RE: Debian 12 cloud image SSH key

@hypernoob That's just the key's name, I use keys with long complicated names too and had no problem. What did ssh -vv tell you?

@hypernoob I suggest this procedure instead:

• Get the Debian genericcloud QCOW2 image off of here: https://cdimage.debian.org/images/cloud/
• Convert to VHD: qemu-img convert -O vpc debian-12-genericcloud-amd64.qcow2 debian-12-genericcloud-amd64.vhd
• Import the converted VHD into XO
• Attach to empty Debian VM, set to boot from hard drive and convert to template
• Create new VMs from this template, adding your ssh keys and guest agent in cloud config if desired:

#cloud-config
hostname: {name}
ssh_authorized_keys:
  - ssh-rsa ...
apt:
  sources:
    xen-guest-agent:
      filename: xen-guest-agent.list
      source: deb [trusted=yes] https://gitlab.com/api/v4/projects/xen-project%252Fxen-guest-agent/packages/generic/deb-amd64/ release/
      append: false
packages:
  - xen-guest-agent

The same procedure will work with Ubuntu, Alma and other cloud images.

@moterpent It sounds more like a firmware issue when trying to create new Boot#### UEFI variables rather than running out of disk space. It might help to delete some existing OS boot entries before attempting to install.

@Pierre-Briec You can try something like Mailjet.

@bberndt Both the Citrix and XCP-ng Windows drivers require several reboots to upgrade because they are stateful and need to keep track of changes in the bus driver. They do have an "autoreboot" feature that will take care of the reboots by themselves based on a registry value. You can refer to our update guide for more details. Though I do hope to find a way to reduce excessive reboots eventually.

Often its completely offline, and an Admin needs to get on the VPN, log in to XO or XCP-center, and go to the VM console, and reboot, and or put the IP information back in to a new virtual ethernet interface.

Static IP loss was a bug and shouldn't happen any more with the new Citrix drivers.

@AlexQuorum Yes that's the one I was referring to. Citrix = XenServer, they just rebranded a few times.

@AlexQuorum Xeniface 9.1.10.87 is a vulnerable version. Do you have the Manage drivers via Windows Update option enabled? If so you should be able to get the newest drivers by just running Windows Update. Some drivers may also be found in Optional updates - Driver updates.

@TheNorthernLight Yes. Be sure to use the legacy mitigation script linked here (not the ones linked elsewhere) as it's the only one that works on Server 2012 R2. If you're using XO 5.107.2 or later, you can also set the HIDE_XSA468 tag to hide the alert.

@TheNorthernLight New drivers are not compatible with 2012R2 any more (MS killed support for building drivers on 2012R2 some time ago). You can try our legacy mitigation script.

@MK.ultra Do you have the "Manage Citrix PV drivers via Windows Update" option enabled on these VMs? If so they'll need to be updated via Windows Update. If not, try XenClean to remove all the existing drivers and install clean 9.4.1 ones.

Hi all,

I've uploaded a version of the mitigation script Install-XSA468Workaround-Win7.ps1 with unofficial support for down to Windows 7/2008R2 and 8/8.1/2012/2012R2.

Reminder: this is purely unofficial support and not tested on all listed OSes yet. The mitigation script itself is meant as a last resort only when you absolutely cannot update; it does not mitigate all vulnerabilities and it does not replace updating your drivers.

@Tristis-Oris @TrapoSAMA

@TrapoSAMA Where did you get the fixed Xen drivers from? Please see my answer below.

@Tristis-Oris I don't think there's any fixed drivers out there that works on 2012/2012R2. (Microsoft killed support for that some time ago in their new Windows driver kit, and support for Windows 8 was removed upstream since Nov 2023)

Seeing that 2012/2012R2 are still quite popular I'll try to make a mitigation script for those.

@TrapoSAMA Windows Server 2012/2012R2 are no longer supported by our (XCP-ng) drivers nor by XenServer drivers.

@flakpyro What do you get from this command?

xe vm-param-get uuid=<uuid> param-name=PV-drivers-version

@stormi It sounds like the issue we encountered in CI with the management agent not restoring version numbers after migration.

@conitrade-as This is a known issue when upgrading from XS WinPV 9.3.0 and below: https://support.citrix.com/s/article/CTX235403-updates-to-xenserver-vm-tools-for-windows-for-xenserver-and-citrix-hypervisor

@conitrade-as @DustinB Thanks, reported the template issue to XO team.

@conitrade-as I saw that on your Windows 10 VM, the "Manage Citrix PV drivers via Windows Update" option is enabled. That one might have needed a Windows Update to install the fixed drivers. Do you have that option enabled in other VMs?

@DustinB Do you have the newest pool updates? The warning depends on that.

@conitrade-as The XAPI update was backported to 8.2.1 LTS so you could update your hosts for the new display.

@DustinB If you're coming from old XenServer tools to new, no need to uninstall.

@conitrade-as Installing the XenServer 9.4.1 tools and rebooting (a couple times) will be enough. Do your VMs show as vulnerable (red) or unable to detect (orange)? There are some new host XAPI updates for correcting driver version reporting that are needed for the XO feature to work.