Configuration of (lightweight) Whonix minimal flavor

I’m opening this thread to start a discussion on how to configure a more lightweight flavor of Whonix. By lightweight I am mostly referring to desktop environment but perhaps this can be expanded.

Point 1 - Desktop environment.

Which one?

LXDE, Xfce, E17, some from-scratch-*box variety (Fluxbox, Openbox)? The DE (components) should be available in Debian repository.

While the resources fingerprint would probably be the lowest with from-scratch-*box, having a package of the essentials is really convenient.

Personally I don’t like E17, too flashy.

There was a report on the old Whonix forum that Whonix Xfce is somewhat faster than Whonix LXDE but other than that, I wasn’t able to find any comparable data.

I’m running some tests and will post my free -m numbers later.

7.7.6.7
Gateway
Default KDE

free -m

Mem:
Total 755
Used 667 /436
Free 88 /319
Buffers 23 /33
Cached 448 /212

Swap: 511
Used 0
Free 511

7.7.8.7
Gateway
Terminal-only

free -m

Mem:
Total 755
Used 187 /274
Free 569 /481
Buffers 10 /
Cached 140 /212

Swap: 511
Used 0
Free 511

7.7.8.7
Gateway
Terminal-only
Additionally installed: lxde-icon-theme lxde-core --no-install-recommends

free -m

Mem:
Total 755
Used 578
Free 177
Buffers 43
Cached 451

Swap: 511
Used 0
Free 511

7.7.6.7
Workstation
Installed: Default KDE

free -m

Mem:
Total 755
Used 561
Free 194
Buffers 22
Cached 353

Swap: 511
Used 0
Free 511

7.7.8.7
Workstation
Terminal-only
Additionally installed: lxde-core --no-install-recommends

free -m

Mem:
Total 755
Used 471
Free 284
Buffers 22
Cached

Swap: 511
Used 0
Free 511

7.7.8.7
Workstation
Terminal-only

free -m

Mem:
Total 755
Used 208
Free 547
Buffers 22
Cached 161

Swap: 511
Used 0
Free 511

Where there are two numbers 1/2 it means that I tested two times. It was more playing than a rigid scientific experiment. All LXDE and XFCE packages were installed upon full xorg package.

All LXDE (full, core, --no-recommends) varieties on Workstation froze after 30 seconds (I can move the mouse but nothing else works). No Whonix startup scripts ran in LXDE; Xfce ran them.

KDE Gateway is slow. It takes its sweet time to load. Similar free -m values don’t show the real picture.

Anyone else want to try out this LXDE Workstation bug?

AWESOME thread Occq!!! While I’m still struggling with the C code for my wireless card driver, my ultimate goal is exactly this, i.e. to come up with a LowFat Whonix build configuration. If you appreciate this, I would very much like to join your efforts here.

I already built the terminal-only GW, my workstation host is running icewm, 40MB Ram consumption so far, 60MB Ram with the VBox Manager running. I was reading a lot about light environments lately to prepare for this and I’m currently planning for LightDM+LXDE for the Workstation VM.

While researching, I came across “A Memory Comparison of Light Linux Desktops” (l3net – a layer 3 networking blog) - while this is a rather high-level review, the writer provides a nice Mem consumption comparison chart at the bottom of this post (review consisting of 3 parts). LXDE is a clear winner here against Xfce4 - when it comes to DE as opposed to WM.

While I - in general - like Xfce4 better, my personal goal is to get just the Workstation VM running on 1GB Ram, with the GW physically isolated. I would be further into the process already but I’m stuck with C code hacking to stabilize the wireless network. That’s a must have to continue.

At Whonix Forum troubadour also researches lightweight options - my dream seems to come true. This is awesome - let’s work all together to get rid of the resource hog that is KDE (sorry adrelanos), make it happen with joined forces and ultimately come up with a build configuration we can ship as a “LowFat community edition”. Maybe we even manage to convince adrelanos during the process that Whonix does not urgently need a Quad-Core machine with 16GB Ram to run :stuck_out_tongue:

There’s power in numbers :wink: Thanks for the link.

Have you built both no-terminal and no-recommended-apps GW as the same system? Or just no-terminal?

