RE: Disable TX checksumming with API

Sorry for the necropost but here is what I did.

import XenAPI
import ssl

HOST_IP = "192.168.1.100"
USERNAME = "root"
PASSWORD = "hostpasswordsecret"
VM_LIST = ('sms', 'firewall1a', 'firewall1b', 'firewall2a', 'firewall2b', 'firewall3a', 'firewall3b')

def main():
    # disable https certificate checking
    if hasattr(ssl, '_create_unverified_context'):
        ssl._create_default_https_context = ssl._create_unverified_context
    url = f"https://{HOST_IP}"
    session = XenAPI.Session(url)
    try:
        print(f"Connecting to {HOST_IP}...")
        session.xenapi.login_with_password(USERNAME, PASSWORD, "1.0", "python-script")
    except XenAPI.Failure as e:
        print(f"XenAPI Error: {e}")
        return
    except Exception as e:
        print(f"General Error: {e}")
        return
    for vm in VM_LIST:
        print(f"Searching for VM: {vm}...")
        vms = session.xenapi.VM.get_by_name_label(vm)
        if len(vms) == 0:
            print(f"Error: VM '{vm}' not found.")
            continue
        vm_ref = vms[0]
        vif_refs = session.xenapi.VM.get_VIFs(vm_ref)
        if not vif_refs:
            print("No network interfaces found on this VM.")
            continue
        print(f"Found {len(vif_refs)} interface(s). Updating settings...")
        for vif in vif_refs:
            device = session.xenapi.VIF.get_device(vif)
            other_config = session.xenapi.VIF.get_other_config(vif)
            # ethtool-tx transmit checksum offload
            # ethtool-tso TCP segmentation offload
            # ethtool-ufo UDP fragmentation offload
            # ethtool-gro generic receive offload
            if other_config.get('ethtool-tx') == 'off':
                print(f"  Interface {device}: TX Checksumming already disabled.")
            else:
                print(f"Disabling TX checksumming for interface {device}")
                other_config['ethtool-tx'] = 'off'
                try:
                    session.xenapi.VIF.set_other_config(vif, other_config)
                    print(f" - Interface {device}: TX Checksumming disabled (ethtool-tx: off)")
                    power_state = session.xenapi.VM.get_power_state(vm_ref)
                    if power_state == 'Running':
                        print("  [!] VM is RUNNING. A reboot is required for these changes to take effect.")
                    elif power_state == 'Halted':
                        print("  [i] VM is Halted. Changes will apply on next boot.")
                    else:
                        print(f"  [i] VM state is {power_state}.")
                        print("Note: You must reboot the VM or unplug/plug the VIFs for changes to take effect.")
                    print("")
                except XenAPI.Failure as e:
                    print(f"XenAPI Error: {e}")
                except Exception as e:
                    print(f"General Error: {e}")            
    try:
        session.xenapi.logout()
    except:
        pass
if __name__ == "__main__":
    main()

Starting from Other install media with BIOS (not uefi) is the only combo that is working with Terraform

BLUF: creating new VMs from my custom Windows Windows Server 2025 templates works, but using terraform I get failures.

XCP-ng 8.3, XO from sources.

Console messages
Console messages
Boot device: Hard Disk - success.
Boot device: CD-Rom - failure: could not read boot disk

No bootable device.
Powering off in 30 seconds.

Workflow:

1. create a VM from base (built-in Windows Server 2025) template, Windows Server 2025 evaluation ISO
2. applied customization (e.g., increase/set display resolution
3. ran sysprep
4. converted to template
5. test by manually creating a VM from the template = success
6. using terraform, all servers created do not boot

Background:
https://xcp-ng.org/forum/topic/9474/terraform-creating-vm-from-my-windows-templates-no-bootable-device

Previously with 8.2 and Server 2022 I was able to change my workflow to use "Other installation media" as my base template, and it worked. Currently using "Other installation media" as my base template also fails. Windows 11 using the recommended base template is fine. Ubuntu Noble Numbat 24.04 base template does not work.

