RE: Epyc VM to VM networking slow

The fix, which was proposed as a test to resolve some of the issues encountered, has been integrated into an official update candidate which will be released to everyone next time we publish updates. For more information on this update, you can consult the following post: https://xcp-ng.org/forum/post/96135

New update candidates for you to test!

A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.

---

Maintenance updates

• blktap: Fix a bad integer conversion that interrupts valid coalesce calls on large VDIs. This fixes an error that could occur on VHD coalesces, generating logs on the SMAPI side.
• kernel:
  • Fix compatibility issues with Minisforum MS-A2 machines. For more information, you can consult this forum post.
  • Backport fix for CVE-2020-28374, a vulnerability that is unlikely to be exploitable in XCP-ng, fixed as defence-in-depth.
• xapi & xen:
  • Add a new /etc/xenopsd.conf.d directory, in which users can add a .conf file with configuration values for xenopsd.
  • Patch Xen to support a new option allowing to activate the remapping of grant-tables as Writeback. This fixes a performance issue for Linux Guests on AMD processors. Guests need their kernel to support the feature which enables this fix (Linux distributions that have recent enough kernels or apply fixes from the mainline LTS kernels are OK. Older ones are not. Some currently supported LTS distros don't have the patch yet: RHEL 8 and 9 and their derivatives are not ready yet - no effect on older distros such as Ubuntu 20.04. See partial list below). Windows and *BSD guests were not affected by the performance problem this change solves.
  • While we are confident with this change, we decided to make it opt-in at first, so that users be conscious of the change and also know how to revert it if any side effects remain in edge cases. To enable the fix pool-wide, create a file named /etc/xenopsd.conf.d/custom.conf with the following line:

    xen-platform-pci-bar-uc=false
    

    • Then restart the toolstack on the host: xe-toolstack-restart
    • Then add the configuration and restart the toolstack on every other hosts of the pool
    • Then stop and start VMs so that the setting is applied to them at boot.
  • In a future update, this will become the default.
  • This is not the end of the way towards better performance on AMD EPYC servers, but it's significant progress!
• xo-lite:
  • [Host/VM/Dashboard] Fix display error due to inversion of upload and download
  • [Sidebar] Updated sidebar to auto close when the screen is small
  • [SearchBar] Updated query search bar to work in responsive (PR #8761)
  • [Pool,Host/Dashboard] CPU provisioning considers all VMs instead of just running VMs
  • For more details, we invite you to read the blog post about the latest Xen-Orchestra update.

OS support for the AMD performance workaround:

• Debian: 11 (5.10: TODO), 12 (6.1: OK)
• Ubuntu: 20.04 LTS (5.4: EOL), 22.04 LTS (5.15: SOON, HWE 6.8: OK), 24.04 LTS (6.8 & HWE 6.14: OK)
• openSUSE Leap, 15.5 (5.14: EOL) 15.6 (6.4: OK)
• SUSE Enterprise (LTSS) : SLE15 SP3 - LTSS (5.3: Not upstream), SLE15 SP4/5 - LTSS (5.14: Not upstream), SLE15 SP6+ (OK)
• RHEL (+derivates): 8 (4.19: EOL-ish?), 9 (5.14: Not upstream), 10 (6.12: OK)
• Fedora: All supported: OK (37+)
• Alpine Linux: All supported: OK (v3.18+)

• EOL = distro is EOL
• Not upstream = not covered by Linux stable project (i.e probably needs discussions with distro)
• SOON: Distro needs to update its kernel

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• blktap: 3.55.5-2.3.xcpng8.3
• kernel: 4.19.19-8.0.38.4.xcpng8.3
• xapi: 25.6.0-1.11.xcpng8.3
• xen: 4.17.5-15.2.xcpng8.3
• xo-lite: 0.13.1-1.xcpng8.3

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

Hello,

We've added a card to our backlog to investigate this topic.

Updates published: https://xcp-ng.org/blog/2025/07/29/july-2025-security-update-2-for-xcp-ng-8-2-lts/

Thank you for the tests!

New security update candidate

A new XSA (Xen Security Advisory) was published on the 8th of July, and an update to Xen addresses it.

---

Security updates

• linux-firmware: Update to 20250626-1 as redistributed by XenServer.
• xen-*:
  • Fix XSA-471 - New speculative side-channel attacks have been discovered, affecting systems running all versions of Xen and AMD Fam19h CPUs (Zen3/4 microarchitectures). An attacker could infer data from other contexts. There are no current mitigations, but AMD is producing microcode to address the issue, and patches for Xen are available. These attacks, named Transitive Scheduler Attacks (TSA) by AMD, include CVE-2024-36350 (TSA-SQ) and CVE-2024-36357 (TSA-L1).

