
[Help Welcome] KVM Development - staying the course


#21

Since KVM requires Intel VT and/or AMD-V, would you also be interested to add Qemu support?

When virt-manager is started as root (using kdesudo or gksudo), you can choose between qemu and kvm.

Any idea how much difference there would be? If we’re lucky, Qemu/KVM is just one differing setting.


#22

Sure, adding just plain qemu shouldn’t require anything more than specifying this as an on/off setting. It could be useful for debugging scenarios, but as far as I know, the performance is going to be disappointing since all CPU instructions will be emulated instead of run on the metal directly.

On a related subject, communication with the KVM mailing list looks pessimistic.


#23

Hey Patrick, were you able to solve the VM clock setting with a script? Or is this still an outstanding problem?

After you confirm this is done, we could look at ways to improve the performance.


#24

I didn’t look into it. I didn’t know I was supposed to do it. The script is just the final step. Beforehand, it would be great if you could sort out these two questions:

  1. Are we 100% sure that there is no config file setting to set this instead of using a command line option? It would be so much better to not need a command line option and, by extension, not need a script. Have you exhausted the mailing lists / IRC already?
  2. If the answer to 1) is that we really need a command line option, then what is the command required to start KVM? Does it work? Add it to the wiki?

Please also have a look at the file size topic if you have time, which is also about performance (using metadata preallocation vs not using metadata preallocation):
https://www.whonix.org/forum/index.php/topic,202.0/topicseen.html


#25

I tried the kvm mailing list, but not IRC. I’d be grateful if you could create an account and pass on the nick/password to the email: bancfc openmailbox [.] org . Also let me know how I can connect to these servers anonymously using SASL, as freenode is finicky about this.

Please let me know what to input in the terminal so I can experiment with this myself. Maybe the answer can be found without chasing these non cooperative support channels.

Edited to add:
There is a way described here to store the qemu-kvm parameters as a configuration file to be used in the future rather than have it scripted or manually typed in. The caveat is that we have to include everything that we are doing from virt-manager in there. It’s under this section in the very useful link beneath it:

13.2.2. Storing and Reading Configuration of Virtual Devices
https://doc.opensuse.org/products/draft/SLES/SLES-kvm_sd_draft/cha.qemu.running.html

I promise I am not being lazy, it’s just that I have limited knowledge in this area, but I am trying to help as much as I can by testing things directly or finding out how.

I remember reading about pre-allocation as very beneficial for speed and VM performance, so it’s good that you are enabling this in the new images. However, paravirtualization has a very important impact on a VM as well.

I have a question besides this topic. In the other thread on disk encryption, it was mentioned that Whonix doesn’t have a boot partition. Does this mean that the information on turning on virtio-blk won’t be of much use? https://wiki.debian.org/DebianKVMGuests


#26

I have included a very close representation of an xml configuration file created when a snapshot was taken of a kvm image.

You will notice there is a clock section. Wonder if any of those values are of any use to you?

As I mentioned in another thread, I am new to KVM as well so am not sure if any of this would be helpful or not but figured why not see anyway.

[code]<domainsnapshot>
  <name>Initial configuration complete</name>
  <state>shutoff</state>
  <creationTime>1395643210</creationTime>
  <memory snapshot='no'/>
  <disks>
    <disk name='sda' snapshot='internal'/>
  </disks>
  <domain type='kvm'>
    <name>kvm-virtual-machine</name>
    <uuid>12345678-9012-3456-7890-abcfef012345</uuid>
    <memory unit='KiB'>4096000</memory>
    <currentMemory unit='KiB'>4096000</currentMemory>
    <vcpu placement='static'>2</vcpu>
    <os>
      <type arch='x86_64' machine='pc-i440fx-1.7'>hvm</type>
      <boot dev='hd'/>
      <bootmenu enable='yes'/>
    </os>
    <features>
      <acpi/>
      <apic/>
      <pae/>
    </features>
    <cpu mode='custom' match='exact'>
      <model fallback='allow'>Localhost</model>
    </cpu>
    <clock offset='utc'>
      <timer name='rtc' tickpolicy='catchup'/>
      <timer name='pit' tickpolicy='delay'/>
      <timer name='hpet' present='no'/>
    </clock>
    <on_poweroff>destroy</on_poweroff>
    <on_reboot>restart</on_reboot>
    <on_crash>restart</on_crash>
    <pm>
      <suspend-to-mem enabled='no'/>
      <suspend-to-disk enabled='no'/>
    </pm>
    <devices>
      <emulator>/usr/bin/kvm-spice</emulator>
      <disk type='file' device='disk'>
        <driver name='qemu' type='qcow2'/>
        <source file='/tmp/image.qcow2'/>
        <target dev='sda' bus='scsi'/>
        <address type='drive' controller='0' bus='0' target='0' unit='0'/>
      </disk>
      <controller type='usb' index='0' model='ich9-ehci1'>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x7'/>
      </controller>
      <controller type='usb' index='0' model='ich9-uhci1'>
        <master startport='0'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0' multifunction='on'/>
      </controller>
      <controller type='usb' index='0' model='ich9-uhci2'>
        <master startport='2'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x1'/>
      </controller>
      <controller type='usb' index='0' model='ich9-uhci3'>
        <master startport='4'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x2'/>
      </controller>
      <controller type='scsi' index='0'>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
      </controller>
      <controller type='pci' index='0' model='pci-root'/>
      <interface type='network'>
        <mac address='01:23:45:67:89:10'/>
        <source network='default'/>
        <model type='virtio'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
      </interface>
      <interface type='network'>
        <mac address='02:23:45:67:89:10'/>
        <source network='whonix'/>
        <model type='virtio'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
      </interface>
      <serial type='pty'>
        <target port='0'/>
      </serial>
      <console type='pty'>
        <target type='serial' port='0'/>
      </console>
      <input type='tablet' bus='usb'/>
      <input type='mouse' bus='ps2'/>
      <input type='keyboard' bus='ps2'/>
      <graphics type='vnc' port='-1' autoport='yes' keymap='en-us'/>
      <video>
        <model type='cirrus' vram='9216' heads='1'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
      </video>
      <memballoon model='virtio'>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
      </memballoon>
    </devices>
  </domain>
  <active>1</active>
</domainsnapshot>[/code]
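
As an added example (not part of this post or of Whonix), here is a small Python checker that pulls the `<clock>` section out of a libvirt domain or domainsnapshot XML and summarises how the guest clock is tied to the host. The embedded sample is a constructed excerpt of the XML above, trimmed to the clock section. The note about `track='guest'` reflects my reading of the libvirt domain XML format (the `track` attribute on the rtc timer), not anything stated in the thread, and only the standard library is used.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the snapshot XML from this post, reduced to the parts we inspect
SAMPLE_DOMAIN_XML = """<domainsnapshot>
  <name>Initial configuration complete</name>
  <domain type='kvm'>
    <name>kvm-virtual-machine</name>
    <clock offset='utc'>
      <timer name='rtc' tickpolicy='catchup'/>
      <timer name='pit' tickpolicy='delay'/>
      <timer name='hpet' present='no'/>
    </clock>
  </domain>
</domainsnapshot>"""


def clock_settings(xml_text: str) -> dict:
    """Return the <clock> offset and the attributes of each <timer> from a
    libvirt <domain> document, or from a <domainsnapshot> that embeds one."""
    root = ET.fromstring(xml_text)
    domain = root if root.tag == "domain" else root.find("domain")
    if domain is None:
        raise ValueError("no <domain> element in document")
    settings = {"offset": None, "timers": {}}
    clock = domain.find("clock")
    if clock is None:
        return settings  # no explicit clock: libvirt defaults apply
    settings["offset"] = clock.get("offset")
    for timer in clock.findall("timer"):
        name = timer.get("name")
        # keep every attribute except the name: tickpolicy, present, track, ...
        settings["timers"][name] = {k: v for k, v in timer.attrib.items() if k != "name"}
    return settings


def clock_notes(settings: dict) -> list:
    """Plain-language observations about how the guest clock is wired to the
    host, based only on what the XML states."""
    notes = []
    offset = settings["offset"]
    if offset is None:
        notes.append("no <clock> element: libvirt default clock handling applies")
    elif offset == "utc":
        notes.append("offset='utc': guest clock is synchronised to UTC at boot")
    elif offset == "localtime":
        notes.append("offset='localtime': guest clock follows the host's timezone at boot")
    else:
        notes.append("offset=%r: consult the libvirt <clock> documentation" % offset)
    rtc = settings["timers"].get("rtc")
    if rtc is None:
        notes.append("no rtc <timer> element: hypervisor default RTC behaviour")
    elif "track" not in rtc:
        # Assumption: track='guest' is libvirt's way to ask for the RTC to follow
        # guest time instead of the host wall clock; this XML does not set it.
        notes.append("rtc timer has no track= attribute (tickpolicy=%s); "
                     "no guest-only clock source is requested" % rtc.get("tickpolicy"))
    else:
        notes.append("rtc timer track=%r" % rtc["track"])
    if settings["timers"].get("hpet", {}).get("present") == "no":
        notes.append("HPET disabled: guest cannot use it as a clock source")
    return notes


if __name__ == "__main__":
    for line in clock_notes(clock_settings(SAMPLE_DOMAIN_XML)):
        print("-", line)
```

Run it against `virsh dumpxml <domain>` output to see at a glance which timers a domain definition actually pins down before changing anything on the qemu command line.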

#27
[quote="HulaHoop, post:25, topic:166"]I'd be grateful if you create an account and pass on the nick/password to the email: bancfc openmailbox [.] org.[/quote]
You're most helpful developing Whonix KVM support and I am happy to help out here.

I’ve sent you an e-mail. You gotta click the confirmation link within 24 hours. (Otherwise I need to do it again, no problem.)

[quote="HulaHoop, post:25, topic:166"]Also let me know how I can connect to these servers anonymously using sasl as freenode is finicky about this.[/quote]
Yeah, freenode is quite important for development questions.

In Whonix 8:

Save http://lwsitu.com/xchat/cap_sasl_xchat.pl in ~/.xchat2/

Unfortunately, that file is down.

This is the version I am using.

[code]# based on cap_sasl.pl by Michael Tharp and Jilles Tjoelker
#
# ported to X-Chat 2 by Lian Wan Situ
#
# license: GNU General Public License
#
# Latest version at http://lwsitu.com/xchat/cap_sasl_xchat.pl

# Configuration

# How long to wait between authentication messages
my $AUTHENTICATION_TIMEOUT = 5;

# End Configuration

use strict;
use warnings;
use Xchat qw(:all);

use MIME::Base64;

register(
	"CAP SASL",
	"1.0107",
	"Implements PLAIN SASL authentication mechanism for use with charybdis ircds, and enables CAP MULTI-PREFIX IDENTIFY-MSG",
	\&cmd_sasl_save,
);

my %timeouts;
my %processing_cap;
hook_print( "Connected", \&event_connected );

hook_server( 'CAP', \&event_cap );
hook_server( 'AUTHENTICATE', \&event_authenticate );
# 900 = RPL_LOGGEDIN: the server tells us which account we are logged in as
hook_server( '900', sub {
	cap_out( substr( $_[1][5], 1 ) );
	timeout_remove();
	return EAT_XCHAT;
});
# 903..907 = SASL success / failure replies
hook_server( '903', \&event_saslend );
hook_server( '904', \&event_saslend );
hook_server( '905', \&event_saslend );
hook_server( '906', \&event_saslend );
hook_server( '907', \&event_saslend );

hook_command( 'SASL', \&cmd_sasl, { help_text => cmd_sasl_help_text() } );

my $AUTH_TIMEOUT;
if( $AUTHENTICATION_TIMEOUT ) {
	$AUTH_TIMEOUT = $AUTHENTICATION_TIMEOUT * 1_000;
} else {
	$AUTH_TIMEOUT = 5_000;
}

my %sasl_auth = ();
my %mech = ();

sub send_raw {
	commandf( "QUOTE %s", $_[0] );
}

sub cap {
	send_raw( "CAP " . $_[0] );
}

sub cap_end {
	delete $processing_cap{ get_info "id" };
	cap( "END" );
}

sub connected {
	my $flags = context_info->{flags};
	return $flags & 1 || $flags & 2;
}

sub get_config_file {
	return get_info( "xchatdirfs" ) . "/sasl.auth";
}

sub network_name {
	return lc get_info( "network" );
}

# switch to the server tab for the current connection
# return true if successful
sub switch_to_server {
	my $connection_id = shift;

	for my $tab ( get_list "channels" ) {
		if( $tab->{id} == $connection_id && $tab->{type} == 1 ) {
			return set_context( $tab->{context} );
		}
	}

	return;
}

sub cap_out {
	my $output = shift;
	switch_to_server( get_info "id" );

	prnt( $output );
}

sub event_connected {
	cap( "LS" );

	# reset everything for new connection
	timeout_remove();
	delete $processing_cap{ get_info( "id" ) };
	return EAT_NONE;
}

sub event_cap {
	my $tosend = '';
	my $subcmd = uc $_[0][3];
	my $caps = $_[1][4];
	$caps =~ s/^://;

	if ($subcmd eq 'LS') {
		my $id = get_info "id";
		if( $processing_cap{ $id } ) {
			return EAT_XCHAT;
		}
		$processing_cap{ $id } = 1;
		$tosend .= ' multi-prefix' if $caps =~ /\bmulti-prefix\b/xi;

		if( $caps =~ /\bsasl\b/xi ) {
			if( defined($sasl_auth{network_name()}) ) {
				$tosend .= ' sasl';
			} else {
				cap_out( "\cC05SASL is supported but there is no authentication information set for this network(\cC02" . network_name() . "\cC05)." );
			}
		}

		$tosend .= ' identify-msg' if $caps =~ /\bidentify-msg\b/;
		$tosend =~ s/^ //;
		cap_out( "CLICAP: supported by server: $caps" );

		if ( connected() ) {
			if ($tosend eq '') {
				cap_end();
			} else {
				cap_out( "CLICAP: requesting: $tosend" );
				cap( "REQ :$tosend" );
			}
		}
	} elsif( $subcmd eq 'ACK' ) {
		cap_out( "CLICAP: now enabled: $caps" );

		if( $caps =~ /\bidentify-msg\b/i ) {
			commandf( "RECV %s 290 %s :IDENTIFY-MSG",
				$_[0][0], get_info( "nick" ) );
		}

		if( $caps =~ /\bsasl\b/i ) {
			$sasl_auth{network_name()}{buffer} = '';
			if($mech{$sasl_auth{network_name()}{mech}}) {
				send_raw( "AUTHENTICATE "
					. $sasl_auth{network_name()}{mech}
				);

				timeout_start();
			} else {
				cap_out( sprintf( 'SASL: attempted to start unknown mechanism "%s"',
					$sasl_auth{network_name()}{mech}
				) );
			}
		} elsif( connected() ) {
			cap_end();
		}
	} elsif( $subcmd eq 'NAK' ) {
		cap_out( "CLICAP: refused:$caps" );
		if ( connected() ) {
			cap_end();
		}
	} elsif( $subcmd eq 'LIST' ) {
		cap_out( "CLICAP: currently enabled:$caps" );
	}

	return EAT_XCHAT;
}

sub event_authenticate {
	my $args = $_[1][1] || "";

	my $sasl = $sasl_auth{network_name()};
	return EAT_XCHAT unless $sasl && $mech{$sasl->{mech}};

	# server challenges arrive in pieces of at most 400 bytes;
	# a piece of exactly 400 bytes means more is coming
	$sasl->{buffer} .= $args;
	timeout_reset();
	return EAT_XCHAT if length($args) == 400;

	my $data = $sasl->{buffer} eq '+' ? '' : decode_base64($sasl->{buffer});
	my $out = $mech{$sasl->{mech}}($sasl, $data);
	$out = '' unless defined $out;
	$out = $out eq '' ? '+' : encode_base64($out, '');

	while(length $out >= 400) {
		my $subout = substr($out, 0, 400, '');
		send_raw("AUTHENTICATE $subout");
	}
	if(length $out) {
		send_raw("AUTHENTICATE $out");
	} else { # Last piece was exactly 400 bytes, we have to send some padding to indicate we're done
		send_raw("AUTHENTICATE +");
	}

	$sasl->{buffer} = '';
	return EAT_XCHAT;
}

sub event_saslend {
	my $data = $_[1][1];
	$data =~ s/^\S+ :?//;

	if (connected()) {
		cap_end();
	}

	return EAT_XCHAT;
}

sub timeout_start {
	$timeouts{ context_info->{id} }
		= hook_timer( $AUTH_TIMEOUT, sub { timeout(); return REMOVE; } );
}

sub timeout_remove {
	unhook( $timeouts{ context_info->{id} } ) if $timeouts{ context_info->{id} };
}

sub timeout_reset {
	timeout_remove();
	timeout_start();
}

sub timeout {
	my $id = get_info "id";
	delete $processing_cap{ $id };

	if( connected() ) {
		cap_out( "SASL: authentication timed out" );
		cap_end();
	}
}

my %sasl_actions = (
	load       => \&cmd_sasl_load,
	save       => \&cmd_sasl_save,
	set        => \&cmd_sasl_set,
	delete     => \&cmd_sasl_delete,
	show       => \&cmd_sasl_show,
	help       => \&cmd_sasl_help,
	mechanisms => \&cmd_sasl_mechanisms,
);

sub cmd_sasl {
	my $action = $_[0][1];

	if( $action and my $action_code = $sasl_actions{ $action } ) {
		$action_code->( @_ );
	} else {
		$sasl_actions{ help }->( @_ );
	}

	return EAT_XCHAT;
}

sub cmd_sasl_help_text {
	return <<"HELP_TEXT";
SASL [action] [action parameters]
actions:
    load        reload SASL information from disk
    save        save the current SASL information to disk
    set         set the SASL information for a particular network
                set <net> <user> <password or keyfile> <mechanism>
    delete      delete the SASL information for a particular network
                delete <net>
    show        display which networks have SASL information set
    mechanisms  display supported mechanisms
    help        show help message
HELP_TEXT
}

sub cmd_sasl_set {
	my $data = $_[1][2] || "";

	if (my($net, $u, $p, $m) = $data =~ /^(\S+) (\S+) (\S+) (\S+)$/) {
		if($mech{uc $m}) {
			$net = lc $net;
			$sasl_auth{$net}{user} = $u;
			$sasl_auth{$net}{password} = $p;
			$sasl_auth{$net}{mech} = uc $m;
			prnt( "SASL: added $net: [$m] $sasl_auth{$net}{user} *" );
		} else {
			prnt( "SASL: unknown mechanism $m" );
		}
	} elsif( $data =~ /^(\S+)$/) {
		$net = lc $1;
		if (defined($sasl_auth{$net})) {
			delete $sasl_auth{$net};
			prnt( "SASL: deleted $net" );
		} else {
			prnt( "SASL: no entry for $net" );
		}
	} else {
		prnt( "SASL: usage: /sasl set <net> <user> <password or keyfile> <mechanism>" );
	}
}

sub cmd_sasl_delete {
	my $net = $_[0][2];
	prnt "Net: $net";

	delete $sasl_auth{$net};
}

sub cmd_sasl_show {
	foreach my $net (keys %sasl_auth) {
		prnt( "SASL: $net: [$sasl_auth{$net}{mech}] $sasl_auth{$net}{user} *" );
	}
	prnt( "SASL: no networks defined" ) if !%sasl_auth;
}

sub cmd_sasl_save {
	my $file = get_config_file();

	if( open my $fh, ">", $file ) {
		# one tab-separated line per network: net, user, password, mechanism
		foreach my $net (keys %sasl_auth) {
			printf $fh ("%s\t%s\t%s\t%s\n", lc $net, $sasl_auth{$net}{user}, $sasl_auth{$net}{password}, $sasl_auth{$net}{mech});
		}

		prnt( "SASL: auth saved to $file" );
	} else {
		prnt qq{Couldn't open '$file' to save auth data: $!};
	}
}

sub cmd_sasl_load {
	#my ($data, $server, $item) = @_;
	my $file = get_config_file();

	open FILE, "< $file" or return;
	%sasl_auth = ();
	while (<FILE>) {
		chomp;
		my ($net, $u, $p, $m) = split (/\t/, $_, 4);
		$m ||= "PLAIN";
		$net = lc $net;
		if($mech{uc $m}) {
			$sasl_auth{$net}{user} = $u;
			$sasl_auth{$net}{password} = $p;
			$sasl_auth{$net}{mech} = uc $m;
		} else {
			prnt( "SASL: unknown mechanism $m" );
		}
	}
	close FILE;
	prnt( "SASL: auth loaded from $file" );
}

sub cmd_sasl_mechanisms {
	prnt( "SASL: mechanisms supported: " . join(" ", keys %mech) );
}

sub cmd_sasl_help {
	prnt( cmd_sasl_help_text() );
}

# PLAIN (RFC 4616): authzid NUL authcid NUL password
$mech{PLAIN} = sub {
	my($sasl, $data) = @_;
	my $u = $sasl->{user};
	my $p = $sasl->{password};

	join("\0", $u, $u, $p);
};

# binary to BigInt
sub bin2bi {
	return Crypt::OpenSSL::Bignum
		->new_from_bin(shift)
		->to_decimal;
}

# BigInt to binary
sub bi2bin {
	return Crypt::OpenSSL::Bignum
		->new_from_decimal((shift)->bstr)
		->to_bin;
}

# DH-BLOWFISH is only offered when the optional crypto modules are installed
eval {
	require Crypt::OpenSSL::Bignum;
	require Crypt::DH;
	require Crypt::Blowfish;
	require Math::BigInt;

	$mech{'DH-BLOWFISH'} = sub {
		my($sasl, $data) = @_;
		my $u = $sasl->{user};
		my $pass = $sasl->{password};

		# Generate private key and compute secret key
		my($p, $g, $y) = unpack("(n/a*)3", $data);
		my $dh = Crypt::DH->new(p => bin2bi($p), g => bin2bi($g));
		$dh->generate_keys;

		my $secret = bi2bin($dh->compute_secret(bin2bi($y)));
		my $pubkey = bi2bin($dh->pub_key);

		# Pad the password to the nearest multiple of blocksize and encrypt
		$pass .= "\0";
		$pass .= chr(rand(256)) while length($pass) % 8;

		my $cipher = Crypt::Blowfish->new($secret);
		my $crypted = '';
		while(length $pass) {
			my $clear = substr($pass, 0, 8, '');
			$crypted .= $cipher->encrypt($clear);
		}

		pack("n/a*Z*a*", $pubkey, $u, $crypted);
	};
};

cmd_sasl_load();

# vim: ts=4
[/code]

Alternatively use the cap_sasl_xchat.py.

To enable XChat perl or python, you can copy and paste the required command from here:

IRC servers can be found here (at the bottom, for Tor, you must use a Tor hidden service):
http://freenode.net/irc_servers.shtml

Official instructions:
http://freenode.net/sasl/
http://freenode.net/sasl/sasl-xchat.shtml


#28

Never mind. Either use the instructions to use the account (that is working over Tor/SASL, I just tested that) or use the .xchat2 folder that I have just sent to you by e-mail. (The folder that I used for testing whether this works.)


#29

[quote="HulaHoop, post:25, topic:166"]There is a way described here to store the qemu-kvm parameters as a configuration file to be used in the future rather than have it scripted or manually typed in. The caveat is that we have to include everything that we are doing from virt-manager in there. It's under this section in the very useful link beneath it:

13.2.2. Storing and Reading Configuration of Virtual Devices
https://doc.opensuse.org/products/draft/SLES/SLES-kvm_sd_draft/cha.qemu.running.html[/quote]
This looks useful. That’s probably what I meant with native KVM config files, where virsh/libvirt is not involved.

If it would be possible to set all settings using such a config file, that would be better, I guess. (Curious what you find out and think.)

[quote="HulaHoop, post:25, topic:166"]I promise I am not being lazy, it's just that I have limited knowledge in this area but I am trying to help as much as I can by testing things directly or finding out how.[/quote]
Ok, great.
[quote="HulaHoop, post:25, topic:166"]However, paravirtualization has a very important impact on a vm as well.[/quote]
Yes.
[quote="HulaHoop, post:25, topic:166"]I have a question besides this topic. In the other thread on disk encryption, it was mentioned that Whonix doesn't have a boot partition.[/quote]
It does not have a separate boot partition. The boot/root partition is shared. I don't see any indication that this will be a limitation with respect to KVM.
[quote="HulaHoop, post:25, topic:166"]Does this mean that the information on turning on virtio-blk won't be of much use? https://wiki.debian.org/DebianKVMGuests[/quote]

I guess you are referring to this.

[code]Editing grub configuration

On guests with grub 1 (e.g. Debian Lenny), you need to edit grub configuration:

In /etc/grub/device.map change "(hd0) /dev/hda" to "(hd0) /dev/vda"
in /etc/grub/menu.lst change /dev/hda1 to /dev/vda1 [/code]

This does not apply to us. Seems like a relic in the Debian wiki. We’re not using grub 1. We’re using grub 2.

Therefore I guess virtio_pci and virtio_blk will work.

I used these (https://wiki.debian.org/DebianKVMGuests) instructions already.

There is an open todo item, though. [How to check that they are really in use?]


#30

Thanks for going through all that hassle for the IRC account; unfortunately though, it’s not working. It keeps disconnecting me, saying I need to authenticate through SASL. Which it should automatically do, since the plugin came prepackaged in the folder you sent me. I deleted the original and extracted the new one in its place, BTW.

[quote="Patrick, post:29, topic:166"]If it would be possible to set all settings using such a config file, that would be better, I guess.[/quote]

Yes, I agree. What I need to look up is whether things like the internal networking we depend on are done through qemu-kvm, or whether it’s an abstraction only possible through libvirt. Also whether snapshots could still be done through virt-manager while the machine relies on this config file.


#31

Have you enabled perl in XChat? Sorry, I forgot to mention that this step still has to be done manually.

Then restart XChat.

[quote="HulaHoop, post:30, topic:166"]Yes I agree. What I need to look up is if things like the internal networking we depend on is done through qemu-kvm or if it's an abstraction only possible through libvirt. Also if snapshots could be still done through virt-manager while the machine relies on this config file.[/quote]
Good questions.

#32

This time it says perl is activated, but it still does not want to connect no matter what command I type in there. :-[


#33

I needed to verify the account myself. Used an e-mail address of mine.

I’ve sent you a new .xchat2 folder. Please delete the existing one and use the new one. To connect:

XChat -> Network List -> freenode -> connect -> choose freenet2

(That worked during my test.)

Please change the account’s e-mail address after you’re connected.


#34

Now it works, thanks for your time doing this. Tell me how to change the email and I’ll do it.

Anyway, let’s see how this goes.


#35
[code]* Now talking on #kvm
* Topic for #kvm is: KVM wiki website is http://www.linux-kvm.org - try status and faq pages, no really, read them! || you can also check the qemu manual at http://wiki.qemu.org/download/qemu-doc.html || don't paste on chan, use http://pastebin.com/ instead || libvirt/virt-manager support is #virt on irc.oftc.net
* Topic for #kvm set by aliguori at Wed Mar 30 13:38:24 2011
Hi
How do I check if virtio storage is in use or an existing fallback driver for an emulated device?
there's no fallback in kvm like in xen
so a simple grep should verify if a virtio device is used then - not merely attached I mean?
well... if you really want to check, it's going to be /dev/vdX
and lspci will show virtio block device
Thanks iggy
I have a few more questions that I'd really appreciate your help with
ask away
I am trying to isolate the vm clock so no changes on the host can affect it. This is currently possible with -rtc clock=vm afaik, but it would be much more helpful for my project's purpose if this can be done through something like libvirt
is this possible with libvirt?
that I don't know
the appealing part of using libvirt is the xml settings file it creates, but I think something similar can be done with qemu-kvm cfgfiles option
* iggy hates xml
But that means all settings would have to be imitated but directly for the qemu-kvm utility
which is fine if I can get it to do the same things
namely the functionality of isolated internal networking between two vms
is that possible with qemu-kvm directly?
libvirt has an option to pass options directly to qemu-kvm
please tell me how this is done :-)
or where I can know this.
ok nevermind, I just want to know if this means that a setting in the xml file is passed directly to qemu-kvm then? ...
You might try asking in the libvirt channel
I did but no one seems to reply...
I know it's possible, I don't remember it off the top of my head
Thank you so far for your replies.
I am actually working on a project that uses virtualization to route all of a vm's traffic through a TOR instance running on another network facing gateway vm. Its known as Whonix
Just letting you know that I'd appreciate any help on getting the main issues with porting it to KVM solved so we can prepare this for a greater good.
This is the bugtracker page I am working on resolving: https://www.whonix.org/wiki/Dev/KVM#How_to_get_virtio_running_for_storage.3F
iggy do you mind if I post the contents of this thread on our forum?
no...[/code]

I think I ruined the dialogue by mentioning a lot of unnecessary details :-\

Anyhow, going off of what he said, I found a thread with information on how libvirt can trigger specific scripts that pass commands directly to the feature-rich qemu-kvm:

http://ubuntuforums.org/showthread.php?t=826671&s=b46a4b6ee2b45daaf55f16050c3b2dd2&p=6017259#post6017259

Edit by Patrick:
Removed join/part messages.


#36

/msg nickserv set email youraddress@example.com

Also useful for other stuff:
/msg NickServ help


#37

Yes. Never mind. You will keep improving your IRC social skills.

[quote="HulaHoop, post:35, topic:166"]Anyhow, going off of what he said, I found a thread with information on how libvirt can trigger specific scripts that pass commands directly to feature rich qemu-kvm:

http://ubuntuforums.org/showthread.php?t=826671&s=b46a4b6ee2b45daaf55f16050c3b2dd2&p=6017259#post6017259[/quote]


This is a wrapper solution. Works well enough for own use, but not for redistribution.

Config files.

13.2.2. Storing and Reading Configuration of Virtual Devices https://doc.opensuse.org/products/draft/SLES/SLES-kvm_sd_draft/cha.qemu.running.html

Seems like the cleaner solution.


#38

I changed the email.


#39

Storage format details/recommendations:

qcow2 is the best choice that has a good balance between features and speed.

raw does not snapshot directly.
http://wiki.qemu.org/Features/Snapshots

Overall concept

The idea is to be able to issue a command to QEMU via the monitor or QMP, which causes QEMU to create a new snapshot image with the original image as the backing file, mounted read-only. This will allow the original image file to be backed up.

Roll-back to a previous version requires one to boot from the previous backing file, at which point the snapshot file becomes invalid. Unfortunately there is no way to detect that a backing file has been booted, making it important for administrators to take care to not rely on snapshot files being valid after a roll-back.

The snapshot image will have to be in a format which supports backing files, i.e. QCOW2 and QED; however, the original image can be of any supported format. I.e. it is possible to make a QCOW2 snapshot of a RAW image, or a QED snapshot of a QED image.

lvm is a security risk AFAIK.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-Virtualization-Adding_storage_devices_to_guests-Adding_hard_drives_and_other_block_devices_to_a_guest.html

With your permission I’d like to move the IRC logs into Dev/KVM so we don’t lose this info if the forum software goes berserk.

[code]bancfc> Is there any security drawbacks from using a raw image file?
bancfc: security drawbacks? like what?
iggy: are its contents directly interpreted by the host or is that when lvm is used only?
I'm not sure what you mean by "contents directly interpreted", but raw devices/files just means there's a 1:1 correlation between guest request and host request
like a virus or advanced persistent threat running in the vm
the host doesn't "interpret" what it's reading/writing... it just becomes a read/write in the host
ok good just checking.
Another question is raw snapshotting possible albeit not directly? I saw something about a differencing image applied in qcow format, yes?
only if there's something underlying the files that supports it (btrfs, lvm, zfs, etc)
so not at the "block" level I guess?
iggy: just a question or two about storage if thats ok, because we are trying to see which can give maximum performance
lvm > raw files > qcow2 > everything else
Is qcow2 the standard? Is qed recommended instead? When is the qcow"3" changes included into the present format?
didn't mean to send this as you had already responded but anyhow
qed seems to have been designed as a speedier replacement for qcow2. But qcow2 were adding changes to become more competitive again
I wanted to know what you think about this and thats all. thanks
bancfc: qed is deprecated (as all of it's performance improvements that actually ended up helping were backported to qcow2)
the features are handled by feature flags in the qcow2 format, so there's technically no need for a "qcow3" format
as long as you don't use the features that qed didn't support (i.e. snapshots, etc.), qcow2 should be as fast
iggy: thanks a lot for your help
np[/code]
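
As an added example (not from this post, the qemu wiki or the IRC discussion), here is a Python inspector for the points raised above: raw images have no header, so they carry no backing file or internal snapshots, whereas qcow2 records a backing file name, a snapshot count and, from version 3 on, the feature-flag bitmaps iggy mentions. It reads only the fixed qcow2 header as laid out in the qcow2 specification and flags what a redistributed image should not carry. The `build_sample_qcow2` helper fabricates a header-only image for the demonstration (it is not a mountable disk, and its `header_length` value is simply the size of the fields written here); only the standard library is used.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
# Fixed header fields common to qcow2 v2 and v3 (72 bytes, big-endian): magic, version,
# backing_file_offset, backing_file_size, cluster_bits, size, crypt_method, l1_size,
# l1_table_offset, refcount_table_offset, refcount_table_clusters, nb_snapshots, snapshots_offset
HDR_V2 = struct.Struct(">4sIQIIQIIQQIIQ")
# v3 extension: incompatible/compatible/autoclear feature bitmaps, refcount_order, header_length
HDR_V3_EXTRA = struct.Struct(">QQQII")


def inspect_image(data: bytes) -> dict:
    """Describe an image from its leading bytes. Anything without the qcow2 magic is
    treated as raw, which has no header and hence no backing file or snapshots."""
    if len(data) < HDR_V2.size or data[:4] != QCOW_MAGIC:
        return {"format": "raw", "backing_file": None, "internal_snapshots": 0}
    (_magic, version, bf_off, bf_len, cluster_bits, size, crypt_method, _l1_size,
     _l1_off, _rc_off, _rc_clusters, nb_snapshots, _snap_off) = HDR_V2.unpack_from(data)
    info = {
        "format": "qcow2", "version": version, "virtual_size": size,
        "cluster_size": 1 << cluster_bits, "crypt_method": crypt_method,
        "internal_snapshots": nb_snapshots, "backing_file": None,
        "incompatible_features": 0, "compatible_features": 0, "autoclear_features": 0,
    }
    if bf_off and bf_len:
        # The backing file name is a path stored inside the image; bounds-check the
        # offsets instead of trusting them when the file came from somewhere else.
        if bf_off + bf_len > len(data):
            raise ValueError("backing file name lies outside the image data")
        info["backing_file"] = data[bf_off:bf_off + bf_len].decode("utf-8", "replace")
    if version >= 3:
        if len(data) < HDR_V2.size + HDR_V3_EXTRA.size:
            raise ValueError("truncated qcow2 v3 header")
        incompat, compat, autoclear, _order, _hlen = HDR_V3_EXTRA.unpack_from(data, HDR_V2.size)
        info.update(incompatible_features=incompat, compatible_features=compat,
                    autoclear_features=autoclear)
    return info


def redistribution_warnings(info: dict) -> list:
    """Properties to resolve before shipping an image to other people."""
    warnings = []
    if info.get("backing_file"):
        warnings.append("overlay depends on external backing file %r" % info["backing_file"])
    if info.get("internal_snapshots"):
        warnings.append("%d internal snapshot(s) present; earlier disk states travel with the image"
                        % info["internal_snapshots"])
    if info.get("incompatible_features"):
        warnings.append("incompatible feature bits 0x%x set; older tools cannot open the image"
                        % info["incompatible_features"])
    return warnings


def build_sample_qcow2(version=3, backing_file=b"", nb_snapshots=0, cluster_bits=16, size=1 << 30):
    """Constructed header-only qcow2 for the demonstration: no L1 or refcount tables, so it
    is not a usable disk, but the header fields follow the specification's fixed layout."""
    header_len = HDR_V2.size + (HDR_V3_EXTRA.size if version >= 3 else 0)
    bf_off = header_len if backing_file else 0
    hdr = HDR_V2.pack(QCOW_MAGIC, version, bf_off, len(backing_file), cluster_bits, size,
                      0, 0, 0, 0, 0, nb_snapshots, 0)
    if version >= 3:
        hdr += HDR_V3_EXTRA.pack(0, 0, 0, 4, header_len)
    return (hdr + backing_file).ljust(1 << cluster_bits, b"\0")


if __name__ == "__main__":
    sample = build_sample_qcow2(backing_file=b"base.raw", nb_snapshots=2)
    details = inspect_image(sample)
    print(details)
    for w in redistribution_warnings(details):
        print("warning:", w)
```

Against a real file, read the first cluster (`open(path, "rb").read(65536)`) and pass it to `inspect_image`; `qemu-img info` reports the same fields, but having the check in code lets a release script refuse to publish an overlay or an image that still carries internal snapshots.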

#40

Yeah, block devices / lvm are not very suitable for this. I mean, they’re pretty cool for advanced users. You can do lots of cool geeky stuff such as sometimes booting the partition on bare metal and some times using it in a VM. However, they’re not the best tool for Whonix. Not for security reasons. Difficult to redistribute. (And may result in data loss when used wrong. More difficult to use.)

Sounds like qcow2 is a good choice and we just keep it?

[quote="HulaHoop, post:39, topic:166"]With your permission I'd like to move the IRC logs into dev kvm so we don't lose this info if the forum software goes berserk.[/quote]

Sure. Whatever you find useful. Especially (not exclusively) the /Dev pages are extra non-controversial. Whatever helps us moving this forward. :slight_smile: