@normanghenderson They do

Posts made by stormi
-
RE: Host Patch Installation Failure | "global name 'commmand' is not defined"
The error message about
commmand
masks the actual error that occurred (it's an error raised during error handling itself).Please try to do the update from CLI so that we may see the actual error from
yum
.https://xcp-ng.org/docs/updates.html#how-to-apply-the-updates
-
RE: Updates announcements and testing
@NielsH DRPW and SBDR are related to MMIO (and thus PCI Passthrough), but there are other vulnerabilities that are not related to it.
-
RE: Updates announcements and testing
The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/06/27/june-2022-security-update-2/
-
RE: Updates announcements and testing
New security update (xen, Intel CPUs)
Xen is being updated to mitigate hardware vulnerabilities in Intel CPUs.
- Upstream (Xen project) advisory: XSA-404
- Citrix Hypervisor Security Bulletin (which also covers vulnerabilities that we already fixed in the previous update): https://support.citrix.com/article/CTX460064/citrix-hypervisor-security-update
Impact of the vulnerabilities - I'll quote Citrix' security team here: "may allow code inside a guest VM to access very small sections of memory data that are actively being used elsewhere on the system"
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing reboot
Versions:
- xen-*: 4.13.4-9.23.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
RE: XCP-ng 8.2.1 (maintenance update) - final testing sprint
@KPS Hi. This thread is now inactive sop please open a new thread dedicated to your issue.
-
RE: vGPU AMD mxgpu iso nowhere to find
It's well hidden in AMD's website and you can't even find it with a text search!
Select your card model then you'll find a download for Citrix Hypervisor.
-
RE: Updates announcements and testing
Update released (xen + uefistored). Thanks for your tests!
Blog: https://xcp-ng.org/blog/2022/06/13/june-security-update-1/
-
RE: Updates announcements and testing
New security update (xen)
Impact: when the conditions are met (roughly: CPU Model, PV guest + PCI passthrough or race condition exploitation), an attacker in a malicious VM may escalate privilege and control the whole host.
Upstream (Xen project) references: XSA-401 and XSA-402
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing reboot
Versions:
- xen-*: 4.13.4-9.22.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
RE: Updates announcements and testing
To me, this
uefistored
update is ready, but I'll group it with the next updates.Test feedback remains welcome.
-
RE: Netdata package is now available in XCP-ng
Additional notes:
- my last update attempt ended in
curl: (6) Could not resolve host: github.com; Unknown error
because the spec file started defaulting to downloading stuff from github when a distro must build everything using only the RPM sources and our build environment has no internet access on purpose. So this means I must re-bundle sources that were unbundled upstream. I had already done such work previously for other components that are downloaded during the RPM build. - EPEL now has a netdata RPM that seems to be updated regularly (currently at 1.34.1) and which I could probably light-fork. It will probably be more suited to the needs of a distro maintainer than the upstream spec file which is tailored for the needs of the netdata project itself (you often see this dichotomy between upstream developers and downstream packagers, as in the example I gave earlier of a spec file that does what no distro would allow: download stuff dynamically at build time).
- my last update attempt ended in
-
RE: Netdata package is now available in XCP-ng
The netdata version is rather old because XCP-ng 8.2 is a LTS and netdata sadly doesn't have long term maintenance branches that would guarantee an absence of regressions. And I've had serious issues with netdata on XCP-ng in the past (disk full due to a bug that I reported at the time, fixed since but now I completely disable disk writes and let only netdata use a limited RAM database, just in case), so I'm not eager to update often as long as it is working and no unpatchable major security issues are found.
And given the pace at which netdata evolves, each update is a significant amount of packaging work for me
I will provide an update at some point, in the testing repository at least, but I don't know when exactly.
-
RE: Windows VM cannot start (FAILED_TO_START_EMULATOR)
@AlexanderK said in Windows VM cannot start (FAILED_TO_START_EMULATOR):
@stormi should i try to install what is at the guide?
running this?
secureboot-certs installIf you want to use secure boot, yes. BTW there's an update candidate to fix a recent issue with microsoft servers. See https://xcp-ng.org/forum/post/49373
-
RE: Windows VM cannot start (FAILED_TO_START_EMULATOR)
@AlexanderK Secure Boot was not supported and the switch did nothing before XCP-ng 8.2.1. Now it really attempts to enforce it and fails because you probably didn't install the Secure Boot certificates to the pool.
-
RE: Windows VM cannot start (FAILED_TO_START_EMULATOR)
Make sure you haven't enabled secure boot by mistake on the VMs.
-
RE: Updates announcements and testing
@Andrew That's because
install
is a sub-command:secureboot-certs install -h
.Anyway, if download fails (you can test by using "test" as the user agent for example), the option will be mentioned.
-
RE: Secure Boot Download Fails
Update candidate available to fix certificate download: https://xcp-ng.org/forum/post/49373
-
RE: secureboot-certs install fails
Update candidate available to fix certificate download: https://xcp-ng.org/forum/post/49373