xen: add 4.15 version

[radhus]

Motivation for this change

This brings Xen up-to-date with the latest upstream release, with all features included between 4.10 and 4.15.

This is my first PR to nixpkgs as quite new NixOS user, so please bring any feedback (and I'm sorry in advance if I missed something obvious while contributing). I'll try to check off relevant test boxes below asap.

I removed the Grub2 changes that permits it to boot under EFI, as it's not possible to boot both 4.10 and 4.15 in the same way. Will have to be for another PR.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

Xen specific tests that might be useful:

• Booting x86_64 without EFI
• Booting arm64
• Running a NixOS PVH guest under x86_64

[radhus]

I see now that there are some dependencies on xen_4_10 that I missed. I'll try to keep both instead.

[alyssais]

The fact that Xen was completely broken for months makes me think that nobody is using it, at least on unstable. So I'm not sure it really makes sense to keep an old version around (that presumably nobody is using).

[alyssais]

Your first commit looks good on its own. If you want, make it its own PR, CC me, and I'll merge it straight away.

[radhus]

The fact that Xen was completely broken for months makes me think that nobody is using it, at least on unstable. So I'm not sure it really makes sense to keep an old version around (that presumably nobody is using).

@alyssais Hehe, maybe I should've awaited some feedback before reworking it. I can restore the PR to the old state that only keeps 4.15 (which would also bring in Grub2 EFI booting support). What do you think?

[radhus]

Your first commit looks good on its own. If you want, make it its own PR, CC me, and I'll merge it straight away.

@alyssais done, #121695

[alyssais]

I can restore the PR to the old state that only keeps 4.15 (which would also bring in Grub2 EFI booting support). What do you think?

SGTM, but it might be an idea to give it a few days for the Nixpkgs Xen maintainers to see this PR, in case any of them disagree with me. Just so you don't end up having to switch back to this version again if they do. ;)

[alyssais]

BTW, would you be interested in adding yourself as a maintainer? The current ones haven't been very responsive, so it would be good to have somebody who's actually using Xen to get notifications about PRs and stuff.

[radhus]

BTW, would you be interested in adding yourself as a maintainer? The current ones haven't been very responsive, so it would be good to have somebody who's actually using Xen to get notifications about PRs and stuff.

Yes, I can do that if this gets approved 😄 Although I am a very new NixOS user, so I don't know much about the processes around here.

[stale]

I marked this as stale due to inactivity. → More info

[eyJhb]

Is there any reason this isn't merged yet? Seems like everything should work.

@radhus have you used this for a while now?

[radhus]

@eyJhb I have been running this for a while, although I haven't been updating to late nixpkgs revisiosn for quite a while.

I don't know why it never got merged, I guess I didn't follow up correctly. What is the process to getting it reviewed and merged eventually? Should I ping someone in particular?

I'll try to find some time and testing equipment to rebase and get this up to date!
I am currently out of hardware, and booting Xen Dom0 under Virtualbox seems to be a bit tricky 😅

[alyssais]

Let's leave Xen 4.10 for now — that way, there's less to worry about with this PR. Removing 4.10 could be discussed in a follow-up.

I think that @alyssais should be able to help with the merge? AFAIK they're quite the virtualization specialist ;)

@eyJhb Unfortunately I don't really know much about Xen — my area of specialization is KVM. :)

So the best I can suggest here, given the lack of reviewers with Xen knowledge, is that if it looks like all review comments are okay, and every difference from how Xen 4.10 is packaged is explained, somebody go ahead and merge.

[eyJhb]

Let's leave Xen 4.10 for now — that way, there's less to worry about with this PR. Removing 4.10 could be discussed in a follow-up.

I think that @alyssais should be able to help with the merge? AFAIK they're quite the virtualization specialist ;)

@eyJhb Unfortunately I don't really know much about Xen — my area of specialization is KVM. :)

So the best I can suggest here, given the lack of reviewers with Xen knowledge, is that if it looks like all review comments are okay, and every difference from how Xen 4.10 is packaged is explained, somebody go ahead and merge.

Sorry for roping you into it then! I see you as a wizard of virtualization, but good to know in which area now :)
Thanks for your very vaild input!

@radhus if you have the time/energy to fixup the last changes (if they are needed), then I guess it should be good to go! :)

[radhus]

Thanks all for your attention!

@radhus if you have the time/energy to fixup the last changes (if they are needed), then I guess it should be good to go! :)

I am lacking time a bit this week, but hopefully will get things done next week. I've already started fixing the comments and patching the latest XSA's, would like to do some test on hardware again as well just to be sure :)

[SigmaSquadron]

Is there anything else to be done in this PR? It seems pretty much ready to be merged.

[mweinelt]

Hey @radhus, wondering if you're still interested in getting an updated xen version in. The latest version would be 4.16.2, so I expect some minor changes to be needed. Also we have a stable release in 6-7 weeks, so it would be the ideal time to finish this up.

[radhus]

@mweinelt hey! I have been keeping this a little bit up-to-date on my fork of 22.05 stable, see branch here: https://github.com/radhus/nixpkgs/tree/radhus-22.05 , I just recently bumped to 4.16.2 (see commit radhus@bb3ffd4 )

I can try to rebase this on unstable and update this PR, but I'm just not sure if I can test it enough. For example, I don't run any qemu stuff, and I think some things around that is broken (I've seen some errors in logs). 🙏

[mweinelt]

The latest version we have right now is 4.10.4, which has been EOL for a while and I hope nobody is using that to be honest. I marked it insecure a while ago.

https://xenbits.xen.org/docs/unstable/support-matrix.html

With that said, at this point I'll take any update we can get.

[Thesola10]

Is there anything blocking the merge? Would be awesome to get a headstart in writing Xen-based NixOS config with Hydra cache
(also, what is the merge conflict label about?)

[radhus]

Hey, sorry I just don't have time 😞 Feel free to take over this PR and use the commits in my fork above, it should be fairly clean to rebase from 22.05 to unstable.

To be clear, I run Xen from my nixpkgs fork, but I know there are untested parts in my update regarding qemu (which I don't use at all). Linux dom0, PV domUs and PVH domUs works fine though!

Would it be easier if I close this PR, someone else might feel more inclined to open a new one? 🙏

[mweinelt]

@wegank 4.15 is unsupported and only receives security updates. We would still need an actual update to 4.17 and radhus indicated they didn't have time to maintain it.

https://xenbits.xen.org/docs/unstable/support-matrix.html

Also what happened in a9926eb (#121513)?

[wegank]

Yes. My point is that 4.10 is completely broken on both release-22.11 (compile errors) and unstable (python2Packages.markdown is removed), and merging this PR results in at least an insecure but usable version.

Also, sorry for that merge commit, which is created without rebasing.

[mweinelt]

It also leaves 4.10 in place. It should be removed.

4.15 does receive security-support, but nothing else.
4.16 is supported until 2023-06-02 (just after 23.05 release)
4.17 the way to go

[mweinelt]

https://www.openwall.com/lists/oss-security/2023/03/21/1
https://www.openwall.com/lists/oss-security/2023/03/21/2
https://www.openwall.com/lists/oss-security/2023/03/21/1

Can anyone tend to these issues? Also, 4.15.4 is out, can someone take care of the update?

[RaitoBezarius]

I opened #228308 if we cannot have someone to take care of the update.