RE: High Fan Speed Issue on Lenovo ThinkSystem Servers

The kernel RPM integrating the patch is now available on the xcp-ng-testing repo. So you can already upgrade and use it. To do this, here are the commands:

yum clean metadata --enablerepo=xcp-ng-testing
yum update kernel --enablerepo=xcp-ng-testing
reboot

It will be released to all our users in an upcoming security update or update train. We don't have a date yet.

New update candidates for you to test!

As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users.

The moment to release such a batch has come, so here they are, ready for user tests before the final release.

• XAPI:
  • Synced with XS82ECU1074
    • Enhancement: robustification of the command xe host-emergency-ha-disable
    • Correction of different issues:
      • Performing a hard shutdown of a VM may hang due to unnecessary RBCA permission checks. An icon (yellow triangle) may then be displayed on some management applications, indicating that the shutdown process did not complete successfully.
      • Canceling a hard shutdown of a hung VM fails because the cancel function only checks for proper shutdowns.
      • Migrating VMs from 8.2.1 to 8.3 with the xe vm-migrate command may fail with the error 'Failure: Unknown tag/contents'.
      • You may encounter a 500 error (internal server error) when trying to retrieve RRD measurements from a powered off virtual machine.
• xsconsole:
  • Synced with XS82ECU1074: Fix for a time-out when creating an iSCSI SR.
• guest-templates-json:
  • Add generic templates for Linux BIOS and UEFI
  • Synced with XS82ECU1085:
    • Oracle 8 requires minimum 2 vCPUS.
    • Added template for Ubuntu 24.04
• sm:
  • Synced with XS82ECU1075
    • Updated multipath.conf for several SANs
    • Fix for CA-393194: Find the real PV in a VG before removing the VG.
• blktap: Synced with XS82ECU1075: Improvements on coalesce performance.
• curl: Backport fixes for several CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, CVE-2024-6197, CVE-2024-7264
• openssl: Update to version 1.0.2k-26 from CentOS 7 updates and backports of available CVE fixes from openssl upstream. Update from CentOS 7 Includes fixes for CVE-2021-3712, CVE-2022-2078 and CVE-2023-0286. Backport are fixing CVE-2019-1547, CVE-2019-1551 and CVE-2019-1563.
• xs-openssl: Rebased on version 1.1.1k-12 from CentOS 8 Stream. Include fixes for CVE-2023-5678, CVE-2023-3446, CVE-2023-3817 and a proper fix for CVE-2020-25659.
• zstd: Update to version 1.5.5 to avoid an extremely rare cases of corruption
• xcp-ng-xapi-plugins: Enhance error reporting when a command run on a host fails.
• xenserver-status-report: Update to latest version, synced with XS82ECU1058
• python-defusedxml: Added as a new dependency of xenserver-status-report.
• Alternate Drivers: Updated to newer versions.
  • intel-i40e-alt: From version 2.22.20-3.1 to 2.22.20-5.1
  • mellanox-mlnxen-alt: From version 5.9.0.5.5.0-1.1 to 5.9.0.5.5.0-1.2
  • More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).
• New alternate driver mlx4-modules-alt: To resolve some issues with CX3 cards and SR-IOV, we added an updated version 4.9-7.1.0.0-LTS of this driver.
• kernel-alt: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.

As a dependency of XOSTOR:

• http-nbd-transfer:
  • Try to open device and start HTTP server before notifying the user
  • Install pyc and pyo files

