@fx991 the SR scans can and have been helpful in detecting storage issues for me. Sometimes when my ISO library goes offline but XCP-ng has not detected the failure and still shows it as connected I usually notice it from the long running SR scans that get stuck.
The "Connection to VM console..." task is when you have a console window open to a VM or Host...hence the reason why you can't cancel/end it...if you want to get rid of it then close all open console windows
@FPIT ok, let me know about 1 & 2
@FPIT I would say to further troubleshoot the limited connectivity issues first...
A few things that jump to mind right away
This one is the least likely culprit
3) Is you host management configured to use DHCP?(based on the blank console, though it would not explain the connectivity issues unless DHCP is not providing all necessary information for the network)
I've seen that before where when you initially set the management IP via DHCP it breaks the console when the IP changes. XCP-ng does seem to register that the IP has changed and so it does not update the console URI.
We were able to resolve the issue by setting the IP statically on the XCP-ng node(I believe a reboot was also required). That updated the console's URI and it was working again in XCP-ng Center and XO.
@olivierlambert Awesome and thank you for the follow-up.
@olivierlambert said in Citrix Hypervisor 8.1 released:
Sadly I have no DVSC knowledge myself, so it would be great if you are able to explain in a kind of simple "high level specification" (eh "doing this in the UI with a screenshot, it does that") in a Github issue for SDN plugin, we might implement it on our side
A bit of good news is that the DVSC works out of the box with XCP-ng 8.0. Though I have not tested it in conjunction with the SDN plug-in. 
After importing the DVSC and adding it to the resource pool:
.1) Select the VM you want to apply security ACLs to
.2) Select "Access Control" and here you can create a network ACL policy to control traffic to and from the VM (by default there are no restrictions) 
.3) Apply your desired network security policy to the VM 
Results
Allows ping to 8.8.8.8 but blocks ping to 8.8.4.4 since it is not allowed in ACL policy
Allows access to HTTP web server as defined in the the VM network ACL policy and blocks access to the other 
Restricts SSH access to trusted hosts
I actually like the current implementation. I am currently using this setup to allow an admin user to have 2 accounts managed by one authentication back-end.
One account is a typical self-service user to consume resources according to ACL/Self-service rule sets
The other account is used to manage Admin features like backups and XO settings (environment with multiple admins who also consume resources from a shared pool with other departments/teams)
I use separate accounts so when admin users create VMs it can go to the appropriate self-service container. I hope any fixes to address the above concern doesn't completely remote this capability or at least adds another method of achieving this. 
@olivierlambert the idea of iptables for the VM, Ansible etc. were just other options I looked into as alternatives because DVSC was not my first choice option due to its limitations of only supporting IE and the "heavy" DVSC appliance
The specific feature that I wanted to use is the "Access Control policies" to achieve something similar to AWS security groups. https://docs.citrix.com/en-us/citrix-hypervisor/vswitch-controller/virtual-network-visibility.html#set-up-access-control-policies
@olivierlambert said in XO Hub Template: what do you want next?:
Do you have DHCP enabled on this network?
Its probably as @olivierlambert is indicating. I have some custom templates that originally were planned to work with static IPs but it was too cumbersome to use as the static IP information had to be passed in the user config settings which made it prone to errors from user input.
Until the cloud-init network config option works...DHCP is the way to go.
@stormi said in Updates announcements and testing:
FYI: https://support.citrix.com/article/CTX235404
"Important: Updating to this version of the driver removes the quiesced snapshots capability of the VM. If you are using quiesced snapshots and wish to retain this functionality, do not adopt these 9.0.0.x drivers."
They do not tell about crashing VMs though
I read the support article hoping for more details on how to "...retain this functionality, do not adopt these 9.0.0.x drivers." but the article does not mention that either.
I did not opt to install the new guest tools at any point. I only shutdown the VM to complete the host patches.
Also see the image below, unless it installs guest tools through a side channel that does not show in the Windows updates history.
Would simply disabling the "Windows Update tools" advanced option in XOA/XO stop it from adopting the new guest tools?
@olivierlambert at this time the only feature that I was interested in is the VM level access control list function
I was working on a plan to build a pool with an internal network and an external network connected directly to the Internet. I wanted a central solution for controlling IP and port access for VMs on the external network and after much research and planning I ended with the vSwitch controller despite its annoying dependency on IE.
The main reason I was planning to settle with the vSwitch controller was because of its ability to enforce the access control list policy. The other ideas I entertained were:
Set iptable rules within the VM....but if a user changes the rule set or disables the firewall then it no longer matches the approved/required policy
Use and automation tool like Ansible....but it also faces an issue if the user changes the rule set or disables the firewall within the VM
Searched for paid solutions(software and/or SaaS) that could achieve this task....I did find one solution that claimed to offer just that but it seems the company behind it is no longer active. I also found other solutions that offer it as part of a bigger $100K type solution that is currently out of scope budget wise
In the end I was planning to settle with the vSwitch controller because I found no other viable solution and it can enforce the rule set/policy outside of the VM's control space....until I saw the plans to deprecate the feature 
@akurzawa I also experienced an issue after the update as well. After the host rebooted and I tried turning on a Windows 10 VM it hung on the Windows boot screen.
I eventually force rebooted
Force shutdown + Change CPU and RAM (not sure if the resource adjustments helped of not)
Start VM and it came up in Windows recovery mode
In the windows recovery mode I just exited and it continued the boot process. This time it booted successfully but I was greeted with the below message upon login.
I had to use XCP-ng center to use keyboard shortcuts to select yes on the dialog box as mouse input was not working. After the restart everything is working as usual again.
I also have the Windows Updates based guest tools enabled on this VM.
@stormi I think this has to do with the new version of guest tools Citrix has pushed from their release of CH8.1. Checking the services they now show major version 9. Not sure if @akurzawa is facing the exact same issue or a variant of it?
I'm honestly looking forward to the removal of DMC. It has caused more issues for me than it offers benefits 
I can see how this can cause problems for those who relied on it to over subscribe memory resources though.
Also noticed they are deprecating the vSwitch Controller. 
@olivierlambert do you and the team have any plans to offer a solution that may fulfill some of the missing functions from the vSwitch Controller like VM Access Control List (ACL) rules or any other types of ACLs for network traffic as part of the SDN plug-in or some other plug-in?
I did the November 2019 updates for XCP-ng 8 on a standalone host as well as a 3 node cluster. No problems so far. 
@olivierlambert Awesome first start (pfSense 
), love the idea! Where is Ubuntu? 
Also I saw Alpine and the first thought that jumped to mind was a template for a vRouter. A lot of multi-tenant cloud platforms like Opennebula, CloudStack, etc offer virtual router images in their respective stores/hubs.
This use case pairs well with the introduction of the SDN controller and private networks. The vRouter template can be configured with 2 or more vifs. One vif to the WAN and the other vif to a SDN private network as the LAN. The vRouter can be the gateway device for the SDN private network routing traffic to the Internet or other external networks outside of the private network supporting NAT, ACLs, VPN, Load balancing, etc.
Some of these features would require more advanced integration with cloud-init like being able to provision IPs from the XO/XOA IP Pool to VMs. The pfSense template can be used to achieve the vRouter functionality as well but at a large disk footprint.
I have no specific use case for it right now but something to consider.
