[Help Welcome] KVM Development - staying the course

What’s the status of KVM vs Protocol Leak and Fingerprinting Protection? Up to date? Specifically…

CPU model and capabilities.

Hidden or non-hidden?

Obsolete. Output will show exact host CPU flags and properties. Don’t have a choice.

No longer hidden from guest.

Do Whonix KVM VMs have a virtual DVD or floppy drive by default?

No. I exclude the virtual DVD drive to decrease attack surface.

What’s a good virtual CPU count for KVM?

Currently it’s 1.

Maybe 2 would be better? Any disadvantages of that?

Would that workaround bug Slow shutdown of version 15 workstation and gateway?

Maybe if there are 4 physical CPUs, one should not assign 4 virtual CPUs to a KVM VM? Could have a similar issue as VirtualBox?
https://www.virtualbox.org/ticket/19500

Which performance benefit are you referring to?

In my experience one seems to cut it for most tasks including HD video playback. Building Whonix of course needs more CPUs allocated, but not many are doing that. The disadvantage is we overcommit resources, which puts a hard limit on use with dual core machines unless a user decides to edit the settings manually (yes, there are dual core machines out there with 4 GB RAM, go figure). Adding one more core to WS pushes the total requirement for Whonix to 3 cores because we don’t allow GW and WS to use the same cores.

No this looks like a strange software bug that I hope gets ironed out by stable next.

Yeah you should never assign all cores to VMs. At least one free one should be left to the host or you run into deadlocks and freezing of the host.

Bumping up the vCPU core count while only one is pinned doesn’t give you increased CPU performance, but results in terrible stability and freeze-ups of the VM.

HulaHoop via Whonix Forum:

No this looks like a strange software bug that I hope gets ironed out by stable next.

Alright. Since that bug doesn’t get fixed, there’s no urgency to change anything.

In my experience one seems to cut it for most tasks including hd video
playback.

OK.

Building Whonix of course needs more cpus allocated, but not many are
doing that.

Agreed. Not a criteria.

The disadvantage is we over commit resources which puts a hard limit
on use with dual core machines unless a user decides to edit the
settings manually. (yes there are dual core machines out there with 4gb
ram go figure). Adding one more core to ws pushes total requirement for
Whonix to 3 cores because we don’t allow gw and ws to use same cores.

OK. Maybe CPU assignment could be more automatic, better once
Whonix-Host is a reality.
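Added example, not code from the thread or from the Whonix project: a small planner that applies the two rules stated above (gateway and workstation never share host cores; at least one core stays free for the host) and emits the libvirt `<vcpu>`/`<cputune>` fragment with every vCPU pinned, since the thread reports freezes when vCPUs are added but only one is pinned. Core numbering and the reserved-core default are assumptions.

```python
# Added example (not from the Whonix forum thread): plan pinned vCPUs for a
# Whonix-Gateway / Whonix-Workstation pair on one host.
import xml.etree.ElementTree as ET


def plan_pinning(host_cores, gw_vcpus=1, ws_vcpus=1, reserved_host_cores=1):
    """Return {'gateway': [cores], 'workstation': [cores]} or raise ValueError.

    Host cores 0..reserved_host_cores-1 are left to the host (assumption:
    core 0 is the one kept free); the rest are handed out disjointly,
    gateway first, so GW and WS never share a core.
    """
    needed = reserved_host_cores + gw_vcpus + ws_vcpus
    if host_cores < needed:
        raise ValueError(
            f"need {needed} host cores (host {reserved_host_cores} + gw {gw_vcpus}"
            f" + ws {ws_vcpus}), only {host_cores} available")
    free = list(range(reserved_host_cores, host_cores))
    return {"gateway": free[:gw_vcpus],
            "workstation": free[gw_vcpus:gw_vcpus + ws_vcpus]}


def cputune_xml(cores):
    """Build <vcpu> plus <cputune> with one <vcpupin> per vCPU.

    Every vCPU gets its own pin so the count and the pinning never diverge.
    """
    vcpu = ET.Element("vcpu", placement="static")
    vcpu.text = str(len(cores))
    cputune = ET.Element("cputune")
    for idx, core in enumerate(cores):
        ET.SubElement(cputune, "vcpupin", vcpu=str(idx), cpuset=str(core))
    return (ET.tostring(vcpu, encoding="unicode")
            + ET.tostring(cputune, encoding="unicode"))


if __name__ == "__main__":
    # 4 physical cores: 1 for the host, 1 for GW, 2 for WS
    plan = plan_pinning(host_cores=4, gw_vcpus=1, ws_vcpus=2)
    for name, cores in plan.items():
        print(name, cputune_xml(cores))
```

Asking for 4 vCPUs in total on a 4-core host (the case raised above) makes `plan_pinning` raise instead of handing every core to the VMs.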

13 posts were split to a new topic: Host to KVM VM Communication

Please review:
KVM: Difference between revisions - Whonix

What an excellent edit. I always welcome prefixing things with GNU :slight_smile:
Seriously thanks for clarifying which tool to use though.

https://www.whonix.org/w/index.php?title=KVM&type=revision&diff=58711&oldid=58390

virsh -c qemu:///system net-autostart default
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems

Could you please check all Whonix ™ for KVM if it mentions becoming root or suggests using sudo whenever required?

I don’t see how virsh -c qemu:///system net-autostart default could work without root/sudo since this is a system wide change? It’s on a Kicksecure based host for development purposes. Perhaps that broke pkexec or something and therefore sudo is required?

Confirmed. You are right, sudo is required for defining and interacting with the virsh net command. Otherwise a regular user cannot even see the networks.

This is even the case in upstream documentation:

I will modify the wiki.

Also related: to interact with virt-manager without having to input the root password every time, you will have to add the user to the libvirt and kvm groups.

That specific message is related to polkit policy that can have a rule added to deal with it:

KVM: Difference between revisions - Whonix

HulaHoop via Whonix Forum:

Also related: to interact with virt-manager without having to input the root password every time, you will have to add the user to the libvirt and kvm groups.

It was indeed related to forgotten application of addgroups and reboot
instructions.

13 posts were split to a new topic: Whonix Software Signature Verification Documentation Discussion - VirtualBox vs KVM - GPG / signify / codecrypt

Could you review KVM: Difference between revisions - Whonix please?

Not sure what we wanted to use comments for earlier?

New answer. “Comments in libvir xml files now possible.”

Could you try please if now comments can be persisted?

Doesn’t work for me unfortunately. Either not supported in this version of libvirt or it’s non-functional. The metadata tag has been in use for a long time according to the libvirt manual, but it is for defining a custom app XML schema:

The metadata node can be used by applications to store custom metadata in the form of XML nodes/trees. Applications must use custom namespaces on their XML nodes/trees, with only one top-level element per namespace (if the application needs structure, they should have sub-elements to their namespace element). Since 0.9.10.

Unrelated but interesting: when searching the manual I found there is a new feature for disk BackingStores added, which seems to me similar to the concept of Qubes Templates. Theoretically one could have one main disk image that shares common elements of both GW and WS while a second one contains only the diff, saving on image size dramatically, but probably too complex to implement.

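Added example, not code from the thread or from libvirt: a check of the `<metadata>` format the quoted manual text describes (every child in a custom namespace, one top-level element per namespace), run over a constructed domain XML. The `wx` prefix, its namespace URI and the note content are placeholders.

```python
# Added example (not from the thread or libvirt): validate the custom-namespace
# rule for a libvirt domain's <metadata> block and read a note back out of it.
import xml.etree.ElementTree as ET


def metadata_namespaces(domain_xml):
    """Return the namespace URIs of the top-level <metadata> children.

    Raises ValueError when a child has no namespace or a namespace repeats,
    which is what the manual text above forbids.
    """
    root = ET.fromstring(domain_xml)
    meta = root.find("metadata")
    if meta is None:
        return []
    seen = []
    for child in meta:
        # ElementTree spells a namespaced tag as "{uri}local"
        if not child.tag.startswith("{"):
            raise ValueError(f"<{child.tag}> in <metadata> lacks a namespace")
        uri = child.tag[1:].split("}", 1)[0]
        if uri in seen:
            raise ValueError(f"namespace {uri} used more than once at top level")
        seen.append(uri)
    return seen


def note_text(domain_xml, uri):
    """Return the text of <note> under <notes> in namespace `uri`, or None."""
    root = ET.fromstring(domain_xml)
    el = root.find(f"metadata/{{{uri}}}notes/{{{uri}}}note")
    return None if el is None else el.text


# constructed sample domain XML; the namespace URI is a placeholder
NOTES_NS = "https://example.invalid/whonix-notes"
SAMPLE = f"""<domain type='kvm'>
  <name>Whonix-Gateway</name>
  <metadata>
    <wx:notes xmlns:wx='{NOTES_NS}'>
      <wx:note>gateway pinned to host core 1</wx:note>
    </wx:notes>
  </metadata>
</domain>"""

if __name__ == "__main__":
    print(metadata_namespaces(SAMPLE))
    print(note_text(SAMPLE, NOTES_NS))
```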