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• blktap: 3.37.4-4.1.xcpng8.2
• curl: 8.6.0-2.2.xcpng8.2
• forkexecd: 1.18.3-12.1.xcpng8.2
• gpumon: 0.18.0-20.1.xcpng8.2
• guest-templates-json: 1.10.7-1.2.xcpng8.2
• http-nbd-transfer: 1.4.0-1.xcpng8.2
• message-switch: 1.23.2-19.1.xcpng8.2
• ocaml-rrd-transport: 1.16.1-17.1.xcpng8.2
• ocaml-rrdd-plugin: 1.9.1-17.1.xcpng8.2
• ocaml-tapctl: 1.5.1-17.1.xcpng8.2
• ocaml-xcp-idl: 1.96.7-6.1.xcpng8.2
• ocaml-xen-api-client: 1.9.0-20.1.xcpng8.2
• ocaml-xen-api-libs-transitional: 2.25.7-1.1.xcpng8.2
• openssl: 1.0.2k-26.2.xcpng8.2
• python-defusedxml: 0.7.1-1.xcpng8.2
• rrd2csv: 1.2.6-17.1.xcpng8.2
• rrdd-plugins: 1.10.9-14.1.xcpng8.2
• sm: 2.30.8-13.1.xcpng8.2
• sm-cli: 0.23.0-63.1.xcpng8.2
• squeezed: 0.27.0-20.1.xcpng8.2
• varstored-guard: 0.6.2-17.xcpng8.2
• vhd-tool: 0.43.0-20.1.xcpng8.2
• wsproxy: 1.12.0-21.xcpng8.2
• xapi: 1.249.38-1.11.xcpng8.2
• xapi-nbd: 1.11.0-19.1.xcpng8.2
• xapi-storage: 11.19.0_sxm2-19.xcpng8.2
• xapi-storage-script: 0.34.1-18.1.xcpng8.2
• xcp-networkd: 0.56.2-17.xcpng8.2
• xcp-rrdd: 1.33.4-6.1.xcpng8.2
• xenopsd: 0.150.19-5.1.xcpng8.2
• xenserver-status-report: 1.3.16-3.xcpng8.2
• xcp-ng-xapi-plugins: 1.10.1-1.xcpng8.2
• xs-opam-repo: 6.35.13-4.xcpng8.2
• xs-openssl: 1.1.1k-12.3.xcpng8.2
• xsconsole: 10.1.13.1-2.1.xcpng8.2
• zstd: 1.5.5-1.el7

Optional packages:

• kernel-alt: 4.19.265-2.xcpng8.2
• Alternates drivers:
  • intel-i40e-alt: 2.22.20-5.1.xcpng8.2
  • mellanox-mlnxen-alt: 5.9_0.5.5.0-1.2.xcpng8.2

New optional package:

• mlx4-modules-alt: 4.9_7.1.0.0-1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~1 week.

The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/11/04/november-2022-security-update/

Update published: https://xcp-ng.org/blog/2025/01/23/january-2025-maintenance-update-for-xcp-ng-8-3/

Thank you for the tests!

New update candidates for you to test!

A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.

• amd-microcode: Update AMD microcode to the 2024-11-21 drop
  • Updates firmware for families 17h and 19h CPUs. For the first time, AMD published updates for non-server CPUs. One can assume that they started supporting microcode update for these, contrarily to what they did in the past, and that these updates thus fix various bugs and vulnerabilities. This is only (sensible) speculation at the moment, though.
• grub: Backport VLAN networking support for UEFI PXE boot.
• iperf3: Upgrade to version 3.9-13 from CentOS 7
  • Includes a security fix for CVE-2023-38403
• kernel: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.
• kexec-tools: Backport of a patch removing kernel_version(). Fixing a bug for kernel with a patchlevel greater than 255.
• netdata: Fixed an issue that could occur when quickly uninstalling the package, right after an unfinished installation, and leave a service in an undetermined status.
• slang: Fixed display and input issues in optional package mc.
• sm: Contains a fix for leaf coalesce where the size of the leaf to coalesce was wrongly computed before deciding if it was a live coalesce or not, it resulted in some leaf having too much data to coalesce not successing the live coalesce and staying in this state indefinitely.
• xapi:
  • Fixed a malfunction related to the absence of a certificate, which could cause a loop.
  • Fixed and improved various points in IPv6, related to management, reboot and re-initialization.
• xo-lite: Update to version 0.6.0. For more details, you can consult the blog post on the latest release of Xen Orchestra.

Optional packages:

• kernel-alt: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.
• socat: Update the package to version 1.7.4.1 which includes a fix for a buffer overflow and security fixes.
• traceroute: Updated to version 2.1.5.
• Alternate Drivers: Updated to newer versions.
  • broadcom-bnxt-en-alt: From version 1.10.2_227.0.130.0 to 1.10.3_231.0.162.0
  • intel-i40e-alt: From version 2.22.20-3.1 to 2.26.8
  • More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).