Test on XCP-ng 8.2

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• linux-firmware: 20190314-11.3.xcpng8.2
• xen: 4.13.5-9.49.3.xcpng8.2

What to test

On Intel platform:

• Normal use and anything else you want to test.

On AMD platform zen3 or zen4:

• Normal use of course
• On a Linux guest, with cpuid installed, run the command following command:

lscpu | grep -q AMD && lscpu | grep -qi "cpu family.* 25$" && [ $(($(cpuid -1 -r -l 0x80000021 | grep eax | sed -r 's/.*eax=([^ ]+) .*/\1/') & 0x20)) -eq 32 ] && echo OK

This should print OK if your system is protected against XSA-471.

Test window before official release of the updates

~3 days.

@manilx We recently upgraded our Koji build system. This may have caused disruptions in this recent update release yesterday, where an XML file was generated multiple times. This has now been fixed and should not happen again. This may explain the issue encountered this time, particularly with the notification of updates via XO.

Note that normally yum metadata expires after a few hours and so it should normally return to normal on its own.

@manilx said in XCP-ng 8.3 updates announcements and testing:

yum clean all

I can't explain it. I can't say what's going on on your system, especially with so little information.

Personally, I run the following commands all the time:

yum clean metadata ; yum update

I very rarely need to use yum clean all, and I don't remember having to do an additional rm. And yet, I run the above commands a lot during testing campaigns.

@flakpyro Yes, it always takes a little time for the mirrors to synchronize.

I'm getting correct feedback from the main repository (https://updates.xcp-ng.org/) with the correct updates available.

Updates published: https://xcp-ng.org/blog/2025/07/15/july-2025-security-update-2-for-xcp-ng-8-3-lts/

Thank you for the tests!

New security and maintenance update candidate

A new XSA (Xen Security Advisory) was published on the 8th of July, related to hardware vulnerabilities in several AMD CPUS. Updated microcode mitigate it, and Xen is updated to adapt to the changes in the CPU features. We also publish other non-urgent updates which we had in the pipe for the next update release.

---

Security updates

• amd-microcode:
  • Update to 20250626-1 as redistributed by XenServer.
• xen-*:
  • Fix XSA-471 - New speculative side-channel attacks have been discovered, affecting systems running all versions of Xen and AMD Fam19h CPUs (Zen3/4 microarchitectures). An attacker could infer data from other contexts. There are no current mitigations, but AMD is producing microcode to address the issue, and patches for Xen are available. These attacks, named Transitive Scheduler Attacks (TSA) by AMD, include CVE-2024-36350 (TSA-SQ) and CVE-2024-36357 (TSA-L1).

Maintenance updates

• http-nbd-transfer:
  • Fix missing import exceptions in log files.
  • Fix a potential HA startup failure with LINSTOR.
• xo-lite: update to 0.12.1
  • [Charts] Fix tooltip overflow when too close to the edge
  • [Host/VM/Dashboard] Fix timestamp on some charts

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• amd-microcode: 20250626-1.1.xcpng8.3
• http-nbd-transfer: 1.7.0-1.xcpng8.3
• xen: 4.17.5-15.1.xcpng8.3
• xo-lite: 0.12.1-1.xcpng8.3

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

~2 days.

We're not yet familiar with Netdata Cloud. Could you describe your requirements in more detail? What are you trying to accomplish?

The installation and use of third-party packages for XCP-ng is described in the following documentation: https://docs.xcp-ng.org/management/additional-packages/

We currently offer a version of Netdata in our repositories, but as a best-effort support option.

If you install a version from another source, this is not supported by us. You must therefore be careful to ensure that what you install does not overwrite or modify packages already present and used by XCP-ng. Furthermore, this will not persist during a server upgrade (a major version change, such as from 8.2 to 8.3, for example), and you will need to install it again, taking the same precautions.

Updates published: https://xcp-ng.org/blog/2025/07/03/july-2025-security-and-maintenance-update-for-xcp-ng-8-2-lts/

Thank you for the tests!

Updates published: https://xcp-ng.org/blog/2025/07/03/july-2025-security-and-maintenance-update-for-xcp-ng-8-3-lts/

Thank you for the tests!

New security and maintenance update candidate

A new XSA (Xen Security Advisory) was published on the 1st of July, and an update to Xen addresses it. We also publish other non-urgent updates which we had in the pipe for the next release.

---

Security updates

• xen-*:
  • Fix XSA-470 - An unprivileged guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host.

