XCP-ng

    Posts

    • RE: XCP-ng Windows PV tools announcements

      @Greg_E said in XCP-ng Windows PV tools announcements:

      @john.c

      I'll have to update group policy and check that out, would be a time saver. Everything I use is an Enterprise level of some kind, using EDU in production right now, and Pro/Enterprise evaluation in the lab.

      I was looking at running a post imaging script to prevent some of the bloat, but a GPO might be easier.

      You can use Windows ADK to customise the installation media and build a custom ISO. That file can then be placed on your ISO SR. The GPO is especially effective when combined with a custom ISO built using Windows ADK.

      I have tried this myself and it’s very effective doing it this way, the Windows ADK tool is very powerful but will require time to learn. Will save time with all of the extra installations, if you use a custom ISO.

      posted in News
      john.c
    • RE: XCP-ng Windows PV tools announcements

      @Greg_E said in XCP-ng Windows PV tools announcements:

      Just wanted to add a comment:

      Thanks for continuing to release the drivers in an ISO. I was having some slowness with the 9.0.9 versions that are currently included with XCP-ng, this is a new Windows 11 25h2 that I'm working with to prototype a workflow in my lab. I just grabbed the 9.1.x ISO from Github and copied it to my ISO SR and installed. There seems to be a slight performance increase in this Win11 VM. That said, 25h2 is horribly bloated with junk, so much so that I think I'm going to need to strip a bunch out before I put this version into production. This might be a condition for MicroWin customization.

      Or maybe add a couple of things to the LTSC version (we have licensing for this at work).

      Download the full Windows 11 ISO, then use Microsoft Windows ADK to customise it: strip out unwanted parts, including appx provision packages, and slipstream in drivers and/or MSI installers.

      If you're using a high enough edition of Windows 11 version 25H2, don’t forget the new Group Policy option to remove default packages!

      posted in News
      john.c
    • RE: DevOps Megathread: what you need and how we can help!

      @cichy said in DevOps Megathread: what you need and how we can help!:

      Prioritization of VM startup AND shutdown sequencing! PLEASE - in the GUI (XO). So - without code - I can finally shutdown my servers accessing DB's prior to shutting down the DB server vm's themselves thereby saving myself from table corruption. 🙏

      @cichy In the past it was recommended to do this with a vApp and script. However, this means editing the script or configuration file (if one’s created for the script), which doesn’t make it as easy as the method used by VMware ESXi for configuring the order and enabling the capacity.

      Xen Orchestra and/or XCP-ng could really do with a UI (and API) based method of setting up and managing the VM boot and shutdown order.

      posted in Infrastructure as Code
      john.c
    • RE: XCP-ng 8.3 updates announcements and testing

      @stormi said in XCP-ng 8.3 updates announcements and testing:

      📣 IMPORTANT NOTICE!

      After publishing the updates, we discovered a very nasty bug when using the UEFI certificates that we distribute. Long story short, they're too big, and there's only limited space (57K), and combined with a preexisting bug in varstored, this will cause the VM to stop booting after Windows or any other OS attempts to append to the DBX (revocation database).

      We pulled the varstored update, but those who updated can be affected.

      There are conditions for the issue:

      • Existing VMs are not affected, unless you propagated the new certs to them
      • New VMs are affected only if you never installed UEFI certs to the pool yourself (through XOA or secureboot-certs install), or cleared them using secureboot-certs clear in order to use our default certificates.

      If you have the affected version of varstored (rpm -q varstored yields varstored-1.2.0-3.1.xcpng8.3):

      • on every host, downgrade it with yum downgrade varstored-1.2.0-2.3.xcpng8.3. No reboot or toolstack restart required.
      • if you have affected UEFI VMs, that is VMs that meet the conditions above but are not broken yet, don't install updates, turn them off, and fix them by deleting their DBX database: https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/#remove-certificates-from-a-vm. This has to be done when the VM is off. Your OS will add its own DBX afterwards.
      • If you already have broken VMs (this warning reaching you too late), revert to a snapshot or backup. Other ways to fix them will require a patched varstored currently in the making.

      @dinhngtu A little trick for the future when determining whether a user’s system is affected by a bad update based on version, as well as for remediation checks.

      You can use “yum history list <packagename>”, to retrieve transaction IDs. The script can then iterate over the transaction IDs retrieving the package versions.

      The specific transaction info can be retrieved with “yum history info <transaction_id>”. This will enable you to go back much further, thus seeing if remediation is required more easily!!

      posted in News
      john.c
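
The transaction walk suggested in the post above, as an added shell example that is not from the post or from the XCP-ng project. The function names, the `YUM` override and the `fake_yum` stub (with its constructed dates and IDs) are assumptions, and the parsing assumes the yum 3 `history` layout, where the second row of an update or downgrade pair omits the package name.

```shell
#!/bin/bash
# Added example. AFFECTED is the version named in the notice; YUM can point at
# a stub so the parsing can be exercised off-host.
PKG=varstored AFFECTED=1.2.0-3.1.xcpng8.3 YUM=${YUM:-yum}

# IDs from `yum history list <pkg>` (newest first); data rows start "  12 | ...".
txn_ids() {
    "$YUM" history list "$1" 2>/dev/null |
        awk -F'|' 'NF > 1 && $1 ~ /^ *[0-9]+ *$/ { gsub(/ /, "", $1); print $1 }'
}

# Action word yum recorded for version $3 of package $2 in transaction $1.
# Continuation rows ("Update   <ver>") carry no name, so remember the last one.
txn_action() {
    "$YUM" history info "$1" 2>/dev/null | awk -v pkg="$2" -v ver="$3" '
        /^Packages Altered:/ { on = 1; next }
        on && /^[^ ]/        { on = 0 }
        on && NF >= 2 {
            if (index($2, pkg "-") == 1) mine = 1
            else if ($2 !~ /^[0-9]/)     mine = 0
            if (mine && index($2, ver))  print $1
        }'
}

# The newest transaction that mentions AFFECTED decides the verdict.
verdict() {
    local id act
    for id in $(txn_ids "$PKG"); do
        act=$(txn_action "$id" "$PKG" "$AFFECTED" | head -n 1)
        case "$act" in
            Install|Dep-Install|Update) echo "installed in txn $id"; return ;;
            Downgraded|Updated|Erase)   echo "removed in txn $id";   return ;;
        esac
    done
    echo "never installed"
}

# Constructed yum stand-in (shaped like yum 3 output, not captured from a host).
fake_yum() {
    case "$2 $3" in
        "list varstored") printf '%s\n' \
            'ID     | Command line             | Date and time    | Action(s) | Altered' \
            '--------------------------------------------------------------------------' \
            '     9 | downgrade varstored-1.2. | 2025-01-03 09:10 | Downgrade |    1' \
            '     7 | update                   | 2025-01-02 18:40 | I, U      |   31' ;;
        "info 9") printf '%s\n' 'Transaction ID : 9' 'Packages Altered:' \
            '    Downgrade  varstored-1.2.0-2.3.xcpng8.3.x86_64 @xcp-ng-base' \
            '    Downgraded           1.2.0-3.1.xcpng8.3.x86_64 @xcp-ng-updates' ;;
        "info 7") printf '%s\n' 'Transaction ID : 7' 'Packages Altered:' \
            '    Updated varstored-1.2.0-2.3.xcpng8.3.x86_64 @xcp-ng-base' \
            '    Update            1.2.0-3.1.xcpng8.3.x86_64 @xcp-ng-updates' ;;
    esac
}
```

On a host, source the file and call `verdict`; set `YUM=fake_yum` first to run it against the constructed sample, which reports the affected build as removed in transaction 9.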
    • RE: A list of events which may be worth attending

      @Marc.pezin said in A list of events which may be worth attending:

      Hello John,

      Thanks a lot for sharing this list of events, we’ll take a look and see which ones best fit our audience and objectives.

      Until now, we’ve mainly focused on events in France or nearby for logistical reasons. In fact, we’ll be at KubeCon + CloudNativeCon in Atlanta next week and it will be our first time in the US.

      Starting next year, as our sales and marketing teams continue to grow, we plan to expand our international presence and join more events abroad, so your suggestions come at a great time.

      Thanks again for the recommendations!

      @Marc.pezin A very good one to target (at minimum), is one of the conferences and trade shows where Bitdefender is attending. They have lots of experience at defending systems against black hats, with their services and products. Especially 0-Day vulnerabilities and malware. A product they develop is designed to defend against malware infections on virtualisation stacks like VMware vSphere, Citrix XenServer and others. If you can meet them during the event, it may give the foundations for a new partnership and/or collaboration!

      posted in Vates
      john.c
    • A list of events which may be worth attending

      Hi,

      I was wondering whether Vates has ever considered attending any of the following trade shows and/or conferences?

      • IoT Tech Expo Global (https://www.iottechexpo.com)
      • RISK London (https://www.grcworldforums.com)
      • Data Centre World (https://www.techshowlondon.co.uk/data-centre-world)
      • Big Data & AI World (https://www.techshowlondon.co.uk/big-data-ai-world)
      • Cloud & AI Infrastructure (https://www.techshowlondon.co.uk/cloud-ai-infrastructure)
      • Cyber Security & Cloud Expo Global 2026 (https://www.cybersecuritycloudexpo.com)
      • DevOps Live London (https://www.techshowlondon.co.uk/dev-ops-live-london)
      • MSP Show (https://www.mspshow.co.uk)
      • Infosecurity Europe (https://www.infosecurityeurope.com)
      • Connected Britain 2026 (https://www.terrapinn.com/conference/connected-britain)
      posted in Vates events vates networking social
      john.c
    • RE: Windows PV Drivers - I have one Win 11 VM with a problem

      @mlcrane said in Windows PV Drivers - I have one Win 11 VM with a problem:

      Ooh flippin' heck. So, I've had the VM "logged in" since midday (UK) just doing nothing at all (in hopes...). I tried the install (8.2.2) again, same result as every other time, EXCEPT...

      This time, after closing the installer, a new dialog popped up telling me about the install.log.

      I don't really see anything "new" in the log (same 1920 error on the service start), so I'm just going to blank it, run the install again to failure, then grab it for here (diagnosis).

      Install.log.txt

      If you haven’t blanked the VM yet, can you check its Event Log - the main Windows logging system? There may be more details about the service that failed to start.

      posted in XCP-ng
      john.c
    • RE: New Rust Xen guest tools

      @yann said in New Rust Xen guest tools:

      @john.c OK, that will be useful when the repo is signed, but for now I don't see what adverse effect it can have. Do I miss something?

      Also we try to avoid breaking support for older OS versions, so we'll likely continue to advertise the old format for older versions of Debian.

      @yann From Debian 13.0.0 (code name Trixie) having repository signing is mandatory. Without it apt will straight refuse to install, update or upgrade its packages.

      Also, doing it with the deb822 format will help to protect the GPG key used by Vates from abuse by another repository, especially if that repository is hosting malware-laden deb packages, as only the Vates repository can then use that signing key, as defined in the sources file.

      Refusing to install, update or upgrade is an adverse effect, wouldn’t you say?

      posted in Development
      john.c
    • RE: New Rust Xen guest tools

      @yann Though the deb822 format allows for that file, in sources format, to have the signing key tied to that file’s specified repositories. Very important, as it ensures that the key is only used by that repository, unless otherwise specified. The old format typically tends to apply that key to all repositories. So even repositories which shouldn’t use it could; worse, the key was trusted for all repositories by the client.

      In the new format the repositories can have the specific key tied to them, on the client side as well as the server side.

      posted in Development
      john.c
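
The key-to-repository binding discussed in the two deb822 posts above can be checked on a client. The following is an added shell example, not code from the posts or from Vates: it lists apt source entries that carry no `Signed-By` field (deb822 `.sources`) or `signed-by=` option (one-line `.list`). The function names, hostnames and key paths are placeholders constructed for the example.

```shell
#!/bin/bash
# Added example: print "<file>: <URI>" for every apt source entry in directory $1
# that is not bound to a specific key.
unpinned_sources() {
    local dir=$1 f
    for f in "$dir"/*.sources; do          # deb822: stanzas separated by blank lines
        [ -e "$f" ] || continue
        awk -v file="$f" '
            function flush() { if (uris != "" && !pinned) print file ": " uris; uris = ""; pinned = 0 }
            /^[ \t]*$/                  { flush(); next }
            tolower($1) == "uris:"      { uris = $2 }
            tolower($1) == "signed-by:" { pinned = 1 }
            END                         { flush() }' "$f"
    done
    for f in "$dir"/*.list; do             # one-line: deb [options] uri suite components
        [ -e "$f" ] || continue
        awk -v file="$f" '
            $1 == "deb" || $1 == "deb-src" {
                if ($2 ~ /^\[/) {          # an options block is present
                    opts = $0; sub(/^[^[]*\[/, "", opts); sub(/\].*/, "", opts)
                    rest = $0; sub(/^[^]]*\][ \t]*/, "", rest); split(rest, a, " ")
                    if (opts !~ /signed-by=/) print file ": " a[1]
                } else print file ": " $2
            }' "$f"
    done
}

# Constructed sample files written into directory $1 (hosts and key path are placeholders).
make_sample() {
    printf '%s\n' 'Types: deb' 'URIs: https://pinned.example.invalid/deb' \
        'Suites: stable' 'Components: main' \
        'Signed-By: /usr/share/keyrings/example.gpg' > "$1/pinned.sources"
    printf '%s\n' 'Types: deb' 'URIs: https://open.example.invalid/deb' \
        'Suites: stable' 'Components: main' > "$1/open.sources"
    printf '%s\n' 'deb https://legacy.example.invalid/deb stable main' \
        'deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://ok.example.invalid/deb stable main' \
        > "$1/legacy.list"
}
```

Point `unpinned_sources` at `/etc/apt/sources.list.d` on a real client; on the constructed sample it reports `open.sources` and the first line of `legacy.list`.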
    • RE: worker exited with code 1 and signal null

      Sometimes when asked questions, ChatGPT, as well as hallucinating, can respond with results based on old versions (not updated for an up-to-date code base).

      So if any past in-development or experimental code branch had its code mistakenly released, and the mistake was then found and fixed, it can have found its way into the training data set.

      Can also be an example of training data set poisoning, forcing it to give misleading or mistaken responses, due to it hallucinating as a result.

      posted in Backup
      john.c
    • RE: DevOps Megathread: what you need and how we can help!

      @manilx I have proposed to the IaC team of Vates an MCP Server for Vates VMS, which can be used by GitHub Copilot or similar when doing IaC etc.

      posted in Infrastructure as Code
      john.c
    • RE: XCP-ng 8.3 updates announcements and testing

      @manilx said in XCP-ng 8.3 updates announcements and testing:

      @gduperrey Installed at HomeLab. No issues.
      Running via
      yum clean metadata ; yum update

      You must have been looking forward to this improvement for quite a while. Once it reaches the point where it can be rolled into production, your AMD Epyc servers will get to see a boost, the Linux guests anyway.

      posted in News
      john.c
    • RE: DevOps Megathread: what you need and how we can help!

      @nathanael-h said in DevOps Megathread: what you need and how we can help!:

      @john.c Why not, can you share what would be the first tools to support and your use cases? I assume that if you are working in VSCode you might be using some infrastructure as code, like Terraform or Pulumi or Ansible, isn't it? In these cases do you also have some related MCP servers enabled?

      @nathanael-h Pulumi for the infrastructure as code, with the code held on a private GitHub repository.

      To aid in writing the IaC code as well as helping with provisioning VMs etc.

      As well as during development of full stack website projects.

      The appropriate servers are already enabled and configured, for GitHub Copilot use.

      Visual Studio Code with GitHub Copilot.

      posted in Infrastructure as Code
      john.c
    • RE: DevOps Megathread: what you need and how we can help!

      @olivierlambert Another useful item to aid in development processes and IaC operations, when using GitHub Copilot, is an MCP Server which will interface with the Vates VMS stack, so the agent can get context related to requests (queries). That way its responses can be properly grounded in the context of the stack, as well as the configuration, setup of the Vates VMS installation and its available resources.

      Can the IaC team work on this, though they may need other teams’ help?

      posted in Infrastructure as Code
      john.c
    • RE: Import from VMware - Uploaded VDDK, now stuck on 'checking'

      @JCS-RVK said in Import from VMware - Uploaded VDDK, now stuck on 'checking':

      I have a new xcp-ng pool with two hosts using XO from sources . I went to import a VM from VMware and was prompted to upload a Broadcom VDDK archive. After uploading, the Import from VMware page just shows 'checking'. Past pools I've set up did not prompt for the VDDK, which makes this scenario seem odd to me. Any idea why this is happening and what I can do about it?

      The VDDK prompt when doing a VMware to Vates migration is something new. When perfected, this will enable more reliable migrations, as the vSphere API method is very flaky indeed, especially when considering issues involving Broadcom’s and previously VMware’s alterations to that API.

      posted in Migrate to XCP-ng
      john.c
    • RE: Pre-Setup for Migration of 75+ VM's from Proxmox VE to XCP-ng

      @DustinB said in Pre-Setup for Migration of 75+ VM's from Proxmox VE to XCP-ng:

      @john.c So hypothetical issues that may require paid support for a testbed is your concern. Is that correct?

      XOCE is alright for a test bed, but outside of this, in a production environment, the use of the XOA appliance is likely required.

      posted in Migrate to XCP-ng
      john.c
    • RE: Pre-Setup for Migration of 75+ VM's from Proxmox VE to XCP-ng

      @cichy How things go with this switch from VMware to Proxmox, and now to Vates VMS, can potentially impact the software part of the architectural solutions Hok+ provides your clients. Especially when implementing AI!

      posted in Migrate to XCP-ng
      john.c
    • RE: Pre-Setup for Migration of 75+ VM's from Proxmox VE to XCP-ng

      @DustinB said in Pre-Setup for Migration of 75+ VM's from Proxmox VE to XCP-ng:

      @cichy said in Pre-Setup for Migration of 75+ VM's from Proxmox VE to XCP-ng:

      @john.c correct. It's the auto updates and automations that come with the appliance that I am after. I believe the trial is only one month? Or possibly only 15 days? The support element is mostly irrelevant to me/us. I do a fair bit of automation via Ansible/Terraform, so developing our own unique library of Templates is ideal. Again, new to all this. So, it may just be that I've not come across this within my XO from "sources" build

      Take a look at my profile or look up Jarli01 on GitHub if you want a simple yet effective installation and maintenance approach to installing and managing XOCE.

      @DustinB They mentioned needing the updates and related automations. Also, given the size of the organisation that they are working for, they’ll likely need the QA of XOA in production.

      If you check out the Hok+ (https://www.hok.com/) website, then scroll down to the bottom, they list all of their offices around the world. Also you can get statistics about the numbers of employees.

      @cichy Am I correct about the above please?

      posted in Migrate to XCP-ng
      john.c
    • RE: Pre-Setup for Migration of 75+ VM's from Proxmox VE to XCP-ng

      @cichy said in Pre-Setup for Migration of 75+ VM's from Proxmox VE to XCP-ng:

      @john.c thanks again for all this info!

      I plan to meet up with the team this week to assess our objectives and KPI's; in the meantime, all of the above has helped tremendously. I'm currently messing around with establishing K8S + Swarm clusters, testing the automation capabilities, XCP-ng is proving to be quite flexible. Learning the nuances of dynamic resource allocation (CPU/RAM, etc.), there are some nuanced differences from vSphere/Proxmox.

      Again, thanks very much for your help. I've made note of all your comments above. Especially references to Terraform/Vault alternatives! These are gold.

      @cichy Also there’s an SR maintenance mode available, something useful for when work needs to be done on bare metal shared storage.

      By the way, when your personal notebook blog is fully operational, I would love to subscribe to receive notifications of updates, as we’ll likely be able to learn from each other.

      Was on Saturday 9th August 2025 following the release of Debian 13.0.0 (code name “Trixie”).

      posted in Migrate to XCP-ng
      john.c