Excepts from servers.tf
data "xenorchestra_template" "server2025-template" {
name_label = "server2025-template"
}
[...]
resource "xenorchestra_vm" "dmz-iis" {
memory_max = 4294934528
cpus = 1
name_label = "dmz-iis"
name_description = "Windows Server 2025 in DMZ running IIS"
template = data.xenorchestra_template.server2025-template.id
depends_on = [xenorchestra_network.network_dmz1]
disk {
sr_id = data.xenorchestra_sr.local.id
name_label = "dmz-iis-disk"
size = 137438953472
}
network {
network_id = data.xenorchestra_network.branch1dmz.id
}
}
[...]

Full details

https://github.com/doritoes/NUC-Labs/blob/xcp-ng-8.3/XCP-ng/terraform/servers.tf

https://github.com/doritoes/NUC-Labs/blob/xcp-ng-8.3/XCP-ng/Appendix-Terraform.md

UPDATE Now on XCP-ng 8.3 and XO from sources

I had no problems with Windows 11.

Had problem Ubuntu Noble Numbat 24.04 base template failing to boot from disk when cloned using Terraform. Changing the base template to "Other install media" resolved the issue, and the Terraform-cloned VMs work fine.

EDIT: Also has problems with base template Windows Server 2025.

@acebmxer thank you for testing and confirming!

For those who try this...

NOTE WSL 1 has the issue of throwing the error Failed to take /etc/passswd lock: Invalid argument
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2069555/comments/12
Here is a fix
sudo sed -i -e '/systemd-sysusers/s/.conf$/.conf || true/' /var/lib/dpkg/info/*.postinst
sudo apt --fix-broken install

@TeddyAstie you give me the answer and a valid workaround. You rock!

Confirmed that solved my issue, as WSL 1 is fine for me to run Ansible.

Error code: Wsl/InstallDistro/Service/RegisterDistro/CreateVm/HCS/HCS_E_HYPERV_NOT_INSTALLED

Additionally tried this:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

EDIT: Add Next steps tried
Open the Turn Windows features on or off panel
Turn these settings off: Hyper-V, Windows Subsystem for Linux, Virtual Machine Platform, click OK, and restart your computer.
Turn these settings ON: Hyper-V, Windows Subsystem for Linux, Virtual Machine Platform, click OK, and restart your computer.

EDIT2:
dism.exe /online /get-features /format:table
HypervisorPlatform was disabled
Enable Windows Hypervisor Platform feature and rebooted.

This did not fix the issue.

EDIT3:
It looks like WSL on Windows 11 might be unsupported on XGP-ng 8.3
https://docs.xcp-ng.org/compute/#-nested-virtualization

XCP-ng 8.3, XO from sources.
Created Win11 from ISO using the built-in Windows 11 template
Configured and turned into template for cloning.

Trouble installing WSL on the cloned Win11:
WSL2 is not supported with your current machine configuration

This worked a couple years ago Win10 on XCP-ng 8.2, Ubuntu 22.04.

From administrative powershell

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
(Accept the reboot, back to administrative powersehll)
wsl --install
(fails)
wsl --list --online
wsl --install -d Ubuntu-24.04
(fails again)

I tried enabling Nested Virtualization for the VM without success
Booted to (F2) BIOS and confirmed not virtualization options there to enable

Has anyone got Win11/WSL/8.3 working? I'm hoping it's not due to not installing a Windows license key.

@bvitnik Thank you for the great response. I have had great success with Terraform - great work.

I'm not touching ocaml myself. And yes, Citrix... they are still above VMware/Broadcom on my list. But SMH.

I keep promoting XCP-ng hoping some large companies take advantage of it. It's much more valuable to me than nautobot, for example.

@olivierlambert and @bvitnik thank you for those thoughts.

I'm thinking at a larger scale than I need right now.

In the future I would like to be able to do things like: migrate all VMs matching <tag x> or name similar to host B (because it's a new host or because I'm taking down A for patching). Ansible is idempotent and perfect for things like that.

Move all large disks to my thin-provisioned SRs.

Move all powered down VM's disk storage to my NFS SR.

