XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login
    1. Home
    2. john.c
    J Offline
    • Profile
    • Following 0
    • Followers 1
    • Topics 16
    • Posts 398
    • Groups 0

    john.c

    @john.c

    104
    Reputation
    110
    Profile views
    398
    Posts
    1
    Followers
    0
    Following
    Joined
    Last Online
    [[user:location]] United Kingdom

    john.c Unfollow Follow
    • RE: WORM Backups with XCP-ng / Xen Orchestra - Seeking Solutions & Experience

      @SylvainB said in WORM Backups with XCP-ng / Xen Orchestra - Seeking Solutions & Experience:

      Hello everyone,

      I'm exploring options for implementing WORM (Write Once, Read Many) capabilities for my backups within my XCP-ng environment, specifically using Xen Orchestra.

      My current setup:

      • XCP-ng Version: 8.3
      • Xen Orchestra Version: 5.106.4 (Stable)
      • Intended Backup Target: Synology NAS

      My primary goal is to ensure that my backup data, once written, becomes immutable for a defined retention period, offering protection against accidental deletion or ransomware attacks.

      My questions are:

      1. Does Xen Orchestra offer any native WORM features or integrations that I might be overlooking for its backup jobs?
      2. If not directly, has anyone successfully implemented WORM backups with a similar perimeter (XCP-ng, Xen Orchestra, and potentially a Synology NAS or other storage solution)? I'm very interested in learning about your setup, the specific technologies you used (e.g., storage features, specific configurations), and any lessons learned or best practices.

      Any insights, architectural recommendations, or shared experiences would be highly valuable.

      Thank you in advance for your help!

      Best regards,

      SylvainB

      You can setup in the Synology its WriteOnce feature, then configure the appropriate configuration settings, including retention ones.

      This will prepare the appropriate WORM environment you’re looking for. It will work well due it being the equivalent to Vates solution and/or the S3 based one.

      https://kb.synology.com/en-in/search?tags[]=WriteOnce

      posted in Backup
      J
      john.c
    • RE: Hosts compatibility

      @wtdrisco said in Hosts compatibility:

      As I am starting to build an environment for testing to replace VMWare, I had a question related to hardware.

      When setting up multiple hosts, do these need to match the same specs (like VMWare?) for HA (moving VMs from host to host)?

      I have several DELL R series servers, and some do not have the exact same CPU model or one has less memory than the other.

      When setting up (HOST POOLS??) if I needed to migrate VMs, will this support different host configurations?

      If the the hosts don't match by close enough, especially if their capabilities (e.g. instruction sets) and specifications. Then in the case of capabilities then the non-matching ones will be suppressed by XCP-ng so that they all match. Also when migrating the specifications, of hosts really need to match so that when VMs are placed on the hosts. There's no issues when live migrating between the each of the pool member hosts.

      As the VMs expect at least a certain number of cores dependent on the hosts, and the number specified per each VM. If this number isn't met then that VM can't migrate to a specific host, which don't meet or exceed it.

      posted in Hardware
      J
      john.c
    • RE: XCP-ng 8.3 betas and RCs feedback 🚀

      @ThierryC01 said in XCP-ng 8.3 betas and RCs feedback 🚀:

      @bleader Update successful, no issue so far. There is just a message appearing when starting the update: "Delta RPMs disabled because /usr/bin/applydeltarpm not installed."

      All VM working for now.

      That's harmless. It's just notifying that the system doesn't have deltarpm package installed. This package reduces the size of updates based on what's already installed.

      posted in News
      J
      john.c
    • RE: First SMAPIv3 driver is available in preview

      @still_at_work said in First SMAPIv3 driver is available in preview:

      Hello @olivierlambert ,

      I am joining this topic as I have a few questions about SMAPIv3:

      • Will it allow provisioning of VDIs larger than 2TB?

      • Will it enable thin provisioning on iSCSI SRs?

