XCP-ng

    john.c

    Location United Kingdom


    Best posts made by john.c

    • RE: WORM Backups with XCP-ng / Xen Orchestra - Seeking Solutions & Experience

      @SylvainB said in WORM Backups with XCP-ng / Xen Orchestra - Seeking Solutions & Experience:

      Hello everyone,

      I'm exploring options for implementing WORM (Write Once, Read Many) capabilities for my backups within my XCP-ng environment, specifically using Xen Orchestra.

      My current setup:

      • XCP-ng Version: 8.3
      • Xen Orchestra Version: 5.106.4 (Stable)
      • Intended Backup Target: Synology NAS

      My primary goal is to ensure that my backup data, once written, becomes immutable for a defined retention period, offering protection against accidental deletion or ransomware attacks.

      My questions are:

      1. Does Xen Orchestra offer any native WORM features or integrations that I might be overlooking for its backup jobs?
      2. If not directly, has anyone successfully implemented WORM backups with a similar perimeter (XCP-ng, Xen Orchestra, and potentially a Synology NAS or other storage solution)? I'm very interested in learning about your setup, the specific technologies you used (e.g., storage features, specific configurations), and any lessons learned or best practices.

      Any insights, architectural recommendations, or shared experiences would be highly valuable.

      Thank you in advance for your help!

      Best regards,

      SylvainB

      You can set up the WriteOnce feature on the Synology, then configure the appropriate settings, including the retention ones.

      This will prepare the appropriate WORM environment you’re looking for. It will work well due to it being the equivalent of the Vates solution and/or the S3-based one.

      https://kb.synology.com/en-in/search?tags[]=WriteOnce

      posted in Backup
      john.c
    • RE: Hosts compatibility

      @wtdrisco said in Hosts compatibility:

      As I am starting to build an environment for testing to replace VMWare, I had a question related to hardware.

      When setting up multiple hosts, do these need to match the same specs (like VMWare?) for HA (moving VMs from host to host)?

      I have several DELL R series servers, and some do not have the exact same CPU model or one has less memory than the other.

      When setting up (HOST POOLS??) if I needed to migrate VMs, will this support different host configurations?

      If the hosts don't match closely enough, especially in their capabilities (e.g. instruction sets) and specifications, then in the case of capabilities the non-matching ones will be suppressed by XCP-ng so that they all match. Also, when migrating, the specifications of the hosts really need to match, so that when VMs are placed on the hosts there are no issues when live migrating between each of the pool member hosts.

      The VMs expect at least a certain number of cores, dependent on the hosts and the number specified for each VM. If this number isn't met, then that VM can't migrate to a specific host which doesn't meet or exceed it.

      posted in Hardware
      john.c
    • RE: XCP-ng 8.3 betas and RCs feedback 🚀

      @ThierryC01 said in XCP-ng 8.3 betas and RCs feedback 🚀:

      @bleader Update successful, no issue so far. There is just a message appearing when starting the update: "Delta RPMs disabled because /usr/bin/applydeltarpm not installed."

      All VM working for now.

      That's harmless. It's just notifying that the system doesn't have the deltarpm package installed. This package reduces the size of updates based on what's already installed.

      posted in News
      john.c
    • RE: First SMAPIv3 driver is available in preview

      @still_at_work said in First SMAPIv3 driver is available in preview:

      Hello @olivierlambert ,

      I am joining this topic as I have a few questions about SMAPIv3:

      • Will it allow provisioning of VDIs larger than 2TB?

      • Will it enable thin provisioning on iSCSI SRs?

      Currently, the blockers I encounter are related to my iSCSI storage. This is a major differentiating factor compared to other vendors, and resolving these blockers would significantly increase your market share.

      Thanks !

      @still_at_work The size limit of the VDI is due to the file format used for these, which is VHD (https://en.wikipedia.org/wiki/VHD_(file_format)). This format can't support more than 2TB; it's known about and is being dealt with. It will likely result in a change or addition of a new VDI format, likely to be qcow2, unless the necessary software for the VHDX format is fully open sourced and software for Xen is created which enables the create, read, write and use of this format.

      It's not a limitation of iSCSI as it also emerges with both NFS and SMB based connections.

      posted in Development
      john.c
    • RE: Tips on installing XO

      @jasonnix The Linux distribution operating system restricts certain commands, operations and/or paths (locations) to the root account, as well as the location owner.

      The path you're trying to write to is just one such location, as the location is read-only to non-root users. If you really wish to write to /usr/local/src then the root account is required.

