RE: XCP-ng 8.3 updates announcements and testing

New update candidates for you to test!

In addition to the previous updates, available for testing, here are some new, non-urgent ones, expected to be released in a few days. Below are the details about these.

• blktap: Add an option to use backup footer when vhd-util query is called. This will be used in a future storage driver.
• intel-igc: Update to version 5.10.226.
• xcp-ng-deps: Added vim-minimal as a dependency, so it is always present on XCP-ng systems.

For XOSTOR users:

• drbd: Prevent a dead-lock in some situations, plus other improvements

(Reminder: XOSTOR is still in beta stage on XCP-ng 8.3)

Test on XCP-ng 8.3

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• blktap: 3.54.9-1.2.xcpng8.3
• intel-igc: 5.10.226-1.xcpng8.3
• kmod-drbd: 9.2.11-1.1.xcpng8.3
• xcp-ng-deps: 8.3-13

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~ 2 days

New update candidates for you to test!

In addition to the previous updates, available for testing, here are some new, non-urgent ones, expected to be released in a few days. Below are the details about these.

• kernel:
  • Synchronized with hotfix XS82ECU1079
  • Occasionally, a host that crashes is unable to produce a crash dump and becomes inoperable until it is restarted.
• XAPI + xha:
  • Synchronized with hotfix XS82ECU1080 that fixes these issues:
    • High availability occasionally fails to process heartbeats in time when there are a lot of hosts in a pool. Consequently, the host that is unable to process heartbeats is flagged as offline and self-fences.
    • A virtual machine (VM) on the host that is restarted during or after a connectivity issue may become unresponsive or fail to start with the error message "an emulator required to run this VM failed to start" if there are problems connecting the pool coordinator to a host in the pool.
    • Resetting the connection can cause long-running VDI migrations to fail.
    • Current up-to-date RRD data is not included in the server status report.
• sm:
  • Fix VG activation in LargeBlockSR for non-NVMe devices meaning than 4KiB devices other than NVMe didn't work with the driver.

XOSTOR:

• drbd: Prevent a dead-lock in some situations, plus other improvements.
• linstor: Updated from version 1.21.1 to 1.29.0.
• http-nbd-transfer: improved for faster and more reliable HA.
• sm (specific release for XOSTOR):
  • Add the same fixe as in the common sm.
  • Update for latest linstor, drbd and http-nbd-transfer.
  • XOSTOR Fixes.

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

If you are using Xostor on your test servers, be sure to read our documentation on updating Xostor. You will need to enable an additional repo. Replace the yum update command above with this one:

yum update --enablerepo=xcp-ng-testing,xcp-ng-linstor-testing

Versions

• forkexecd: 1.18.3-15.1.xcpng8.2
• gpumon: 0.18.0-23.1.xcpng8.2
• kernel: 4.19.19-7.0.24.1.xcpng8.2
• message-switch: 1.23.2-22.1.xcpng8.2
• ocaml-rrd-transport: 1.16.1-20.1.xcpng8.2
• ocaml-rrdd-plugin: 1.9.1-20.1.xcpng8.2
• ocaml-tapctl: 1.5.1-20.1.xcpng8.2
• ocaml-xcp-idl: 1.96.7-9.1.xcpng8.2
• ocaml-xen-api-client: 1.9.0-23.1.xcpng8.2
• ocaml-xen-api-libs-transitional: 2.25.7-4.1.xcpng8.2
• rrd2csv: 1.2.6-20.1.xcpng8.2
• rrdd-plugins: 1.10.9-17.1.xcpng8.2
• sm-cli: 0.23.0-66.1.xcpng8.2
• squeezed: 0.27.0-23.1.xcpng8.2
• varstored-guard: 0.6.2-20.xcpng8.2
• vhd-tool: 0.43.0-23.1.xcpng8.2
• wsproxy: 1.12.0-24.xcpng8.2
• xapi: 1.249.40-1.1.xcpng8.2
• xapi-nbd: 1.11.0-22.1.xcpng8.2
• xapi-storage: 11.19.0_sxm2-22.xcpng8.2
• xapi-storage-script: 0.34.1-21.1.xcpng8.2
• xcp-networkd: 0.56.2-20.xcpng8.2
• xcp-rrdd: 1.33.5-3.1.xcpng8.2
• xenopsd: 0.150.19-8.1.xcpng8.2
• xha: 10.3.1-3.1.xcpng8.2
• xs-opam-repo: 6.35.13-5.xcpng8.2

If you're using XOSTOR, there are these versions too:

• drbd: 9.28.0-1.el7
• drbd-reactor: 1.4.1-1
• kmod-drbd: 9.2.11-1.1.xcpng8.2
• linstor: 1.29.0-1.el7_9
• linstor-client: 1.23.0-1.xcpng8.2
• python-linstor: 1.23.0-1.xcpng8.2
• sm: 2.30.8-13.2.0.linstor.1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better. It would be nice if you could specify in your feedback if you are using XOSTOR or not.