Test on XCP-ng 8.3

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• amd-microcode: 20240503-1.1.xcpng8.3
• grub: 2.06-4.0.2.1.xcpng8.3
• iperf3: 3.9-13.xcpng8.3
• kernel: 4.19.19-8.0.37.1.xcpng8.3
• kexec-tools: 2.0.15-20.1.xcpng8.3
• netdata: 1.44.3-1.2.xcpng8.3
• slang: 2.3.2-11.xcpng8.3
• sm: 3.2.3-1.13.xcpng8.3
• xapi: 24.19.2-1.9.xcpng8.3
• xo-lite: 0.6.0-1.xcpng8.3

Optional packages:

• kernel-alt: 4.19.322+1-1.xcpng8.3
• socat: 1.7.4.1-6.xcpng8.3
• traceroute: 2.1.5-2.xcpng8.3
• Alternate drivers:
  • broadcom-bnxt-en-alt: 1.10.3_231.0.162.0-1.xcpng8.3
  • intel-i40e-alt: 2.26.8-1.xcpng8.3

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

New security update candidates (xen)

Xen is being updated to mitigate some vulnerabilities:

• XSA-326: Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored.
• XSA-419: Xenstore: Cooperating guests can create arbitrary numbers of nodes
• XSA-414: A malicious guest can cause xenstored to crash, resulting in the inability to create new guests or to change the configuration of running guests.
• XSA-415: Xenstore: Guests can create orphaned Xenstore nodes
• XSA-416: Xenstore: Guests can cause Xenstore to not free temporary memory
• XSA-417: Xenstore: Guests can get access to Xenstore nodes of deleted domains
• XSA-418: Xenstore: Guests can crash xenstored via exhausting the stack
• XSA-420: Oxenstored 32->31 bit integer truncation issues. A malicious or buggy guest can write a packet into the xenstore ring which causes 32-bit builds of oxenstored to busy loop.
• XSA-421: Xenstore: Guests can create arbitrary number of nodes via transactions

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot

Versions:

• xen-*: 4.13.4-9.27.1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

The update is published. Thanks for your tests!

Blog post: https://xcp-ng.org/blog/2022/10/14/october-2022-security-update/

New security update candidates (xen, linux-firmware, edk2, xapi)

Xen and XAPI are being updated to mitigate some vulnerabilities:

• XSA-410: Two privileged users in two guest VMs, in collaboration, can crash the host or make it unresponsive.
• XSA-411: Correct a flaw in XSA-226 that allows DoS attacks from guest kernels to harm the whole system.
• XSA-413: The management service on the host can become unresponsive or crash by the means of an unauthenticated user on the management network.

In this release, there are also the following fixes and improvements:

• XAPI, issues resolved:

  • When you had an active VIF connected on dom0, you couldn't delete that VIF or the associated network, including VLAN.
  • When certificates contain the \r character, the xe host-get-server-certificate command can incorrectly output it.

• xen, linux-firmware, edk2:

  • Issues resolved:
    • Sometimes a VM freezes when a graphics-intensive application run
    • Sometimes guest UEFI firmware hangs
  • Improvements:
    • AMD microcode is updated to version 2022-09-30
    • Improvements to Xen diagnostics.

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update edk2 linux-firmware xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools forkexecd message-switch xapi-core xapi-tests xapi-xe xcp-rrdd xenopsd xenopsd-cli xenopsd-xc --enablerepo=xcp-ng-testing
reboot

Versions:

• edk2-20180522git4b8552d-1.4.6.xcpng8.2
• linux-firmware-20190314-5.xcpng8.2
• xen-*: 4.13.4-9.26.1.xcpng8.2
• forkexecd-1.18.1-1.1.xcpng8.2
• message-switch-1.23.2-3.2.xcpng8.2
• xapi-*: 1.249.26-2.1.xcpng8.2
• xcp-rrdd-1.33.0-6.1.xcpng8.2
• xenopsd-*: 0.150.12-1.2.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

The update is published. Thanks for your tests!

Blog post: https://xcp-ng.org/blog/2022/10/05/october-2022-maintenance-update/

Update released. Thanks everyone for testing!

https://xcp-ng.org/blog/2022/05/16/may-2022-security-update/

This is not an XO behavior, but rather a Xapi behavior, and therefore a XCP-ng behavior.

When you join a host to a pool, the administrator password for the joining host is automatically changed to match the administrator password of the pool master.

Source

From a security perspective, this isn't a risk, because when you run a command on any of the hosts in a pool, the master responds. So, as long as you're connected to a pool member, you have access to the entire pool via xe commands.

