[unsupported by Whonix team] Whonix now can be used without libvirt

New versions of KVM no longer have the memory overfill issues. Libvirt is no longer needed to run Whonix. To get the correct command for running, install aqemu, create 2 VMs and attach both images. Aqemu will generate the appropriate commands for running the OS. The thing is that old qemu commands like accel=kvm stop the networking between the VMs from working, that's why aqemu is needed. With commands generated by aqemu you can run VMs from the command line and no modifications of firewalls are needed. Example commands:
/usr/bin/qemu-system-x86_64 -monitor stdio -enable-kvm -m 320 -drive file="/home/user/Whonix-Gateway/Whonix-Gateway-9.2.0.0.qcow2",if=scsi -boot once=c,menu=on -net nic,vlan=0,macaddr=00:e0:2a:a1:e4:d2,model=rtl8139 -net user,vlan=0 -net nic,vlan=1,macaddr=00:e0:4c:c5:1a:d1,model=rtl8139 -net socket,vlan=1,listen=127.0.0.1:12222 -name "gateway"
/usr/bin/qemu-system-x86_64 -monitor stdio -smp 2,cores=1,threads=1,sockets=1 -cpu host -vga qxl -enable-kvm -m 1435 -full-screen -drive file="/home/user/Whonix-Workstation/Whonix-Workstation-9.2.0.0.qcow2",if=virtio -net nic,vlan=1,macaddr=DE:BE:BE:DE:A0:1C,model=rtl8139 -net socket,vlan=1,connect=127.0.0.1:12222 -no-frame -name "workstation"

Edit by Patrick:
changed title

Is there a help file on this? There's none in the graphical interface. I also tried "aqemu -help" and "aqemu --help".

There’s an option to save a vm as a template but I can’t see where to use/import a template. Can it use the xml files in the Whonix download?

The only remaining problem I have with Whonix on KVM is the failure of the hugepages option, but the networking seems to work just fine. Does AQEMU have an explicit option for hugepages? I found none in the (gui) wizard.

By not using libvirt you lose very important things:

  1. The sVirt security confinement that uses AppArmor automatically for guest isolation.

  2. The safe and recommended settings I have provided in the libvirt xml configuration files.

The OP is probably the same one from this thread: Whonix Forum who insisted on running KVM directly without libvirt and I made it clear this was not supported (by me) nor recommended for the reasons I have given above.

To officially support this, we’d need a maintainer who supports the kvm without libvirt use case.

Until then, it’s discouraged since a lot is missing. (Leak tests, rng (random) device and probably much more.)

Having said this, and having made you aware of this, feel free to discuss it. Eventually someone figures it out and becomes the maintainer.

Denis, you do not have to import or use the supplied xml files when using qemu without libvirt. Moreover you do not have to create any bridges; the connection between the VMs is provided by the listen and connect parts of the commands. Also, all works fine. I also activated the workstation's firewall and all continues to work fine. I have not had IP leaks so far. Speed is much faster than on libvirt or VB and equals the host's. I think you can also use images from the VB version if you convert them to qcow2. I do not use any hugepages or balloon parts of the commands because all works without them from the start. You may use my commands, only change the mac addresses and the connect/listen port. Find the linux command to generate correct mac addresses. Of course you can change memory size and cpu options. One disadvantage vs libvirt is that you can no longer use USB passthrough because it simply does not work on new qemu versions. So you will have to think about how to exchange files between host and guest.
Also to have good graphics on workstation you must use spice. Add the following to the workstation’s command: -spice port=5390,addr=127.0.0.1,password=mypassw,ipv4

And run the third command from terminal: spicec -h 127.0.0.1 -p 5390 -w mypassw
Of course you must install the spicec software on your host to use that command. It opens a new window in which the workstation runs. And you can make it fullscreen by pressing shift+F11.

One important thing is that both your images must have permissions for your user! You may give permissions with chown root:kvm name-of-image, and your user must be in the kvm group of course. Also beware that if you start your images with libvirt, the permissions on the images will be returned to root and you will have to change them again.
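The post above leaves two things to the reader: generating MAC addresses that are valid for the two VMs, and making sure the image files are actually readable and writable by the user that starts qemu. The following script is an added example, not code from the thread or from the Whonix project. It generates a random locally administered unicast MAC (bit 1 of the first octet set, bit 0 clear, which is what a made-up address should look like so it cannot collide with a vendor-assigned one), validates a MAC against those two bits, checks that an image path is a readable and writable regular file, and checks that a `listen=`/`connect=` style `host:port` value binds to loopback rather than to every interface. The function names and the sample MACs in the comments are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread): sanity checks for a libvirt-less qemu setup.

# Generate a random locally administered unicast MAC address.
# First octet: bit 1 (0x02) set = locally administered, bit 0 (0x01) clear = unicast,
# so the first octet always ends in 2, 6, a or e.
gen_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 & 252) | 2 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Return 0 if $1 is a well-formed, unicast, locally administered MAC address.
# Example: DE:BE:BE:DE:A0:1C passes; 01:00:5e:00:00:01 (multicast) fails;
# a vendor-assigned address such as 00:e0:2a:a1:e4:d2 works in qemu but is flagged here.
check_mac() {
    mac=$1
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$mac" in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 1 )) -eq 0 ] || return 1   # multicast bit must be clear
    [ $(( first & 2 )) -ne 0 ] || return 1   # locally administered bit must be set
    return 0
}

# Return 0 if the disk image is a regular file the current user can read and write.
# qemu runs as the invoking user, so group membership alone is not enough.
check_image_rw() {
    [ -f "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# Return 0 if a host:port spec (as used in -net socket,listen=... / connect=...
# or -spice addr=...) binds to the loopback network only.
check_loopback() {
    case "$1" in
        127.*:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage when run directly: print a fresh MAC and check the arguments given.
if [ "$#" -gt 0 ]; then
    echo "new MAC: $(gen_mac)"
    for img in "$@"; do
        if check_image_rw "$img"; then echo "ok: $img"; else echo "not readable/writable: $img"; fi
    done
fi
```

With the gateway's `listen=127.0.0.1:12222` and the workstation's `connect=127.0.0.1:12222`, `check_loopback` passes; a value of `0.0.0.0:12222` would expose the inter-VM socket to the LAN and is rejected.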

Still sticking to my last statement:

Having that said, this could be interesting:

virsh domxml-to-native qemu-argv ~/Whonix-Gateway_qemu-*.xml

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=spice /usr/bin/qemu-system-x86_64 -name Whonix-Gateway -machine ubuntu,accel=tcg,usb=off -cpu qemu64,-kvmclock,+kvm_pv_eoi,+kvm_pv_unhalt -m 512 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid d67e18a8-ea3c-4c6d-81eb-99a6324506a6 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/Whonix-Gateway.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,clock=vm,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -drive file=/var/lib/libvirt/images/Whonix-Gateway.qcow2,if=none,id=drive-virtio-disk0,format=qcow2 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:6d:37:bc,bus=pci.0,addr=0x3 -netdev tap,id=hostnet1 -device virtio-net-pci,netdev=hostnet1,id=net1,mac=52:54:00:ac:89:1e,bus=pci.0,addr=0x4 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -spice port=5901,addr=127.0.0.1,disable-ticketing,disable-copy-paste,disable-agent-file-xfer,seamless-migration=on -device qxl-vga,id=video0,ram_size=262144000,vram_size=262144000,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x5 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x8 -object rng-random,id=rng0,filename=/dev/random -device virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x9 -msg timestamp=on

Looks like a much saner method to approach this to me.

Indeed, it may be used with kvm. No memory issues. Works faster than with libvirt and better security.

Tried building aqemu but failed. There must be something missing in the list of required libs. I get through cmake OK and the build ALMOST completes but it fails late
CMakeFiles/aqemu.dir/build.make:1366: recipe for target ‘CMakeFiles/aqemu.dir/Embedded_Display/vncview.o’ failed
make[2]: *** [CMakeFiles/aqemu.dir/Embedded_Display/vncview.o] Error 1
CMakeFiles/Makefile2:60: recipe for target ‘CMakeFiles/aqemu.dir/all’ failed
make[1]: *** [CMakeFiles/aqemu.dir/all] Error 2
Makefile:117: recipe for target ‘all’ failed
make: *** [all] Error 2

Back to libvirt and having to redo my partition table (SUCKS!)

[quote="praedor, post:9, topic:711"]Tried building aqemu but failed. There must be something missing in the list of required libs. I get through cmake OK and the build ALMOST completes but it fails late
CMakeFiles/aqemu.dir/build.make:1366: recipe for target ‘CMakeFiles/aqemu.dir/Embedded_Display/vncview.o’ failed
make[2]: *** [CMakeFiles/aqemu.dir/Embedded_Display/vncview.o] Error 1
CMakeFiles/Makefile2:60: recipe for target ‘CMakeFiles/aqemu.dir/all’ failed
make[1]: *** [CMakeFiles/aqemu.dir/all] Error 2
Makefile:117: recipe for target ‘all’ failed
make: *** [all] Error 2

Back to libvirt and having to redo my partition table (SUCKS!)[/quote]

Got it to build, finally. Had to comment out part of vncview.cpp and then it built and works BUT cannot get Whonix to actually display. I can (apparently) get it to run but no screen, making it pretty useless. I’m just going to go back to standard kvm/qemu/libvirt.