XO 5.113 is here. It's the final chapter in the XO 5.x saga. Over nearly ten years, 113 releases, and countless improvements, we’ve grown from a simple management interface to a full-fledged, enterprise-ready virtualization orchestration platform. This last 5.x release packs security hardening, backup reliability, major UI improvements, and paves the way for a smooth transition to XO 6.

👨‍🚀 Project & Community

Funny enough, even with several exciting announcements on the horizon, this section is still smaller than the feature-packed release notes that follow. So let’s kick things off here!

Vates and Nexsan

One of the big highlights this month is our partnership with Nexsan. Their Unity platform brings the kind of storage you actually want in production: predictable performance, multiple protocols built-in, and real data protection features that don’t get in your way.

For XCP-ng and Xen Orchestra users, it simply means a storage backend that does the job, scales properly, and doesn’t trap you in anyone’s ecosystem. It fits naturally with what we’ve been building for years: an open, transparent, and reliable virtualization stack.

Vates & Nexsan Unity: Open virtualization meets proven enterprise storage

Vates and Nexsan join forces to deliver a validated, production-ready solution combining XCP-ng, Xen Orchestra, and Nexsan Unity storage, offering enterprise performance, data protection, and freedom from vendor lock-in.

Vates BlogMarc-André Pezin

Ampere ARM processors: diversity in the datacenter

Our work with Ampere Computing also continues to gain traction. Their ARM processors aren’t just “another CPU option”: they offer high core density, excellent efficiency, and a design that really shines in modern, scale-out environments.

For Xen Orchestra users, this means something we care deeply about: choice. You’re not tied to x86 anymore. ARM is becoming a credible option for cloud-native workloads, edge deployments, or even just reducing your power consumption without sacrificing performance.

XCP-ng on Ampere Altra: Our First ARM Demo at KubeCon

A first look at XCP-ng running on Ampere Altra ARM servers.

XCP-ng BlogOlivier Lambert

New Windows PV driver release (9.1.100)

Here comes a fresh release of our Windows PV drivers, with new features, lots of fixes, and all of it fully baked at Vates. With our ongoing upstream work, we’re really moving the needle on driver quality for the whole Xen ecosystem.

Drivers can be found here:

Release 9.1.100 Release Signed · xcp-ng/win-pv-drivers

This release brings multiple bug fixes to all Windows drivers and guest tools components. To download XenClean, click here. The installer downloads also includes a copy of XenClean and XenBootFix.…

GitHubxcp-ng

If you want to read the story on how we managed to do all of this, don't miss our previous blog post:

Signed Windows PV drivers now available

After years of work and collaboration with Microsoft, we are proud to announce that the XCP-ng Windows PV drivers are now officially signed and ready for production, marking a major milestone in our journey toward full stack independence.

XCP-ng BlogTu Dinh

Choosing the right backup strategy

Backups aren’t a “feature”, they’re a strategy. And depending on your constraints, your infrastructure, and your recovery goals, the right approach might look very different from someone else’s.

This is why Xen Orchestra doesn’t force you into a single model. You can go with full snapshots, incremental backups, replication, or long-term archiving, whatever matches your workload and risk profile. The idea is simple: the tool adapts to your environment, not the opposite.

Cost-Effective Backup Strategy with XenOrchestra

Xen Orchestra provides fast, flexible, and cost-efficient backup and replication to meet your RTO and RPO needs

Xen Orchestra BlogFlorent Beauchamp

Xen 4.21

Xen 4.21 is out, with broader architecture support and key performance improvements. As one of the top contributors and the team behind Xen’s release management, we’re proud to help drive the hypervisor forward.

Xen Project Delivers Xen 4.21, a Modernized Hypervisor with Broader Architecture Support and Improved Performance

OpenSSF Announces Key Membership Growth and Golden Egg Award Winners at Open Source SecurityCon North America

The Linux FoundationThe Linux Foundation

XO 6 is coming: phased rollout starts now

We’re entering the final stretch for the transition to XO 6, and things will start moving quickly over the next few weeks.

End of November:
If you’re on the latest channel in XOA, you’ll notice a new entry in the left menu giving you access to XO 6. XO 5 stays the default interface for now, but you can start testing XO 6 whenever you feel ready.
For those running XO from the sources, the switch is even more direct: XO 6 becomes the default UI, with an easy link to jump back to XO 5 if needed.

End of December:
The latest XOA channel will make XO 6 the default interface as well. And just like before, XO 5 remains available anytime, no pressure, no forced switch.
If you prefer the stable channel, nothing changes yet: it will continue using XO 5 by default.

