Posts for: #xcp-ng

Xen Orchestra 5.89 Released

Xen Orchestra has unveiled version 5.89, featuring over 20 new enhancements and functionalities. Noteworthy developments include Broadcom’s acquisition of VMware for over $60 billion, impacting the virtualization industry. Xen Orchestra’s team has expanded with new members, alongside the release of Xen 4.18, where one of their developers secured a Top 10 contributor spot. The landscape of virtualization is explored in light of industry shifts, emphasizing Vates’ innovative ‘Bundles’ amid these changes.

Xen Orchestra’s growth includes the addition of Bastien, focusing on XO’s backend, and a dedicated member for Project Pyrgos, concentrating on k8s cluster creation. Positive feedback surrounds the Rust Linux tools, with updates driven by community input. Backup functionality improvements introduce features like differential restore, API/CLI file-level restore, and enhanced XO Lite with a more compact interface, improved dashboard, and added functionalities.

The REST API sees updates for versatility, including user management, VDI content import, and XVA file management. Enhanced integration with Netbox facilitates optional synchronization between XO users and Netbox’s “tenant” entity, enhancing user activity tracking. Compatibility with XCP-ng 8.3 brings detailed task monitoring for coalesce, among other tailored features.

Additional improvements cover token management, VM booting with disk and ISO, console view disablement, and clearer messages for actions like forgetting a Storage Repository. Xen Orchestra 5.89 solidifies its position as a comprehensive solution for XCP-ng infrastructure management, demonstrating ongoing innovation and expansion within the Xen Orchestra team. The full changelog is available here.

Xen 4.18: The Latest Release for Virtualization Technology

The Xen Project has unveiled version 4.18, showcasing continued growth in both technological advancements and community contributions. The release emphasizes expanded hardware support and feature enhancements across various architectures.

Key Highlights:

  • Enhanced ARM Support: Notable additions include the Scalable Vector Extension (SVE), Arm Firmware Framework (FF-A), and an improved memory subsystem, signaling substantial progress in ARM architecture support.
  • x86 Architectural Improvements: Extensive support for features in AMD Genoa and Intel Sapphire Rapids CPUs, coupled with advancements like the Protection Key Supervisor (PKS) and bus-lock detection, enhances security and performance on Intel and AMD systems.
  • RISC-V and Power Ports: Demonstrating a commitment to diversity, initial ports for RISC-V and Power architectures have been introduced, promising intriguing developments in subsequent releases.
  • New Hypercalls and MISRA-C Adoption: The release introduces new hypercalls and an increased adherence to MISRA-C rules, bolstering the project’s robustness and versatility.

Community Initiatives: Ongoing projects and future plans within the Xen community include continuous improvements in ARM MPU support and PCI-passthrough, refining RISC-V support, and focusing on the ppc64le architecture with Radix MMU page table initialization, paving the way for broader PowerPC support.

For further details, refer to the official announcement.

XCP-ng: Security Update for November 2023

XCP-ng has released a new security update for the 8.2 LTS version. The update includes new microcode from Intel to mitigate hardware vulnerabilities; updating the hardware’s firmware as well is still recommended for the best results. The update also addresses security issues related to IOMMU and PV guests in the Xen Project. The microcode fixes CVE-2023-23583, which can allow privilege escalation, information disclosure, or denial of service and affects specific generations of server, desktop, embedded, and mobile processors.

The update also mentions upcoming fixes for the XSA-445 and XSA-446 vulnerabilities. XSA-445 can affect hosts if the dom_io feature is enabled, and XSA-446 can bypass certain protections for PV guests; not running PV guests at all removes any potential impact from the latter. The updated microcode for the Intel security advisory (SA) is included in this XCP-ng update, while the fixes for the XSAs will be incorporated in a future release or as needed in the coming days.

Introducing Xen Orchestra 5.88: Enhanced Virtualization Management Solution

XCP-ng has released Xen Orchestra 5.88, packed with new features and improvements. In the backup area, there have been code improvements and bug fixes, as well as an optimization for full backups using S3. The Terraform provider has also seen updates, including support for XenServer/XCP-ng bonded networks and improvements to the XO internal API. XO Lite now allows for cloning and snapshotting of VMs, and a “Ctrl Alt Del” button has been added to the console view. Xen Orchestra 6 is also in the works, with a focus on backup management and a revamped user interface. Mockups of the new UI have been shared, showcasing a more streamlined and efficient backup view. XOSTOR, the hyperconverged storage solution, now has a simple UI for creating new storage. XCP-ng 8.3 features have been added to Xen Orchestra, including vTPM management in the web UI and a new optional argument for the host.evacuate method. Overall, Xen Orchestra 5.88 brings a range of enhancements and improvements to the platform.

XCP-ng Boosts Security with October 2023 Update

New security and maintenance updates are available for the only currently supported release of XCP-ng, version 8.2 LTS. This update includes fixes for several vulnerabilities in Xen and the Linux kernel in the controller domain. Additionally, maintenance updates that were ready and waiting for the next push are also included.

The fixed vulnerabilities in this security update are as follows:

  • XSA-440: CVE-2023-34323 - “xenstored: A transaction conflict can crash C Xenstored”. This vulnerability could lead to a denial of service (DoS). However, it only affects users who deliberately switched to C Xenstored from the default OCaml version used by XCP-ng.
  • XSA-441: CVE-2023-34324 - “Possible deadlock in Linux kernel event handling”. While this denial of service vulnerability is not exploitable in XCP-ng’s default configuration, a patched dom0 kernel is provided as an additional layer of defense.
  • XSA-442: CVE-2023-34326 - “x86/AMD: missing IOMMU TLB flushing”. On certain AMD systems, an attacker could exploit a vulnerability in the handling of PCI passthrough to escalate privileges, cause a denial of service, or gain access to leaked information.
  • XSA-443: CVE-2023-34325 - “Multiple vulnerabilities in libfsimage disk handling”. This privilege escalation vulnerability affects PV guests through flaws in the handling of libfsimage, particularly with XFS. While PV guests are deprecated and not security-supported on XCP-ng 8.2, a fix is provided for users who still have PV guests. It is strongly recommended to convert these VMs to HVM. The Xen Security Team plans to issue another update later this month to remove all uses of libfsimage wherever possible.
  • XSA-444: CVE-2023-34327 and CVE-2023-34327 - “x86/AMD: Debug Mask handling”. This vulnerability affects AMD CPUs, specifically the Steamroller microarchitecture and later. It allows guests to crash other guests and can also result in a crash of the host if a buggy or malicious PV guest kernel is present.
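As an added example (not from the XCP-ng post), the two exposure questions a defender would want answered after reading the advisories above, namely whether a host runs C Xenstored instead of the default OCaml one (XSA-440) and whether any PV guests remain (XSA-443, and the PV-guest advice in the November update), can be settled from dom0 with a short shell script. The script parses constructed samples of `ps -eo comm` and `xe vm-list params=name-label,HVM-boot-policy` output so that it runs offline; the assumed output layout, the process names `oxenstored` and `xenstored`, and the rule that an empty HVM-boot-policy marks a PV guest are assumptions to verify against your own host.

```shell
#!/bin/sh
# Added example, not from the XCP-ng post: two exposure checks for the
# October 2023 XSAs, written to run offline against constructed samples.

# Constructed sample of `ps -eo comm` output (assumed process names:
# oxenstored for the default OCaml daemon, xenstored for the C one).
SAMPLE_PS='COMMAND
systemd
oxenstored
xapi
xcp-rrdd'

# Constructed sample of `xe vm-list params=name-label,HVM-boot-policy`.
# Assumption: an empty HVM-boot-policy means the VM boots as a PV guest.
SAMPLE_XE='name-label ( RW)    : web01
HVM-boot-policy ( RW): BIOS order


name-label ( RW)    : legacy-pv
HVM-boot-policy ( RW):


name-label ( RW)    : db01
HVM-boot-policy ( RW): BIOS order'

# xenstored_flavor: reads process names on stdin and prints "ocaml", "c"
# or "none". XSA-440 only matters for the "c" case.
xenstored_flavor() {
    awk '
        $1 == "oxenstored" { ocaml = 1 }
        $1 == "xenstored"  { c = 1 }
        END {
            if (ocaml) print "ocaml"
            else if (c) print "c"
            else print "none"
        }
    '
}

# list_pv_guests: reads xe vm-list output on stdin and prints one name per
# PV guest, i.e. the VMs that are candidates for conversion to HVM.
list_pv_guests() {
    awk -F': ' '
        /^[ \t]*name-label/      { name = $2 }
        /^[ \t]*HVM-boot-policy/ {
            policy = $2
            sub(/[ \t]+$/, "", policy)   # ignore trailing blanks
            if (policy == "") print name
        }
    '
}

# Run both checks against the constructed samples. On a real host use:
#   ps -eo comm | xenstored_flavor
#   xe vm-list params=name-label,HVM-boot-policy | list_pv_guests
printf '%s\n' "$SAMPLE_PS" | xenstored_flavor
printf '%s\n' "$SAMPLE_XE" | list_pv_guests
```

Both functions read from stdin so they can be piped from the live commands or from saved output collected during an incident review; the PV check deliberately treats a missing or blank HVM-boot-policy as PV rather than guessing from the VM name.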

In addition to the security updates, this release includes other improvements:

  • The Storage Manager (sm) now has better handling of custom multipath configurations. Previously, editing /etc/multipath.conf directly could conflict with XCP-ng’s own updates to that file when support for new hardware was added. The correct way to add custom multipath configuration is now a file in the /etc/multipath/conf.d/ directory. XCP-ng 8.2 now includes a warning at the top of /etc/multipath.conf, creates the /etc/multipath/conf.d/ directory by default, and provides a ready-to-modify /etc/multipath/conf.d/custom.conf file.
  • Guest templates have been synced with Citrix Hypervisor’s recent hotfixes. The only new template added is for Ubuntu 22.04.
  • A backport of Citrix Hypervisor’s hotfix (XS82ECU1048) for irqbalance has been included. This hotfix enables interrupt balancing for Fibre Channel (FC) PCI devices, improving performance on fast FC HBA SRs, especially when multipathing is used.

For more information and to download the October 2023 Security Update for XCP-ng 8.2, please visit the XCP-ng blog.

XCP-ng: Latest Rust Guest Tools Enhancements

XCP-ng has made significant progress in the development of their VM guest tools, which are being rewritten in Rust. These tools have moved from their alpha phase to the beta phase and are now considered robust, though not yet stable.

Here are the achievements that have been made:

  1. A complete README: XCP-ng has created a comprehensive README file that outlines the goals, design, and instructions for building and running the tools. The README can be found here.

  2. Drop-in compatibility: The new tools are designed to be fully compatible with the existing XCP-ng toolstack. This means that installing the new tools will not interfere with any external elements. Xen Orchestra, for example, will accurately display all relevant information such as IP addresses, distro version, and RAM usage.

  3. Alternative schema: The tools allow for flexibility in reporting data by offering different data formats. The default model, called ‘std’, is backward-compatible, while the adaptable model, called ‘rfc’, provides superior results. More details can be found in the usage documentation.

  4. Netlink as a first-class citizen: Netlink, a socket family that facilitates communication between the guest kernel and user-space processes, plays a crucial role in the toolkit. It allows the agent to be notified of network changes in the VM as they happen, resulting in quicker and more efficient updates. For guests without Netlink support, a fallback mechanism has been implemented so that networking information can still be reported.

  5. Not restricted to Linux: The guest agent is compatible with other UNIX-family systems, such as BSDs. However, making it as efficient as on Linux guests poses a challenge, as Netlink support was previously limited to Linux. Efforts are being made to address this issue and make the guest agent work seamlessly on BSDs.

  6. Rust xenstore library: XCP-ng has contributed to the existing Rust xenstore project by enhancing API coverage. Financial support is also provided to the current maintainer to ensure the library’s upkeep.

  7. Modern builds, Security & dependency checking: Reproducible builds and security are key considerations in the redesign of the tools. CI infrastructure has been set up to maintain checks and balances, and Dependabot is being utilized to detect known vulnerabilities in dependencies. Work is ongoing to improve security measures.

  8. Code base improvements: The use of Rust in this project has allowed for code that embodies more “Rust-like” characteristics. The experience gained from this project has contributed to the growth of the code base.

Overall, XCP-ng’s progress in rewriting the VM guest tools in Rust is promising. The tools are becoming more robust, compatible, and efficient, offering improved functionality for users.