Test window before official release of the updates

~ 2 days

There may be another issue then. Are these XOAs or XOs from source?

Are they up to date (version or commit)?

I haven't reproduced on my side yet. Maybe someone else will have an idea.

maniix, since you are not encryptblockr, you can't say that his problem is not related to this behavior. Unless you work or live together.

I have noticed this behavior and solved it with this solution when I work on modifying or adding XCP-ng templates. So it is a possibility that has already been tested. But that does not mean that this explanation is always the right one.

In this case we lack information regarding the specific context of encryptblockr. But my answer may be the right one.

In your case, it may be another explanation. And since you don't give much information either...

I have XOAs with several pools on them. Pools of 1, 2, 3, 4 hosts. And it does not display entries for each of the hosts, fortunately!

As I said, when I make changes to templates, I force the scan of these on the XO I am using in order to validate them. The list then shows duplicated entries, and in my case, a reboot of the XO fixes the problem.

If I'm not mistaken, this display happens when you edit a template or add one and scan this list from the XCP-ng host. Xen-Orchestra then has this display. It should disappear if you reboot Xen-Orchestra (I don't know if a simple restart of the service can be enough).
So this behavior does not come from XCP-ng itself, but more from XO.

New update candidates for you to test!

A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.

• amd-microcode: Update AMD microcode to the 2024-11-21 drop
  • Updates firmware for families 17h and 19h CPUs. For the first time, AMD published updates for non-server CPUs. One can assume that they started supporting microcode update for these, contrarily to what they did in the past, and that these updates thus fix various bugs and vulnerabilities. This is only (sensible) speculation at the moment, though.
• grub: Backport VLAN networking support for UEFI PXE boot.
• iperf3: Upgrade to version 3.9-13 from CentOS 7
  • Includes a security fix for CVE-2023-38403
• kernel: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.
• kexec-tools: Backport of a patch removing kernel_version(). Fixing a bug for kernel with a patchlevel greater than 255.
• netdata: Fixed an issue that could occur when quickly uninstalling the package, right after an unfinished installation, and leave a service in an undetermined status.
• slang: Fixed display and input issues in optional package mc.
• sm: Contains a fix for leaf coalesce where the size of the leaf to coalesce was wrongly computed before deciding if it was a live coalesce or not, it resulted in some leaf having too much data to coalesce not successing the live coalesce and staying in this state indefinitely.
• xapi:
  • Fixed a malfunction related to the absence of a certificate, which could cause a loop.
  • Fixed and improved various points in IPv6, related to management, reboot and re-initialization.
• xo-lite: Update to version 0.6.0. For more details, you can consult the blog post on the latest release of Xen Orchestra.

Optional packages:

• kernel-alt: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.
• socat: Update the package to version 1.7.4.1 which includes a fix for a buffer overflow and security fixes.
• traceroute: Updated to version 2.1.5.
• Alternate Drivers: Updated to newer versions.
  • broadcom-bnxt-en-alt: From version 1.10.2_227.0.130.0 to 1.10.3_231.0.162.0
  • intel-i40e-alt: From version 2.22.20-3.1 to 2.26.8
  • More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).

Test on XCP-ng 8.3

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• amd-microcode: 20240503-1.1.xcpng8.3
• grub: 2.06-4.0.2.1.xcpng8.3
• iperf3: 3.9-13.xcpng8.3
• kernel: 4.19.19-8.0.37.1.xcpng8.3
• kexec-tools: 2.0.15-20.1.xcpng8.3
• netdata: 1.44.3-1.2.xcpng8.3
• slang: 2.3.2-11.xcpng8.3
• sm: 3.2.3-1.13.xcpng8.3
• xapi: 24.19.2-1.9.xcpng8.3
• xo-lite: 0.6.0-1.xcpng8.3

Optional packages:

• kernel-alt: 4.19.322+1-1.xcpng8.3
• socat: 1.7.4.1-6.xcpng8.3
• traceroute: 2.1.5-2.xcpng8.3
• Alternate drivers:
  • broadcom-bnxt-en-alt: 1.10.3_231.0.162.0-1.xcpng8.3
  • intel-i40e-alt: 2.26.8-1.xcpng8.3

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

New update candidates for you to test!