🎫 Events

Curious where you can meet us next?

🇫🇷 API Days (December 9-11, Paris, France)

We'll have a talk and a panel discussion there. If you are in Paris at those date, it's the opportunity to connect!

Paris - 9 - 11 December 2025 | apidays

As Europe’s capital of tech, policy, and innovation, Paris provides the perfect setting to explore the convergence of APIs and AI. At the heart of this intersection, apidays Paris sparks essential conversations on data security, digital sovereignty, and sustainable innovation in the age of intelligent systems.

Apidays

We've been there!

🇺🇸 KubeCon North America 2025

We were present at KubeCon with our own booth. We highlighted our work around XCP-ng on ARM with Ampere processors, showing how our stack is evolving to support modern ARM-based infrastructures and giving attendees a preview of what’s coming. See more here.

🇱🇺 Luxembourg Internet Days 2025 (with C2D IT Solutions)

We were also involved through our partner C2D IT Solutions, who presented our solutions and engaged with organizations interested in open virtualization and infrastructure flexibility.

XO 5.113

The final lap for the XO 5.x saga! Release 5.113 marks the end of the line: the next stop is XO 6.0.

That’s 113 releases on the XO 5 branch, nearly a full decade of work (we’re only a few releases short of what would have been 120 in 10 years!).
When we started XO 5, we definitely didn’t expect it to carry us this far. The amount of functionality added over these years (all while staying within the same UI and architecture) is honestly wild.

As usual, our official changelog can be found here:

xen-orchestra/CHANGELOG.md at master · vatesfr/xen-orchestra

The global orchestration solution to manage and backup XCP-ng and XenServer. - vatesfr/xen-orchestra

GitHubvatesfr

🛡️ Security

As always, we’re tightening things up on the security side.

Updated xml2js Dependency

We’ve upgraded xml2js to a safe, modern version, since anything below 0.5.0 carries a known moderate vulnerability. The update removes that risk and keeps our dependency stack aligned with current security standards.

As part of the change, we checked the components still relying on older versions to ensure nothing breaks. Everything continues to behave as expected, just with one less security concern hanging around.

VSA-2025-003

We've published a new security notice to the Vates VMS documentation platform: this page includes a detailed breakdown of the vulnerability known as VSA-2025-003, including affected components and potential impact, along with clear, actionable recommendations to secure your environment.

This notice follows our commitment to transparency and proactive security. Admins and operators are encouraged to review it immediately to assess exposure and apply necessary measures.

Click the link below to read the notice:

VSA-2025-003: Xen Orchestra SAML plugin Vulnerability | Vates VMS Documentation

2025-11-04 / Important severity / Xen-Orchestra prior to 5.111.1 affected.

Vates VMS Documentation

💾 Backup

Nothing flashy this time: just solid under-the-hood fixes and stability boosts.

Long-term Retention fixes

We've resoled inconsistencies with long-term retention backups. Previously, some configurations incorrectly retained the last backup of the day instead of the first. Automated tests failed unexpectedly, and in rare cases, no LTR backups were preserved at all.

These issues have been fully addressed. LTR now accurately selects and retains the correct backups, tests validate successfully, and retention policies apply consistently across all environments. . This makes long-term backup strategies far more predictable and trustworthy.

🥝 Core UI

Core UI is the next-gen common UI for both XO 6 and XO Lite.

Switch from XO 5 to XO 6

On top of the fallback link to XO 5 (see the XO 6 section), we've added a link that lets you switch back to XO 6 at all times. The link stays visible in the XO 5 header, so you can go back to the new, default XO 6 experience with just one click. Previously, this option only worked the other way, from XO 6 to XO 5.

Redesigned Pool Hosts tab

We've completely refreshed the Hosts tab in the Pool view to align with XO 6’s modern design. The tab was already there, but its layout and structure didn’t fit the new UI direction, so it’s been refactored for consistency and readability.

Shared TypeScript definitions

XO 6 and XO Lite now rely on the common @vates/types package for their TypeScript definitions. Instead of maintaining separate sets of types on the frontend and backend, both sides now pull from the same source of truth.

This removes duplicate definitions and makes the whole codebase a bit more predictable. It also simplifies cross-project work, since updates to shared types automatically propagate where they’re needed.

🛰️ XO 6

As you can see, development on XO 6 is now moving at full thrust.

Default to XO 6 on build incoming

From December 2025 onwards, cloning the repo and running XO from source will launch XO 6 by default. You won't need to set extra flags or environment variables anymore. We are removing the unnecessary steps so that you can immediately experience the next generation of Xen Orchestra.