      If you use the root account to install, then the directory and the Xen Orchestra files will be owned by root. You would need to create a non-root user for the Xen Orchestra server process, as well as change ownership of the Xen Orchestra files and folders to that non-root account. Though at least the ones which Xen Orchestra should be able to modify as required, when needed.

      As well as provide the necessary sudo permissions for the necessary commands to that account.

      Using the root account to run it exposes any vulnerabilities present to being exploited with root (aka Administrator) privileges.

      Also how good is your internet connection and your connection to GitHub? Cause you could be experiencing a time out packet loss connection issue.

      posted in Xen Orchestra
      john.c
    • RE: XOA letsencrpyt module not setting acmeDomain

      @olivierlambert I created the issue on GitHub. https://github.com/vatesfr/xen-orchestra/issues/7884

      MrGrymReaper created this issue in vatesfr/xen-orchestra

      open xo-server fix: Update acme-client npm and introduce support for External Account Binding (EAB) #7884

      posted in Advanced features
      john.c
    • RE: XOA letsencrpyt module not setting acmeDomain

      @peb2 said in XOA letsencrpyt module not setting acmeDomain:

      Hello,

      I'm new to Xen and XOA (migrating from Vmware) and I was wondering if anyone could help me with a problem.

      I'm trying to use the Letsencrypt module as specified in:

      https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/mixins/docs/SslCertificate.md?ref=xen-orchestra.com

      However, the XOA doesn't seem to be passing the variable for 'acmeDomain' so I get a certificate without a CN.

      Has anyone else seen this problem or know what my mistake may be?

      Here's my /etc/xo-server/config.toml:

      #=====================================================================
      
      # HTTP proxy configuration used by xo-server to fetch resources on the
      # Internet.
      #
      # See: https://github.com/TooTallNate/node-proxy-agent#maps-proxy-protocols-to-httpagent-implementations
      #httpProxy = 'http://jsmith:qwerty@proxy.lan:3128'
      
      # Configuration of the embedded HTTP server.
      [http]
      # If set to true, all HTTP traffic will be redirected to the first
      # HTTPs configuration.
      
      redirectToHttps = true
      
      # Basic HTTP.
      [[http.listen]]
      # Port on which the server is listening on.
      port = 80
      
      
      # Basic HTTPS.
      [https]
      #
      # You can find the list of possible options there https://nodejs.org/docs/latest/api/tls.html#tls.createServer
      #
      # The only difference is the presence of the certificate and the
      # key.
      
      hostname = '0.0.0.0'
      
      [[http.listen]]
      port = 443
      
      # Whether to autogenerate a self signed certificate if the `cert` and `file`
      # entries could not be found.
      #
      # Default: true
      #autoCert = false
      autoCert = true
      
      # File containing the certificate (PEM format).
      #
      # If a chain of certificates authorities is needed, you may bundle
      # them directly in the certificate.
      #
      # Note: the order of certificates does matter, your certificate
      # should come first followed by the certificate of the above
      # certificate authority up to the root.
      #cert = '/etc/ssl/cert.pem'
      cert = '/etc/ssl/xoa.cert.pem'
      
      # File containing the private key (PEM format).
      #
      # If the key is encrypted, the passphrase will be asked at
      # server startup.
      #key = '/etc/ssl/key.pem'
      key = '/etc/ssl/xoa.key.pem'
      
      # ACME (e.g. Let's Encrypt, ZeroSSL) CA directory
      #
      # Specifies the URL to the ACME CA's directory.
      #
      # A identifier `provider/directory` can be passed instead of a URL, see the
      # list of supported directories here: https://www.npmjs.com/package/acme-client#directory-urls
      #
      # Note that the application cannot detect that this value has changed.
      #
      # In that case delete the certificate and the key files, and restart the
      # application to generate new ones.
      #
      # Default is 'letsencrypt/production'
      acmeCa = 'zerossl/production'
      
      # Domain for which the certificate should be created.
      #
      # This entry is required.
      acmeDomain = 'xoa.mydomain.com'
      
      # Optional email address which will be used for the certificate creation.
      #
      # It will be notified of any issues.
      acmeEmail = 'myemail@mydomain.com'
      

      The acmeDomain needs to be the actual Fully Qualified Domain Name (FQDN) which XOA uses. Also, some verification and/or validation will need to be added, either as a text file on the XOA appliance (in a web-accessible directory) or as a DNS text record for the XOA FQDN.

