Offline
@olivierlambert said in Limiting access to xo-lite to a specific IP address or ssubnet:
About iptables, there's /etc/sysconfig/iptables but I'm not sure it's the right place to put manual modification, that's why I pinged the @Team-OS-Platform-Release
In a way that's the right place, but one needs to be careful with modifications there.
This changes nothing regarding brute-forcing. XAPI still listens to RPC requests on port 443.
Without changing iptables rules (that's not very flexible and could conflict with XAPI's handling of the rules), there's a way to disable the webserver.
https://docs.xcp-ng.org/management/manage-locally/xo-lite/#disabling-xo-lite
Also note that there is a simpler approach if you don't need an "all-in-one" ISO image: driver disks.
You can build driver disks using https://github.com/xcp-ng/driver-disks and load them during the installation.
You can also ask us to provide driver disks for alternate drivers for which we haven't built them yet. We make them available on https://mirrors.xcp-ng.org/isos/drivers/8.x/...
That's also something we need to document in the official docs. It's mentioned in the release notes for 8.3 but not in other sections of the documentation.
And fixes for XCP-ng 8.2 are coming but they require more work to backport the patches.
I moved this discussion to its own topic, as we need the other one for update candidate testing.
That's actually a question for @Team-XAPI-Network
@gduperrey said in XCP-ng 8.3 updates announcements and testing:
Since it doesn't indicate that an updated 8.2 is actually 8.2.1, only the major version is displayed.
Not a very good example actually 
(but what's true is that for 8.2 we didn't add a "LTS" mention next to the version number in the system either).
But yes, we decided not to increment the version number for XCP-ng 8.3.0. That breaks compatibility with some third party software because they wouldn't recognize a "8.3.1".
However we're working on a secondary version identifier that would allow you to know your precise patch level.
@gb.123 Yes. If you think it's not clear in the blog post, I'll think how I can word it.
Current wording:
This announcement does not represent a new release. It applies to the existing XCP-ng 8.3.
If you're already running XCP-ng 8.3, you're on the LTS version. There's no need for a full upgrade. Standard package updates will keep your system current.
A new batch of non-urgent updates is ready for user tests before a future collective release.
openssh: Fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The Default value has not changed: "no")samba: Fix vulnerabilities which are very unlikely to be exploitable on XCP-ng but are reported by security scanners.xcp-ng-release: This update adds a certificate to resolve a TLS handshake error, particularly when deploying XOA from CLI using curl.From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot
The usual update rules apply: pool coordinator first, etc.
No specific steps for these updates for XOSTOR users.
openssh: 7.4p1-23.3.2.xcpng8.2samba: 4.10.16-25.el7_9xcp-ng-release: 8.2.1-16Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
None defined, but early feedback is always better than late feedback, which is in turn better than no feedback 
You probably saw it, but just in case: https://xcp-ng.org/blog/2025/06/16/xcp-ng-8-3-is-now-lts/
Today marks several important updates for XCP-ng 8.3. In a nutshell:
- It officially becomes a Long-Term Support (LTS) release, as previously announced when it was first released on October 7th, 2024.
- We are releasing updated installation images ("ISOs") that include installer improvements and all updates published since the original release.
- XOSTOR, our hyperconverged storage solution powered by LINSTOR, is now officially supported on XCP-ng 8.3.
- A new, dedicated upgrade ISO is available to support upgrading from an 8.2 pool that includes a XOSTOR storage repository.
The above issue is solved in packages that we haven't released as an update yet, that @Andrew tested.
We do advise to jump to 8.2 from earlier releases, before jumping to 8.3.
@Andrew Does restarting the toolstack bring the stats back?
Regarding coretemp, @r1's module doesn't work anymore with Xen 4.17. See https://github.com/xcp-ng/xcp/issues/669. A possible workaround is using IPMI readings, when available. For a better solution, there's work needed in Xen.
(CC @Team-Hypervisor-Kernel, FYI)
said in XCP-ng 8.3 updates announcements and testing:
here are the pre-release ISO images for a refreshed XCP-ng 8.3 installer
Last call
A few days late because internal tests led to a few fixes, here are the pre-release ISO images for a refreshed XCP-ng 8.3 installer:
$ cat SHA256SUMS
22deae59e7c5cff7d4691c447af9dbf27b29a372748c1844c280bdc212ef2a5f xcp-ng-8.3-20250606-linstor-upgradeonly.pre3.iso
9a5dcc8d98949ee207d28307b8b94320d1ffd24841e34ca74e1c0f0422e5ecab xcp-ng-8.3-20250606-netinstall.pre3.iso
4d6f5a99da0d70920bc313470ad2b14decab66038f0863ca68a2b81126ee2977 xcp-ng-8.3-20250606.pre3.iso
.-linstor-upgradeonly). After the upgrade, if there are available updates in 8.3 for linstor, then you can follow the usual update process (which also contains specific steps for XOSTOR such as updating linstor-satellite first on all hosts and restarting the services on all of them, still due to linstor not supporting rolling update. That's something that XOA's RPU handles automatically since a few releases, by the way).Regarding testing we are interested on all kind of feedback. Installations, upgrades with and without XOSTOR, and everything you want to test that seems pertinent to ensure there are no regressions when compared to the original 8.3.0 installation ISOs.
said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
- We do plan a way to remove the warning for VMs that you would choose.
That's now done and will be included in the next update to the latest update channel for XOA. VMs with the HIDE_XSA468 tag will not be included in the vulnerability detection.
@Andrew I've thought about it and I agree on the principle as there's already a section about guest tools there, but we have put enough pressure on the XO team to make them release the helpful features in time to help users detect vulnerable VMs, on XOA's stable update channel, so it might be wiser to wait for XO6 for such alert to be in a centralized place about guest tools.
Thanks for the feedback. Let's add a notice in the docs, @dinhngtu?
Just a heads-up to let you know that we'll soon (tonight? Tomorrow?) upload pre-releases of the refreshed installation ISOs for XCP-ng 8.3.