If you really want to continue with XO 5, it’s okay, just modify your local configuration to have it as the default.

This change makes early access to XO 6 effortless, while those who want to stay with the classic version still have the ​‍​‌‍​‍‌option.

Seamless fallback to XO 5

Since XO 6 is still in its MVP phase, some actions and views aren’t fully available yet. To keep your workflow uninterrupted, the UI now automatically links to the equivalent XO 5 page whenever you hit an unsupported feature.

This means you can explore XO 6 freely, and if you hit a missing feature, you’re just one click away from the XO 5 version.

Real-Time UI updates

Whenever changes occur in the backend, the XO 6 interface will now update instantly. With this new, real-time responsive system, you won't have to refresh manually anymore. 

Under the hood, we leverage the latest improvements in our REST API for reactivity. Views subscribe to the /rest/v0/events stream and receive updates the moment they’re pushed. XAPI Objects (VMs, hosts, SRs, VDIs, etc.) refresh fluidly, while the frontend manages subscriptions intelligently and clean up to optimize performance and avoid unnecessary re-renders.

VDI Tab in the VM page

A new VDI tab is now available when you open a VM in the treeview. It gives you a direct, consolidated view of all disks attached to that VM, along with its associated VDI tasks.

Instead of jumping around pool-level views to track storage details, everything is now in one place. It’s a cleaner way to inspect and understand a VM’s disk footprint from the VM page itself.

Host and Pool VM tabs

We've revamped the VM tab in the Host and Pool views. The idea is to match the current XO 6 design and offer a clear picture of the VMs tied to each resource.

When you select a host, the VMs tab now shows a table listing every VM running on that machine. Same thing at the pool level: open a pool and switch to the VMs tab to see an updated, consistent view of all VMs in that pool.

These pages already existed, but were rebuilt to fit the new layout and provide a more readable experience across the treeview.

Site-level VM and Host tabs

Site pages in XO 6 now include dedicated VMs and Hosts tabs. This way, you can see everything running in a site without navigating further down the tree view.

Select a Site and open the VMs tab to see a clean table listing all VMs associated with that site. The Hosts tab works the same way, and gives you a full view of every host belonging to that site.

These improvements bring the Site view in line with the rest of the XO 6 design and make navigation more intuitive.

Centralized settings page

XO 6 now has a proper Settings page that brings all the essentials together in one place. Instead of digging through various menus, you can quickly check both XO/XOA and XCP-ng versions, jump to news, docs, community forums, support pages, or the API Swagger, all from the same screen.

The page also lets you set your preferred theme (light, dark, or automatic) and pick your display language.

Clearer backup mode labels

We've replaced ambiguous or overly technical terms for backup modes. Some of the previous labels in the backup list page were a bit unclear or too technical, so the terminology has been refreshed to better reflect what each mode actually does.

Here's what changes:

• Disaster Recovery becomes Full replication.
• Continuous replication becomes Incremental replication.
• Mirror backup and Full backup become Mirror full backup.
• Mirror backup and Incremental backup become Mirror incremental backup.

We've also removed the "Metadata backup" wording for the Pool metadata and XO config backup modes.

Finally, we've updated how backup modes appear in backup job lists. Instead of tag lists, they now appear as simple lists:

Nothing changes in how backups work under the hood. The goal is simply to make the list more readable so you can immediately tell how each job is configured without second-guessing the terminology.

VM creation form notice

The VM creation form in XO 6 is currently in its MVP phase. As a result, it now includes a clear notice about its limitations. This banner outlines unsupported features —such as cloud-init configuration, advanced options, or vTPM management — and provides a direct link to the fully featured XO 5 form, with the correct pool preselected for convenience.

This ensures you know exactly what to expect while we continue enhancing the XO 6 form, with the complete version scheduled for 2026.

VM boot firmware option

The VM creation form now includes the Boot firmware field. You can choose the firmware you want your VM to use, directly during setup, instead of relying on defaults or switching back to XO 5.

This addition brings the form closer to feature parity with XO 5 and gives you proper control over how new VMs start up.

Host and Pool Storage tabs

We've added a Storage tab for both the Host and Pool views in XO 6. Selecting a host or a pool now gives you a dedicated tab listing all storage repositories connected to them.

These additions let you inspect storage repositories directly from the treeview, without drilling down into individual hosts or unrelated pages, for a more straightforward workflow.

🐦 VMware to Vates (V2V)

Our V2V tool also received important improvements.

First, we now properly handle disks that aren’t aligned on 2 MB boundaries, which significantly increases migration success rates and fixes cases where exports could get stuck.