      Also update the acmeEmail so it's the actual email to be used for receiving the notification of issues. These don't look valid to me; it is critical for them to be real, active and valid, as the ACME Client uses these to send the certificate requests and renewals to the certificate authority!!

      posted in Advanced features
      john.c
    • RE: Install XCP-ng in old HP ProLiant DL160 G6 (gen 6)

      @Statitica said in Install XCP-ng in old HP ProLiant DL160 G6 (gen 6):

      @ilu said in Install XCP-ng in old HP ProLiant DL160 G6 (gen 6):

      @nick.lloyd Thank you... I'll try the last version; reading forums, people say HP was problematic, that's why I was asking for help.

      Runs fine on my HP hardware, and was pretty easy to install.

      @john.c said in Install XCP-ng in old HP ProLiant DL160 G6 (gen 6):

      @ilu Though note that XCP-ng 8.3.0, when it goes LTS, will be getting a fix for the 2TB VDI limit. This will allow you to handle VMs which have large disks.

      You have a source for this? IIRC, the fix for the 2TB limit will fix a few other storage limitations too, so I'm keen to know more.

      https://xcp-ng.org/blog/2025/03/14/the-future-of-xcp-ng-lts/

      posted in XCP-ng
      john.c
    • RE: 8.3 USB Passthrough - Win Server 2019 BSOD

      @andsmith said in 8.3 USB Passthrough - Win Server 2019 BSOD:

      @dinhngtu Sorry, I failed to mention this is a Windows Server 2019 VM, it appears that Windbg is a Windows 10/11 application. I've googled installing on Server 2019, but haven't had any luck getting it installed.

      Update the AppX Package Deployment software via Microsoft Store or its equivalent in Windows Server 2019. Then once winget is updated (or installed) run the following command:

      winget install Microsoft.WinDbg

      @olivierlambert If this works for andsmith then it may be worth documenting this, for future users of Windows Server 2019, 2022 and possibly if required the upcoming Windows Server 2025.

      posted in XCP-ng
      john.c
    • RE: VMs are abruptly getting shutdown

      @lritinfra Are there any entries in the logs on the HPE iLO, as its health monitoring may give you some clues?

      Depending on maintenance for those problematic servers, is it possible to run Intelligent Provisioning and then have it perform the in-depth tests of the Insight Diagnostics tools?

      The Insight Diagnostics tools will test all parts of the system hardware, including drives, memory, storage etc., letting you know about any parts which fail these tests.

      They also test more thoroughly than the non-in-depth tests, so are more likely to ferret out any hardware issues, as long as it's up to date so it can notice any issues if and when firmware on hardware is tested.

      posted in XCP-ng
      john.c

    Latest posts made by john.c

    • RE: A list of events which may be worth attending

      @Marc.pezin said in A list of events which may be worth attending:

      Hello John,

      Thanks a lot for sharing this list of events, we’ll take a look and see which ones best fit our audience and objectives.

      Until now, we’ve mainly focused on events in France or nearby for logistical reasons. In fact, we’ll be at KubeCon + CloudNativeCon in Atlanta next week and it will be our first time in the US.

      Starting next year, as our sales and marketing teams continue to grow, we plan to expand our international presence and join more events abroad, so your suggestions come at a great time.

      Thanks again for the recommendations!

      @Marc.pezin A very good one to target (at minimum) is one of the conferences and trade shows which Bitdefender is attending. They have lots of experience at defending systems against black hats with their services and products, especially 0-day vulnerabilities and malware. A product they develop is designed to defend against malware infections on virtualisation stacks like VMware vSphere, Citrix XenServer and others. If you can meet them during the event, it may give the foundations for a new partnership and/or collaboration!

      posted in Vates
      john.c
    • A list of events which may be worth attending

      Hi,

      I was wondering whether Vates has ever considered attending any of the following trade shows and/or conferences?

      • IoT Tech Expo Global (https://www.iottechexpo.com)
      • RISK London (https://www.grcworldforums.com)
      • Data Centre World (https://www.techshowlondon.co.uk/data-centre-world)
      • Big Data & AI World (https://www.techshowlondon.co.uk/big-data-ai-world)
      • Cloud & AI Infrastructure (https://www.techshowlondon.co.uk/cloud-ai-infrastructure)
      • Cyber Security & Cloud Expo Global 2026 (https://www.cybersecuritycloudexpo.com)
      • DevOps Live London (https://www.techshowlondon.co.uk/dev-ops-live-london)
      • MSP Show (https://www.mspshow.co.uk)
      • Infosecurity Europe (https://www.infosecurityeurope.com)
      • Connected Britain 2026 (https://www.terrapinn.com/conference/connected-britain)
      posted in Vates events vates networking social
      john.c
    • RE: Windows PV Drivers - I have one Win 11 VM with a problem

      @mlcrane said in Windows PV Drivers - I have one Win 11 VM with a problem:

      Ooh flippin' heck. So, I've had the VM "logged in" since midday (UK) just doing nothing at all (in hopes...). I tried the install (8.2.2) again, same result as every other time, EXCEPT...

