Xen Orchestra 5.107

Release May 27, 2025

Welcome to the May edition of our monthly Xen Orchestra updates!

I'm starting this month’s post a little differently by leading with essential security updates. In today’s world, keeping your infrastructure safe is more critical than ever, and we’re dedicated to making sure you have the tools and knowledge to do just that.

Beyond security, we’ve got plenty to share: from our new partnership with Hexatrust to the upcoming Vates Innovation Summit in Capri, the latest progress on Xen Orchestra 6, and continuous improvements in usability and reliability.

Let’s jump in and see what’s new!

🚨 Latest security updates

We’ve released three important security updates this month to ensure your infrastructure stays secure and up to date.

XSA-468: multiple Windows PV driver vulnerabilities - update now!

We've found several vulnerabilities in all existing Xen PV drivers for Windows from all vendors (XCP-ng, XenServer, AWS, etc.), which allow unprivileged users to gain system privileges inside Windows guests.

To keep your environment secure, we strongly recommend updating your PV drivers.

💡
Another strong proof of our commitment: these vulnerabilities were discovered by Tu Dinh, our lead developer for Microsoft compatibility and Windows PV drivers. It's a clear demonstration that we don’t just consume upstream work, we actively contribute to it. Tu will now join the official upstream Windows PV driver team as a maintainer.

Please read the critical information in the following XCP-ng blog post and follow the instructions provided:

XSA-468: multiple Windows PV driver vulnerabilities - update now!
Multiple vulnerabilities have been discovered in Windows PV drivers, allowing unprivileged users to gain system privileges inside Windows VMs. We provide updates, tools and guidance in response.

XCP-ng security update: mitigating Intel vulnerabilities

A new security update is now available for XCP-ng 8.3 and XCP-ng 8.2, focusing on addressing hardware vulnerabilities related to Intel processors. This update includes:

  • Updated Intel microcode to help protect against newly disclosed CPU vulnerabilities
  • A Xen patch for XSA-469 (CVE-2024-28956), improving protection against potential memory inference attacks
  • Additional microcode updates covering multiple Intel security advisories

May 2025 Security Update for XCP-ng 8.2 & 8.3
New security updates are available for XCP-ng 8.2 LTS and XCP-ng 8.3

⚠️
Please note that applying this update will require a host reboot.

Xen Orchestra security patches

This month’s release also includes an important security patch for Xen Orchestra. We strongly recommend updating as soon as possible. Details about this patch will be disclosed in a future changelog.

ℹ️
The patch is available for both the stable and latest release channels.

Now let's move to our usual first section: "Project and community"!


👨‍🚀 Project & Community

This month is packed with important news, as we're joining Hexatrust to support digital sovereignty in Europe, we're releasing a maintenance update for XCP-ng 8.3, and thanks to your input, we've set the priorities for our Xen Orchestra 6 MVP.

We're also looking forward to the Vates Innovation Summit in Capri, and finally, don't miss our new guide to deploying Windows VMs with Cloudbase-init.

Stay tuned for more updates!

Strengthening virtualization independence with Hexatrust

We’re proud to announce that Vates has joined Hexatrust, a non-profit alliance uniting key players in cybersecurity and trusted digital infrastructure. This marks another milestone in our commitment to building a credible, open alternative in virtualization.

Vates Joins Hexatrust: advancing trusted and sovereign IT Infrastructure
Vates joins Hexatrust to promote trusted, sovereign IT infrastructure in Europe. As part of the ecosystem, we aim to drive collaboration, share expertise, and advocate for strong virtualization alternatives in strategic industries.

I recently shared more thoughts on this in my personal blog post, “The Right Time for Europe,” where I explain why investing in digital independence is more urgent than ever.

The right time for Europe
In a world where resilience depends on more than supply chains, Europe must decide where it wants control—and where it’s willing to depend on others.

Joining Hexatrust is part of that journey: helping to ensure that critical digital infrastructure remains open, secure, and sovereign.

Sneak peek: XO6 MVP priorities

We recently surveyed our community and customers to gather input on the most essential features for the MVP of Xen Orchestra 6 we are working on.

Here’s a quick glimpse of what you have highlighted as top and lower importance – these are valuable insights that will help us to define the roadmap for the Xen Orchestra 6 MVP.

  • What stood out
    • VM lifecycle management
    • Host and pool management
    • Backup & restore
    • Storage management
    • Network configuration
  • Seen as less critical
    • RBAC
    • API / automation readiness
    • DevOps integrations
    • Integration with external authentication
    • Dashboard and performance metrics

We’ll share a dedicated blog post soon to dive deep into these findings and outline how they’ll shape the next major release of Xen Orchestra. Stay tuned!

Maintenance update for XCP-ng 8.3

We’ve also released a maintenance update for XCP-ng 8.3 this month. It focuses on stability, hardware support, and performance improvements, while including some defense-in-depth security updates and refreshed guest OS templates (like Windows Server 2025 and Ubuntu 24.04). This update lays the groundwork for XCP-ng 8.3’s upcoming long-term support phase, so don’t miss out!

May 2025 Maintenance Update for XCP-ng 8.3
New bugfix and enhancement updates are available for XCP-ng 8.3.

Vates Innovation Summit in Capri

We’re excited to announce that the Vates Innovation Summit is just around the corner! On May 30, in the stunning setting of Capri, Italy, we’re bringing together industry leaders, policymakers, and technology experts to discuss the future of sustainable virtualization and digital sovereignty in Europe.

Vates Capri Innovation Summit
Data Centers and the Environment: The Path Toward Sustainable Virtualization Today’s global innovation is driven by emerging and constantly evolving technologies. Current scenarios demand a hybrid and open approach that allows for achieving both efficiency and environmental sustainability goals. Vates has always been committed to developing sustainable open source

Windows templates with Cloudbase-Init: Step-by-step guide & best practices

We’ve published a comprehensive guide on streamlining Windows VM deployments in XCP-ng using Cloudbase-Init. This step-by-step tutorial walks you through creating a master Windows VM, configuring Cloudbase-Init, and preparing reusable templates.

Windows Templates with Cloudbase-init: Step-by-step Guide & Best Practices
Easily automate Windows VM deployments in XCP-ng with Cloudbase-init and Xen Orchestra. Here’s how to do it right!

Okay, now let's switch to our monthly XO release content!


💾 Backup

We have completed a major refactor of the backup code. Even if the change isn't visible to you, we announced it last month and we delivered. If you want to try it, use your XOA on the latest release channel. We also took the opportunity to fix some bugs.

Full backup mirroring over 50GB from encrypted S3 remotes

We’ve resolved an issue where mirroring full backups larger than 50GB from encrypted S3 remotes could fail. The problem was related to how part sizes were calculated during large file uploads: too many chunks would cause things to break.

Now, Xen Orchestra estimates the backup size even when it’s coming from an encrypted remote and uses that to calculate a proper part size. This keeps the upload within S3’s limits (max. 10,000 parts), while balancing memory usage.
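
An added example, not Xen Orchestra's own code, of the part-size calculation described above. It uses S3's documented multipart limits (5 MiB minimum part size, 5 GiB maximum part size, 10,000 parts); the function names and the 10% margin on the estimated size are assumptions.

```javascript
// Added example: S3 multipart limits are documented AWS values; the function
// names and the 10% estimate margin are assumptions made for this sketch.
const MiB = 1024 ** 2
const MIN_PART_SIZE = 5 * MiB          // S3 minimum for every part but the last
const MAX_PART_SIZE = 5 * 1024 * MiB   // S3 maximum part size (5 GiB)
const MAX_PARTS = 10000                // S3 maximum number of parts per upload

// Number of parts an upload of `size` bytes needs at a given part size.
function partCount(size, partSize) {
  return Math.max(1, Math.ceil(size / partSize))
}

// Pick the smallest part size (rounded up to a whole MiB) that keeps the
// upload within MAX_PARTS. Small parts keep per-part buffers small; the
// margin absorbs the error of estimating the size of an encrypted backup.
function choosePartSize(estimatedSize, margin = 0.1) {
  if (!Number.isFinite(estimatedSize) || estimatedSize < 0) {
    throw new RangeError('estimatedSize must be a non-negative number of bytes')
  }
  const padded = Math.ceil(estimatedSize * (1 + margin))
  const needed = Math.ceil(padded / MAX_PARTS / MiB) * MiB
  const partSize = Math.max(MIN_PART_SIZE, needed)
  if (partSize > MAX_PART_SIZE) {
    throw new RangeError('object too large for a single multipart upload')
  }
  return partSize
}

// Largest object a fixed part size can carry before hitting MAX_PARTS.
function maxUploadSize(partSize) {
  return partSize * MAX_PARTS
}

// Constructed sample sizes (bytes), not taken from a real backup.
const samples = { '10 GB': 10e9, '60 GB': 60e9, '2 TB': 2e12 }
for (const [label, size] of Object.entries(samples)) {
  const fixed = partCount(size, MIN_PART_SIZE)
  const partSize = choosePartSize(size)
  console.log(
    `${label}: ${fixed} parts at 5 MiB${fixed > MAX_PARTS ? ' (over limit)' : ''}, ` +
    `${partCount(size, partSize)} parts at ${partSize / MiB} MiB`
  )
}
```

At the 5 MiB minimum, 10,000 parts carry at most 52,428,800,000 bytes, so any larger upload needs bigger parts.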

🥝 Core UI

This month, we're introducing new ways to view critical information about your hosts at a glance, by updating the System tab. Also, we've improved translations and updated the interface, with new SVG visuals for a cleaner look.

New Host section in the System tab

We've added a Host section inside the System tab. This gives you a quick look at essential host info like hardware details, CPU, and memory usage, all in one place. It's an easy way to keep an eye on your infrastructure and paves the way for future monitoring improvements.

Updated translations

Thanks to our community and their efforts on Weblate, translations have been improved across the app, with updates for Czech, German, Spanish, Dutch, Russian, and Swedish. This makes the interface more accessible and consistent for our international users, as part of our effort to enhance the experience for everyone.

Current translation status

Thanks a lot to the community! If you'd like to help translate Xen Orchestra or fix existing translations, feel free to contribute here.

If you want to discover more about Weblate, check out their website:

Weblate - web-based localization
Copylefted libre software, used by over 2,500 libre software projects and companies in over 165 countries.

Improved visuals with new SVG images

The interface of both XO 6 and XO Lite now uses a new set of SVG images. The new graphics look neater, more consistent, and perform better on all screen sizes and resolutions.

🔭 XO Lite

This month with XO Lite, you can now choose storage repositories for VDIs when creating a VM! Read on for more details.

Select a storage repository for existing VDIs at VM creation

When creating a VM, you can now select which storage repository (SR) you want to use for each virtual disk (VDI). This gives you more control over where your VM's storage resides from the start. Whether you're balancing the load across multiple SRs or certain types of storage, this new option makes creating the VM more flexible and tailored to your setup.

Before the update, the storage repository field was disabled
After the update, the storage repository field is now enabled

🛰️ XO 6

This month, we've updated XO 6 to add a System tab to the VM page, so that you can see key information in an instant.

System tab available for VMs

VMs now have their own System tab. That makes it easy to quickly check key metrics for your VMs.

🪐 XOA

We've made some important updates for XOA as well, tightening security to prevent misuse of trial accounts, while keeping it accessible for genuine users. Additionally, we've released a new XOA image build!

Enhanced security for trial accounts

We've made some tweaks to how account changes are managed in XOA. The reason for this is to cut down on trial abuse and ensure that our trial system remains a resource for genuine users exploring our platform. As our CEO Olivier Lambert highlighted in his recent blog post, we've encountered instances where organizations repeatedly exploited our trial system instead of opting for our open-source version or a supported subscription. Such practices challenge the sustainability of our open-source model and the trust we place in our user community.

Ground control to Major Trial
When a $130M aerospace company chooses to endlessly abuse free trials instead of typing git pull, you start to question gravity, or at least common sense.

Prior to these adjustments, users could easily update both their email and password in the registration tab. Now, to enhance security and discourage misuse, we've implemented a few changes specifically for trial users.

If you're using XOA in trial mode and open the Registration form to update your details, the email field will be greyed out, and you won’t be able to change your email address anymore.

Updated registration form

Of course, if you have a good reason to change it, contact us and we'll be happy to assist!

XOA image updated

A new build of the XOA image was released, based on Debian 12.10 and XO 5.105.0. As usual, you can grab it on vates.tech/deploy.

Xoa Deploy

It's very easy to export your config and import it on a new XOA, so if yours is still running an older Debian release (10 or 11), it's time to switch!

🖥️ XO CLI

This month brings improvements to the CLI as well, as you can now manage network-wide traffic rules directly via XAPI and the CLI. This adds more control and flexibility to your SDN setup, with support for advanced policies coming soon.

New traffic rules system now accessible through XAPI and XO CLI

We have expanded the capabilities of the SDN Controller to let you manage network-wide traffic rules directly via XAPI, and added support for per-VIF traffic rules on any network, including private networks.

This leverages the efforts made in the past to manage OpenFlow rules on a per-VIF basis, and lets you specify traffic filtering routes that apply to entire networks without needing to manually configure each VM. 

From here on out, network policies can be added and deleted with the new XAPI endpoints. Policies are fully integrated in Xen Orchestra's SDN Controller and you can even use xo-cli to access them for testing or scripting.

💡
This feature requires a plugin on the XCP-ng side. While it’s already functional on the XO/XAPI side, we can’t commit to a release date for the plugin just yet.

This update improves consistency and control over network traffic, while setting the stage for more complex network policies in the future.

📡 REST API

As we keep improving the REST API month after month, you can now perform key server operations through the API. Plus, we've added even more endpoints to Swagger!

Managing servers

With the new release, not only can you create new servers straight from the API, but you can also enable or disable existing servers. This feature will help you better integrate and automate your infrastructure setup.

More API endpoints available in Swagger

A few releases ago, we began a project to fully document our REST API in Swagger (something we first discussed in the XO 5.104 blog post).

As part of that process, we have now added more endpoints to Swagger:

  • PIFs (get and getId)
  • VMs (snapshot, hard_shutdown, hard_reboot, clean_shutdown, clean_reboot)

If you are repeatedly calling the API or just like to have a more visual, interactive way to explore it, these additions will make your life and integrations easier.

PIF endpoints documented in Swagger
Xen Orchestra 5.104
This month at Vates, we’re bringing you a wave of updates across the board! Our virtualization stack is now validated for Red Hat Enterprise Linux 9, and we’ve announced a strategic partnership with VyOS to enhance networking capabilities in Vates VMS.

☸️ DevOps Tools

If you're using Xen Orchestra in a DevOps environment, we've got some great updates for you! We're making it easier to automate your workflow, with additions such as: a major new release of our Pulumi provider, improvements in our PowerShell module, and fresh template options in the Hub. Plus, we’ve restored full compatibility with the older versions of NetBox.

Read on for more details!

Introducing the Pulumi Xen Orchestra provider v2.0.0

The DevOps team has released a newer version of the Pulumi Xen Orchestra provider. Pulumi is an infrastructure-as-code SDK that lets you manage infrastructure using a variety of programming languages.

With our Xen Orchestra provider, you can manage XCP-ng and Xen Orchestra resources alongside your application code, using TypeScript, JavaScript, Python, Go, C#, or YAML.

Pulumi XO provider v2
We just released our last version for our Pulumi provider for XO (v2)

This release ensures that the provider is up to date with the latest version of the pulumi-terraform-bridge, making it easier to keep up with new Pulumi versions. Since previously deprecated and replaced functions have been removed, this is considered a major release. Check out the Pulumi registry for provider documentation and code examples.

Xen Orchestra
Provides an overview of the Xen Orchestra Provider for Pulumi.

Hub templates

Head over to the Hub in Xen Orchestra to install a new AlmaLinux 9 template! It's ready to use: with cloud-init, you can start new VMs in seconds.

Almalinux 9 template

Xen Orchestra PowerShell module

The xo-powershell module has moved from alpha to beta and is now published in the PowerShell Gallery as version 1.0.0-beta 🥳

xo-powershell 1.0.0-beta
Xen Orchestra PowerShell module

Grab it with this PowerShell command in your console:

Install-Module -Name xo-powershell -AllowPrerelease

Then check out the cmdlets documentation here:

GitHub - vatesfr/xo-powershell: PowerShell module for Xen-Orchestra
PowerShell module for Xen-Orchestra. Contribute to vatesfr/xo-powershell development by creating an account on GitHub.

🆕 Misc

As we are focusing more and more on XO 6 and XO Lite, the misc section is getting thinner. That's a very good sign for two reasons: there are fewer things to fix, and it shows how focused we are on the new UI!

Support for NetBox 4.3 and earlier

NetBox is an open-source platform designed to help you manage and document complex networks. It's commonly used to monitor IP addresses, racks, devices, and other infrastructure details, making automation and organization easier. 

Xen Orchestra now fully supports NetBox 4.3 and earlier versions. Recent updates to NetBox had caused some compatibility issues, but the new Xen Orchestra release has resolved these. If you’ve upgraded NetBox, everything should work smoothly again without any extra steps.

Enhanced Safari compatibility 

We've fixed an issue in Safari where the Xen Orchestra logo on the login page appeared way too large. This release corrects the layout, so the page now displays as expected.

We've also improved how the XO header renders on the mobile site. Previously, resizing the window could push the burger icon out of place and shrink the "Xen Orchestra" text. Now, Safari refreshes the header more intelligently, ensuring everything displays properly.

Burger icon not positioned correctly
Wrong text resizing

Olivier Lambert

Along with Marc Pezin, Thomas Moraine

Vates CEO & co-founder, Xen Orchestra and XCP-ng project creator. Enthusiast entrepreneur and Open Source advocate. A very happy Finnish Lapphund owner.