      Currently, the blockers I encounter are related to my iSCSI storage. This is a major differentiating factor compared to other vendors, and resolving these blockers would significantly increase your market share.

      Thanks !

      @still_at_work The size limit of the VDI is due to the file format used for these, which is VHD (https://en.wikipedia.org/wiki/VHD_(file_format)). This format can't support more than 2TB, it's known about and are dealing with the issue. It will likely result in a change or addition of a new VDI format likely to be qcow2 unless necessary software for VHDX format is fully open sourced and software for Xen is created which enables create, read, write and use of this format.

      It's not a limitation of iSCSI as it also emerges with both NFS and SMB based connections.

      posted in Development
      J
      john.c
    • RE: Tips on installing XO

      @jasonnix The Linux distribution operating system restricts certain commands, operations and/or path (location) to the root account, as well as the location owner.

      The path your trying to write to is just one such location as the location is read only to non-root users. If you really wish to write to /usr/local/src then root account is required.

      If you use the root account to install then the directory and the Xen Orchestra files will be owner by root. You would need to create a non-root user for the xen orchestra server process. As well as change ownership of the Xen Orchestra files and folders to that non-root account. Though at least the ones which Xen Orchestra should be able to modify as required, when needed.

      As well as provide the necessary sudo permissions for the necessary commands to that account.

      Using root account to run exposes any vulnerabilities present to the capacity of being exploited as root (aka Administrator) privileges.

      Also how good is your internet connection and your connection to GitHub? Cause you could be experiencing a time out packet loss connection issue.

      posted in Xen Orchestra
      J
      john.c
    • RE: 🛰️ XO 6: dedicated thread for all your feedback!

      @Octopuss said in 🛰️ XO 6: dedicated thread for all your feedback!:

      @olivierlambert Well ok, it's just that last time I tried to ask about stuff I was politely told off because I used the installation script instead of paying (that's not the literal formulation but it's basically what the person responding meant).

      I know nothing about any blogs, I just check the main xcp website (FFS I am not even allowed to post links, what a forum...) from time to time, so I have no idea. I just updated the admin interfce for the first time since moving over from ESXi, and was puzzled why it looked the same as the "castrated" lite version when previously (which means v5, apparently) it was full of features. I had no idea it wasn't a completed product.

      TL;DR: I am just an idiot who installed this few months ago and has no idea about the details. shrug

      You were told off if the script was 3rd party because officially, the scripts may have made changes to the Xen Orchestra source code prior to compilation. They have a set of steps, for building from source which are able to receive support in the forums for. Anyway getting paid support if an organisation is best as their pro support is top notch!

      With the blogs which are being referred to are under the “News” links. Which detail releases and other news worthy information.

      You can post links but it does take some work, also make sure you’ve read the rules, also going through the introduction training which a forum function bot runs. Doing this will eventually earn you more access and feature functionality. It’ll help you get used to the forums functions.

      The XO 6 is a minimum viable product currently, but is growing from there as features from v5 transitions to v6. If there’s features missing from v5 and v6 that are needed please enter them on the Feedback portal, so they can be voted on. It’s link is in several XOA update and release news posts (especially 6.0 and 6.1).

      Read both these posts along with others along the way, it will help you get caught up on all of the Xen Orchestra releases and updates.

      posted in Xen Orchestra
      J
      john.c
    • RE: XOA letsencrpyt module not setting acmeDomain

      @olivierlambert I created the issue on GithHub. https://github.com/vatesfr/xen-orchestra/issues/7884

      posted in Advanced features
      J
      john.c
    • RE: XOA letsencrpyt module not setting acmeDomain

      @peb2 said in XOA letsencrpyt module not setting acmeDomain:

      Hello,

      I'm new to Xen and XOA (migrating from Vmware) and I was wondering if anyone could help me with a problem.

