I had this tab still open which lets me realize that despite we packaged vmfs6-tools and updated the documentation at https://docs.xcp-ng.org/installation/migrate-to-xcp-ng/#local-migration-same-host, we didn't inform you here.
Now it's done
I had this tab still open which lets me realize that despite we packaged vmfs6-tools and updated the documentation at https://docs.xcp-ng.org/installation/migrate-to-xcp-ng/#local-migration-same-host, we didn't inform you here.
Now it's done
OEL 8 & 9 wouldn't contain the fix unless they applied extra patches for this to the RHEL 8 & 9 kernel(s). I'll let the hypervisor team check the current status.
I've had this thread in my TODO list for long.
I'm not sure what the different options we have mean for users.
As r8125-module
is installed by default, we'll want to avoid breaking it for existing users. Would using the new code risk causing regressions? Maybe that's what you meant but I'm not sure. Does our current r8125
driver support both 8125 and 8126, and not 8127? Or just 8125?
If we can't update the driver without causing regressions, then can we offer an alternate driver based on the new code for each chip (8125, 8126, 8127), and what amount of work might this represent?
The target would be XCP-ng 8.3. In XCP-ng 9.0 we'll have a newer kernel and newer drivers anyway.
CCing @Team-Hypervisor-Kernel for their opinion.
@olivierlambert said in Limiting access to xo-lite to a specific IP address or ssubnet:
About iptables, there's /etc/sysconfig/iptables but I'm not sure it's the right place to put manual modification, that's why I pinged the @Team-OS-Platform-Release
In a way that's the right place, but one needs to be careful with modifications there.
This changes nothing regarding brute-forcing. XAPI still listens to RPC requests on port 443.
Without changing iptables rules (that's not very flexible and could conflict with XAPI's handling of the rules), there's a way to disable the webserver.
https://docs.xcp-ng.org/management/manage-locally/xo-lite/#disabling-xo-lite
Also note that there is a simpler approach if you don't need an "all-in-one" ISO image: driver disks.
You can build driver disks using https://github.com/xcp-ng/driver-disks and load them during the installation.
You can also ask us to provide driver disks for alternate drivers for which we haven't built them yet. We make them available on https://mirrors.xcp-ng.org/isos/drivers/8.x/...
That's also something we need to document in the official docs. It's mentioned in the release notes for 8.3 but not in other sections of the documentation.
And fixes for XCP-ng 8.2 are coming but they require more work to backport the patches.
I moved this discussion to its own topic, as we need the other one for update candidate testing.
That's actually a question for @Team-XAPI-Network
@gduperrey said in XCP-ng 8.3 updates announcements and testing:
Since it doesn't indicate that an updated 8.2 is actually 8.2.1, only the major version is displayed.
Not a very good example actually (but what's true is that for 8.2 we didn't add a "LTS" mention next to the version number in the system either).
But yes, we decided not to increment the version number for XCP-ng 8.3.0. That breaks compatibility with some third party software because they wouldn't recognize a "8.3.1".
However we're working on a secondary version identifier that would allow you to know your precise patch level.
@gb.123 Yes. If you think it's not clear in the blog post, I'll think how I can word it.
Current wording:
This announcement does not represent a new release. It applies to the existing XCP-ng 8.3.
If you're already running XCP-ng 8.3, you're on the LTS version. There's no need for a full upgrade. Standard package updates will keep your system current.
A new batch of non-urgent updates is ready for user tests before a future collective release.
openssh
: Fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The Default value has not changed: "no")samba
: Fix vulnerabilities which are very unlikely to be exploitable on XCP-ng but are reported by security scanners.xcp-ng-release
: This update adds a certificate to resolve a TLS handshake error, particularly when deploying XOA from CLI using curl
.From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot
The usual update rules apply: pool coordinator first, etc.
No specific steps for these updates for XOSTOR users.
openssh
: 7.4p1-23.3.2.xcpng8.2samba
: 4.10.16-25.el7_9xcp-ng-release
: 8.2.1-16Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
None defined, but early feedback is always better than late feedback, which is in turn better than no feedback
You probably saw it, but just in case: https://xcp-ng.org/blog/2025/06/16/xcp-ng-8-3-is-now-lts/
Today marks several important updates for XCP-ng 8.3. In a nutshell:
- It officially becomes a Long-Term Support (LTS) release, as previously announced when it was first released on October 7th, 2024.
- We are releasing updated installation images ("ISOs") that include installer improvements and all updates published since the original release.
- XOSTOR, our hyperconverged storage solution powered by LINSTOR, is now officially supported on XCP-ng 8.3.
- A new, dedicated upgrade ISO is available to support upgrading from an 8.2 pool that includes a XOSTOR storage repository.
The above issue is solved in packages that we haven't released as an update yet, that @Andrew tested.
We do advise to jump to 8.2 from earlier releases, before jumping to 8.3.
@Andrew Does restarting the toolstack bring the stats back?
Regarding coretemp, @r1's module doesn't work anymore with Xen 4.17. See https://github.com/xcp-ng/xcp/issues/669. A possible workaround is using IPMI readings, when available. For a better solution, there's work needed in Xen.
(CC @Team-Hypervisor-Kernel, FYI)
said in XCP-ng 8.3 updates announcements and testing:
here are the pre-release ISO images for a refreshed XCP-ng 8.3 installer
Last call
A few days late because internal tests led to a few fixes, here are the pre-release ISO images for a refreshed XCP-ng 8.3 installer:
$ cat SHA256SUMS
22deae59e7c5cff7d4691c447af9dbf27b29a372748c1844c280bdc212ef2a5f xcp-ng-8.3-20250606-linstor-upgradeonly.pre3.iso
9a5dcc8d98949ee207d28307b8b94320d1ffd24841e34ca74e1c0f0422e5ecab xcp-ng-8.3-20250606-netinstall.pre3.iso
4d6f5a99da0d70920bc313470ad2b14decab66038f0863ca68a2b81126ee2977 xcp-ng-8.3-20250606.pre3.iso
-linstor-upgradeonly
). After the upgrade, if there are available updates in 8.3 for linstor, then you can follow the usual update process (which also contains specific steps for XOSTOR such as updating linstor-satellite first on all hosts and restarting the services on all of them, still due to linstor not supporting rolling update. That's something that XOA's RPU handles automatically since a few releases, by the way).Regarding testing we are interested on all kind of feedback. Installations, upgrades with and without XOSTOR, and everything you want to test that seems pertinent to ensure there are no regressions when compared to the original 8.3.0 installation ISOs.
said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
- We do plan a way to remove the warning for VMs that you would choose.
That's now done and will be included in the next update to the latest
update channel for XOA. VMs with the HIDE_XSA468
tag will not be included in the vulnerability detection.