You can find information about kernel-alt here: https://docs.xcp-ng.org/installation/hardware/#-alternate-kernel
Posts made by gduperrey
-
RE: High Fan Speed Issue on Lenovo ThinkSystem Servers
-
RE: XCP-ng 8.3 beta 🚀
A new version of xo-lite for XCP-ng 8.3 has been released:
Version:
xo-lite-0.2.1-1.xcpng8.3
You can update it like this:
yum update xo-lite
For more information about the changes between version 0.1.3 or 0.2.0 and 0.2.1, you can consult this link: https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/lite/CHANGELOG.md
-
RE: Updates announcements and testing
The updates have been published; thank you for testing them out.
https://xcp-ng.org/blog/2024/03/29/march-2024-maintenance-update/
-
RE: Updates announcements and testing
New update candidates for you to test!
As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users.
The moment to release such a batch has come, so here they are, ready for user tests before the final release.
- openvswitch:
  - CVE-2023-1668: Correct a flaw when processing an IP packet with protocol 0.
  - CVE-2023-5366: Apply the patch for OpenFlow and neighbor discovery target with IPv6
  - CVE-2023-3966: Correct a vulnerability with "crafted Geneve packets causing invalid memory accesses and potential denial of service".
- blktap:
  - Synced with XS82ECU1056:
    - Bugfix for time out on NFS tasks which can sometimes exceed the configured value.
    - Improve the error handling for some lost iSCSI connection.
- sm:
  - Support NFS servers which only offer NFSv4. The discovery process for such servers differs from that of servers which offer also NFSv3, so the SR driver had to be improved.
  - Synced with XS82ECU1056: bugfix on the path checker for DELL EqualLogic with iSCSI protocol
  - Synced with XS82ECU1060: bugfix for when a host is unable to log into all iSCSI portals because there are separate independent Target Portal Groups inside the IQN.
- util-linux: preparatory steps to support 4k-only disks.
- xapi: Bugfix in a testing framework.
- xcp-ng-pv-tools: Small fixes regarding VM stats reporting.
- xcp-ng-xapi-plugins: Add check_installed function in updater plugin to test installed packages. This is a prerequisite for the upcoming XOSTOR release.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing blktap openvswitch "sm-*" util-linux "xapi-*" xcp-ng-pv-tools xcp-ng-xapi-plugins
reboot
The usual update rules apply: pool coordinator first, etc.
Versions
- blktap: 3.37.4-3.1.xcpng8.2
- openvswitch: 2.5.3-2.3.12.2.xcpng8.2
- sm: 2.30.8-10.1.xcpng8.2
- util-linux: 2.23.2-52.1.xcpng8.2
- xapi: 1.249.32-2.2.xcpng8.2
- xcp-ng-pv-tools: 8.2.0-12.xcpng8.2
- xcp-ng-xapi-plugins: 1.10.0-1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~1 week.
-
RE: XCP-ng 8.3 beta 🚀
A new version of xo-lite for XCP-ng 8.3 has been released:
Version:
xo-lite-0.2.0-1.xcpng8.3
You can update it like this:
yum update xo-lite
For more information about the changes between version 0.1.3 and 0.2.0, you can consult this link: https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/lite/CHANGELOG.md
-
RE: Error: Multilib version problems found. This often means that the root
@Ben said in Error: Multilib version problems found. This often means that the root:
Protected multilib versions: libcom_err-1.47.0-1.1.xcpng8.2.x86_64 != libcom_err-1.42.9-19.el7.i686
If I understand right from the log you posted, you installed another version of libcom_err than the one from XCP-ng. So you'll need to remove that one and have ours:
yum remove libcom_err-1.42.9-19.el7.i686
yum install libcom_err-1.47.0-1.1.xcpng8.2.x86_64
It would be better to disable the OMSA repo as suggested in our documentation about additional packages: https://xcp-ng.org/docs/additionalpackages.html#rules
-
RE: Updates announcements and testing
New Security Update Candidates (Xen)
Xen is being updated to mitigate some vulnerabilities:
- XSA-439: CVE-2023-20588. On AMD Zen1 CPUs, "an attacker might be able to infer data from a different execution context on the same CPU core."
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot
Version:
- xen: 4.13.5-9.36.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
RE: Updates announcements and testing
Update published. Thanks for the tests!
https://xcp-ng.org/blog/2023/08/14/august-2023-security-update/
-
RE: Updates announcements and testing
New Security Update Candidates (kernel, Xen, linux-firmware, microcode_ctl, XAPI...)
Xen is being updated to mitigate some vulnerabilities:
- XSA-432: CVE-2023-34319. Under Linux, a buffer overrun in netback can be triggered due to unusual packets. This behavior was due to the fix of the XSA-423 which didn't account for an extreme case of an entire packet being split into as many pieces as permitted by the protocol and still being smaller than the area that's dealt with to keep all headers together. It is possible to crash a host from a VM, with malicious and privileged code.
- XSA-434: CVE-2023-20569. Researchers from ETH Zurich have extended their prior research (XSA-422, Branch Type Confusion, a.k.a Retbleed) and have discovered INCEPTION, also known as RAS (Return Address Stack) Poisoning, and Speculative Return Stack Overflow. An attacker might be able to infer the contents of memory belonging to other guests.
- XSA-435: CVE-2022-40982. A security issue in certain Intel CPUs may allow an attacker to infer data from different contexts on the same core.
Components are also updated to add bugfixes and enhancements:
- guest-templates-json: Added Debian 12 Bookworm
- XAPI:
  - Several hotfixes and improvements from XS82ECU1033
  - From XS82ECU1045 Significant performance improvements on a set of CPU features for servers with Cascade Lake or later Intel CPUs.
- microcode_ctl: Update to IPU 2023.3
- linux-firmware: Expose additional features for Intel CPUs, especially for Cascade Lake or later Intel CPUs. Updated to latest AMD firmware for processor family 19h.
- Xen: Expose MSR_ARCH_CAPS to guests on all Intel hardware by default.
- blktap, nbd: An update of the packages for Xostor.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" microcode_ctl linux-firmware kernel forkexecd gpumon message-switch "ocaml-*" rrd2csv rrdd-plugins sm-cli squeezed varstored-guard vhd-tool wsproxy "xapi-*" xcp-networkd xcp-rrdd "xenopsd*" xs-opam-repo "guest-templates-*" blktap xcp-ng-linstor nbd tzdata "grub*" lldpad xcp-ng-xapi-plugins --enablerepo=xcp-ng-testing
reboot
Version:
- forkexecd: 1.18.3-2.1.xcpng8.2
- gpumon: 0.18.0-10.1.xcpng8.2
- kernel: 4.19.19-7.0.17.1.xcpng8.2
- linux-firmware: 20190314-9.1.xcpng8.2
- message-switch: 1.23.2-9.1.xcpng8.2
- microcode_ctl: 2.1-26.xs26.1.xcpng8.2
- ocaml-rrd-transport: 1.16.1-7.1.xcpng8.2
- ocaml-rrdd-plugin: 1.9.1-7.1.xcpng8.2
- ocaml-tapctl: 1.5.1-7.1.xcpng8.2
- ocaml-xcp-idl: 1.96.5-1.1.xcpng8.2
- ocaml-xen-api-client: 1.9.0-10.1.xcpng8.2
- ocaml-xen-api-libs-transitional: 2.25.5-4.1.xcpng8.2
- rrd2csv: 1.2.6-7.1.xcpng8.2
- rrdd-plugins: 1.10.9-4.1.xcpng8.2
- sm-cli: 0.23.0-53.1.xcpng8.2
- squeezed-0.27.0-10.1.xcpng8.2
- varstored-guard: 0.6.2-7.xcpng8.2
- vhd-tool: 0.43.0-10.1.xcpng8.2
- wsproxy: 1.12.0-11.xcpng8.2
- xapi: 1.249.32-1.1.xcpng8.2
- xapi-nbd: 1.11.0-9.1.xcpng8.2
- xapi-storage: 11.19.0_sxm2-9.xcpng8.2
- xapi-storage-script: 0.34.1-8.1.xcpng8.2
- xcp-networkd: 0.56.2-7.xcpng8.2
- xcp-rrdd: 1.33.2-6.1.xcpng8.2
- xen: 4.13.5-9.36.1.xcpng8.2
- xenopsd: 0.150.17-1.1.xcpng8.2
- xs-opam-repo: 6.35.11-1.xcpng8.2
- guest-templates-json: 1.9.6-1.3.xcpng8.2
- blktap-3.37.4-1.0.2.xcpng8.2
- tzdata-2022a-1.el7
- xcp-ng-linstor-1.1-3.xcpng8.2
- nbd-3.24-1.xcpng8.2
- grub-2.02-3.2.0.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
-
RE: Updates announcements and testing
Hello,
Yes, these patches will become available in XCP-ng. We're working on it to release as soon as possible. We'd like to release them this week, so we do everything we can for that.
There will be a post here for the tests and for the final release.
-
RE: XCP-ng 8.3 beta 🚀
New Security Update Candidates (Xen and AMD CPUs) for Zenbleed
Xen is being updated to mitigate hardware vulnerabilities in AMD CPUs.
- Upstream (Xen project) advisory: XSA-433
This issue affects systems running AMD Zen 2 CPUs. Under specific microarchitectural circumstances, it may allow an attacker to potentially access sensitive information.
As this flaw can be critical for AMD Zen 2 users, we integrated the patch into our 8.3. You can read about this vulnerability on our blog here. This update includes the latest bugfix of this patch from upstream. You can read about it here on the blog.
Test on XCP-ng 8.3
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" amd-microcode --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: xen-4.13.5-10.42.3.xcpng8.3
- amd-microcode: amd-microcode-20220930-2.1.xcpng8.3
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
None defined, but early feedback is always better than late feedback, which is in turn better than no feedback
-
RE: Updates announcements and testing
Update published. Thanks for the tests!
https://xcp-ng.org/blog/2023/08/04/erratum-july-2023-security-update-zenbleed/
-
RE: Updates announcements and testing
New Security Update Candidates (Xen)
Xen is being updated to correct a flaw in the latest patch (XSA-433) for Zenbleed and AMD CPUs.
- Upstream (Xen project) advisory: XSA-433
The patch provided with earlier versions was buggy by unintentionally disabling more bits than expected in the control register due to bad integer variable truncation.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot
Version:
- xen-*: 4.13.5-9.35.1.xcpng8.2
If you haven't already applied the previous updates, we invite you to also update linux-firmware.
yum update linux-firmware
reboot
Version:
- linux-firmware: 20190314-8.1.xcpng8.2
One reboot for the two updates is enough.
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~1 day. We'll release before the WE if our internal tests are fine.
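The class of bug described in the post above (a mask held in a variable narrower than the register it is applied to), shown as an added example that is not part of the original post and is not Xen's code. The register value, bit position and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values for illustration; not taken from Xen or the advisory. */
#define FEATURE_BIT 9u                     /* hypothetical bit to clear */
#define SAMPLE_REG  0x0123456700000600ULL  /* hypothetical 64-bit register value */

/* Buggy form: the mask lives in a 32-bit variable. ~mask is evaluated in
 * 32 bits (0xFFFFFDFF) and only then zero-extended to 64 bits, so the AND
 * also clears bits 32..63 of the register. */
static uint64_t clear_bit_truncated(uint64_t reg)
{
    uint32_t mask = 1u << FEATURE_BIT;
    return reg & ~mask;
}

/* Corrected form: the mask is 64 bits wide before it is inverted. */
static uint64_t clear_bit_correct(uint64_t reg)
{
    uint64_t mask = UINT64_C(1) << FEATURE_BIT;
    return reg & ~mask;
}

/* Bits that changed other than the one that was meant to change.
 * A non-zero result is the signature of the truncation bug. */
static uint64_t collateral_bits(uint64_t before, uint64_t after)
{
    return (before ^ after) & ~(UINT64_C(1) << FEATURE_BIT);
}

int main(void)
{
    uint64_t bad  = clear_bit_truncated(SAMPLE_REG);
    uint64_t good = clear_bit_correct(SAMPLE_REG);

    printf("before     : 0x%016llx\n", (unsigned long long)SAMPLE_REG);
    printf("truncated  : 0x%016llx (collateral 0x%016llx)\n",
           (unsigned long long)bad,
           (unsigned long long)collateral_bits(SAMPLE_REG, bad));
    printf("correct    : 0x%016llx (collateral 0x%016llx)\n",
           (unsigned long long)good,
           (unsigned long long)collateral_bits(SAMPLE_REG, good));
    return 0;
}
```

Comparing a register read taken before the write with one taken after it, as `collateral_bits` does, is a cheap regression check for this kind of mask-width mistake.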
-
RE: Updates announcements and testing
Update published. Thanks for the tests!
https://xcp-ng.org/blog/2023/07/27/july-2023-security-update-zenbleed/
-
RE: Updates announcements and testing
New Security Update Candidates (Xen and AMD CPUs)
Xen is being updated to mitigate hardware vulnerabilities in AMD CPUs.
- Upstream (Xen project) advisory: XSA-433
This issue affects systems running AMD Zen 2 CPUs. Under specific microarchitectural circumstances, it may allow an attacker to potentially access sensitive information.
Components are also updated to add bugfixes and enhancements:
- Xen:
  - Now, MPX feature is disabled by default. Cross-pool migration and upgrade will be simplified as VMs can migrate more easily from pools with Intel SkyLake, CascadeLake, or CooperLake hardware to pools with later Intel hardware (such as IceLake). A reboot is necessary after updating to benefit from this feature.
  - Improvements to latency with a limit on the scheduler loadbalancing. This improves performance on large systems with high CPU utilization.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" linux-firmware --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.5-9.34.1.xcpng8.2
- linux-firmware: 20190314-8.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
RE: Updates announcements and testing
We began to work on the patch yesterday evening. We will publish it for testers later today, and if everything is fine, for everyone after two days (and success in our tests, of course).
-
RE: Updates announcements and testing
New update candidates for you to test!
Shortly after we released the previous batch of non-urgent updates, XenServer released several updates for Citrix Hypervisor 8.2 CU1. We prepared new update candidates based on these, as well as a specific update of xcp-ng-xapi-plugins.
There's no date for their release yet, but they're ready for your tests and feedback already.
- xcp-ng-xapi-plugins: the updater plugin, used by Xen Orchestra to apply updates, can now also install new packages (this will be used to deploy XOSTOR from Xen Orchestra).
- kernel: as explained in the hotfix from XenServer XS82ECU1028 "ACPI processor-related data is being reported incorrectly to the hypervisor, affecting Intel - Xeon 84xx/64xx/54xx/44xx/34xx - Sapphire Rapids and possibly other models."
- grub: bugfix
- lldpad:
  - The FCoE service can have a memory leak that could use up dom0 memory
  - A resource leak in the FCoE service can crash the service
  - When trying to create an LACP bond using Cisco Nexus switches, host could have intermittent connection problems
  - XenServer hotfix: XS82ECU1032
- xen: Correct a flaw for VMx under Red Hat Enterprise 7 (and derivatives) with a large number of CPUs, that can cause migration failures when trying to migrate to AMD hosts.
  - XenServer hotfix: XS82ECU1034
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing "xen-*" "grub*" lldpad kernel xcp-ng-xapi-plugins
reboot
The usual update rules apply: pool coordinator first, etc.
Versions
- kernel-4.19.19-7.0.16.1.xcpng8.2
- grub-2.02-3.2.0.xcpng8.2
- lldpad-1.0.1-10.xcpng8.2
- xen-*4.13.5-9.32.1.xcpng8.2
- xcp-ng-xapi-plugins-1.8.0-1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
None defined, but early feedback is always better than late feedback, which is in turn better than no feedback
-
RE: VM changing minimum static ram results in MEMORY_CONSTRAINT_VIOLATION_ORDER() error
The limitation isn't in the Rocky Linux template but in the one we inherit from.
As these templates came from upstream (XenServer), it's better to keep them that way. But you can create your own template to use. Create a VM and modify the memory limit as desired with the command line you used before. When the VM (you don't need to install it; just create an empty one with the right parameters) is ready, like you want it to be, go to the advanced tab and click on "Convert to template". It will transform your VM into a template (you can see it in the menu Home - Templates). Then you could create any VM you want from this template when you add a new VM.
The information is stored in the XAPI. So it will stay when you upgrade XCP-ng from version 8.2.1 to a higher version.
-
RE: Updates announcements and testing
Update published. Thanks for the tests!
https://xcp-ng.org/blog/2023/03/23/march-2023-security-update/
-
RE: Updates announcements and testing
New Security Update Candidates (Xen)
Xen is being updated to mitigate some vulnerabilities:
- XSA-427: "Guests running in shadow mode and being subject to migration or snapshotting may be able to cause Denial of Service and other problems, including escalation of privilege". This vulnerability concerns old platforms (Nehalem/Bulldozer families and older) which do not have Hardware Assisted Paging facilities (EPT/NPT), or modern platforms where this extension is disabled by the firmware or the system software. This also concerns PV guests, which are not officially supported anymore in XCP-ng.
- XSA-428: "Entities controlling HVM guests can run the host out of resources or stall execution of a physical CPU for effectively unbounded periods of time, resulting in a Denial of Service (DoS) affecting the entire host. Crashes, information leaks, or elevation of privilege cannot be ruled out".
  On the platforms managed by XCP-ng software, with regard of this vulnerability, we would rather talk of "reduction in defence in depth", as the only entity controlling HVM guests is a trusted software (QEMU) running in a trusted domain (dom0).
- XSA-429: The patch completes the original Spectre/Meltdown mitigation work (XSA-254). A malicious PV guest might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. Only AMD and Hygon CPUs which offer SMEP/SMAP facilities are affected. Although PV guests are not officially supported in XCP-ng, we also included a fix for this vulnerability.
Components are also updated to add bugfixes and enhancements:
- Xen
  - Update to Xen 4.13.5
  - Initial Sapphire Rapids support
  - Fix memory corruption issues in the Ocaml bindings.
  - On xenstored live update, validate the config file before launching into the new xenstored
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.5-9.30.3.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-