Personal Testimony - Edge Case #2 - Protectli hardware

So I woke up and saw this today:

https://xcp-ng.org/blog/2020/09/09/edge-case-2-protectli-hardware/

And a massive smile came across my face, because this is the solution I have cut my teeth on XCP-NG just over 2 years ago now, and is still reliably running my home and two person cybersecurity consultancy business with 9 VM's running 24/7, and another 3-4 VMs that we spin up whenever we need them.

Two years ago this month, I purchased a new Protectli model, the i5 7200u as a replacement system for my old and finally failed (blown caps) Firewall. While waiting for the shipment to arrive, I saw @olivierlambert give his presentation on forking Xen and the launch of XCP-NG. Already familiar with Xen through my previous employer (T-Mobile), I thought when my Protectli unit arrives, and before I launch it as a bare metal firewall on my network, I thought I'd try XCP-NG on it first. When I did, my mind was blown almost instantaneously for a few reasons.

First, there was a bit of a learning curve. I'd never actually installed / administrated a Xen server at my former employer - that wasn't our job. Specifying security requirements and performing pen-testing and audits of implementations was more our thing. Thanks in part to the members of the community that were here, and even Oliver himself (who graciously extended my XOA demo license & answered further technical questions I had) that learning curve was just weeks rather than months. And after some initial configuration experimentation and performance testing, I ended up launching our XCP-NG Protectli unit with a Firewall (pfSense) VM and our first completely virtualised DMZ. Fuller disclosure: I've run my own Email, Web and DNS servers from home since 1994. But this was the first time I've attempted to virtualise many of my servers running on bare metal. And I was so impressed, within a couple of months - I was virtualising nearly everything onto this box apart from my NAS units onto XCP-NG, including two RaspberryPi's. In fact, at the time, I made many jokes about how consolidating two very heavily loaded RaspberryPi 3B+ Units (sucking a total of 10+ watts) into XCP-NG on Protectli was resulting in electrical bill savings & huge performance gains on the apps that previously ran on those RPI's were now realised.

What was on those two RaspberryPi's? The master node of the first High Availability implementation of Home Assistant which I specifically built for monitoring, managing and automating my Nano Coral Reef and Marine Fish breeding farm, composed of 12 interconnected aquariums. It also controls our house too, but the aquarium aspect is really why I needed 99.7%+ uptime service availability. So I architected a high availability solution using RaspberryPi's that works in practice, not unlike the Space Shuttle or Dragon Crew Flight Systems computer. Each node is sanity checking the other nodes and ensuring it's still online and operating as expected. If any node drops off, freezes, locks up, or operates outside of designed parameters, one of the remaining 4 nodes on the network (each even on their own circuit breaker) will take over. Additionally each RaspberryPi functions as a GPIO / USB / I2C / Dallas 1-wire sensor input/output device - except the master Home Assistant node and a dedicated RPI for the SQL server, which was located in my office. And migrating this master node and related SQL to a VM on XCP-NG was easy-peezy, and required no changes to my High Availability design of Home Assistant. In fact, it brought new features even better assuring more resilient high availability features.

I'm not 100% sure of this, but via the Home Assistant forums, we are under the impression we have been operating one of the largest domestic installations of Home Assistant that exists out there. It controls over 80 electrical sockets, and another 68+ network controlled lights, over 20 different temp probes, two dozen+ electrical pumps (including 8 aquarium dosing pumps) , displays 10 residential security cameras, and streams another 10 public webcams at the local Dutch beaches (which my wife calls "Sunset Cams"), tracks overhead airplanes (as far as the coast of the UK) using ADS-B, tracks the International Space Station & crew members onboard (my wife works for the ISS), weather conditions, and much much more.

This solution also monitors my home-office network, once waking me up at 5am when one of my Cisco network switch's power supply failed. 15 minutes later, I'd had dropped in a cold-standby Cisco switch in it's place and was crawling back into bed. But the real life saver has been with the aquariums, whether it was reacting to overflow situations to Ground Fault Circuit failures (think ageing aquarium heaters that die / leak in the middle of the night) that result in unexpected power cuts (the aquariums have their own dedicated GFCI protected electrical circuits).

And of the 3 years we've had this Home Assistant solution (May 2017), 2 of those years the primary node has been running on XCP-NG on the Protectli hardware.