@enrikSchmidt We don't currently offer regular ISO builds. The most recent ISOs are available.

The driver you're talking about is integrated into the kernel, and to my knowledge, there are no updates for it at the moment. @ndrew is currently working on an alternate driver package, but the PR seems to be waiting for his response.

This type of driver can be loaded at the beginning of the installation with an ISO by pressing F9 when the menu prompts. You can then load an additional driver for the installation, and install it on the future system later in the procedure when prompted.

As this is not an issue with the latest updates, I suggest you create a dedicated thread. This would give you better visibility and help from the community on this issue.

@lexanderK CI/QA is our testing and integration environment. We run a number of tests to validate that XCP-ng works properly with these new versions, before making them available to our testers in the testing repository.

New update candidates for you to test!

As we move closer to making XCP-ng 8.3 the new LTS release, taking over from XCP-ng 8.2.1, a first batch of updates is now available for user testing ahead of a future collective release. Details are provided below.

• amd-microcode: Packaging and versioning update, but no actual changes in microcodes.
• blktap: Fixes.
• broadcom-bnxt-en: bug fix: "Backport patch to fix GSO type for HW GRO packets on 5750X chips"
• busybox: backport fixes for CVE-2018-20679 and others.
• gpumon: No major changes. Rebuild for dependency reasons.
• guest-templates-json: Add templates for Windows server 2025 and Ubuntu 24.04. Remove "preview" from a few template names.
• host-upgrade-plugin: Update to version 3.0.1 which transitions to python 3 and brings some fixes.
• intel-i40e: Update to version 2.25.11
• interface-rename: Sync with XenServer, but this only changes packaging details.
• ipxe: Rebuild.
• jemalloc: Updated to version 5.3.0.
• lvm2: Fixes.
• microsemi-smartpqi: Update to version 2.1.30_031
• ncurses: Updated to upstream 6.4-20240309 revision. Some minor improvements.
• net-snmp: Rebase on XenServer version 5.7.2-52, which incorporates fixes for CVE-2022-24805 and CVE-2022-24809
• openssh: fix CVE-2025-26465
• qemu: Rebuilt with new version of jemalloc.
• qlogic-qla2xxx: Update to version 10.02.12.01_k
• sm: (Storage manager):
  • Logging improvements
  • Minor fixes regarding race conditions
  • Robustify snapshots and a few XAPI calls
  • Send message to XAPI if the garbage collection process doesn't have enough space.
  • Multipath configuration updates for some vendors.
  • Preliminary work for future XOSTOR support and over 2TB VM disks.
• sm-core-libs: fixes.
• vmss: Synchronization with the latest package from XenServer, which replaces the use of a deprecated dependency (imp module) by another.
• xapi:
  • Update to version 24.39.1
  • Many fixes and improvements, among which:
• Improve logging during live storage migration
  • Lengthy VDI migrations were mistakenly canceled upon reaching a 12-hour time limit.
  • Faster starting VMs when they have multiple VIFs or in conditions where the database is under heavy load.
  • High availability occasionally fails to process heartbeats in time when there are a lot of hosts in a pool. Consequently, the host that is unable to process heartbeats is flagged as offline and self-fences.
  • IPv6-related fixes.
  • Configurable threshold for updating last_active
  • Many under the hood improvements or fixes.
  • Added python dependencies for opentelemetry support: pyproject-rpm-macros, python-aiocontextvars, python-charset-normalizer, python-contextvars, python-deprecated, python-idna, python-immutables, python-opentelemetry, python-requests, python-typing-extensions, python-urllib3, python-wheel, python-wrapt, python3-setuptools.
• xcp-ng-release:
  • Sync with xenserver-release-8.4.0-14. (XCP-ng release number remains 8.3.0)
  • Update dependencies between systemd services.
  • Enable new RRDD plugins
• xcp-python-libs: Sync with XenServer, but this only changes packaging details.
• xen: Synchronization with package 4.17.5-6 from XenServer:
  • Fix migration of VMs from XCP-ng 8.2 to XCP-ng 8.3 when the guest is using BHI_DIS_S
  • Initial AMD Turin support
  • Fix dom0 pIRQ limit calculation
  • Fix emulation of BMI1/2 instructions
• xenserver-status-report: Minor update to add scsi disk provisioning mode in the output from this debug tool.
• xo-lite: As described in Xen Orchestra's blog, added VM creation page and form and Display vifs list in vm view and vifs information in side panel
• xs-opam-repo: Update to version 6.86.0 as a dependency for xapi
• xsconsole: Improved xenapi error handling & reintroduced Portable SR feature