Move all VMs with "automatically power on" to host A.

Maybe someday.

@bvitnik Thanks for that feedback.

XO understands multiple hosts and should be able to see what host a VM is on.

Instead of using Ansible directly against individual hosts, I am looking about how to use Ansible to work with the management layer.

I have been using ansible and community.general.xenserver_guest_powerstate to power on VMs in order, directly to the host.

I'm looking for a link or example of a "first Ansible playbook" to go to XAPI (the orchestrator built from sources) instead.

Example direct to host:

• hosts: localhost
  tasks:
  • name: Power on opnsense
    community.general.xenserver_guest_powerstate:
    hostname: "{{ xenserver_hostname }}"
    username: "{{ xenserver_username }}"
    password: "{{ xenserver_password }}"
    name: opnsense
    state: powered-on
    delegate_to: localhost
    register: facts

Looking for example using XO instead.

@andSmv Thanks for taking a look at it. It's not really needed for a modern platform.

In virtual box I can set the pointing device to PS/2.

How can I set the pointing device to be a PS/2 mouse in XCP-ng 8.3? The first release of Ubuntu Warty Warthog is an example where this is needed.

@splastunov said in Disable TX checksumming with API:

XAPI

Thank you, I found https://xapi-project.github.io/xen-api/networking.html

Greetings! I am seasoned security engineer and that brings with it the need for a lab, automation, and prototyping. Intel NUCs, VMware workstation, and ESXi in my home lab was my MO.

For the past few years I have been putting my home Lab projects on github, and they now include XCP-ng testing. My lab is now split XCP-ng and proxymox. (good-bye Broadcom)

In the Cyber space I'm blue team, shifting more purple. The authentication with XCP-ng bugs me, but I'm happy with the automation potential.

Folding@Home and Unifi are my other fun projects.

Currently I manually disable on TX checksumming on OPNsense firewalls per recommendation.

Is there (undocumented) XO API support for this?

Manual process:
Click the VM
Click the Network tab
Next to each interface is a small settings icon with a blue background
For every interface click the gear icon then disable TX checksumming

I currently have a bunch of Check Point firewall VMs in my lab and they have a several interfaces each. I would like to disable checksumming on all interfaces via API, ansible, and (ideally) terraform.

@Danp thank you for that information.

When I wasn't using Terraform, I followed that advice.

The Windows built-in templates change the boot process fundamentally, requiring "press any key to boot from CD/DVD". If you find another way to resolve it issue, I would love to hear it.

Re-creating the Windows Server 2022 template off of "Other installation media" instead of the built-in template solved the problem.

I will repeat this on the Windows 10 template to confirm.

EDIT: Confirmed Windows 10 working using same solution.

BLUF: creating new VMs from my custom Windows 10 and Windows Server 2022 templates works, but using terraform I get failures.

Console messages
Boot device: Hard Disk - success.
Boot device: CD-Rom - failure: could not read boot disk

No bootable device.
Powering off in 30 seconds.

from my workstations.tf file

data "xenorchestra_template" "workstation-template" {
name_label = "win10-template"
}
[...]
resource "xenorchestra_vm" "branch1-1" {
memory_max = 4294934528
cpus = 1
name_label = "branch1-1"
name_description = "Windows 10 workstation 1 in branch 1"
template = data.xenorchestra_template.workstation-template.id
depends_on = [ xenorchestra_network.vlan_network_201]
disk {
sr_id = data.xenorchestra_sr.local.id
name_label = "workstation-1-1-disk"
size = 137437904896
}
network {
network_id = data.xenorchestra_network.branch1mgt.id
}
}
[...]

I created my own name_label (e.g. "worksation-1-1.disk") based on the system name.

Is there a proper way to clone my windows templates? (i did sysprep on the server 2022 systems before creating the server 2022 template)

Full details https://github.com/doritoes/NUC-Labs/tree/xcp-ng-improvement/XCP-ng/terraform (my entire XCP-ng build is documented there)

Thank you!

EDIT: Add that the original templates I created were based on the build-in templates for Windows, <ins>not</ins> "Other source media"