      This time, after closing the installer, a new dialog popped up telling me about the install.log.

      I don't really see anything "new" in the log (same 1920 error on the service start), so I'm just going to blank it, run the install again to failure, then grab it for here (diagnosis).

      Install.log.txt

      If you haven’t blanked the VM yet, can you check its Event Log - the main Windows logging system? There may be more details about the service that failed to start.

      posted in XCP-ng
      john.c
    • RE: New Rust Xen guest tools

      @yann said in New Rust Xen guest tools:

      @john.c OK, that will be useful when the repo is signed, but for now I don't see what adverse effect it can have. Do I miss something?

      Also we try to avoid breaking support for older OS versions, so we'll likely continue to advertise the old format for older versions of Debian.

      @yann From Debian 13.0.0 (code name Trixie), having repository signing is mandatory. Without it, apt will straight refuse to install, update or upgrade its packages.

      Also, doing it with the deb822 format will help to protect the GPG key used by Vates from abuse by another repository, especially if that repository is hosting malware-laden deb packages, as only the Vates repository can then use that signing key, as defined in the sources file.

      Refusing to install, update or upgrade is an adverse effect, wouldn’t you say?

      posted in Development
      john.c
    • RE: New Rust Xen guest tools

      @yann Though the deb822 format allows for that file, in sources format, to have the signing key tied to that file’s specified repositories. Very important, as it ensures that the key is only used by that repository, unless otherwise specified. The old format typically tends to apply that key to all repositories. So even repositories which shouldn’t use it could; worse, the key was trusted for all repositories by the client.

      In the new format the repositories can have the specific key tied to them, on the client side as well as the server side.

      posted in Development
      john.c
    • RE: worker exited with code 1 and signal null

      Sometimes when asking questions, ChatGPT, as well as hallucinating, can respond with results based on old versions (not updated for an up-to-date code base).

      So if any past in-development or experimental code branch had its code mistakenly released, and then the mistake was found and fixed, it can have found its way into the training data set.

      It can also be an example of training data set poisoning, forcing it to give misleading or mistaken responses, due to it hallucinating as a result.

      posted in Backup
      john.c
    • RE: DevOps Megathread: what you need and how we can help!

      @manilx I have proposed to the IaC team of Vates an MCP Server for Vates VMS, which can be used by GitHub Copilot or similar, if used when doing IaC etc.

      posted in Infrastructure as Code
      john.c
    • RE: XCP-ng 8.3 updates announcements and testing

      @manilx said in XCP-ng 8.3 updates announcements and testing:

      @gduperrey Installed at HomeLab. No issues.
      Running via
      yum clean metadata ; yum update

      You must have been looking forward to this improvement for quite a while. Once it reaches the point where it can be rolled into production, your AMD Epyc servers will get to see a boost, the Linux guests anyway.

      posted in News
      john.c
    • RE: DevOps Megathread: what you need and how we can help!

      @nathanael-h said in DevOps Megathread: what you need and how we can help!:

      @john.c Why not, can you share what would be the first tools to support and your use cases? I assume that if you are working in VSCode you might be using some infrastructure as code, like Terraform or Pulumi or Ansible, aren't you? In this case do you also have some related MCP servers enabled?

      @nathanael-h Pulumi for the infrastructure as code, with the code held on a private GitHub repository.

      To aid in writing the IaC code as well as helping with provisioning VMs etc.

      As well as during development of full stack website projects.

      The appropriate servers are already enabled and configured, for GitHub Copilot use.

      Visual Studio Code with GitHub Copilot.

      posted in Infrastructure as Code
      john.c
    • RE: DevOps Megathread: what you need and how we can help!

      @olivierlambert Another useful item to aid in development processes and IaC operations is, when using GitHub Copilot, an MCP Server which will interface with the Vates VMS stack, so the agent can get context related to requests (queries). That way its responses can be properly grounded in the context of the stack, as well as the configuration and setup of the Vates VMS installation and its available resources.

      Can the IaC team work on this, though it may need other teams' help?

      posted in Infrastructure as Code
      john.c