Have you used full xorg, xorg-server, something else?

40MB number comes from free -m?

Please post your steps for LXDE-Workstation here and I will reproduce. That way we can determine if something is wrong with my setup or if Whonix Workstation and LXDE just don’t play well together.

[quote]There's power in numbers ;) Thanks for the link.[/quote]
You're welcome. Glad you like it. Thanks for accepting my request to join your efforts.

[quote]Have you built both no-terminal and no-recommended-apps GW as the same system? Or just no-terminal?[/quote]
I built the GW with terminal-only only.

[quote]Have you used full xorg, xorg-server, something else?[/quote]
[code]sudo apt-get install xorg icewm[/code]
That's what I used for the workstation host. No DM on the host so far, just using "startx". After thorough research, I chose icewm for its lightness while still being a very much usable environment. Other than that (and due to 1GB ram on the workstation host), I introduced zram (compressed swap in ram - nice!) to the Debian system like
[code]sudo wget https://raw.github.com/gionn/etc/master/init.d/zram -O /etc/init.d/zram
sudo chmod +x /etc/init.d/zram
sudo update-rc.d zram defaults[/code]

[quote]40MB number comes from free -m?[/quote]
I use "htop" for convenience here. "free -m" shows the same number at "-/+ buffers/cache -> used"

[quote]Please post your steps for LXDE-Workstation here and I will reproduce. That way we can determine if something is wrong with my setup or if Whonix Workstation and LXDE just don't play well together.[/quote]
I'm going to do this as soon as my wireless is working with the new driver. I worked through numerous C sources yesterday and finally made it to successfully compile - basically porting the driver to the new net_device_ops kernel API - without the slightest idea of C code actually. Anyway, it worked out. The card associates with the access point, everything looks awesome but (so far) it fails to get a dhcp lease - most likely an issue with the encryption used = WPA2/CCMP. This is now next to solve on my agenda as without a stable GW uplink, building the workstation VM on the workstation host is asking for trouble. The native kernel module for that particular wireless card basically is not usable.

That said, as of LXDE, I researched that Debian repos basically provide three options here:

  • lxde-core
  • lxde
  • task-lxde-desktop (my current favourite)

I still have to research them, i.e. if (one or the other of) these meta-packages pull a DM as a dependency. I plan on using LightDM (or lxdm). Seems to be the most standard-compliant DM that seeks to be the free-desktop standard DM.

I’m afraid lxdm is not in the official Debian repositories yet. “Point 2” will include DMs selection, for now startx is how I test.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560004

task-lxde-desktop seems heavy at 450MB (archives).

I crunched some more numbers, this time in a much nicer presentation (-/+ buffers/cache). KDE numbers are for 7.7.6.4, all others for 7.7.8.7.

My GW memory consumption in regards to DE.

KDE - 184MB
Xfce4 - 115MB
LXDE - 115MB
LXDE core - 93MB
Xfce4* - 88MB
LXDE* - 83MB
LXDE core*- 75MB (82**)
Terminal - 35MB

WS memory consumption in regards to DE.

KDE - 175MB
Xfce4 - 104MB
LXDE - 100MB
LXDE core - 81MB
Xfce4* - 81MB
LXDE* - 69MB
LXDE core*- 61MB (69**)
Terminal - 31MB

General speed observations - from startx to full desktop

GW

KDE*** - 65s
LXDE - 35s
Xfce4 - 25s
Xfce4* - 24s
LXDE core - 22s
LXDE* - 19s
LXDE core*- 17s (19s**)

WS

KDE *** - 60s
LXDE - 45s
Xfce4 - 35s
Xfce4* - 28s
LXDE core - 25s
LXDE* - 24s
LXDE core*- 22s (22s**)

* --no-install-recommends
** with lxde-icon-theme
*** Interrupt login manager process and then sudo kdm start

Since I have started the ‘Whonix with Xfce4’ thread, I join the club.

I could not find lxdm in the Debian repositories either. I have installed LightDM but I have to start it manually so far (‘sudo /usr/sbin/lightdm’).

From the workstation (7.7.8.6), here is the memory usage (free -m) for the three desktop environments after boot. LXDE is ‘as is’ after installation, no tweaks. Xfce4 is full blown with Xfce4-goodies.