And on top of that, warm migration is now supported even on older ESXi versions (including ESXi 6) expanding compatibility for smoother VMware-to-Vates transitions.

⚖️ Load balancer

Guess what? Load balancer updates are back!

Affinity rule option

In the load-balancer plugin for Xen Orchestra, you’ll now find a new Affinity rule option (in addition to the existing Anti-affinity rule). With this setting, you can guide VMs to land on the same host when it makes sense.

This new rule gives you more flexibility in how you group VMs across hosts, which is useful when you have workloads that benefit from being together (e.g., low-latency inter-VM comms) instead of always trying to spread them.

🪐 XOA

This release also brings an important improvement to how we ship XOA.

Automated XOA image builds

The release process for Xen Orchestra appliance (XOA) images has been fully automated. Previously, although nightly builds were generated automatically, promoting a version to stable required manual coordination between quality assurance and DevOps teams.

As of this release, the entire workflow (including image build, testing, and publication) is now triggered automatically as part of the stable release process. This ensures that every Xen Orchestra release is accompanied by its corresponding, validated XOA image without delay.

The change streamlines operations, minimizes potential errors, and guarantees that users receive a consistent, up-to-date appliance image with each release.

DC Scope and DC NetScope access buttons

XO 6 now has a Third party apps dropdown in the header, which lets you reach DC Scope and DC NetScope directly from the interface. If these EasyVirt tools are already deployed, the links open their dashboards right away. If not, you’ll be redirected to the deployment interface, in the XO 5 interface (for now).

This makes the EasyVirt integration much more visible and saves you from searching through menus to find or deploy DC Scope or DC NetScope.

📡 REST API

Last month was a huge leap for the REST API: this release keeps the momentum going on top of those solid foundations.

VM dashboard endpoints

The VM dashboard is now available through the REST API. Existing JSON-RPC endpoints have been migrated, and the missing ones have been added so the dashboard can be fetched cleanly and consistently over REST.

This gives you direct access to all the usual VM dashboard details without relying on legacy calls. As a result, experience becomes more modern, stable, and easier to integrate with external tools.

SSE support

The API now supports Server-Sent Events (SSE), so you can subscribe to real-time updates. To start receiving events, open an SSE stream by calling GET /rest/v0/events. The first event returned will include a unique connection identifier.

To subscribe to specific events, send a POST request to /rest/v0/events/:id, using the ID received earlier. The server will respond with a subscription ID, which you can use to manage or cancel the subscription later.

This feature lets you track live changes across infrastructure objects (VMs, hosts, pools, and more) so front-end views update instantly when modifications occur.

☸️ DevOps Tools

We’re not forgetting the DevOps Tools side: updates across our providers/plugins, plus an exciting preview.

Terraform Provider v0.36.1

We’ve released version 0.36.1 of the Xen Orchestra Terraform provider, which includes a fix for creating VMs from templates that have three or more disks. This scenario could previously fail or behave inconsistently, and the update makes the workflow fully reliable again.

This release goes hand-in-hand with the updated Go SDK (v1.8.0), which provides the underlying improvements needed by the provider.

A big thank you to lkirkwood for your contributions in this release!

Release v0.36.1 · vatesfr/terraform-provider-xenorchestra

What’s Changed fix: missing disk when create vm from template with >3 disks by @lkirkwood in vatesfr/xenorchestra-go-sdk#49 New Contributors @lkirkwood made their first contribution in vatesfr/x…

GitHubvatesfr

lkirkwood - Overview

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOns3Fsa5sxw/n2j/CQeadwKD3IqmEeGQRIL682RXQmI - lkirkwood

GitHub

Packer Plugin v0.9.0

The latest Packer plugin (v0.9.0) improves how Packer can interact with the VM console. It now supports precise key combinations — like <leftCtrlOn>x<leftCtrlOff> — and a broader range of special keys.

This makes automated OS installs more reliable, especially for distros or installers that depend on specific keyboard sequences.

Release v0.9.0 · vatesfr/packer-plugin-xenserver

What’s Changed Other Changes Improve boot command parser by @nathanael-h in #176 Add:cooldown period(15 days) by @wbatchayon in #182 New Contributors @wbatchayon made their first contribution in…

GitHubvatesfr

This feature was initiated by a partner request and came together quickly — from the initial request in late July to a pre-release review by the end of September.It’s a great example of how Vates collaborates closely with partners to deliver practical improvements fast!

Kubernetes CSI driver preview

We have lifted the veil on next projet to improve Kubernetes integration with Xen Orchestra, the XenOrchestra CSI Driver for Kubernetes.

