Posts for: #vm

Introducing Xen Orchestra 5.88: Enhanced Virtualization Management Solution

XCP-ng has released Xen Orchestra 5.88, packed with new features and improvements. In the backup area, there have been code improvements and bug fixes, as well as an optimization for full backups using S3. The Terraform provider has also seen updates, including support for XenServer/XCP-ng bonded networks and improvements to the XO internal API. XO Lite now allows for cloning and snapshotting of VMs, and a “Ctrl Alt Del” button has been added to the console view. Xen Orchestra 6 is also in the works, with a focus on backup management and a revamped user interface. Mockups of the new UI have been shared, showcasing a more streamlined and efficient backup view. XOSTOR, the hyperconverged storage solution, now has a simple UI for creating new storage. XCP-ng 8.3 features have been added to Xen Orchestra, including vTPM management in the web UI and a new optional argument for the host.evacuate method. Overall, Xen Orchestra 5.88 brings a range of enhancements and improvements to the platform.

XCP-ng Boosts Security with October 2023 Update

New security and maintenance updates are available for the only currently supported release of XCP-ng, version 8.2 LTS. This update includes fixes for several vulnerabilities in Xen and the Linux kernel in the controller domain. Additionally, maintenance updates that were ready and waiting for the next push are also included.

The fixed vulnerabilities in this security update are as follows:

  • XSA-440: CVE-2023-34323 - “xenstored: A transaction conflict can crash C Xenstored”. This vulnerability could lead to a denial of service (DoS). However, it only affects users who deliberately switched to C Xenstored from the OCaml Xenstored that XCP-ng uses by default.
  • XSA-441: CVE-2023-34324 - “Possible deadlock in Linux kernel event handling”. While this denial of service vulnerability is not exploitable in XCP-ng’s default configuration, a patched dom0 kernel is provided as an additional layer of defense.
  • XSA-442: CVE-2023-34326 - “x86/AMD: missing IOMMU TLB flushing”. On certain AMD systems, an attacker could exploit a vulnerability in the handling of PCI passthrough to escalate privileges, cause a denial of service, or gain access to leaked information.
  • XSA-443: CVE-2023-34325 - “Multiple vulnerabilities in libfsimage disk handling”. This privilege escalation vulnerability affects PV guests through flaws in the handling of libfsimage, particularly with XFS. While PV guests are deprecated and not security-supported on XCP-ng 8.2, a fix is provided for users who still have PV guests. It is strongly recommended to convert these VMs to HVM. The Xen Security Team plans to issue another update later this month to remove all uses of libfsimage wherever possible.
  • XSA-444: CVE-2023-34327 and CVE-2023-34327 - “x86/AMD: Debug Mask handling”. This vulnerability affects AMD CPUs, specifically the Steamroller microarchitecture and later. It allows guests to crash other guests and can also result in a crash of the host if a buggy or malicious PV guest kernel is present.

In addition to the security updates, this release includes other improvements:

  • The Storage Manager (sm) now handles custom multipath configurations better. Previously, users modified the /etc/multipath.conf file directly, and those changes could be lost or cause problems when the file was updated to add support for new hardware. The correct way to add custom multipath configuration is now through a file in the /etc/multipath/conf.d/ directory. XCP-ng 8.2 now includes a warning at the top of the /etc/multipath.conf file, creates the /etc/multipath/conf.d/ directory by default, and provides a ready-to-modify /etc/multipath/conf.d/custom.conf file.
  • Guest templates have been synced with Citrix Hypervisor’s recent hotfixes. The only new template added is for Ubuntu 22.04.
  • A backport of Citrix Hypervisor’s hotfix (XS82ECU1048) for irqbalance has been included. This hotfix enables interrupt balancing for Fibre Channel (FC) PCI devices, improving performance on fast FC HBA SRs, especially when multipathing is used.
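The multipath change above comes down to one rule: local settings go into a drop-in under /etc/multipath/conf.d/, and the packaged /etc/multipath.conf is left alone so an update cannot clobber them. The script below is an added example (not XCP-ng's or the sm package's own code) that writes such a drop-in into a scratch copy of /etc, and first sanity-checks it for the two mistakes that make multipathd ignore a file: unbalanced braces and an unknown top-level section (typically a `device { }` block that forgot its enclosing `devices { }`). The vendor/product strings, the packaged header text and the `demo()` helper are constructed for the example.

```python
import os
import re
import tempfile

# Top-level sections multipath.conf(5) understands.
KNOWN_SECTIONS = {"defaults", "blacklist", "blacklist_exceptions",
                  "devices", "multipaths", "overrides"}

# Constructed drop-in: the kind of per-array rule that used to be pasted
# into /etc/multipath.conf. Vendor/product are placeholders, not a real array.
CUSTOM_CONF = """\
devices {
    device {
        vendor  "EXAMPLE"
        product "ARRAY"
        path_grouping_policy "group_by_prio"
        no_path_retry 30
    }
}
"""


def validate_multipath_conf(text):
    """Return a list of problems found in multipath.conf-style text.

    Checks that braces balance and that every top-level section is one
    multipath knows about, so a broken drop-in is caught before a reload.
    """
    problems = []
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if depth == 0:
            m = re.match(r"^(\w+)\s*\{$", line)
            if not m:
                problems.append(f"line {lineno}: expected 'section {{', got {line!r}")
            elif m.group(1) not in KNOWN_SECTIONS:
                problems.append(f"line {lineno}: unknown section {m.group(1)!r}")
        depth += line.count("{") - line.count("}")
        if depth < 0:
            problems.append(f"line {lineno}: unmatched '}}'")
            depth = 0
    if depth != 0:
        problems.append("unclosed '{' at end of file")
    return problems


def install_dropin(etc_root, name, text):
    """Write a validated drop-in to <etc_root>/multipath/conf.d/<name>.

    Only plain *.conf filenames are accepted; the packaged multipath.conf
    itself is never written, which is the whole point of the conf.d layout.
    """
    if not name.endswith(".conf") or "/" in name:
        raise ValueError("drop-in must be a plain *.conf filename")
    problems = validate_multipath_conf(text)
    if problems:
        raise ValueError("; ".join(problems))
    conf_d = os.path.join(etc_root, "multipath", "conf.d")
    os.makedirs(conf_d, exist_ok=True)
    path = os.path.join(conf_d, name)
    with open(path, "w") as fh:
        fh.write(text)
    return path


def demo(etc_root=None):
    """Run the flow against a scratch /etc; returns (dropin_path, main_untouched)."""
    etc_root = etc_root or tempfile.mkdtemp(prefix="etc-")
    main_conf = os.path.join(etc_root, "multipath.conf")
    packaged = "# constructed stand-in for the packaged file: use conf.d instead\n"
    with open(main_conf, "w") as fh:
        fh.write(packaged)
    path = install_dropin(etc_root, "custom.conf", CUSTOM_CONF)
    with open(main_conf) as fh:
        untouched = fh.read() == packaged
    return path, untouched


if __name__ == "__main__":
    print(demo())
```

Point `etc_root` at a scratch directory, never the real /etc; on a host you would only reuse `validate_multipath_conf()` against the file you are about to drop into /etc/multipath/conf.d/ before running a reconfigure.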

For more information and to download the October 2023 Security Update for XCP-ng 8.2, please visit the XCP-ng blog.

XCP-ng: Latest Rust Guest Tools Enhancements

XCP-ng has made significant progress in the development of their VM guest tools, which are being rewritten in Rust. These tools have moved from their alpha phase to the beta phase and are now considered robust, though not yet stable.

Here are the achievements that have been made:

  1. A complete README: XCP-ng has created a comprehensive README file that outlines the goals, design, and instructions for building and running the tools. The README can be found here.

  2. Drop-in compatibility: The new tools are designed to be fully compatible with the existing XCP-ng toolstack. This means that installing the new tools will not interfere with any external elements. Xen Orchestra, for example, will accurately display all relevant information such as IP addresses, distro version, and RAM usage.

  3. Alternative schema: The tools can report data in more than one format. The default schema, called ‘std’, is backwards-compatible with the existing tools, while the adaptable ‘rfc’ schema reports the data more accurately. More details can be found in the usage documentation.

  4. Netlink as first class citizen: Netlink, a socket family that facilitates communication between the guest kernel and user space processes, plays a crucial role in the toolkit. It allows for efficient notification of network changes in the VM, resulting in quicker and more efficient updates. For guests without Netlink support, a fallback system has been implemented to ensure networking information can still be reported.

  5. Not restricted to Linux: The guest agent is compatible with other UNIX-family systems, such as BSDs. However, making it as efficient as on Linux guests poses a challenge, as Netlink support was previously limited to Linux. Efforts are being made to address this issue and make the guest agent work seamlessly on BSDs.

  6. Rust xenstore library: XCP-ng has contributed to the existing Rust xenstore project by enhancing API coverage. Financial support is also provided to the current maintainer to ensure the library’s upkeep.

  7. Modern builds, Security & dependency checking: Reproducible builds and security are key considerations in the redesign of the tools. CI infrastructure has been set up to run these checks automatically, and Dependabot is used to detect known vulnerabilities in dependencies. Work is ongoing to improve security measures.

  8. Code base improvements: As the team has gained experience with Rust over the course of the project, the code base has become more idiomatic (“Rust-like”) and has grown accordingly.

Overall, XCP-ng’s progress in rewriting the VM guest tools in Rust is promising. The tools are becoming more robust, compatible, and efficient, offering improved functionality for users.

Xen Orchestra 5.87 Released

Xen Orchestra has released version 5.89. This update brings a range of enhancements and updates to various components, including XO Lite. Let’s dive in and explore the details.

XO Lite

XO Lite has received several enhancements in this release. XO Lite now comes as a standard RPM package within XCP-ng 8.3, making it easier to keep up with updates. Bulk actions for VM migration and snapshot have been introduced, allowing for multiple operations to be executed simultaneously. The pool dashboard now includes a summary of missing patches for XCP-ng hosts, providing better visibility of critical updates.

Backup

Bug fixes and improvements have been made to enhance system resilience and add failsafes for specific scenarios. To prevent unexpected results during VM backup, a lock is now placed on VMs to prevent migration operations. This ensures system integrity and avoids any unpredictable outcomes.

Other Changes

Several quality-of-life enhancements and useful features have been added in this release.

A new feature allows for the download of all host system logs with a simple button press. This comprehensive tarball of logs is valuable for deep investigations. Disk health monitoring has been improved, allowing for the monitoring of disk status via an API call and displaying the information in the Xen Orchestra UI.

Xen Orchestra can now restart the server directly from the UI, providing a handy tool for canceling blocked tasks or unlocking stuck processes. Thin-reclaim for block-based SRs is now supported, allowing for cleaning operations if the SAN supports it.

The task system now logs failed sign-in attempts, providing information about potential brute-force attempts on Xen Orchestra accounts. Host and pool details now include the product brand and version, providing additional information in the UI.
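Logging failed sign-ins is only useful if something reads the log. As an added example (not Xen Orchestra's own code, and the record layout below is an assumption rather than the real task-log format), the following script parses constructed sign-in records and flags a source address once it accumulates a threshold of failures inside a sliding time window, also listing which accounts were tried so that a spray across several users from one address is not missed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field layout (timestamp, event, key=value
# pairs) is assumed for this example, not Xen Orchestra's actual format.
SAMPLE_LOG = """\
2023-10-12T08:00:01Z signin.failed user=admin ip=203.0.113.7
2023-10-12T08:00:03Z signin.failed user=admin ip=203.0.113.7
2023-10-12T08:00:04Z signin.failed user=admin ip=203.0.113.7
2023-10-12T08:00:06Z signin.failed user=admin ip=203.0.113.7
2023-10-12T08:00:07Z signin.failed user=root ip=203.0.113.7
2023-10-12T08:00:09Z signin.failed user=admin ip=203.0.113.7
2023-10-12T08:05:00Z signin.ok user=alice ip=198.51.100.20
2023-10-12T08:20:00Z signin.failed user=bob ip=198.51.100.20
2023-10-12T09:40:00Z signin.failed user=bob ip=198.51.100.20
"""


def parse_line(line):
    """Split one record into (timestamp, event, {key: value})."""
    ts, event, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"count", "first", "last", "users"}} for every source IP
    with at least `threshold` failed sign-ins inside any `window`-long span.

    The window slides over the sorted failure times per IP, so a slow,
    spread-out series of failures does not trigger, while a burst does.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        if event == "signin.failed":
            failures[fields["ip"]].append((ts, fields["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (t, _) in enumerate(events):
            # Advance the window start until it covers at most `window`.
            while t - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (ip not in alerts or count > alerts[ip]["count"]):
                alerts[ip] = {
                    "count": count,
                    "first": events[start][0],
                    "last": t,
                    "users": sorted({u for _, u in events[start:end + 1]}),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} failures {info['first']}..{info['last']} "
              f"against {', '.join(info['users'])}")
```

With the defaults, the burst from 203.0.113.7 (six failures in eight seconds, against two accounts) is flagged and the two failures from 198.51.100.20 eighty minutes apart are not; widening the window and lowering the threshold trades that quiet for earlier warning.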

The Xen Orchestra GitHub repository has also undergone cleanup, with a significant reduction in open issues.

openSUSE Leap Micro 5.5 Beta Released for Container & VM Focused Distro

The openSUSE Leap Micro 5.5 Beta has been released, offering a lightweight Linux operating system designed for containers and virtualized workloads. As the community version of SUSE Linux Enterprise Micro, openSUSE Leap Micro focuses on reliability and caters to container and virtualization use-cases. One of the major changes in this release is improved Security Enhanced Linux (SELinux) support. A release candidate for Leap Micro 5.5 will be available soon, with the official general availability (GA) release expected in early October. For more information and to download the Leap Micro 5.5 Beta, visit the openSUSE website.

Source: Phoronix.

Cloud Hypervisor Releases Version v35.0 of Open Source Virtual Machine Monitor

Cloud Hypervisor, an open-source Virtual Machine Monitor (VMM), has announced the release of version v35.0. This VMM runs on top of the KVM hypervisor and the Microsoft Hypervisor (MSHV). The primary focus of the Cloud Hypervisor project is to enable the running of modern cloud workloads on specific, common hardware architectures. Cloud workloads, in this context, refer to those run by customers within a Cloud Service Provider. This includes modern operating systems with most I/O handled by paravirtualized devices (such as virtio), no requirement for legacy devices, and 64-bit CPUs.

Implemented in Rust and based on the Rust VMM crates, Cloud Hypervisor offers several user-visible changes and improvements in this release. Some of the notable updates include:

  • virtio-vsock Support for Linux Guest Kernel v6.3+: With the kernel version 6.3 and newer, a vsock packet can now be included in a single descriptor, rather than being split over two descriptors. The virtio-vsock implementation in Cloud Hypervisor now supports both situations.

  • User Specified Serial Number for virtio-block: A new option called serial has been added to the --block command-line argument, allowing users to specify a serial number for a block device that will be visible to the guest.

  • vCPU TSC Frequency Included in Migration State: This enhancement ensures successful migration between hosts with different TSC frequencies when the guest is running with TSC as the source of timekeeping.

In addition to these improvements, the release also includes several bug fixes, addressing issues like concurrent CPU resizing, handling of APIC EOI messages for MSHV, memory offset calculations, spell check, block device alignment, and latency counter for block devices.

The release of version v35.0 of Cloud Hypervisor is the result of contributions from various contributors, including Alyssa Ross, Anatol Belski, Bo Chen, Christian Blichmann, Jianyong Wu, Jinank Jain, Julian Stecklina, Omer Faruk Bayram, Philipp Schuster, Rob Bradford, Ruslan Mstoi, Thomas Barrett, Wei Liu, Yi Wang, and zhongbingnan.

For more details about the release and the Cloud Hypervisor project, visit the Cloud Hypervisor v35.0 release page.