KDE Plasma

             total       used       free     shared    buffers     cached
Mem:          1009        458        551          0         40        221
-/+ buffers/cache:        197        812
Swap:          511          0        511

LXDE

             total       used       free     shared    buffers     cached
Mem:          1009        395        614          0         44        271
-/+ buffers/cache:         79        930
Swap:          511          0        511

Xfce

             total       used       free     shared    buffers     cached
Mem:          1009        467        542          0         46        297
-/+ buffers/cache:        123        886
Swap:          511          0        511

There is not much difference between KDE and Xfce4, but if you look at the processes in the latter, you’ll see many ‘k’ processes still running. Some do not use any memory, some do, like klauncher, knotify, kde4 and others.

I think that in order to run a fair test between the challengers, one should proceed like Cerberus, that is building Whonix with the chosen environments(s). I am not there yet.

Thanks for sharing troubadour. I’ll add Xfce with goodies to my tests too.

For information. At some stage during the tests, the Tor browser would no longer start. Because I am testing an apparmor profile at the same time, it took some time and a re-installation of TBB before I found the cause. I had to purge LightDM, and I am back with slim.

PC2. Slight differences. Speed observations are more reliable here (I had time to double check and double run). These are all first boot numbers. Terminal only build, then xorg then selected DE.

My GW memory consumption in regards to DE.

KDE - 196MB
Xfce4*** - 117MB
LXDE - 116MB
Xfce4 - 114MB
LXDE core - 92MB
Xfce4* - 88MB
LXDE* - 82MB
LXDE core* - 74MB (81MB**)
Terminal - 44 MB

WS memory consumption in regards to DE.

KDE - 189MB
Xfce4*** - 107MB
Xfce4 - 104MB
LXDE - 101MB
LXDE core - 79MB
Xfce4* - 74MB
LXDE* - 69MB
LXDE core* - 61MB (69MB**)
Terminal - 41 MB

General speed observations - from startx to full desktop

GW

KDE**** - 35s
LXDE - 20s
Xfce4* - 13s
LXDE core - 13s
LXDE* - 12s
LXDE core* - 12s (12s**)
Xfce4 - 10s
Xfce4*** - 10s

WS

KDE **** - 40s
LXDE - 25s
Xfce4 - 23s
LXDE* - 17s
LXDE core* - 17s (17s**)
LXDE core - 16s
Xfce4* - 15s
Xfce4*** - 14s

* --no-install-recommends
** with lxde-icon-theme
*** -with-goodies
**** Interrupt login manager process and then sudo start kdm

Since Whonix,

  • now consists of multiple Debian packages,
  • we’re using Debian stable and the frozen snapshot.debian.org repository
  • and there is also whonixsetup

We could consider shipping a minimal Whonix-Gateway and Whonix-Workstation by default which doesn’t come with any desktop environment or default applications installed by default.

Like said in the FAQ, inspired by ‘choose your browser’, we could implement a ‘choose your desktop’ in whonixsetup. I am happy to make the necessary changes in whonixsetup. But I won’t be involved in developing the other desktop environments. Whonixsetup could offer choices

  • install KDE desktop
  • install LXDE (or what you come up with) desktop
  • install standard applications only
  • installing nothing more, keep minimal install (but don’t complain about missing packages such as arm!).

The whonix-desktop-kde, or -lxde package could already be preinstalled in a special folder waiting to get installed.

Since whonixsetup would run in cli while it asks which desktop environment to install, the choice could only be a dialog one, cli one. None with screenshot previews. (Unless we supply yet another minimal desktop just for whonixsetup.)

(The package would just be a very few megabytes big, since it would only be a description which packages should be pulled from Debian.)
(Bonus: enabling Whonix’s apt repository would still be optional.)

Time isn’t quite ready to discuss this yet. Let’s get Whonix 8 released first. And see how this develops. Then make a blog post about this idea and see what users think about this. I could imagine that a fair share would hate, that Whonix comes unfinished and after importing you need to install (which is just one click but takes some time) and download (takes a while over Tor) lots of packages first. Using multiple Whonix-Workstations would get more inconvenient (because in a freshly imported VM, you’d need to install the desktop again first). Also I need to hear your opinion on that first, since if you don’t like this idea, we can just forget about it.

