Posts for: #virtualization

Cloud Hypervisor Releases Version v36.0 of Open Source Virtual Machine Monitor

Cloud Hypervisor, an open source Virtual Machine Monitor (VMM), has announced the release of version v36.0. This VMM runs on top of the KVM hypervisor and the Microsoft Hypervisor (MSHV) and is designed to run modern cloud workloads on common hardware architectures.

The project focuses on enabling customers to run cloud workloads inside a Cloud Service Provider, utilizing modern operating systems with paravirtualized devices (such as virtio) for efficient I/O, 64-bit CPUs, and no requirement for legacy devices.

Cloud Hypervisor is implemented in Rust and is based on the Rust VMM crates. The v36.0 release includes several user-visible changes and improvements:

Command Line Changes

The project has switched back to using the clap crate to create the command line interface, as the previous argh crate was not being actively maintained. This switch has resulted in syntax changes, such as using --option=value instead of --option value.

Enabled Features Reported via API Endpoint and CLI

Users can now query the enabled features of the running Cloud Hypervisor instance through the API endpoint (/vmm.ping) and the CLI (--version -v).

NUMA Support for PCI Segments

The --numa option now accepts a pci_segment= parameter, allowing users to define the relationship between PCI segments and NUMA nodes. Examples of usage can be found in the memory documentation.

CPU Topology Support on AMD Platforms

The CPU topology on x86_64 platforms now supports multiple vendors, providing improved flexibility and compatibility.

Unix Socket Backend for Serial Port

The --serial option now accepts a socket= parameter, enabling users to access the serial port through a Unix socket.

AIO Backend for Block Devices

An AIO (Asynchronous Input/Output) backend has been added for virtio-block devices, improving block device performance when the io_uring feature is not supported by the host operating system.

Documentation Improvements

The release includes various documentation improvements, including a new document for collecting coverage data and various typo fixes.

Notable Bug Fixes

Several notable bug fixes are included in this release: a fix for a deadlock when TDX (Intel Trust Domain Extensions) is enabled, a correction of the default vCPU topology on AArch64, and a change ensuring that AMX (Advanced Matrix Extensions) feature bits are only advertised to guests when the AMX CPU feature is actually enabled.

Introducing Xen Orchestra 5.88: Enhanced Virtualization Management Solution

XCP-ng has released Xen Orchestra 5.88, packed with new features and improvements. In the backup area, there have been code improvements and bug fixes, as well as an optimization for full backups using S3. The Terraform provider has also seen updates, including support for XenServer/XCP-ng bonded networks and improvements to the XO internal API. XO Lite now allows for cloning and snapshotting of VMs, and a “Ctrl Alt Del” button has been added to the console view. Xen Orchestra 6 is also in the works, with a focus on backup management and a revamped user interface. Mockups of the new UI have been shared, showcasing a more streamlined and efficient backup view. XOSTOR, the hyperconverged storage solution, now has a simple UI for creating new storage. XCP-ng 8.3 features have been added to Xen Orchestra, including vTPM management in the web UI and a new optional argument for the host.evacuate method. Overall, Xen Orchestra 5.88 brings a range of enhancements and improvements to the platform.

XCP-ng Boosts Security with October 2023 Update

New security and maintenance updates are available for the only currently supported release of XCP-ng, version 8.2 LTS. This update includes fixes for several vulnerabilities in Xen and the Linux kernel in the controller domain. Additionally, maintenance updates that were ready and waiting for the next push are also included.

The fixed vulnerabilities in this security update are as follows:

  • XSA-440: CVE-2023-34323 - “xenstored: A transaction conflict can crash C Xenstored”. This vulnerability could lead to a denial of service (DoS). However, it only affects users who deliberately switched to C Xenstored from the default OCaml version used by XCP-ng.
  • XSA-441: CVE-2023-34324 - “Possible deadlock in Linux kernel event handling”. While this denial of service vulnerability is not exploitable in XCP-ng’s default configuration, a patched dom0 kernel is provided as an additional layer of defense.
  • XSA-442: CVE-2023-34326 - “x86/AMD: missing IOMMU TLB flushing”. On certain AMD systems, an attacker could exploit a vulnerability in the handling of PCI passthrough to escalate privileges, cause a denial of service, or gain access to leaked information.
  • XSA-443: CVE-2023-34325 - “Multiple vulnerabilities in libfsimage disk handling”. This privilege escalation vulnerability affects PV guests through flaws in the handling of libfsimage, particularly with XFS. While PV guests are deprecated and not security-supported on XCP-ng 8.2, a fix is provided for users who still have PV guests. It is strongly recommended to convert these VMs to HVM. The Xen Security Team plans to issue another update later this month to remove all uses of libfsimage wherever possible.
  • XSA-444: CVE-2023-34327 and CVE-2023-34327 - “x86/AMD: Debug Mask handling”. This vulnerability affects AMD CPUs, specifically the Steamroller microarchitecture and later. It allows guests to crash other guests and can also result in a crash of the host if a buggy or malicious PV guest kernel is present.

In addition to the security updates, this release includes other improvements:

  • The Storage Manager (sm) now has better handling of custom multipath configurations. Previously, editing /etc/multipath.conf directly could cause problems when a package update rewrote that file to add support for new hardware. The correct way to add custom multipath configuration is now through a file in the /etc/multipath/conf.d/ directory. XCP-ng 8.2 now includes a warning at the top of /etc/multipath.conf, creates the /etc/multipath/conf.d/ directory by default, and provides a ready-to-modify /etc/multipath/conf.d/custom.conf file.
  • Guest templates have been synced with Citrix Hypervisor’s recent hotfixes. The only new template added is for Ubuntu 22.04.
  • A backport of Citrix Hypervisor’s hotfix (XS82ECU1048) for irqbalance has been included. This hotfix enables interrupt balancing for Fibre Channel (FC) PCI devices, improving performance on fast FC HBA SRs, especially when multipathing is used.

For more information and to download the October 2023 Security Update for XCP-ng 8.2, please visit the XCP-ng blog.

XCP-ng: Latest Rust Guest Tools Enhancements

XCP-ng has made significant progress in the development of their VM guest tools, which are being rewritten in Rust. These tools have moved from their alpha phase to the beta phase and are now considered robust, though not yet stable.

Here are the achievements that have been made:

  1. A complete README: XCP-ng has created a comprehensive README file that outlines the goals, design, and instructions for building and running the tools. The README can be found here.

  2. Drop-in compatibility: The new tools are designed to be fully compatible with the existing XCP-ng toolstack. This means that installing the new tools will not interfere with any external elements. Xen Orchestra, for example, will accurately display all relevant information such as IP addresses, distro version, and RAM usage.

  3. Alternative schema: The tools allow for flexibility in reporting data by offering different data formats. The default model, called ‘std’, is backward-compatible, while the adaptable model, called ‘rfc’, provides better results. More details can be found in the usage documentation.

  4. Netlink as first class citizen: Netlink, a socket family that facilitates communication between the guest kernel and user space processes, plays a crucial role in the toolkit. It allows for efficient notification of network changes in the VM, resulting in quicker and more efficient updates. For guests without Netlink support, a fallback system has been implemented to ensure networking information can still be reported.

  5. Not restricted to Linux: The guest agent is compatible with other UNIX-family systems, such as BSDs. However, making it as efficient as on Linux guests poses a challenge, as Netlink support was previously limited to Linux. Efforts are being made to address this issue and make the guest agent work seamlessly on BSDs.

  6. Rust xenstore library: XCP-ng has contributed to the existing Rust xenstore project by enhancing API coverage. Financial support is also provided to the current maintainer to ensure the library’s upkeep.

  7. Modern builds, Security & dependency checking: Reproducible builds and security are key considerations in the redesign of the tools. CI infrastructure has been set up to maintain checks and balances, and Dependabot is being utilized to detect known vulnerabilities in dependencies. Work is ongoing to improve security measures.

  8. Code base improvements: As the team has gained experience with Rust through this project, the code base has become more idiomatic, and that experience has fed back into its growth.

Overall, XCP-ng’s progress in rewriting the VM guest tools in Rust is promising. The tools are becoming more robust, compatible, and efficient, offering improved functionality for users.

Incus 0.1: The New Fork of LXD for Linux Containers

Linux Containers has released Incus 0.1, the first formal release of their community fork of the LXD project. Incus was created after Canonical took control of LXD. Incus 0.1 is similar to the LXD 5.18 release but includes several changes and improvements. The project has dropped unused or problematic features from the LXD codebase and will now focus on backwards compatibility. Notable changes include renaming the project to Incus and replacing /dev/lxd with /dev/incus. More details and downloads can be found at LinuxContainers.org.

Source: Phoronix.

Linux 6.7 Indicates Disabled AMD SVM Virtualization in /proc/cpuinfo

Phoronix reports that Linux will now indicate via /proc/cpuinfo if AMD virtualization (SVM) is disabled. This is a quality of life improvement for home lab virtualization when using AMD CPUs. Previously, checking for the presence of Intel virtualization support and its status could easily be done by looking at the flags in /proc/cpuinfo. However, SVM was always shown in /proc/cpuinfo regardless of whether it was disabled in the BIOS. This oversight is finally being corrected in the upcoming Linux 6.7 kernel cycle, with the possibility of back-porting the fix to existing kernel series.

The patch, developed by Red Hat’s Paolo Bonzini, has been queued into the tip tree’s x86/cpu branch. It reads the appropriate MSR to verify whether SVM has been disabled on AMD and Hygon processors. If SVM is disabled, the CPU capability is cleared and the flag no longer appears in /proc/cpuinfo. Previously, the only indications that AMD SVM was disabled were a message in the kernel log or KVM failing to work. This small but useful change makes it much easier to check whether virtualization is available through the widely used /proc/cpuinfo interface.
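The practical difference can be made concrete with a small shell check, added here as an example rather than code from the article or from the kernel patch. It classifies a /proc/cpuinfo dump by CPU vendor and virtualization flag: on a 6.7 kernel (or one carrying the backport) an AMD system with SVM disabled in firmware lands in the amd-svm-absent bucket, while on older kernels the same machine still reports svm, so a second function falls back to the presence of /dev/kvm, which only exists when the kvm module loaded and its hardware setup succeeded. The cpuinfo excerpts are constructed samples, not captured from real hardware.

```shell
#!/bin/sh
# Added example (not from the article or the kernel patch): classify a
# /proc/cpuinfo dump by CPU vendor and hardware-virtualization flag.
#
# Constructed cpuinfo excerpts used as sample input; not captured from real hardware.
SAMPLE_INTEL='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse vmx ssse3 lahf_lm'

SAMPLE_AMD_SVM='processor	: 0
vendor_id	: AuthenticAMD
flags		: fpu vme de pse svm ssse3 lahf_lm'

# What a 6.7 kernel shows for an AMD CPU with SVM disabled in firmware: the
# capability is cleared, so "svm" is simply missing from the flag list.
SAMPLE_AMD_SVM_DISABLED='processor	: 0
vendor_id	: AuthenticAMD
flags		: fpu vme de pse ssse3 lahf_lm'

# Read cpuinfo text on stdin; print one of:
#   intel-vmx        VT-x advertised
#   amd-svm          SVM advertised
#   amd-svm-absent   AMD/Hygon CPU without the svm flag (SVM disabled in firmware
#                    on a kernel that carries the fix, or a CPU without SVM)
#   none             no virtualization flag found
virt_flag_status() {
    awk -F': ' '
        /^vendor_id/ && v == "" { v = $2 }
        /^flags/     && f == "" { f = " " $2 " " }   # pad so the regexes match whole words
        END {
            if (f ~ / vmx /)                                     print "intel-vmx"
            else if (f ~ / svm /)                                print "amd-svm"
            else if (v == "AuthenticAMD" || v == "HygonGenuine") print "amd-svm-absent"
            else                                                 print "none"
        }'
}

# The flag alone is not proof that KVM works: on kernels before 6.7 an AMD CPU
# with SVM disabled in firmware still lists "svm". The KVM character device is
# only created when the kvm module loaded and its hardware setup succeeded, so
# its presence is the authoritative cross-check on any kernel version.
kvm_device_present() {
    [ -c /dev/kvm ]
}

# Combine both signals for the running host.
report_host() {
    status=$(virt_flag_status < /proc/cpuinfo)
    if kvm_device_present; then
        echo "$status: /dev/kvm present, KVM usable"
    else
        echo "$status: /dev/kvm missing, check 'dmesg | grep -i kvm' for the reason"
    fi
}
```

Run `report_host` on a host to see both signals together; feeding one of the sample strings to `virt_flag_status` shows how the same AMD machine reads before and after the fix.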

Source: Phoronix.