Release

Xen Orchestra 5.80

After a previous large release, here is another big one! OpenID Connect support, VMware migration tool from the web UI, CR health-check and many other things are shipped into this XO 5.80.

Olivier Lambert

Feb 28, 2023 • 7 min read

Despite a previous release including a lot of new features, we managed to strike again with even more content packed into this shorter month. XO 5.80 has landed with a lot of new stuff available: VMware migration tool from the web UI, OpenID Connect support, REST API async actions and VM replication health-check for the biggest changes. But also with many other things.

🔐 OpenID Connect support

You can now login to your Xen Orchestra using OpenID Connect, which is a very convenient and secure protocol. It's the 3rd generation of OpenID technology, built on top of the OAuth 2.0 authorization framework. We also managed to enable auto discovery, to make it very simple to configure.

It's also very extensible and easy to use. We'll show here how to use it with KeyCloak, an open source Single Sign-On platform.

☝️

You can also configure your KeyCloak platform to use 2FA (like TOTP) methods to have strong authentication for your users. Since it's managed by your SSO platform, it's entirely transparent for Xen Orchestra.

Creating the client in KeyCloak

We wanted to provide a real example with KeyCloak. Obviously, any SSO server with OpenID Connect will also work. First, you need to create the "client" (the application that will use OpenID):

First step in Keycloak: create a new client

In the client creation wizard, you need to select the "OpenID Connect" type, and choose a client ID (you need to keep this in mind to configure it in Xen Orchestra). Here, we are using xoa:

Don't forget to switch "Client authentication" to On:

Now you also need to add a URL in the "Valid redirect URIs": in short, that's where KeyCloak will send you after a successful authentication. Use your XO URL (or IP address) on a format https://xoa.example.org/*. Note that if you access your XO both with IP and name, you can add multiple URIs.

Now the client is created, you can edit it and check the "Credentials" tab, in order to copy the "Client secret": it will be needed in XO plugin configuration:

Click on the "copy" icon to put the secret in your pastebin

Last thing needed to configure the plugin on the XO side: the "Auto-discovery URL". It's available in the left menu "Realm settings". Copy the "OpenID Endpoint Configuration" somewhere.

Now you should have, in our example:

the client ID, xoa
the Client secret
the "Auto-discovery URL"

Enabling and configuring the plugin

This is pretty straightforward:

Don't forget to enable and save the plugin configuration!

That's it! With this configured with a strong auth process in KeyCloak, you can safely expose Xen Orchestra on the internet. Note the new login button on the top:

🐦 VMware migration tool

Our VMware migration tool, logically called V2V (Virtual to Virtual, or VMware to Vates), is now usable directly from the Xen Orchestra web UI, in the "Import" menu. A new entry there: "From VMware":

After giving the vCenter credentials, you can click on "Connect" and go to the next step:

On this screen, you will basically select which VM to replicate, and to which pool, storage and network. When it's done, just click on "Import" and there you go!

Don't forget to give your feedback on our dedicated forum thread.

☝️

You can choose to enable "thin mode": it's longer ("double read") but the disk created on XCP-ng side will only use the space used in the VMware disk. For now, there's no progress on this initial read, but we have plans to expose the "XO task" for it in the next release.

Current limitations and next steps

We have various improvements in the pipes. So far, the delta import is only supported up to VMware 6.5. This will be solved in our next release, to support all VMware versions in delta mode. If you use something more recent, you can just shutdown the VM, the replication will work, but not in "warm" mode (ie: delta).

Also, our internal XO task system is about to be exposed with this feature, so even in case of using the "thin mode" (mode we recommend to use), you'll be notified of the progress of the first read.

And finally, multi-VMs import will also land for our next release.

💾 Pool Metadata restore

If you lose all your hosts, but not your shared storage, it might be shorter to re-install XCP-ng on some fresh hardware, and restore the pool metadata. Thanks to this, all your VMs will be back (and the configuration with it!) in a minute. No need to restore all your backups!

Now, the restore menu is more complete:

It will overwrite any previous configuration on your pool:

As you can see, it's also multi-pool compatible: it means you can restore multiple metadata backups to multiple pools at once!

Despite the fact we've had the pool metadata restore for a while, it wasn't practical due to a limitation we removed. Now, this is another life saver for your XCP-ng/XenServer infrastructure.

⚕️ Continuous Replication health check

We integrated a way to automatically test your backups, a few releases ago:

Now, we extended this feature to the Continuous Replication backup type. You just have to enable the feature in your backup job, and that's it! After each VM is replicated on the destination, we'll start a copy of it (to avoid any replication disruption, also without networking) and see if it boots until the VM tools are started. Then, we remove it. Simple and efficient.

If any VM fails, you'll be notified directly in your backup logs.

📡 REST API async actions

You can now start, reboot or shutdown (both soft & hard) and snapshot your VMs with the REST API! Since those operations can be long, we plugged it to our new task system. Yes, the task system we already told you about for the next big XO release, XO 6.

List the available actions

To see the actions available on a given object, get the collection at /rest/v0/<type>/<uuid>/actions.

For example, to list all actions on a given VM:

curl \
  -b authenticationToken=KQxFkTbs \
  'https://xo.company.lan/rest/v0/vms/770aa52a-fd42-8faf-f167-8c5c4a237cac/actions'

Start an action

Post at the action endpoint which is /rest/v0/<type>/<uuid>/actions/<action>.

For instance, to reboot a VM:

curl \
  -X POST \
  -b authenticationToken=KQxFkTbs \
  'https://xo.company.lan/rest/v0/vms/770aa52a-fd42-8faf-f167-8c5c4a237cac/actions/clean_reboot'

Force an action in sync mode

For some cases, you might prefer to send a sync action, meaning the HTTP call will only return when the action is finished. To do that, just add the ?sync query string to your HTTP call.

🔭 XO Lite

We continue to work on XO Lite, and this time we made some progress on displaying tasks and also listing all the available updates for your pool.

Tasks

In the "Dashboard" and in "Task tab" of your pool, you can now see the XCP-ng active tasks running:

List of updates available

In the dashboard view (or at the pool level), you can see all the available updates.

🆕 Misc

And there's always various stuff added that doesn't fit in a specific category 😊

XOA check: free memory

When you do an XOA check (on your XO virtual Appliance), we added an extra check to see if you have enough RAM to run everything without any issue. It's helpful to reduce the time to find potential issues, or even fixing problems before they appear.

If you enable "Windows Update tools", you'll have a confirmation modal with a warning, avoiding some mistakes:

Backup logs improved

We improved the logs of your backup jobs. if you are using NBD, it will be visible:

☸️ Announcing Project Pyrgos: turnkey k8s

Just announced yesterday, if you are interested in deploying production-ready Kubernetes clusters easily, don't miss our previous blog post: