[Help Welcome] KVM Development - staying the course

Indeed. Good to know there is more active work in this space though. IIUC it can provide stronger guest-host separation than currently available.

1 Like

Could you please check this commit won’t break KVM?

sudo apt install xserver-xorg-video-vmware

Apt tells me it is already installed and the newest version and nothing is broken.

1 Like

Inside VM already installed?

Yep and I’m sure I didn’t manually put it there :slight_smile:

1 Like

Could you please check that Whonix ™ for KVM does use / does not use sudo whenever appropriate?

It uses sudo virsh start
but also non-sudo virsh -c qemu:///system net-autostart default
which is not obvious to me.

background: ⚓ T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on

There’s no way this command works without sudo while the latter does. Going by principle of least privilege in the guide, I only use sudo for commands that won’t work without it.

1 Like

What’s the status of KVM vs Protocol Leak and Fingerprinting Protection‎ ? Up to date? Specifically…

CPU model and capabilities.

Hidden or non-hidden?

Obsolete. Output will show exact host CPU flags and properties. Don’t have a choice.

No longer hidden from guest.

2 Likes

Do Whonix KVM VMs have a virtual DVD or floppy drive by default?

No. I exclude the virtual DVD drive to decrease attack surface.

1 Like

What’s a good virtual CPU count for KVM?

Currently it’s 1.

Maybe 2 would be better? Any disadvantages of that?

Would that work around the bug Slow shutdown of version 15 workstation and gateway?

Maybe if there are 4 physical CPUs, one should not assign 4 virtual CPUs to a KVM VM? Could have a similar issue as VirtualBox?
https://www.virtualbox.org/ticket/19500

Which performance benefit are you referring to?

In my experience one seems to cut it for most tasks including HD video playback. Building Whonix of course needs more CPUs allocated, but not many are doing that. The disadvantage is we overcommit resources, which puts a hard limit on use with dual-core machines unless a user decides to edit the settings manually. (Yes, there are dual-core machines out there with 4 GB RAM, go figure.) Adding one more core to ws pushes the total requirement for Whonix to 3 cores because we don’t allow gw and ws to use the same cores.

No this looks like a strange software bug that I hope gets ironed out by stable next.

Yeah, you should never assign all cores to VMs. At least one free one should be left to the host or you run into deadlocks and freezing of the host.

1 Like
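The settings discussed in this thread (no virtual DVD/floppy drive, readonly disks for live mode via virt-xml, and at least one host core left unassigned) can be audited from a domain's XML. This is an added example, not Whonix's own tooling; the sample XML, VM name and image path are constructed.

```shell
#!/bin/sh
# Added example (not Whonix's own tooling): audit a libvirt domain XML for the
# settings raised in the thread. Needs only sh, grep, sed and awk.

# Constructed sample domain definition; a real one comes from
# `virsh -c qemu:///system dumpxml <vm-name>`.
sample_domain_xml() {
  cat <<'EOF'
<domain type="kvm">
  <name>example-ws</name>
  <vcpu placement="static">1</vcpu>
  <devices>
    <disk type="file" device="disk">
      <source file="/var/lib/libvirt/images/example-ws.qcow2"/>
      <target dev="vda" bus="virtio"/>
    </disk>
    <disk type="file" device="cdrom">
      <target dev="hda" bus="ide"/>
    </disk>
  </devices>
</domain>
EOF
}

# Number of cdrom/floppy devices defined (each one is extra attack surface).
count_removable() { grep -Ec 'device="(cdrom|floppy)"' "$1" || true; }

# Number of device="disk" entries lacking <readonly/>.
count_writable_disks() {
  awk '/<disk / { in_disk = ($0 ~ /device="disk"/); ro = 0 }
       in_disk && /<readonly\/>/ { ro = 1 }
       /<\/disk>/ { if (in_disk && !ro) n++; in_disk = 0 }
       END { print n + 0 }' "$1"
}

# The <vcpu> count of the domain.
vcpu_count() { sed -n 's/.*<vcpu[^>]*>\([0-9][0-9]*\)<\/vcpu>.*/\1/p' "$1"; }

# audit_domain FILE HOST_CPUS: print findings, return 0 only when the hard checks pass.
audit_domain() {
  f="$1"; host="$2"; rc=0
  r=$(count_removable "$f")
  [ "$r" -eq 0 ] || { echo "FAIL: $r removable media device(s) (cdrom/floppy) defined"; rc=1; }
  w=$(count_writable_disks "$f")
  [ "$w" -eq 0 ] || echo "INFO: $w writable disk(s); live/readonly mode: virt-xml <vm-name> --edit --disk readonly=on"
  v=$(vcpu_count "$f"); v=${v:-0}
  [ "$v" -gt 0 ] && [ "$v" -lt "$host" ] || { echo "FAIL: vcpu=$v leaves no free host core (host has $host)"; rc=1; }
  return "$rc"
}
```

Run it as `audit_domain /path/to/dumped.xml "$(nproc)"`; the readonly finding is informational because readonly disks only apply to the live-mode setup.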

Bumping up the vcpu core count while only one is pinned doesn’t give you increased CPU perf, but results in terrible stability and freeze-ups of the VM.

1 Like

HulaHoop via Whonix Forum:

No this looks like a strange software bug that I hope gets ironed out by stable next.

Alright. Since that bug doesn’t get fixed, there’s no urgency to change anything.

In my experience one seems to cut it for most tasks including HD video
playback.

OK.

Building Whonix of course needs more CPUs allocated, but not many are
doing that.

Agreed. Not a criterion.

The disadvantage is we overcommit resources, which puts a hard limit
on use with dual-core machines unless a user decides to edit the
settings manually. (Yes, there are dual-core machines out there with 4 GB
RAM, go figure.) Adding one more core to ws pushes the total requirement for
Whonix to 3 cores because we don’t allow gw and ws to use the same cores.

OK. Maybe CPU assignment could be more automatic, better once
Whonix-Host is a reality.

13 posts were split to a new topic: Host to KVM VM Communication

Please review:
KVM: Difference between revisions - Whonix

1 Like

What an excellent edit. I always welcome prefixing things with GNU :slight_smile:
Seriously thanks for clarifying which tool to use though.

1 Like

https://www.whonix.org/w/index.php?title=KVM&type=revision&diff=58711&oldid=58390

virsh -c qemu:///system net-autostart default
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems

Could you please check all Whonix ™ for KVM if it mentions becoming root or suggests using sudo whenever required?

I don’t see how virsh -c qemu:///system net-autostart default could work without root/sudo since this is a system wide change? It’s on a Kicksecure based host for development purposes. Perhaps that broke pkexec or something and therefore sudo is required?

1 Like

Confirmed. You are right, sudo is required for defining and interacting with the virsh net command. Otherwise a regular user cannot even see the networks.

This is even the case in upstream documentation:

I will modify the wiki.

1 Like