XCP-ng issue 1: closed!

This is not just a powerful symbolic thing: by closing issue n°1, we are really reaffirming our independance and our capacity to build everything without using any binary provided by Citrix.

It's really a great news for XCP-ng's future!

https://github.com/xcp-ng/xcp/issues/1

olivierlambert created this issue in xcp-ng/xcp

closed Build components from the sources #1

Since last week, we have a new team member @ronan-a is now part of Vates XCP-ng team, with @stormi and myself.

@r1 and @johnelse are still with us as external contributors.

@ronan-a , feel free to introduce yourself here (and the stuff you are working on)

What about this one?

To avoid splitting the community, we'll merge XO forum in this category. It seems not possible (or very not trivial) to fetch the previous XO threads here, so we'll probably have a transition time until we redirect directly XO forum URL toward this category directly.

Less yellowish terminal to use less different colors and keeping the variations in the logo:

For XCP-ng 8 we thought that it might be interesting to get a dedicated visual identity outside the boot splash: the prompt and the "ncurse" display.

A new prompt

• removed the current user (because it's an "appliance", with only root
• added current time, very handy to know how long your command took (eg export)
• using XCP-ng colors

New vs old:

Obviously, we got a fallback for terminal without color support.

Also, it also works on white background terms:

A new console theme (xsconsole)

New vs old:

There is also a fallback on terminals without color support (unchanged)

Maybe you could think it's a minor thing, but in the end, that's how we show XCP-ng is not just a clone of CH/XS

Obviously, you can still configure this easily (especially the prompt, because you can override it).

What do you think?

https://www.citrix.com/blogs/2019/04/25/citrix-hypervisor-8-0-is-here/
and
https://docs.citrix.com/en-us/citrix-hypervisor/whats-new.html

So this is the starting point of a LOT of things for us. We'll keep you posted on what's new regarding SMAPIv3 perfs, UEFI and everything else.

Stay tuned!

https://xenproject.org/2019/04/02/whats-new-in-xen-4-12/

In short:

• 1446 commits from 364 patches
• possibility to build for PV or HVM/PVH only (reducing attack surface)
• QEMU deprivilege (also reducing attack surface)
• Argo (new inter-domain communication, @ronan-a will take a look)
• Improved VM introspection (less overhead)
• Credit 2 schedule by default
• PVH dom0 in tech preview
• Better IOMMU mapping for improved EPYC boot time
• auto dom0 sizing (% of total system RAM or static+percent)

Details: https://wiki.xenproject.org/wiki/Xen_Project_4.12_Feature_List

Hey guys!

Just before the official announcement tomorrow, please double test our latest ISO: https://xcp-ng.org/7.5/xcp-ng-7.5.0.iso

md5sum: 33adb5d92f56fe6cda0df047f2f60895

Nothing really changed since RC1 (except very few stuff).

Well, that's not true @cheese

The truth is far more complicated:

• XCP-ng already added some new packages inside (eg zstd, modified XAPI to support it, a more recent kernel etc.)
• Some bug are fixed first in XCP-ng (and later in XS by Citrix)
• "XCP" doesn't exist anymore (since 2013), so we can't use it as a base
• Some packages aren't shipped until XS is out and no dev branch is available (thinking about SMAPIv3): it's legal but really anti-Open Source spirit (you can't contribute)
• Some packages are heavily modified by Citrix, eg Xen (400 patches…) so you can't "just" import any vanilla Xen into XCP-ng. This require months of deep Xen knowledge.

But yes, the goal is to be 100% independent in the end, but that require a reasonable team (already hired 3 persons, objective is to double this number in the next months) and as you can imagine, this cost a lot of money. So break even is needed to be sustainable. That's why being only "Fedora like" (eg cutting edge without support) isn't doable. We must also provide something tested and stable through time, otherwise no company will adopt it, and then we couldn't survive (Patreon or Kickstarter is OK to bootstrap a project, but just add 6 to 10 people full time and you'll see you'll need something close to one million USD and more)

So as you see, XCP-ng is not just a toy done in a garage, this is bigger than that Our ambition is to become the first turnkey and Open Source virtualization platform. Some parts will take time but yes, this is the objective.

A bunch of Xen security issues are now public after the usual embargo.

Note: website to check all XSA's is https://xenbits.xen.org/xsa/

XSA 294: insufficient TLB flushing

The major/most visible flaw (XSA 294)was related to a host crash triggered by a PV guest. Some users (@borzel for example), reported it here: https://xcp-ng.org/forum/topic/1025/host-crash-guest_4-o-sh_page_fault__guest 64 bits PV guests are affected.

Note: boot your host with the "pcid=0" parameter. This will likely have an impact on performance but should avoid the crash.

However, it was before the end of the embargo, so we can't comment and release a patch before it's known publicly.

Patched Xen will be available in the usual update channel as soon we got something tested and validated.

Others

The list of other new XSA's are:

• XSA 293: 64 bits PV guests can crash or be used for privilege escalation
• XSA 292: PV guests could cause a host crash or access data of other guests (similar to XSA 294)
• XSA 291: PV guests could cause a DDOS on the host via IOMMU
• XSA 290: PV guests could cause a DDOS on the hostto XSA 294)

All those vuln will be patched in the next Xen update. Stay tuned!

Fake RAID is the worst choice possible in any case. Use purely software RAID or hardware RAID.

edit: because mainly it takes cons of both hardware and software RAID… I always heard horrible stories with fake RAID, as far as I remember on Windows XP to recent hardware on "consumer" grade stuff. And I know I'm not the only one thinking that. Obviously, I'm open to data that suggest there is a lot of benefits.