Test on XCP-ng 8.3

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• amd-microcode: 20241121-1.1.xcpng8.3
• blktap: 3.55.4-1.1.xcpng8.3
• broadcom-bnxt-en: 1.10.2_223.0.183.0-2.xcpng8.3
• busybox: 1.22.1-7.xcpng8.3
• gpumon: 24.1.0-32.1.xcpng8.3
• guest-templates-json: 2.0.13-1.1.xcpng8.3
• host-upgrade-plugin: 3.0.1-1.xcpng8.3
• intel-i40e: 2.25.11-2.xcpng8.3
• interface-rename: 2.0.6-1.1.xcpng8.3
• ipxe: 20121005-1.0.7.xcpng8.3
• jemalloc: 5.3.0-1.xcpng8.3
• lvm2: 2.02.180-18.1.xcpng8.3
• microsemi-smartpqi: 2.1.30_031-1.xcpng8.3
• ncurses: 6.4-5.20240309.xcpng8.3
• net-snmp: 5.7.2-52.1.xcpng8.3
• openssh: 7.4p1-23.3.2.xcpng8.3
• pyproject-rpm-macros: 1.8.0-4.1.xcpng8.3
• python-aiocontextvars: 0.2.2-3.1.xcpng8.3
• python-charset-normalizer: 2.1.0-4.1.xcpng8.3
• python-contextvars: 2.4-3.1.xcpng8.3
• python-deprecated: 1.2.14-3.1.xcpng8.3
• python-idna: 3.3-4.xcpng8.3
• python-immutables: 0.19-5.xcpng8.3
• python-opentelemetry: 1.12.0-1
• python-requests: 2.28.1-4.1.xcpng8.3
• python-typing-extensions: 3.7.4.3-4.xcpng8.3
• python-urllib3: 1.26.15-4.1.xcpng8.3
• python-wheel: 0.31.1-5.el7_7
• python-wrapt: 1.14.0-4.xcpng8.3
• python3-setuptools: 40.4.1-1.0.1.xcpng8.3
• qemu: 4.2.1-5.2.12.1.xcpng8.3
• qlogic-qla2xxx: 10.02.12.01_k-1.xcpng8.3
• sm: 3.2.12-3.1.xcpng8.3
• sm-core-libs: 1.1.2-1.xcpng8.3
• vmss: 1.2.1-1.xcpng8.3
• xapi: 24.39.1-1.3.xcpng8.3
• xcp-ng-release: 8.3.0-30
• xcp-python-libs: 3.0.4-2.1.xcpng8.3
• xen: 4.17.5-6.1.xcpng8.3
• xenserver-status-report: 2.0.7-1.xcpng8.3
• xo-lite: 0.9.1-1.xcpng8.3
• xs-opam-repo: 6.86.0-1.1.xcpng8.3
• xsconsole: 11.0.8-1.1.xcpng8.3

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

I think the XO team (@xen-orchestra) will be better able to answer this question

We encourage you to reply in the original thread and not to open new threads for the same issue: https://xcp-ng.org/forum/topic/10633/status-of-pvh

It will allow those trying to help you to have a complete history of the information.

This will be more effective in getting help and, therefore, a resolution

I just received their answer, and this behavior will be changed. The update will be available in a future release of Xen Orchestra.

Thanks for your feedback

I have just forwarded this question to the Xen Orchestra team so they can provide us with more information on this.

Have you seen this blog post?

https://xcp-ng.org/blog/2022/01/17/removing-support-for-32-bit-pv-guests/

There is a solution given in it in relation to this action.

@avx8342 vTPM is not available in 8.2. You will not be able to use this option there.

However, Xostor is coming very soon to XCP-ng 8.3, as we announced in this blog post: https://xcp-ng.org/blog/2025/03/14/the-future-of-xcp-ng-lts/

Probably within one or two months. Indeed, we are doing everything possible to offer XCP-ng 8.3 as LTS, with Xostor, as soon as possible.