignable devices" in xl, so, I'm at a bit of a loss. I have even tried assigning it manually to the VM through dom0 console, to no avail; although, it's possible my syntax is wrong, and, it's just not telling me.

I did follow the XenServer 7 PCI-passthrough guide just to be sure.

Any thoughts or suggestions would be helpful.

MajorTom Oh, I'm fully aware. I'm an MCSE, a not-currently-active CISSP, and hold a handful of other certifications. I've been doing this for more than 25 years...makes me feel old. x.x

My home environment is pretty complex and extensive compared to most IT guys; but, my work environment, while impressive in its own right, is not usually something a lot of IT guys gawk at these days with the massive datacenters we're all used to. I've been lucky to end up at a business that, while under the same security requirements as those many times its size, has given me a lot of freedom to be directly and\or involved\in charge of pretty much everything from A to Z.

I have a lot of "unorthodox" IT experience as well - doing a lot with little kind of thing - hence my sometimes creative suggestions or recommendations; and, I only wish I could sell or give away half of what I have sitting on shelves in my computer lab downstairs so others can learn as much as I have.

MajorTom I don't on any of the VMs providing services, no. I use a browser - one that is always up-to-date and has other security protections in place - on a specific VM designed solely for management of that environment. I would also consider myself to be a very savvy browser user. I have maybe only once or twice in 20 years come across something truly malicious, unexpectedly, while looking for something else - all other times were when I was intentionally looking for something malicious, and had taken appropriate steps otherwise. Either way, I certainly wasn't counting on just one security control at any time.

apayne Yep - those risers look very different from the ones used in the 720s. The 720s have power jacks near the top on the inside end - with some splitters, you can even plug in dual-jack video cards as long as you stay under the wattage limits. The ones in your R815 actually look very similar to the ones in the 2950 IIIs.

apayne I actually haven't taken any active approaches at the hardware level to the Spectre\Meltdown bugs beyond firmware\microcode updates. The scenarios in which those can be taken advantage of aren't nearly as critical as a lot of the fuss made it out to be. Don't get me wrong, they are absolutely something to be aware of, and mitigate where possible; but, I have taken the approach of ensuring my VMs, my network, and my edge is secure - if someone can't get into something and run something that takes advantage of the bug in the first place, that's all that really matters. I think those disabling hyper-threading are going to the extreme in believing they have something that vulnerable to attack (or that worth protecting) unless they're in government, military, or research where there may actually be a valid threat vector there.

apayne On the storage side, I've done time with FreeNAS, Nexenta, OpenFiler, etc. OpenFiler continues to be my favorite; but, it has not been updated in years. (not to mention actual SANs that I've worked with at work - DotHill, Dell\EMC, Quantum, etc.)

I am currently running a single "true-Synology" device (4x 3.5" 3TB WD Reds in SHR) for archive\backup, and, my main storage array is a home-built XPEnology appliance - 24x 2.5" 1TB WD Red drives in a RAID 6, with a 512GB SSD cache. I built this on a SuperMicro 24+2 disk array chassis (I can get the exact model if needed.). I didn't spend more than a couple hundred bucks on the chassis, and acquired almost all the disks for "free". I have been happy with both Synology and XPEnology from a capability and performance perspective - I can pull nearly 300 MB/s over my storage fabric, which isn't too bad for a home array running on RAID 6 with 30 active VMs.

I am exporting iSCSI LUNs over multiple targets (with multi-pathing); but, it also provides NFS shares (among all the other Synology capabilities). This runs over redundant storage fabric (a couple of Brocades) for 4x 1GBe uplinks at the storage side, and 4x 1GBe uplinks at my XCP-ng host. I have a couple servers for backup; but, typically run only the single main server for most workloads, and a cluster of 3x laptops running Sophos nodes on XCP-ng for my edge.

Are you sure that R815 doesn't have some external GPU power connectors hidden along the PCIe backplanes?

apayne Yep. I ran into this issue both at work and at home - we got a really sweet deal on some 1060 Tis - tried to use them in some VMs, came to the realization that NVIDIA had locked them out in the drivers. We IT guys at least got a "nice" GPU out of it in the end - I use mine alongside my 1070 as a dedicated PhysX GPU, that also drives a couple secondary monitors for social stuff and hardware monitoring. I'll see if I can find that thread.

A side note - if you get yourself something like a Dell R720 (or most of their other 2U servers), then you will have ports for external GPU power. You'll still be limited wattage-wise; but, to a lesser extent.

apayne Oh, no. That includes the 1030. You can't get non-virtualization-detecting drivers for anything 1030 and above. I guess the way I typed that the first time could come across as "only those above the 1030". I've tried the 1030, the 1060 [Ti], and the 1070 to no avail. I'm quite certain the 1080 [Ti] and 1050 [Ti] aren't going to be any different than the others.

I'm currently using a couple of spare Radeon 5600 series in my server for testing - the power consumption vs. performance is not going to be worth it at all.

olivierlambert There are a number of different ways it can be done, evidently; however, there are some inherent variables involved that are way beyond my scope of expertise. I've linked a couple articles\posts below that go into more detail, and, also provide additional resources discussing this topic. I find it very intriguing; but, it certainly can become the deep end of the pool very quickly.

https://forum.proxmox.com/threads/hide-vm-from-guest.34905/
https://stackoverflow.com/questions/154163/detect-virtualized-os-from-an-application
https://kb.vmware.com/s/article/1009458

I believe the second link provides the most additional resources discussing "No Pill\Red Pill\Blue Pill" scenarios. The third link is vmWare's official resource on detection, the first one is a thread discussing the possibilities of hiding the hypervisor from a VM. It seems, according to one thread response on the first link, that KVM may mask the hypervisor present bit as its way of hiding the VM (at least it starts with that).

apayne Honestly, it could be Linux or Windows for the gaming side - doesn't really matter (although, with Steam, Windows is preferred), as the concept is to use it with something like a Steam box or mobile client akin to Steam's streaming client. The ideal scenario is still to have some good "oomph" in the GPU on the back-end. NVIDIA's driver implementation from a VM essentially bars you from using anything modeled higher than a 1030; and, I've read a few places that finding stable older drivers for even their 900 series can be difficult from a VM perspective. AMD is an option, of course; but, the idle [and under load] power consumption and cooling requirements of an AMD card vs. an NVIDIA are quite different - especially in a server setting (even moreso in a cost-sensitive home environment - which is part of my use case). My server runs 24x7 regardless, and is battery and generator-backed. My gaming rig consumes as much electricity on its own as my entire server, switching, and storage infrastructure in a half-rack. If I can utilize the already-on server infrastructure to provide even half of my gaming needs, the power savings are well worth it.

For the media side, it could still be Linux or Windows; but, my use case revolves around time\latency-sensitive media encoding\decoding (think Plex and\or DVR for reference) of very high quality video - a GPU would do wonders for this.

apayne I am fully aware that this is a known issue. That portion of my question was more in alignment with "does the XCP team perhaps have any plans to implement a similar feature in XCP, that KVM has, that can "hide" the virtualization state from the VM itself?". I believe certain versions of vmWare also have this feature now. I know this plays into HVM vs. PV status of a VM; but, with KVM being able to implement something, perhaps the possibility for XCP-ng to come up with a solution is there as well. For the record, this is not for any AI or Terminal Services use - I'm looking more into the virtualized gaming\media space.