Maintenance updates

• http-nbd-transfer: moved some logs into debug to reduce log spam
• sm:
  • XOSTOR: avoid a rare migration error when the GC would run on our migration snapshot
  • Use GC daemon code for LINSTOR like other drivers (no changes for users)
    This updated package is already included in the refreshed 8.3 installation ISOs.
• xapi:
  • Fix remote syslog configuration being broken on updates
  • Fix several RRD (stats collection) issues and make the plugins more robust:
    • Cap Derive values within a certain range without making them NaN
    • Use a computed delay time for RRD loop to prevent gaps in metrics collection
    • Avoid duplicating datasources on plugin restore
    • Protect against a resource leak in the plugins
    • Avoid running out of mmap-ed pages in xcp-rrdd-cpu for large numbers of domains
    • Prevent exceptions from escaping and introducing gaps into metrics collection
    • Avoid missing metrics from new and destroyed domains
  • Prevent xapi concurrent calls during migration from indirectly make each other fail (already fixed in the refreshed ISOs)
  • Fix a deadlock in xenopsd due to atom nesting (already fixed in the refreshed ISOs)
• xo-lite: update to 0.12.0
  • [VM/system] Display system information in vm/system tab
  • [Host/system] Display system view information in host/system tab
  • [Host/Dashboard] Fix color of tag list (PR #8731)
  • [Table] add pagination on table (PR #8573)
  • [Pool/system] Display pool information in pool/system tab (PR #8660)
  • [VM/Dashboard] Display VM information in dashboard tab (PR #8529)
  • [Tab/Network] Updated side panel in tab network behavior for mobile view (PR #8688)
  • [Stats] Fix graphs that were sometimes not displayed or displayed incorrectly (PR #8722)

Optional packages:

• Alternate Driver: Updated to newer version.
  • broadcom-bnxt-en-alt: Update to version 1.10.3_232.0.155.5

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• http-nbd-transfer: 1.6.0-1.xcpng8.3
• sm: 3.2.12-3.2.xcpng8.3
• xapi: 25.6.0-1.9.xcpng8.3
• xen: 4.17.5-13.2.xcpng8.3
• xo-lite: 0.12.0-1.xcpng8.3

Optional packages:

• Alternate drivers:
  • broadcom-bnxt-en-alt: 1.10.3_232.0.155.5-1.xcpng8.3

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

~2 days.

New security and maintenance update candidate

A new XSA (Xen Security Advisory) was published on the 1st of July, and an update to Xen addresses it. We also publish other non-urgent updates which we had in the pipe for the next release.

---

Security updates

• xen-*:
  • Fix XSA-470 - An unprivileged guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host.

Maintenance updates

• openssh: fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The Default value has not changed: "no")
• samba: fix low priority CVEs on client side.
• xcp-ng-release: this update adds a certificate to resolve a TLS handshake error, particularly when deploying xoa.io.

Test on XCP-ng 8.2

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• openssh: 7.4p1-23.3.2.xcpng8.2
• samba: 4.10.16-25.el7_9
• xcp-ng-release: 8.2.1-16
• xen: 4.13.5-9.49.2.xcpng8.2

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

~2 days.

@TrapoSAMA No, as with 8.2, this isn't something displayed in the console.
Since it doesn't indicate that an updated 8.2 is actually 8.2.1, only the major version is displayed. We have the same behavior here.

However, as with many other products, this is clearly displayed on the XCP-ng homepage, in addition to the announcement on the blog.

This will be three months after the official release of 8.3 LTS.

The release should take place in a few days when we release the ISO currently available for testing.

It's what is described in the "What to expect" part of the blogpost given above:

Guaranteed overlap period – There will be at least three months where both XCP-ng 8.2.1 and XCP-ng 8.3 LTS will be supported simultaneously, ensuring organizations can transition smoothly.

@ph7 As David mentioned, the security updates were released yesterday. They are no longer in the candidates repository, but in the updates repository.

Note that the updates in the testing repository have not yet been released. They include a more recent version of the XAPI. This could explain why you can no longer migrate this VHD between your test and production environments.

Are you trying to perform a live migration or with the VM powered off?

This is not an XO behavior, but rather a Xapi behavior, and therefore a XCP-ng behavior.

When you join a host to a pool, the administrator password for the joining host is automatically changed to match the administrator password of the pool master.

Source

From a security perspective, this isn't a risk, because when you run a command on any of the hosts in a pool, the master responds. So, as long as you're connected to a pool member, you have access to the entire pool via xe commands.

@HenrikSchmidt We don't currently offer regular ISO builds. The most recent ISOs are available.

The driver you're talking about is integrated into the kernel, and to my knowledge, there are no updates for it at the moment. @Andrew is currently working on an alternate driver package, but the PR seems to be waiting for his response.

This type of driver can be loaded at the beginning of the installation with an ISO by pressing F9 when the menu prompts. You can then load an additional driver for the installation, and install it on the future system later in the procedure when prompted.

As this is not an issue with the latest updates, I suggest you create a dedicated thread. This would give you better visibility and help from the community on this issue.