RE: Updates announcements and testing

@normanghenderson They do

The error message about commmand masks the actual error that occurred (it's an error raised during error handling itself).

Please try to do the update from CLI so that we may see the actual error from yum.

https://xcp-ng.org/docs/updates.html#how-to-apply-the-updates

@NielsH DRPW and SBDR are related to MMIO (and thus PCI Passthrough), but there are other vulnerabilities that are not related to it.

The update is published. Thanks for your tests!

Blog post: https://xcp-ng.org/blog/2022/06/27/june-2022-security-update-2/

New security update (xen, Intel CPUs)

Xen is being updated to mitigate hardware vulnerabilities in Intel CPUs.

• Upstream (Xen project) advisory: XSA-404
• Citrix Hypervisor Security Bulletin (which also covers vulnerabilities that we already fixed in the previous update): https://support.citrix.com/article/CTX460064/citrix-hypervisor-security-update

Impact of the vulnerabilities - I'll quote Citrix' security team here: "may allow code inside a guest VM to access very small sections of memory data that are actively being used elsewhere on the system"

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot

Versions:

• xen-*: 4.13.4-9.23.1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

@KPS Hi. This thread is now inactive sop please open a new thread dedicated to your issue.

@olivierlambert I don't think so

Yes, I think so.

It's well hidden in AMD's website and you can't even find it with a text search!

Select your card model then you'll find a download for Citrix Hypervisor.

Update released (xen + uefistored). Thanks for your tests!

Blog: https://xcp-ng.org/blog/2022/06/13/june-security-update-1/

New security update (xen)

Impact: when the conditions are met (roughly: CPU Model, PV guest + PCI passthrough or race condition exploitation), an attacker in a malicious VM may escalate privilege and control the whole host.

Upstream (Xen project) references: XSA-401 and XSA-402

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot

Versions:

• xen-*: 4.13.4-9.22.2.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

To me, this uefistored update is ready, but I'll group it with the next updates.

Test feedback remains welcome.

Additional notes:

• my last update attempt ended in curl: (6) Could not resolve host: github.com; Unknown error because the spec file started defaulting to downloading stuff from github when a distro must build everything using only the RPM sources and our build environment has no internet access on purpose. So this means I must re-bundle sources that were unbundled upstream. I had already done such work previously for other components that are downloaded during the RPM build.
• EPEL now has a netdata RPM that seems to be updated regularly (currently at 1.34.1) and which I could probably light-fork. It will probably be more suited to the needs of a distro maintainer than the upstream spec file which is tailored for the needs of the netdata project itself (you often see this dichotomy between upstream developers and downstream packagers, as in the example I gave earlier of a spec file that does what no distro would allow: download stuff dynamically at build time).

The netdata version is rather old because XCP-ng 8.2 is a LTS and netdata sadly doesn't have long term maintenance branches that would guarantee an absence of regressions. And I've had serious issues with netdata on XCP-ng in the past (disk full due to a bug that I reported at the time, fixed since but now I completely disable disk writes and let only netdata use a limited RAM database, just in case), so I'm not eager to update often as long as it is working and no unpatchable major security issues are found.

And given the pace at which netdata evolves, each update is a significant amount of packaging work for me

I will provide an update at some point, in the testing repository at least, but I don't know when exactly.

@AlexanderK said in Windows VM cannot start (FAILED_TO_START_EMULATOR):

@stormi should i try to install what is at the guide?
running this?
secureboot-certs install

If you want to use secure boot, yes. BTW there's an update candidate to fix a recent issue with microsoft servers. See https://xcp-ng.org/forum/post/49373

@AlexanderK Secure Boot was not supported and the switch did nothing before XCP-ng 8.2.1. Now it really attempts to enforce it and fails because you probably didn't install the Secure Boot certificates to the pool.

https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot

Make sure you haven't enabled secure boot by mistake on the VMs.

@Andrew That's because install is a sub-command: secureboot-certs install -h.

Anyway, if download fails (you can test by using "test" as the user agent for example), the option will be mentioned.

Update candidate available to fix certificate download: https://xcp-ng.org/forum/post/49373

Update candidate available to fix certificate download: https://xcp-ng.org/forum/post/49373