A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.

• iperf3: Upgrade to version 3.9-13 from CentOS 7
  • Includes a security fix for CVE-2023-38403
• kernel: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.
• linux-firmware: Update AMD microcode to the 2024-11-21 drop
  • Updates firmware for families 17h and 19h CPUs
• netdata: Fixed an issue that could occur when quickly uninstalling the package, right after an unfinished installation, and leave a service in an undetermined status.
• openssh:
  • Synchronized with hotfix XS82ECU1072 from Citrix.
  • Security fix for CVE-2024-6387
• socat: Update the package to version 1.7.4.1 which includes a fix for a buffer overflow and security fixes.
• sudo: Synchronized with hotfix XS82ECU1072 from Citrix.
  • intel-igc: This driver replaces igc-module to maintain consistency with the change made in this direction in 8.3.
• vendor-drivers: Updated to pull intel-igc instead of igc-module, following the package renaming.
• xcp-ng-deps: Added vim-minimal as a dependency, so it is always present on XCP-ng systems.
• xcp-ng-release:
  • Synchronized with hotfix XS82ECU1072 from Citrix.
  • Upstream changelog: "Start dhclient on iSCSI BFS interfaces".
• xenserver-status-report:
  • Synchronized with hotfix XS82ECU1072 from Citrix.
  • Update from version 1.3.16-3 to 1.3.17

Optional packages:

• Alternate Driver: Updated to newer version.
  • broadcom-bnxt-en-alt: From version 1.10.2_227.0.130.0 to 1.10.3_231.0.162.0
  • More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• intel-igc: 5.10.214-3.1.xcpng8.2
• iperf3: 3.9-13.xcpng8.2
• kernel: 4.19.19-7.0.23.2.xcpng8.2
• linux-firmware: 20190314-11.2.xcpng8.2
• netdata: 1.19.0-6.xcpng8.2
• openssh: 7.4p1-23.3.1.xcpng8.2
• socat: 1.7.4.1-6.xcpng8.2
• sudo: 1.9.15-4.1.xcpng8.2
• vendor-drivers: 1.0.2-1.7.xcpng8.2
• xcp-ng-deps: 8.2.0-13
• xcp-ng-release: 8.2.1-14
• xenserver-status-report: 1.3.17-1.xcpng8.2

Optional packages:

• Alternate drivers:
  • broadcom-bnxt-en-alt: 1.10.3_231.0.162.0-1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

The kernel RPM integrating the patch is now available on the xcp-ng-testing repo. So you can already upgrade and use it. To do this, here are the commands:

yum clean metadata --enablerepo=xcp-ng-testing
yum update kernel --enablerepo=xcp-ng-testing
reboot

It will be released to all our users in an upcoming security update or update train. We don't have a date yet.

@DeOccultist Yes kernel-alt already includes this patch, but if you are not using it already, we do not recommend doing so as it will possibly have other impacts on your infrastructure by using it.

Our tests were completed overnight. We should be able to offer you the "normal" kernel, integrating this patch, available for validation tests in the xcp-ng-testing repo in the coming hours.

@hrv3e We currently have a kernel version, including a patch for this, waiting for testing. As soon as we have validated the rpm within our test environment, we will be able to make it available for validation through the xcp-ng-testing repo.

@dxym It is always important to follow the instructions given on the forum or on the blog. In both cases, we indicate that the hosts must be restarted.
This way, we are sure that the hosts will apply the changes coming from the updates, like here changes on Xen and the Intel microcode.

@Greg_E No, the kernel version has not changed.
There is no kernel update in this update series either.

This package is installed by Xostor. If you have not installed it yet, it is not present on the system and has not been updated.
The right package, in the right version, will be installed when you will install Xostor to test it.

Update published: https://xcp-ng.org/blog/2024/11/15/november-2024-security-and-maintenance-update-for-xcp-ng-8-2-lts/

Thank you for the tests!

Update published: https://xcp-ng.org/blog/2024/11/15/november-2024-security-update-for-xcp-ng-8-3/

Thank you for the tests!

We have identified an issue related to Xostor and HA management in the http-nbd-transfer-1.4.0-1.xcpng8.2 package. We therefore prefer to remove it from these updates while waiting for a future corrected version.

For those who have tested these updates and who have Xostor on their test pool, we invite you to downgrade this package to version 1.3.0 with the following command:

yum downgrade http-nbd-transfer

New security update candidates for XCP-ng 8.2 LTS (xen, microcode_ctl)

Two new XSAs were published on November 12th 2024.
Intel published a microcode update on the November 12th 2024.

NOTE: This was published soon after the previous testing updates, therefore, we did not publish the previous and everything will be published altogether.

---

• XSA-463 an unprivileged guest making two quick accesses to the VGA memory can deadlock a host.
• XSA-464 an unprivileged PVH guest may access sensitive information from the host, control domain or other guests.

---

SECURITY UPDATES

• xen-*:
  • Fix XSA-463 - Deadlock in x86 HVM standard VGA handling. A mistake in the locking of process of the "standard" VGA memory makes it possible for a guest to make 2 quick accesses and create a deadlock that will hang the host.
  • Fix XSA-464 - libxl leaks data to PVH guests via ACPI tables. The ACPI tables for PVH guests initialization left the excess memory space with its previous content, which was then copied to the guest memory as it was, resulting in possible leak of sensitive information. This doesn't affect XCP-ng in its normal configuration, as only HVM and PV-in-PVH (not affected) guests are supported.
• microcode_ctl:
  • Latest Intel microcode update, published on November the 12th:
    • Security updates for INTEL-SA-01101
    • Security updates for INTEL-SA-01079
    • Updated security updates for INTEL-SA-01097
    • Updated security updates for INTEL-SA-01103
    • Multiple other updates for functional issues.

Test on XCP-ng 8.2

Install all the current update candidates: the ones we already made users test to prepare for the next train of updates, and the new ones which fix security vulnerabilities. We will release them all together.

yum clean metadata --enablerepo=xcp-ng-candidates,xcp-ng-testing
yum update  --enablerepo=xcp-ng-candidates,xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

Security updates:

• xen: 4.13.5-9.45.1.xcpng8.2
• microcode_ctl: 2.1-26.xs29.6.xcpng8.2

The rest of the packages is described in the previous update candidate announcement.

What to test

Normal use and anything else you want to test.

Test window before official release of the update

~ 2 days because of security updates.

New update candidates for you to test!

As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users.

The moment to release such a batch has come, so here they are, ready for user tests before the final release.

• XAPI:
  • Synced with XS82ECU1074
    • Enhancement: robustification of the command xe host-emergency-ha-disable
    • Correction of different issues:
      • Performing a hard shutdown of a VM may hang due to unnecessary RBCA permission checks. An icon (yellow triangle) may then be displayed on some management applications, indicating that the shutdown process did not complete successfully.
      • Canceling a hard shutdown of a hung VM fails because the cancel function only checks for proper shutdowns.
      • Migrating VMs from 8.2.1 to 8.3 with the xe vm-migrate command may fail with the error 'Failure: Unknown tag/contents'.
      • You may encounter a 500 error (internal server error) when trying to retrieve RRD measurements from a powered off virtual machine.
• xsconsole:
  • Synced with XS82ECU1074: Fix for a time-out when creating an iSCSI SR.
• guest-templates-json:
  • Add generic templates for Linux BIOS and UEFI
  • Synced with XS82ECU1085:
    • Oracle 8 requires minimum 2 vCPUS.
    • Added template for Ubuntu 24.04
• sm:
  • Synced with XS82ECU1075
    • Updated multipath.conf for several SANs
    • Fix for CA-393194: Find the real PV in a VG before removing the VG.
• blktap: Synced with XS82ECU1075: Improvements on coalesce performance.
• curl: Backport fixes for several CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, CVE-2024-6197, CVE-2024-7264
• openssl: Update to version 1.0.2k-26 from CentOS 7 updates and backports of available CVE fixes from openssl upstream. Update from CentOS 7 Includes fixes for CVE-2021-3712, CVE-2022-2078 and CVE-2023-0286. Backport are fixing CVE-2019-1547, CVE-2019-1551 and CVE-2019-1563.
• xs-openssl: Rebased on version 1.1.1k-12 from CentOS 8 Stream. Include fixes for CVE-2023-5678, CVE-2023-3446, CVE-2023-3817 and a proper fix for CVE-2020-25659.
• zstd: Update to version 1.5.5 to avoid an extremely rare cases of corruption
• xcp-ng-xapi-plugins: Enhance error reporting when a command run on a host fails.
• xenserver-status-report: Update to latest version, synced with XS82ECU1058
• python-defusedxml: Added as a new dependency of xenserver-status-report.
• Alternate Drivers: Updated to newer versions.
  • intel-i40e-alt: From version 2.22.20-3.1 to 2.22.20-5.1
  • mellanox-mlnxen-alt: From version 5.9.0.5.5.0-1.1 to 5.9.0.5.5.0-1.2
  • More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).
• New alternate driver mlx4-modules-alt: To resolve some issues with CX3 cards and SR-IOV, we added an updated version 4.9-7.1.0.0-LTS of this driver.
• kernel-alt: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.

