RE: XCP-ng 8.3 updates announcements and testing

@dxym It is always important to follow the instructions given on the forum or on the blog. In both cases, we indicate that the hosts must be restarted.
This way, we are sure that the hosts will apply the changes coming from the updates, like here changes on Xen and the Intel microcode.

@Greg_E No, the kernel version has not changed.
There is no kernel update in this update series either.

This package is installed by Xostor. If you have not installed it yet, it is not present on the system and has not been updated.
The right package, in the right version, will be installed when you will install Xostor to test it.

Update published: https://xcp-ng.org/blog/2024/11/15/november-2024-security-and-maintenance-update-for-xcp-ng-8-2-lts/

Thank you for the tests!

Update published: https://xcp-ng.org/blog/2024/11/15/november-2024-security-update-for-xcp-ng-8-3/

Thank you for the tests!

We have identified an issue related to Xostor and HA management in the http-nbd-transfer-1.4.0-1.xcpng8.2 package. We therefore prefer to remove it from these updates while waiting for a future corrected version.

For those who have tested these updates and who have Xostor on their test pool, we invite you to downgrade this package to version 1.3.0 with the following command:

yum downgrade http-nbd-transfer

New security update candidates for XCP-ng 8.2 LTS (xen, microcode_ctl)

Two new XSAs were published on November 12th 2024.
Intel published a microcode update on the November 12th 2024.

NOTE: This was published soon after the previous testing updates, therefore, we did not publish the previous and everything will be published altogether.

---

• XSA-463 an unprivileged guest making two quick accesses to the VGA memory can deadlock a host.
• XSA-464 an unprivileged PVH guest may access sensitive information from the host, control domain or other guests.

---

SECURITY UPDATES

• xen-*:
  • Fix XSA-463 - Deadlock in x86 HVM standard VGA handling. A mistake in the locking of process of the "standard" VGA memory makes it possible for a guest to make 2 quick accesses and create a deadlock that will hang the host.
  • Fix XSA-464 - libxl leaks data to PVH guests via ACPI tables. The ACPI tables for PVH guests initialization left the excess memory space with its previous content, which was then copied to the guest memory as it was, resulting in possible leak of sensitive information. This doesn't affect XCP-ng in its normal configuration, as only HVM and PV-in-PVH (not affected) guests are supported.
• microcode_ctl:
  • Latest Intel microcode update, published on November the 12th:
    • Security updates for INTEL-SA-01101
    • Security updates for INTEL-SA-01079
    • Updated security updates for INTEL-SA-01097
    • Updated security updates for INTEL-SA-01103
    • Multiple other updates for functional issues.

Test on XCP-ng 8.2

Install all the current update candidates: the ones we already made users test to prepare for the next train of updates, and the new ones which fix security vulnerabilities. We will release them all together.

yum clean metadata --enablerepo=xcp-ng-candidates,xcp-ng-testing
yum update  --enablerepo=xcp-ng-candidates,xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

Security updates:

• xen: 4.13.5-9.45.1.xcpng8.2
• microcode_ctl: 2.1-26.xs29.6.xcpng8.2

The rest of the packages is described in the previous update candidate announcement.

What to test

Normal use and anything else you want to test.

Test window before official release of the update

~ 2 days because of security updates.

New update candidates for you to test!

As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users.

The moment to release such a batch has come, so here they are, ready for user tests before the final release.