      I'm trying to use the Letsencrypt module as specified in:

      https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/mixins/docs/SslCertificate.md?ref=xen-orchestra.com

      However, the XOA doesn't seem to be passing the variable for 'acmeDomain' so I get a certificate without a CN.

      Has anyone else seen this problem or know what my mistake may be?

      Here's my /etc/xo-server/config.toml:

      #=====================================================================
      
      # HTTP proxy configuration used by xo-server to fetch resources on the
      # Internet.
      #
      # See: https://github.com/TooTallNate/node-proxy-agent#maps-proxy-protocols-to-httpagent-implementations
      #httpProxy = 'http://jsmith:qwerty@proxy.lan:3128'
      
      # Configuration of the embedded HTTP server.
      [http]
      # If set to true, all HTTP traffic will be redirected to the first
      # HTTPs configuration.
      
      redirectToHttps = true
      
      # Basic HTTP.
      [[http.listen]]
      # Port on which the server is listening on.
      port = 80
      
      
      # Basic HTTPS.
      [https]
      #
      # You can find the list of possible options there https://nodejs.org/docs/latest/api/tls.html#tls.createServer
      #
      # The only difference is the presence of the certificate and the
      # key.
      
      hostname = '0.0.0.0'
      
      [[http.listen]]
      port = 443
      
      # Whether to autogenerate a self signed certificate if the `cert` and `file`
      # entries could not be found.
      #
      # Default: true
      #autoCert = false
      autoCert = true
      
      # File containing the certificate (PEM format).
      #
      # If a chain of certificates authorities is needed, you may bundle
      # them directly in the certificate.
      #
      # Note: the order of certificates does matter, your certificate
      # should come first followed by the certificate of the above
      # certificate authority up to the root.
      #cert = '/etc/ssl/cert.pem'
      cert = '/etc/ssl/xoa.cert.pem'
      
      # File containing the private key (PEM format).
      #
      # If the key is encrypted, the passphrase will be asked at
      # server startup.
      #key = '/etc/ssl/key.pem'
      key = '/etc/ssl/xoa.key.pem'
      
      # ACME (e.g. Let's Encrypt, ZeroSSL) CA directory
      #
      # Specifies the URL to the ACME CA's directory.
      #
      # A identifier `provider/directory` can be passed instead of a URL, see the
      # list of supported directories here: https://www.npmjs.com/package/acme-client#directory-urls
      #
      # Note that the application cannot detect that this value has changed.
      #
      # In that case delete the certificate and the key files, and restart the
      # application to generate new ones.
      #
      # Default is 'letsencrypt/production'
      acmeCa = 'zerossl/production'
      
      # Domain for which the certificate should be created.
      #
      # This entry is required.
      acmeDomain = 'xoa.mydomain.com'
      
      # Optional email address which will be used for the certificate creation.
      #
      # It will be notified of any issues.
      acmeEmail = 'myemail@mydomain.com'
      

      The acmeDomain needs to be the actual Fully Qualified Domain Name (FQDN) which XOA uses. Also some verification and/or validation will need to be added either as a text file to the XOA appliance (in a web accessible directory) or as a DNS text record for XOA FQDN.

      Also update the acmeEmail so its the actual email to be used for receiving the notification of issues. These don't look valid to me this is critical for them to be real, active and valid as the ACME Client uses these to send the certificate requests and renewals to the certificate authority!!

      posted in Advanced features
      J
      john.c
    • RE: Install XCP-ng in old HP ProLiant DL160 G6 (gen 6)

      @Statitica said in Install XCP-ng in old HP ProLiant DL160 G6 (gen 6):

      @ilu said in Install XCP-ng in old HP ProLiant DL160 G6 (gen 6):

      @nick.lloyd Thankyou...i'll try the last version, reading forums people says HP was problematic, thats why i was asking for help.

      Runs fine on my HP hardware, and was pretty easy to install.