Alternatively, you could upload your own binary builds if you like. Or only maintain this as from-source-code-only version. Entirely up to you.

The bigger picture for now should be the release of Whonix 8 but thanks for the support Patrick, it means a lot.

Choose your DE idea is nice, slightly inconvenient (snapshots) but worth considering. I’m debating over to have a selection menu vs. maintaining a single light DE (Xfce or LXDE). Maybe one is more suitable than the other.

People who need both terminal GW and WS have the skills to do that themselves so as a minimal I’m thinking a combination of terminal GW and DE WS.

The problem with the default packages is that you have selected them very well. I have been looking over the content list for the last few days and it’s good, very little extra stuff.

We can remove “Package: whonix-shared-desktop” but you still need xorg for any DE and power management will get installed by the user anyway.

Package: whonix-gateway-packages-recommended
Depends: tor-geoipdb, tor-arm, obfsproxy

How much space/system resources do we get by not installing this? I imagine not much and bridges are universally useful.

Package: whonix-workstation-packages-recommended
libasound2, alsa-base, alsa-utils, iceweasel, gtk2-engines-oxygen, gtk3-engines-oxygen, faketime,

First three are sound, if you want sound as I imagine most of us do. Light enough.

If not using KDE do we still need gtk2-engines-oxygen, gtk3-engines-oxygen?

faketime is really small and really useful. Would it make sense to be included in whonix-shared-desktop? It has its uses in both GW and WS, right?

Package: whonix-workstation-default-applications
Depends: xchat, vlc, mixmaster, kcalc, gwenview, kgpg, kmix, mat, python-hachoir-core, python-hachoir-parser, python-pdfrw, python-cairo, python-poppler, python-mutagen, libimage-exiftool-perl, pinentry-qt4

Here I like some (xchat, mixmaster, mat) but not others (vlc, kgpg). Why so many python entries? Aimed at the casual user? For the Python programmer?

Packages content:
https://github.com/Whonix/Whonix/blob/master/debian/control

A lot of open questions, a lot of discussion still needs to be done to shape this project (Whonix minimal) into something more concrete but I am glad we started.

This is interesting (and unfortunate). Have you researched the reason for this? While I haven’t had a chance yet to test it myself - reason: Whonix Forum - I’m a bit surprised here. That is to say, I’m occasionally using Tor Browser in a Lightdm controlled session, think Ubuntu, and it never failed on me (yet).

@Occq, troubadour
Something to think about: As long as Patrick sticks to KDE as the default, wouldn’t it be a good idea to build upon the full KDE workstation? I.e. building a LXDE whatever on top of the default KDE (side by side) instead of replacing lots of things? My idea here is: Patrick takes care of a solid KDE session and ships all that’s needed. From my perspective, a lightweight flavor could just replace the DE (for now), i.e. ship as a configured on-top replacement, so to speak. I mean, that way we could control what’s already there, leverage on it, through a light environment. This certainly would come with some surplus disk space requirement but I guess we’re most of all after CPU/Ram advantages. Are we? Just loud thinking here. What do you think?

EDIT: Silly me. Somehow, I completely missed Patrick’s post at Whonix Forum - from a longer term perspective, I very much support this approach. Applause to you Patrick for being open to suggestions! much appreciated!

@Patrick
I mentioned this somewhere before here but most likely you missed it (haven’t got a reaction on mentioning it): You may be interested to follow KLyDE - an effort to modularize KDE to make it less bloated by default. Actually an attempt to solve the bloat issue with clever packaging. KLyDE is driven by core KDE hacker Will Stephenson. There is, afaik, no releases for this new approach to packaging (yet) but surely an interesting topic to follow from a KDE-distro/packaging-perspective. If you’re interested, just search for “KLyDE” - Will Stephenson blogged about it several times already.

Speaking of lightweight environments, I came across dwm at http://dwm.suckless.org/. While this certainly isn’t something for Whonix or our discussion, I’d like to briefly share a statement from dwm developers with you that actually made me laugh (just for the fun of it):

[quote]Because dwm is customized through editing its source code, it’s pointless to make binary packages of it. This keeps its userbase small and elitist. No novices asking stupid questions.[/quote]
LOL! Sounds like a marketing strategy to me!