• XAPI:
  • Synced with XS82ECU1074
    • Enhancement: robustification of the command xe host-emergency-ha-disable
    • Correction of different issues:
      • Performing a hard shutdown of a VM may hang due to unnecessary RBCA permission checks. An icon (yellow triangle) may then be displayed on some management applications, indicating that the shutdown process did not complete successfully.
      • Canceling a hard shutdown of a hung VM fails because the cancel function only checks for proper shutdowns.
      • Migrating VMs from 8.2.1 to 8.3 with the xe vm-migrate command may fail with the error 'Failure: Unknown tag/contents'.
      • You may encounter a 500 error (internal server error) when trying to retrieve RRD measurements from a powered off virtual machine.
• xsconsole:
  • Synced with XS82ECU1074: Fix for a time-out when creating an iSCSI SR.
• guest-templates-json:
  • Add generic templates for Linux BIOS and UEFI
  • Synced with XS82ECU1085:
    • Oracle 8 requires minimum 2 vCPUS.
    • Added template for Ubuntu 24.04
• sm:
  • Synced with XS82ECU1075
    • Updated multipath.conf for several SANs
    • Fix for CA-393194: Find the real PV in a VG before removing the VG.
• blktap: Synced with XS82ECU1075: Improvements on coalesce performance.
• curl: Backport fixes for several CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, CVE-2024-6197, CVE-2024-7264
• openssl: Update to version 1.0.2k-26 from CentOS 7 updates and backports of available CVE fixes from openssl upstream. Update from CentOS 7 Includes fixes for CVE-2021-3712, CVE-2022-2078 and CVE-2023-0286. Backport are fixing CVE-2019-1547, CVE-2019-1551 and CVE-2019-1563.
• xs-openssl: Rebased on version 1.1.1k-12 from CentOS 8 Stream. Include fixes for CVE-2023-5678, CVE-2023-3446, CVE-2023-3817 and a proper fix for CVE-2020-25659.
• zstd: Update to version 1.5.5 to avoid an extremely rare cases of corruption
• xcp-ng-xapi-plugins: Enhance error reporting when a command run on a host fails.
• xenserver-status-report: Update to latest version, synced with XS82ECU1058
• python-defusedxml: Added as a new dependency of xenserver-status-report.
• Alternate Drivers: Updated to newer versions.
  • intel-i40e-alt: From version 2.22.20-3.1 to 2.22.20-5.1
  • mellanox-mlnxen-alt: From version 5.9.0.5.5.0-1.1 to 5.9.0.5.5.0-1.2
  • More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).
• New alternate driver mlx4-modules-alt: To resolve some issues with CX3 cards and SR-IOV, we added an updated version 4.9-7.1.0.0-LTS of this driver.
• kernel-alt: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.

As a dependency of XOSTOR:

• http-nbd-transfer:
  • Try to open device and start HTTP server before notifying the user
  • Install pyc and pyo files

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• blktap: 3.37.4-4.1.xcpng8.2
• curl: 8.6.0-2.2.xcpng8.2
• forkexecd: 1.18.3-12.1.xcpng8.2
• gpumon: 0.18.0-20.1.xcpng8.2
• guest-templates-json: 1.10.7-1.2.xcpng8.2
• http-nbd-transfer: 1.4.0-1.xcpng8.2
• message-switch: 1.23.2-19.1.xcpng8.2
• ocaml-rrd-transport: 1.16.1-17.1.xcpng8.2
• ocaml-rrdd-plugin: 1.9.1-17.1.xcpng8.2
• ocaml-tapctl: 1.5.1-17.1.xcpng8.2
• ocaml-xcp-idl: 1.96.7-6.1.xcpng8.2
• ocaml-xen-api-client: 1.9.0-20.1.xcpng8.2
• ocaml-xen-api-libs-transitional: 2.25.7-1.1.xcpng8.2
• openssl: 1.0.2k-26.2.xcpng8.2
• python-defusedxml: 0.7.1-1.xcpng8.2
• rrd2csv: 1.2.6-17.1.xcpng8.2
• rrdd-plugins: 1.10.9-14.1.xcpng8.2
• sm: 2.30.8-13.1.xcpng8.2
• sm-cli: 0.23.0-63.1.xcpng8.2
• squeezed: 0.27.0-20.1.xcpng8.2
• varstored-guard: 0.6.2-17.xcpng8.2
• vhd-tool: 0.43.0-20.1.xcpng8.2
• wsproxy: 1.12.0-21.xcpng8.2
• xapi: 1.249.38-1.11.xcpng8.2
• xapi-nbd: 1.11.0-19.1.xcpng8.2
• xapi-storage: 11.19.0_sxm2-19.xcpng8.2
• xapi-storage-script: 0.34.1-18.1.xcpng8.2
• xcp-networkd: 0.56.2-17.xcpng8.2
• xcp-rrdd: 1.33.4-6.1.xcpng8.2
• xenopsd: 0.150.19-5.1.xcpng8.2
• xenserver-status-report: 1.3.16-3.xcpng8.2
• xcp-ng-xapi-plugins: 1.10.1-1.xcpng8.2
• xs-opam-repo: 6.35.13-4.xcpng8.2
• xs-openssl: 1.1.1k-12.3.xcpng8.2
• xsconsole: 10.1.13.1-2.1.xcpng8.2
• zstd: 1.5.5-1.el7

Optional packages:

• kernel-alt: 4.19.265-2.xcpng8.2
• Alternates drivers:
  • intel-i40e-alt: 2.22.20-5.1.xcpng8.2
  • mellanox-mlnxen-alt: 5.9_0.5.5.0-1.2.xcpng8.2

New optional package:

• mlx4-modules-alt: 4.9_7.1.0.0-1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~1 week.