Originally, we started running XCP-NG on the Protectli with just 16GB of RAM and a 512GB SSD. Today, it's got 32GB of RAM and a 2TB SSD. The Protectli unit is wall mounted in my office and serves as a complete 100% replacement for all our former Cloud experiences, including Apple's iCloud / Office365 / GoogleDocs / WeTransfer / Dropbox / Maps and more. And we couldn't be more happy with this solution - so much so - my business partner and I are looking to launch a Edge based service using a similar combination of tools for the consumer / commercial market.

In March of this year, the Home Assistant Blog officially recognised my build and featured my implementation in the community spotlight.

https://www.home-assistant.io/blog/2020/03/15/community-highlights/

For those who are interested in my Home Assistant portion of the build, you can find full details on this epically long thread (TL;DR) here:
https://community.home-assistant.io/t/going-to-next-level-of-aquarium-automation-whos-with-me/18486
(There is a discrepancy in regards to the total number of aquariums - In Jan/Feb, we started shutting down several of my breeding and farming aquariums in the dedicated fish room because we are preparing for renovations in our house. Once those renovations are complete later this year, we'll be scaling back up to even more than 12 aquariums.)

If anyone has any questions about the Protectli hardware, let me know and I'll answer as best as I can.

And here's a couple of images about what I describe above, including 2 of my several aquariums - the 2.5 meter long Reef tank and a smaller dedicated anemone tank.

Finally, and again, many, many, many thanks to Oliver, the Vates Team and everyone in the XCP-NG community who has contributed to a most excellent OpenSource project. None of what I did here, would have been possible without all you contributing to this most epic effort.

PS - Oliver - if you're ever looking for enthusiastic and skilled XCP-NG resources, please let me know. Both my business partner (@bill-gertz - who's already contributed to the XCP-NG project with acme.sh improvements for OPNSense / pfSense implementations) and myself are more than capable and willing.

Well, it's been more than a week now and have only good news to report with running 7.6.

In fact, I'm rather stunned - as CPU usage / Load logging clearly demonstrates even significant performance gains on my my HomeLab production system (an i5 7200 Intel NUC-Like system with 6 Intel NICs & 24GB RAM / 500GB Samsung EVO SSD).

Running 4 Linux VMs / a BSD VM / a Windows10 VM on XCP-NG 7.5 - CPU perf was averaging around 25% & Load was around 0.4-5 average when under light load.

Now, running all those VMs on 7.6, CPU perf average has dropped to 10% and Load averages have also dropped to 0.1 - 0.15 under the same VM load as before.

My two other XCP-NG - a Disaster Recovery box and a Test Bed (a laptop from 2009) also appear to have realised similar performance gains as well.

I didn't see any mention of "performance gains" in this maintenance release, but I'm amazed and very impressed.

I did do complete fresh Installs on my production system & DR Box, and only did an upgrade on my Test Bed laptop. All 3 migrations to 7.6 went without a hitch.

Well done contributors and builders - well done indeed!

Absolutely, please be my guest.

BTW, if you're ever in the Netherlands and want to drop by The Hague for beer and a personal visit to see the whole setup, you have an invitation.

@badrAZ w00t! Thank you! I look forward to the update.

BTW, I went ahead and threw my updated XO CE into "production" here at home where it runs 10 VMs. So far no other issues seen by me. XCP-NG/XO.

Absolutely, please be my guest.

BTW, if you're ever in the Netherlands and want to drop by The Hague for beer and a personal visit to see the whole setup, you have an invitation.

So I woke up and saw this today:

https://xcp-ng.org/blog/2020/09/09/edge-case-2-protectli-hardware/

And a massive smile came across my face, because this is the solution I have cut my teeth on XCP-NG just over 2 years ago now, and is still reliably running my home and two person cybersecurity consultancy business with 9 VM's running 24/7, and another 3-4 VMs that we spin up whenever we need them.

Two years ago this month, I purchased a new Protectli model, the i5 7200u as a replacement system for my old and finally failed (blown caps) Firewall. While waiting for the shipment to arrive, I saw @olivierlambert give his presentation on forking Xen and the launch of XCP-NG. Already familiar with Xen through my previous employer (T-Mobile), I thought when my Protectli unit arrives, and before I launch it as a bare metal firewall on my network, I thought I'd try XCP-NG on it first. When I did, my mind was blown almost instantaneously for a few reasons.