Totally agreed about running another DE side by side with KDE. I am practical. I do not like KDE, so I am now using Xfce full time with Whonix. Since the original setup is intact (including whonixsetup), I still have access to the full functionalities. They are just in different places in the environment.

As Patrick says, one should concentrate on Whonix 8, and wait and see what the future holds.

If memory resources matter, from Occq’s and my own posts here, it is obvious that when using a light DE along a heavy one, the gain is marginal. I have run some tests in my host to show the differences.

Here, LXDE does not access all Gnome’s functionalities, which might explain the difference.
##############################################

Debian wheezy in host, Gnome3

             total       used       free     shared    buffers     cached
Mem:          7804        620       7183          0         31        299
-/+ buffers/cache:        289       7514
Swap:         9999          0       9999

Debian wheezy in host, Gnome3 + Xfce4

             total       used       free     shared    buffers     cached
Mem:          7804        415       7389          0         32        197
-/+ buffers/cache:        185       7619
Swap:         9999          0       9999

Debian wheezy in host, Gnome3 + LXDE

             total       used       free     shared    buffers     cached
Mem:          7804        378       7426          0         31        187
-/+ buffers/cache:        159       7645
Swap:         9999          0       9999

##############################################

Now, the light DEs alone.

##############################################

Debian wheezy in VM, Xfce4 only

             total       used       free     shared    buffers     cached
Mem:          1002        209        793          0         20         92
-/+ buffers/cache:         97        905
Swap:         1099          0       1099

Debian wheezy in VM, LXDE only

             total       used       free     shared    buffers     cached
Mem:          1002        207        795          0         16        100
-/+ buffers/cache:         90        912
Swap:          701          0        701

##############################################

That is a problem? :slight_smile: I hope our biggest one. :wink:

[quote]We can remove "Package: whonix-shared-desktop" but you still need xorg for any DE and power management will get installed by the user anyway.[/quote]
Can't be removed, we run into issues. Those are documented here: https://github.com/Whonix/whonix-developer-meta-files/tree/master/package_documentation

I recommend reading these files very much. They contain additional developer documentation with reasoning why which package has been chosen. Maybe in Jessie + 1 a few issues will be fixed and fewer packages need to be installed. For the most part, probably not even bugs have been reported for systems not having installed those. Pretty standard packages. But feel free to experiment without them installed. If it works, I am happy to reconsider.

[quote]Package: whonix-gateway-packages-recommended
Depends: tor-geoipdb, tor-arm, obfsproxy

How much space/system resources do we get by not installing this?[/quote]
I don’t know. Probably very little. That package selection has also been chosen to keep support requests low, since time answering those can not be used for actual development. For example not having the tor-geoipdb package installed, will lead to people installing arm and wondering why Whonix is broken, why arm doesn’t show country information. Not having obfsproxy installed would require providing a separate obfsproxy-enabled version for censored users, since they can’t “apt-get install obfsproxy” if they’re living in a censored area to begin with. Would make it really difficult for them to install that extra package inside Whonix.

[quote]Package: whonix-workstation-packages-recommended
libasound2, alsa-base, alsa-utils, iceweasel, gtk2-engines-oxygen, gtk3-engines-oxygen, faketime,

First three are sound, if you want sound as I imagine most of us do. Light enough.

If not using KDE do we still need gtk2-engines-oxygen, gtk3-engines-oxygen?[/quote]
I am not sure anymore why I added them there instead of the whonix-desktop-kde. Perhaps it was required for compatibility with GTK2 and GTK3 applications. (So they don’t look even more weird.) I’ll ask the person who most likely suggested adding them in Whonix 0.4.5 times or so.

[quote]faketime is really small and really useful. Would it make sense to be included in whonix-shared-desktop? It has its uses in both GW and WS, right?[/quote]
Faketime is currently in whonix-workstation-packages-recommended package. It's required for timeprivacy. (/usr/bin/time_privacy) (man time_privacy) I never found time to write documentation for it. Perhaps one day someone will help out with that. And it would also require more testing, not sure it would work well in context of git and file access times. Eventually also the shell would be required to run wrapped by time_privacy.