You can also do this from a host's xsconsole with the menu:

• Resource Pool Configuration
  • Join a Resource Pool

It seems that it is possible to clean old isos manually, via the command line, as explained in this forum post: https://xcp-ng.org/forum/post/15703

To my knowledge these files are backups when installing new versions of the tools during rpm updates. They do not necessarily take up space or this is managed directly during updates.

Nothing to clean here.

I have the same thing on my test servers (and sometimes even more files than that) and I have never taken care of it.

Do you have a space problem on this SR to want to delete them?

@ph7 I've asked the xo-lite team if they can give us guidance on this or if they have any idea about the current state of this host.

@stormi and @ph7 I just tested with two xo-lites in 0.2.1 and 0.2.2 on just installed servers, and in both cases, the Network throughput graph seems to have lines and values.

You can find information about kernel-alt here: https://docs.xcp-ng.org/installation/hardware/#-alternate-kernel

A new version of xo-lite for XCP-ng 8.3 has been released:

Version: xo-lite-0.2.1-1.xcpng8.3

You can update it like this:

yum update xo-lite

For more information about the changes between version 0.1.3 or 0.2.0 and 0.2.1, you can consult this link: https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/lite/CHANGELOG.md

The updates have been published; thank you for testing them out.

https://xcp-ng.org/blog/2024/03/29/march-2024-maintenance-update/

New update candidates for you to test!

As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users.

The moment to release such a batch has come, so here they are, ready for user tests before the final release.

• openvswitch:
  • CVE-2023-1668: Correct a flaw when processing an IP packet with protocol 0.
  • CVE-2023-5366: Apply the patch for OpenFlow and neightbor discovery target with IPv6
  • CVE-2023-3966: Correct a vulnerabity with "crafted Geneve packets causing invalid memory accesses and potential denial of service".
• blktap:
  • Synced with XS82ECU1056:
    • Bugfix for time out on NFS tasks which can sometimes exceed the configured value.
    • Improve the error handling for some lost iSCSI connection.
• sm:
  • Support NFS servers which only offer NFSv4. The discovery process for such servers differs from that of servers which offer also NFSv3, so the SR driver had to be improved.
  • Synced with XS82ECU1056: bugfix on the path checker for DELL EqualLogic with iSCSI protocol
  • Synced with XS82ECU1060: bugfix for when a host is unable to log into all iSCSI portals because there are separate independent Target Portal Groups inside the IQN.
• util-linux: preparatory steps to support 4k-only disks.
• xapi: Bugfix in a testing framework.
• xcp-ng-pv-tools: Small fixes regarding VM stats reporting.
• xcp-ng-xapi-plugins: Add check_installed function in updater plugin to test installed packages. This is a prerequisite for the upcoming XOSTOR release.

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing blktap openvswitch sm-* util-linux xapi-* xcp-ng-pv-tools xcp-ng-xapi-plugins
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• blktap: 3.37.4-3.1.xcpng8.2
• openvswitch: 2.5.3-2.3.12.2.xcpng8.2
• sm: 2.30.8-10.1.xcpng8.2
• util-linux: 2.23.2-52.1.xcpng8.2
• xapi: 1.249.32-2.2.xcpng8.2
• xcp-ng-pv-tools: 8.2.0-12.xcpng8.2
• xcp-ng-xapi-plugins: 1.10.0-1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~1 week.

A new version of xo-lite for XCP-ng 8.3 has been released:

Version: xo-lite-0.2.0-1.xcpng8.3

You can update it like this:

yum update xo-lite

For more information about the changes between version 0.1.3 and 0.2.0, you can consult this link: https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/lite/CHANGELOG.md

@Ben said in Error: Multilib version problems found. This often means that the root:

   Protected multilib versions: libcom_err-1.47.0-1.1.xcpng8.2.x86_64 != libcom_err-1.42.9-19.el7.i686

If I understand right from the log you posted, you installed another version of libcom_err than the one from XCP-ng. So you'll need to remove that one and have ours:

yum remove libcom_err-1.42.9-19.el7.i686
yum install libcom_err-1.47.0-1.1.xcpng8.2.x86_64

It would be better to disable the OMSA repo as suggested in our documentation about additional packages: https://xcp-ng.org/docs/additionalpackages.html#rules

New Security Update Candidates (Xen)

Xen is being updated to mitigate some vulnerabilities:

• XSA-439: CVE-2023-20588. On AMD Zen1 CPUs, "an attacker might be able to infer data from a different execution context on the same CPU core."

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot

Version:

• xen: 4.13.5-9.36.2.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.