First, there was a bit of a learning curve. I'd never actually installed / administrated a Xen server at my former employer - that wasn't our job. Specifying security requirements and performing pen-testing and audits of implementations was more our thing. Thanks in part to the members of the community that were here, and even Oliver himself (who graciously extended my XOA demo license & answered further technical questions I had) that learning curve was just weeks rather than months. And after some initial configuration experimentation and performance testing, I ended up launching our XCP-NG Protectli unit with a Firewall (pfSense) VM and our first completely virtualised DMZ. Fuller disclosure: I've run my own Email, Web and DNS servers from home since 1994. But this was the first time I've attempted to virtualise many of my servers running on bare metal. And I was so impressed, within a couple of months - I was virtualising nearly everything onto this box apart from my NAS units onto XCP-NG, including two RaspberryPi's. In fact, at the time, I made many jokes about how consolidating two very heavily loaded RaspberryPi 3B+ Units (sucking a total of 10+ watts) into XCP-NG on Protectli was resulting in electrical bill savings & huge performance gains on the apps that previously ran on those RPI's were now realised.

What was on those two RaspberryPi's? The master node of the first High Availability implementation of Home Assistant which I specifically built for monitoring, managing and automating my Nano Coral Reef and Marine Fish breeding farm, composed of 12 interconnected aquariums. It also controls our house too, but the aquarium aspect is really why I needed 99.7%+ uptime service availability. So I architected a high availability solution using RaspberryPi's that works in practice, not unlike the Space Shuttle or Dragon Crew Flight Systems computer. Each node is sanity checking the other nodes and ensuring it's still online and operating as expected. If any node drops off, freezes, locks up, or operates outside of designed parameters, one of the remaining 4 nodes on the network (each even on their own circuit breaker) will take over. Additionally each RaspberryPi functions as a GPIO / USB / I2C / Dallas 1-wire sensor input/output device - except the master Home Assistant node and a dedicated RPI for the SQL server, which was located in my office. And migrating this master node and related SQL to a VM on XCP-NG was easy-peezy, and required no changes to my High Availability design of Home Assistant. In fact, it brought new features even better assuring more resilient high availability features.

I'm not 100% sure of this, but via the Home Assistant forums, we are under the impression we have been operating one of the largest domestic installations of Home Assistant that exists out there. It controls over 80 electrical sockets, and another 68+ network controlled lights, over 20 different temp probes, two dozen+ electrical pumps (including 8 aquarium dosing pumps) , displays 10 residential security cameras, and streams another 10 public webcams at the local Dutch beaches (which my wife calls "Sunset Cams"), tracks overhead airplanes (as far as the coast of the UK) using ADS-B, tracks the International Space Station & crew members onboard (my wife works for the ISS), weather conditions, and much much more.

This solution also monitors my home-office network, once waking me up at 5am when one of my Cisco network switch's power supply failed. 15 minutes later, I'd had dropped in a cold-standby Cisco switch in it's place and was crawling back into bed. But the real life saver has been with the aquariums, whether it was reacting to overflow situations to Ground Fault Circuit failures (think ageing aquarium heaters that die / leak in the middle of the night) that result in unexpected power cuts (the aquariums have their own dedicated GFCI protected electrical circuits).

And of the 3 years we've had this Home Assistant solution (May 2017), 2 of those years the primary node has been running on XCP-NG on the Protectli hardware.

Originally, we started running XCP-NG on the Protectli with just 16GB of RAM and a 512GB SSD. Today, it's got 32GB of RAM and a 2TB SSD. The Protectli unit is wall mounted in my office and serves as a complete 100% replacement for all our former Cloud experiences, including Apple's iCloud / Office365 / GoogleDocs / WeTransfer / Dropbox / Maps and more. And we couldn't be more happy with this solution - so much so - my business partner and I are looking to launch a Edge based service using a similar combination of tools for the consumer / commercial market.

In March of this year, the Home Assistant Blog officially recognised my build and featured my implementation in the community spotlight.

https://www.home-assistant.io/blog/2020/03/15/community-highlights/

For those who are interested in my Home Assistant portion of the build, you can find full details on this epically long thread (TL;DR) here:
https://community.home-assistant.io/t/going-to-next-level-of-aquarium-automation-whos-with-me/18486
(There is a discrepancy in regards to the total number of aquariums - In Jan/Feb, we started shutting down several of my breeding and farming aquariums in the dedicated fish room because we are preparing for renovations in our house. Once those renovations are complete later this year, we'll be scaling back up to even more than 12 aquariums.)

If anyone has any questions about the Protectli hardware, let me know and I'll answer as best as I can.