As a dependency of XOSTOR:

• http-nbd-transfer:
  • Try to open device and start HTTP server before notifying the user
  • Install pyc and pyo files

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• blktap: 3.37.4-4.1.xcpng8.2
• curl: 8.6.0-2.2.xcpng8.2
• forkexecd: 1.18.3-12.1.xcpng8.2
• gpumon: 0.18.0-20.1.xcpng8.2
• guest-templates-json: 1.10.7-1.2.xcpng8.2
• http-nbd-transfer: 1.4.0-1.xcpng8.2
• message-switch: 1.23.2-19.1.xcpng8.2
• ocaml-rrd-transport: 1.16.1-17.1.xcpng8.2
• ocaml-rrdd-plugin: 1.9.1-17.1.xcpng8.2
• ocaml-tapctl: 1.5.1-17.1.xcpng8.2
• ocaml-xcp-idl: 1.96.7-6.1.xcpng8.2
• ocaml-xen-api-client: 1.9.0-20.1.xcpng8.2
• ocaml-xen-api-libs-transitional: 2.25.7-1.1.xcpng8.2
• openssl: 1.0.2k-26.2.xcpng8.2
• python-defusedxml: 0.7.1-1.xcpng8.2
• rrd2csv: 1.2.6-17.1.xcpng8.2
• rrdd-plugins: 1.10.9-14.1.xcpng8.2
• sm: 2.30.8-13.1.xcpng8.2
• sm-cli: 0.23.0-63.1.xcpng8.2
• squeezed: 0.27.0-20.1.xcpng8.2
• varstored-guard: 0.6.2-17.xcpng8.2
• vhd-tool: 0.43.0-20.1.xcpng8.2
• wsproxy: 1.12.0-21.xcpng8.2
• xapi: 1.249.38-1.11.xcpng8.2
• xapi-nbd: 1.11.0-19.1.xcpng8.2
• xapi-storage: 11.19.0_sxm2-19.xcpng8.2
• xapi-storage-script: 0.34.1-18.1.xcpng8.2
• xcp-networkd: 0.56.2-17.xcpng8.2
• xcp-rrdd: 1.33.4-6.1.xcpng8.2
• xenopsd: 0.150.19-5.1.xcpng8.2
• xenserver-status-report: 1.3.16-3.xcpng8.2
• xcp-ng-xapi-plugins: 1.10.1-1.xcpng8.2
• xs-opam-repo: 6.35.13-4.xcpng8.2
• xs-openssl: 1.1.1k-12.3.xcpng8.2
• xsconsole: 10.1.13.1-2.1.xcpng8.2
• zstd: 1.5.5-1.el7

Optional packages:

• kernel-alt: 4.19.265-2.xcpng8.2
• Alternates drivers:
  • intel-i40e-alt: 2.22.20-5.1.xcpng8.2
  • mellanox-mlnxen-alt: 5.9_0.5.5.0-1.2.xcpng8.2

New optional package:

• mlx4-modules-alt: 4.9_7.1.0.0-1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~1 week.

You can also do this from a host's xsconsole with the menu:

• Resource Pool Configuration
  • Join a Resource Pool

It seems that it is possible to clean old isos manually, via the command line, as explained in this forum post: https://xcp-ng.org/forum/post/15703