I am not aware of any useful use of faketime on Whonix-Gateway. (Unless building binary deterministically (verifiable builds) from source code.)

Adding to a desktop package wouldn’t be good, since faketime is useful independent from having a desktop installed or not.

[quote]Package: whonix-workstation-default-applications
Depends: xchat, vlc, mixmaster, kcalc, gwenview, kgpg, kmix, mat, python-hachoir-core, python-hachoir-parser, python-pdfrw, python-cairo, python-poppler, python-mutagen, libimage-exiftool-perl, pinentry-qt4

Here I like some (xchat, mixmaster, mat) but not others (vlc, kgpg). Why so many python entries? Aimed at the casual user? For the Python programmer?[/quote]
Not for programmer, not for casual user. The python entries are additional dependencies of mat for better file type support. (Noted in workstation package documentation.)

[quote]Packages content: https://github.com/Whonix/Whonix/blob/master/debian/control

A lot of open questions, a lot of discussion still needs to be done to shape this project (Whonix minimal) into something more concrete but I am glad we started.[/quote]
I guess many questions will be answered once you saw the package documentation.

I meant minimal as in, applying boot configuration:

And on top of that, adding a whonix-shared-desktop-lxde package which would be an alternative to the whonix-shared-desktop-kde package. Then either providing two binary builds, one with whonix-shared-desktop-lxde and one with whonix-shared-desktop-kde. Or only shipping a minimal (as defined above) package selection, and ask the user in whonixsetup if she wishes to install either whonix-shared-desktop-lxde or whonix-shared-desktop-kde. (We probably wouldn’t use these names in the question, rather ask for LXDE vs KDE vs Minimal and let whonixcheck care about the actual package names and installation.)

[quote=“Cerberus, post:14, topic:84”]@Patrick
I mentioned this somewhere before here but most likely you missed it (haven’t got a reaction on mentioning it): You may be interested to follow KLyDE - an effort to modularize KDE to make it less bloated by default. Actually an attempt to solve the bloat issue with clever packaging. KLyDE is driven by core KDE hacker Will Stephenson. There is, afaik, no releases for this new approach to packaging (yet) but surely an interesting topic to follow from a KDE-distro/packaging-perspective. If you’re interested, just search for “KLyDE” - Will Stephenson blogged about it several times already.[/quote]
Certainly interesting. Wasn’t aware of it. (I am however not feeling like joining the KLyDE efforts. When Debian eventually picks it up we can just switch in Whonix. However, desktop packaging efforts is too much a task for the Whonix project yet.)

[quote=“Cerberus, post:15, topic:84”]Speaking of lightweight environments, I came across dwm at http://dwm.suckless.org/. While this certainly isn’t something for Whonix or our discussion, I’d like to briefly share a statement from dwm developers with you that actually made me laugh (just for the fun of it):

LOL! Sounds like a marketing strategy to me![/quote]
:smiley:

Cerberus.

The package design of Whonix (see debian/control file) makes it possible to retain all of Patrick’s work (Whonix scripts, machine configuration, even icons) even by using a different DE. I don’t like the idea of installing KDE first and then some DE on top of that. If you want KDE, use KDE. If you want to use another DE, use that. The only way to get rid of KDE is to not install it in the first place. No functionality of Whonix (package design) will be lost if KDE is not installed.

For now it’s “LXDE or Xfce?”.

It seems that LXDE installed alongside KDE works (troubadour #6) but fails when standalone (Occq #1). I could try building with just packages-kde omitted but since no-terminal-then-LXDE works for GW, the problem is probably with WS and not the build config.

If either you or troubadour find that WS no-terminal-then-LXDE doesn’t work for you either I suggest we move to the idea of using Xfce instead. There will be more than enough opportunities for troubleshooting, no need to get them all.

troubadour.

What do you believe is lost by not installing KDE first? With my terminal only, whonixsetup is there. Whonix is fully functional. All that I am lacking (by choice) are KDE and its apps.

Those are numbers for Wheezy+DE, not Whonix+DE, right?

Patrick.

Thanks for the links. I’ll reply when I get a chance to read them all.