And here's a couple of images about what I describe above, including 2 of my several aquariums - the 2.5 meter long Reef tank and a smaller dedicated anemone tank.

Finally, and again, many, many, many thanks to Oliver, the Vates Team and everyone in the XCP-NG community who has contributed to a most excellent OpenSource project. None of what I did here, would have been possible without all you contributing to this most epic effort.

PS - Oliver - if you're ever looking for enthusiastic and skilled XCP-NG resources, please let me know. Both my business partner (@bill-gertz - who's already contributed to the XCP-NG project with acme.sh improvements for OPNSense / pfSense implementations) and myself are more than capable and willing.

@badrAZ w00t! Thank you! I look forward to the update.

BTW, I went ahead and threw my updated XO CE into "production" here at home where it runs 10 VMs. So far no other issues seen by me. XCP-NG/XO.

@olivierlambert Thanks for asking.

I just grabbed a copy of XOA and I get the same issue / problem. Disk Used / Total is just blank on XOA and XO CE.

And XO CE version I just compiled and installed (on fresh Debian 10) today is:

Where the XOA version I just downloaded and used is:

Where as on my older version where Disk Used / Total was still displaying correctly was:

Also interesting note: Backups from the newest XO CE version did seem to otherwise work properly. It picked up on my existing Delta Backups where the former version left off - all performed as Delta updates of 10 VMs in just 4 minutes. And so far, no other oddness about this latest XO CE version seen.

Any ideas?

Did you ever figure out a solution to this problem? I just upgraded to the latest build of XOCE and also see the same problem - no Disk Used totals anymore. And I'm debating if I should go back to the older version of XO that worked without problems for the last several months or embrace the new one which has an obvious bug / problem.

Further's the case for OpenSource and XCP-NG, but still something for us all to keep our eyes on as it hits close to home.

https://www.theregister.co.uk/2019/03/08/citrix_hacked_data_stolen/

Well, it's been more than a week now and have only good news to report with running 7.6.

In fact, I'm rather stunned - as CPU usage / Load logging clearly demonstrates even significant performance gains on my my HomeLab production system (an i5 7200 Intel NUC-Like system with 6 Intel NICs & 24GB RAM / 500GB Samsung EVO SSD).

Running 4 Linux VMs / a BSD VM / a Windows10 VM on XCP-NG 7.5 - CPU perf was averaging around 25% & Load was around 0.4-5 average when under light load.

Now, running all those VMs on 7.6, CPU perf average has dropped to 10% and Load averages have also dropped to 0.1 - 0.15 under the same VM load as before.

My two other XCP-NG - a Disaster Recovery box and a Test Bed (a laptop from 2009) also appear to have realised similar performance gains as well.

I didn't see any mention of "performance gains" in this maintenance release, but I'm amazed and very impressed.

I did do complete fresh Installs on my production system & DR Box, and only did an upgrade on my Test Bed laptop. All 3 migrations to 7.6 went without a hitch.

Well done contributors and builders - well done indeed!

First off, thanks to @Aimdev and @fjen for providing a good write up of the steps taken to get USB passthrough to work.

I followed them all pretty much with out any difficulty and with no errors on anything for a Broadcom Bluetooth USB card (Broadcom Corp._BCM2045B) that's built into my laptop I'd like to pass through to a Linux VM.

And I get all the way up to where the USB device is correctly presented in the XCP-ng Centre application, but the device doesn't [seem to] appear at the OS level in dmesg | grep usbcore or lusb outputs in my guest OS VM.

However, since I didn't any failure to start the vm or other errors, I had not executed the final command: xe vm-param-set uuid=<VM UUID> platform:device-model=qemu-upstream-compat

But since the Broadcom chip still didn't appear in the guest Linux VM, I shutdown the VM and then executed the above command with the VM UUID.

But after a restart, the VM still doesn't see the Broadcom USB device.

Any idea what could be up or suggestions where I need to dig?

@borzel Okay, I'll wait. I just was very much wanting to help test them. This whole system is a 'test system' for me to play with.

Enjoy your vacation.

@borzel said in [Test] XCP-ng 7.5.0 Windows PV-Drivers and Management Agent:

currently we don't have them

I'm confused now. I thought that's what I was installing....I am running XCP-ng 7.5 here. I haven't downloaded anything from Citrix at all.

Edited to add: Okay, I just went back and re-installed Windows10 from scratch and see I end up automatically with XenServer PV drivers. How do I get the XCP-ng pre-release PV drivers installed then?