      @john.c said in Install XCP-ng in old HP ProLiant DL160 G6 (gen 6):

      @ilu Though note that XCP-ng 8.3.0 when it goes LTS, will be getting a fix for the 2TB VDI limit. This will allow you to handle VMs which have large, disks.

      You have a source for this? IIRC, the fix the the 2TB limit will fix a few other storage limitations too so I'm keen to know more.

      https://xcp-ng.org/blog/2025/03/14/the-future-of-xcp-ng-lts/

      posted in XCP-ng
      J
      john.c
    • RE: 8.3 USB Passthrough - Win Server 2019 BSOD

      @andsmith said in 8.3 USB Passthrough - Win Server 2019 BSOD:

      @dinhngtu Sorry, I failed to mention this is a Windows Server 2019 VM, it appears that Windbg is a Windows 10/11 application. I've googled installing on Server 2019, but haven't had any luck getting it installed.

      Update the AppX Package Deployment software via Microsoft Store or its equivalent in Windows Server 2019. Then once winget is updated (or installed) run the following command:

      winget install Microsoft.WinDbg

      @olivierlambert If this works for andsmith then it may be worth documenting this, for future users of Windows Server 2019, 2022 and possibly if required the upcoming Windows Server 2025.

      posted in XCP-ng
      J
      john.c
    • RE: Xen 8.2 isos

      @TrapoSAMA said:

      @john.c

      I have this iso but how to know what is de package?

      Thx

      It’s going to be an msi installer package or on the guest tools iso, which is on the XCP-ng or Xen Server your running likely in Local Storage SR or Shared Storage SR (if moved). Named the same as the file linked to above, likely.

      Anyway did you know that the UEFI SecureBoot certificates (at least one of them from 2011) issued by Microsoft are expiring fully during October 2026. Around that time likely at sometime after then those certificates will be placed into dbx. This means the Windows Server 2012 R2 if operating as a UEFI SecureBoot VM, will if restarted (or reboot following a crash), fail to boot.

      So your client will go from having a working app that they can use, but not upgrade at the moment to one which won’t work and can’t be used! They really need to upgrade or migrate from Windows to Linux (released during 2025 or 2026) along with the app if needed. Alternatively upgrade to Windows Server 2022 or 2025 and the app!

      posted in Off topic
      J
      john.c
    • RE: Xen 8.2 isos

      @TrapoSAMA said:

      @john.c

      Oh yes!! but client have still working app and cant upgrade in this moment! 😧

      An instance of that agent maybe held in the contents of one of the XenServer installation media, with a compatible old enough version of the agent compared to current. Though running such old versions, may mean you end up running vulnerable versions of any drivers needed.

      Plus they also have the situation where they can’t, benefit from major improvements. For one thing the highly performing and memory safe agents.

      7.2.x guest agent can be found here http://downloadns.citrix.com.edgesuite.net/14644/managementagentx64.msi

      8.x guest agent is in the 8.2.x Xen Server media, so if you have a copy of the ISO, or on an optical disk then it can be found there!

      posted in Off topic
      J
      john.c
    • RE: Xen 8.2 isos

      @TrapoSAMA said:

      @john.c

      Hello! in this moment i'm working with XCP 8.3 in a DL360G7. Is running good, but some systems are legacy like 2008R2 o 2012R2 and cant migrate for now to new versions. Then i need xentools compatible, but i dont find any alternative download site.

      or xcp tools work fine with this old windows ? i dont test tools in this moment for many reason 😉

      Thx

      Unfortunately not for anything older than Windows Server 2016 and Windows 10. However Windows Server 2008 R2 and Windows Server 2012 R2, need the Xen Tools, but are also EOL operating systems. Additional support is completely gone for Windows Server 2008 R2 from Microsoft, still available for now for Windows Server 2012 R2, however also disappears during October 2026.

      Your legacy systems are in a potential state of increasing vulnerability and/or security risk. Someway of upgrading or migrating them needs to be found.

      posted in Off topic
      J
      john.c
    • RE: Xen 8.2 isos

      @TrapoSAMA said:

      Hi Teddy,

      I was referring to version 8.2 specifically Citrix and its patches.

      However, having the various versions of XenTools for some older Windows systems would also be useful. Would that be possible?

      thx

      Are there any reason your still on Xen Server 8.2 as it went EOL during last year, and no longer receives any updates? It may be time to upgrade to a newer version of that product, or better yet migrate to XCP-ng version 8.3.0 LTS. Which is under current support and will be that way until 2028 unless obtained with ELTS for when it goes EOL!

      If you migrate to XCP-ng 8.3.0 LTS you can also switch the agents, to the open source rust based agents which do the same job.

      posted in Off topic
      J
      john.c
    • RE: XenOrchestra not showing VM Disks on Pool (on single Server working) - XCP-ng Center is showing them

      @kagbasi-wgsdac said:

      @poddingue Bug report filed as requested — https://github.com/xcp-ng/xcp/issues/825 — and tagging @Team-Storage per your suggestion.

      Full evidence bundle is attached to the issue (versions, sweep output, vhd-util vs xe comparison, SMlog). Summary of what I found:

      One correction to the mechanism, and I think it matters. The recap describes is-a-snapshot being flipped to true. On my system that isn't what's happening — is-a-snapshot is false on every affected VDI. The field being wrongly written is snapshot-of, which is getting populated on base disks that aren't snapshots at all. XO's disappearing-disks symptom is consistent with either (it filters on a non-empty snapshot-of), but if the storage team is hunting for a bad is-a-snapshot write, that may be the wrong field. Every affected VDI here looks like:

      is-a-snapshot: false      <-- correct
      snapshot-of:   <populated with an unrelated VDI's UUID>   <-- wrong
      

      A VDI that is a snapshot of itself. The clearest single artifact:

      uuid:          806f7f42-083f-4a40-b3f1-0700d00bab5a
      name-label:    WinSrv2022SHB_Disk1_Data
      is-a-snapshot: false
      snapshot-of:   806f7f42-083f-4a40-b3f1-0700d00bab5a   <-- itself
      snapshot-time: 20260709T11:19:15Z
      sm-config:     vhd-parent: c86e3247-...   <-- bears no relation to the snapshot-of value
      

      No valid code path produces snapshot-of = self. Whatever writes this field isn't validating the target.

      It's still actively corrupting new VDIs — this is not just legacy damage. That self-referential VDI was created 2026-07-09, a week after my patch + reboot. Sweeps 9 days apart went from ~180 → 191 affected VDIs on one SR, and a fourth anchor UUID appeared that didn't exist in the first sweep. Newly created VHDs keep landing in the affected set. So "stop it happening again" is the urgent half of the two-part fix, at least in my case.

      The bogus targets cluster onto a tiny anchor set, and the anchors point at each other:

      Count Anchor
      97 937c3945 (→ a893fdb4)
      50 a893fdb4 (→ ea150883)
      37 ea150883
      7 806f7f42 (→ itself, new since Jul 9)

      That looks less like corrupted lineage and more like the field being filled from an incorrect/uninitialised source.

      On-disk VHDs are completely healthy. vhd-util check says valid, parent locators are consistent, GC reports no work. The two VDIs the DB calls parent/child are, on disk, siblings under a common parent. The corruption is purely in the XAPI database — which is good news for recoverability.

      The VDI_IN_USE is not a real lock. current-operations is empty, xe task-list is empty, no tapdisk holds it. VM.start fails because it's walking a snapshot relationship that doesn't exist on disk. Reproduces from xe on the pool master with XO entirely out of the path — which is why I filed against xcp-ng/xcp rather than the XO tracker.

      Versions: XCP-ng 8.3.0, xapi 26.1.11 (xapi-core-26.1.11-1.2), sm-3.2.12-17.9, sm-fairlock-3.2.12-17.9, blktap 3.55.5-9.1, build 20260618.

      I have not attempted to bulk-clear the fields — on-disk data is intact and I'd rather not do a mass write against the XAPI DB on a live SR without guidance. Backing store snapshotted as a safety net.

      Happy to run whatever diagnostics would help. And +1 to the hand-grenade feeling — the affected set growing on its own is the part that worries me.

      Has this issue been validated on a storage server built around Debian 13, LVM and ext4 or just TrueNAS when connected to XCP-ng version 8.3.0. As part of the XAPI DB corruption. Can anyone answer this please or give a clue?

      posted in Xen Orchestra
      J
      john.c
    • RE: 🛰️ XO 6: dedicated thread for all your feedback!

      @pdonias @julienxovates I’ve made an issue and PR to update the documentation so it’s in sync with the current status of XCP-ng release version 8.3.0. Namely that it’s now a Long Term Support (LTS) release following being a semi rolling or standard release with new features being added.

      https://github.com/vatesfr/xen-orchestra/issues/10091

      posted in Xen Orchestra
      J
      john.c
    • RE: ACL Permissions to CPU Topology on Self-Service Resource Set

      @dvdwx said:

      Hi
      Anyone already tried to review why Users with User permission cannot have the topology menu to edit on their Self-Service resource page? the have admin permission on their self service resource set but cannot edit this setting:
      620b892c-4c04-47ca-8425-064dbceee3e8-image.jpeg
      28d03549-b715-44b6-966f-5d4a5a905825-image.jpeg
      If i log with and full admin account on Xen Orchestra it can be edited:
      b4af0d96-e6c9-4aec-bd23-5b0869b9b31a-image.jpeg

      We are using an HA Pool with 2 hosts to LAB for our NOC/SOC team.

      I already tried to create an ACL with user/tag/group with advanced permission but it release a full permission on the pool and it cannot be delivered to the team.

      if anyone know a workaround to fix it.. I appreciate that.

      As RBAC ACL is implemented for Xen Orchestra 6 you’ll likely find this more possible than currently on Xen Orchestra 5.

      posted in Management
      J
      john.c
    • RE: PCIe Pass-through lanes and lane performance

      Is there anything mentioned in the motherboard or service manuals, about where if one PCIe slot is occupied another is running at reduced speed when occupied?

      Something like this is in the manual for a Gigabyte B450 Aorus Elite (Rev 1.0) motherboard, for example. Can be in yours, somewhere written on one of its pages.

      posted in Compute
      J
      john.c
    • RE: XOA Updater fails

      @andibing said:

      I'm seeing this on XOA:

      xoa@xoa:~$ sudo xoa-updater --upgrade
      ✖ { message: 'missing string at offset 151' }
      xoa@xoa:~$
      

      Unless the sun has got to me, I don't seen any other references to this error. And Gemini was confused too!

      Any thoughts?

      Can you please run “df -h” to start? If either / or /tmp/xoa-updater are low on space please increase disk space or run a clean up. The disk space on the VM and/or the SR may be too low, for the update to succeed.

      The XOA update metadata cache may have become corrupted and need to be cleared, before re-attempting the update. Checking the logs will help to determine if that’s the case.

      posted in Xen Orchestra
      J
      john.c
    • RE: PCIe Pass-through lanes and lane performance

      @JamesG said:

      @anglerfish27 Supermicro H12SSL-i

      I've dabbled with some PCIe settings, but I'm not really getting anywhere.

      Here's a link to the manual:

      https://www.supermicro.com/manuals/motherboard/EPYC7000/MNL-2314.pdf

      Thanks!

      Enable the SVM option will initialise the virtualisation settings automatically. As well as the SR-IOV settings, there’s going to other things need doing in XOA, to configure the necessary settings so that GPU can be passed through to the VM.

      posted in Compute
      J
      john.c