A Container Storage Interface (CSI) driver that provides persistent storage for Kubernetes workloads using XenServer/XCP-ng infrastructure through Xen Orchestra.

This repository hosts the CSI driver and all of its build and dependent configuration files to deploy the driver.

It is recommended to install the Xen Orchestra CCM in addition to the CSI driver.

GitHub - vatesfr/xenorchestra-csi-driver

Contribute to vatesfr/xenorchestra-csi-driver development by creating an account on GitHub.

GitHubvatesfr

📖 Documentation & Guides

Documentation keeps moving forward too, with new guides and improvements.

Improved email report plugin documentation

The documentation for the email transport plugin has been updated to clearly explain its OAuth 2.0 support, including step-by-step guidance for Gmail and Microsoft accounts.

These details were available in the code but not clearly documented. The details are now easily accessible, which eliminates guesswork makes setup easier for modern email providers.

Backup reports | Xen Orchestra | XO Documentation

At the end of a backup job, you can configure Xen Orchestra to send backup reports directly by email, Slack or in Mattermost. It’s up to you.

Xen Orchestra Documentation

Switching back to XO 5

Since XO 6 is now the default interface, we've updated the documentation to explain how to change the XO interface from XO 6 back to XO 5, either temporarily or by default:

Configuration | Xen Orchestra | XO Documentation

Once Xen Orchestra is installed, you can configure some parameters in the configuration file. Let’s see how to do that.

Xen Orchestra Documentation

🔦 Community spotlight

This month’s highlight comes straight from our community.

Improved LVM File Restore

File-level recovery for Linux VMs using LVM partitions has been significantly improved, in response to a persistent issue reported by the community. Xen Orchestra now reliably detects and mounts LVM partitions during restore operations. Thanks a lot to Julien Porschen for the contribution!

djul1981 - Overview

IT Swiss Army Knife. djul1981 has 4 repositories available. Follow their code on GitHub.

GitHub

🌐 Translations

Those translations are directly embedded in XO Lite and XO 6, thanks to Weblate.

8 languages updated

A big thank you to our community for their ongoing efforts in translating Xen Orchestra!

This month, special attention was given to Czech, Danish, German, French, Italian, Dutch, Brazilian Portuguese, and Ukrainian.

Want to help translate Xen Orchestra or improve existing translations? You’re more than welcome to join in here.

🆕 Misc

A couple of handy enhancements made their way into this release too.

OS details in usage reports

The usage-report plugin now includes each VM’s operating system information in its output. By adding the os_version field to the data returned by the plugin, the usage report email gives a clearer picture of the types of systems running in your infrastructure.

This addition makes reports more informative and helps with inventory tracking, planning, and general visibility.

OIDC group mapping

The OIDC plugin can now map groups from an identity provider directly to XO groups. It works much like the existing LDAP integration: XO reads the group claims in the OIDC token and uses them to assign users to the right XO groups at login.

This is especially handy for environments using providers like Active Directory Fedceration Services (AD FS), where group membership is already managed centrally. It cuts down on manual group maintenance inside XO and makes authentication flow more in line with corporate identity setups.

Improved performance alerts

We've redesigned the performance alert plugin to leverage XAPI’s built-in alert system and eliminate the need for resource-heavy, manual monitoring within XO. Previously, the plugin downloaded and processed RRD data from every pool. It used up too much CPU and RAM, and sometimes even degraded xo-server performance.

The new implementation no longer generates the XAPI alarm, as its lifecycle is not completly defined and may cause excessive load on xo-server. Stay tuned for the next iteration!

Updates to vhd-cli command parameters

The vhd-cli tool has been updated to support all Backup Repositories types (not just unencrypted BR). As a result, we've had to change the parameters for most commands. While vhd-cli is a low-level tool used primarily in scripts or automation, you may need to adjust your command lines to align with the new syntax.

Non-destructive VIF network changes

Changing the network of a VIF no longer destroys and recreates it. XO now uses VIF.move, a safer and non-destructive XAPI call that keeps the original VIF UUID intact and avoids unnecessary guest disruption.

Previously, XO unplugged and deleted the VIF before creating a new one, which could break in edge cases — for example when a VM had more than seven VIFs and XAPI refused to recreate them. In those situations, the VIF simply disappeared.

With VIF.move, the operation is smoother, more reliable, and resilient to those corner cases. It also makes life easier for users migrating large VMs that come with many VIFs attached.

Memory info in usage reports

The usage-reports plugin now shows the RAM usage for each each VM. This lets you easily spot VMs that are over- or under-provisioned, optimize resources and keep your infrastructure running efficiently.