Virsh edit XML

BM-2cU · March 8, 2015, 7:32pm

Hi there,

I am running a Whonix Workstation 9.6 physical build on KVM using lvm logical volume.
Everything is fine except I cannot change the machine’s xml using virsh edit in order to make the changes to deactivate the kvmclock, it always returns to it’s original version.

how I proceed:

stop the lvm group (and all its logical volumes)
virsh dumpxml XYZ machine > XYZ.xml file
undefine the machine XYZ (this deletes the virsh xml)
edit the copied XYZ.xml file (add the line )
virsh define XYZ.xml

This is how it should be (?)…
But if I edit the virsh xml again, the inserted line is gone :-[

What am I missing here?

verifi · March 8, 2015, 10:41pm

I am running a Whonix Workstation 9.6 physical build on KVM using lvm logical volume. Everything is fine except I cannot change the machine's xml using virsh edit in order to make the changes to deactivate the kvmclock, it always returns to it's original version.

kvmclock is deactivated in the XML you don’t need to do it.

You can still edit a running machine’s XML but the changes won’t take effect until you stop and restart it. No need for undefining redefining anything. Simply edit the configuration that comes up by calling virsh edit machine name then save the changes and exit.

Why are you using LVM instead of the qcow images? An lvm misconfiguration could expose the real filesystem to malicious processes running on the guest. From what I know, the Whonix build script can still allow you to roll your own qcow image from source instead of using orebuilt ones provided here.

BM-2cU · March 9, 2015, 12:32am

At least I found the reason why this line got lost, virt-xml-validate gives me

Maybe this gets solved if I use the backport libvirt, but I don’t like it because it misses a lot of interfaces and cannot be 100% uninstalled.

kvmclock is not deactivated in the vm, it still shows up with

sudo cat /sys/devices/system/clocksource/clocksource0/current_clocksource kvm-clock

Why are you using LVM instead of the qcow images?

If I make a physical isolation build on kvm using lvm I have a far better performance. How does a lvm misconfiguration look like?

verifi · March 9, 2015, 1:38am

What version of libvirt are you running? Libvirt validation removes settings it doesn’t recognize from an edited XML file. Those settings can be about new features the old libvirt knows nothing about. Anything older than Jessie for host will give errors of features not being supported. Run libvirt 1.2.9 and above for best results.

About LVM check the warnings at the end of this page.

BM-2cU · March 9, 2015, 10:52am

@verifi

Thank-you for the advice. Using nas I use uuid for lvm anyway. Maybe it makes sense to investigate and compare security between lvm vg/lv and qcow.

I am still using libvirt from stable. I tried the backport version but then had big trouble with the devices of my other guests. A clean remove of the backport version didn’t work.

BM-2cU · March 9, 2015, 12:17pm

After removing (also configs) I installed from backport

libvirt-bin 1.2.9-9~bpo70+1 qemu-kvm 2.1+dfsg-9~bpo70+1 virt-manager 0.9.1-4

the problem with virt-xml-validate remains

element timer: Relax-NG validity error : Element domain has extra content: timer

verifi · March 9, 2015, 3:00pm

What timers are listed in your XML files?

BM-2cU · March 9, 2015, 4:34pm

Good question^^ there is no timer listed at all, just the utc offset.
As mentioned before I want add

My guess is that when removing the libvirt stable the virt-xml-validate remained or is not included/updated in the backport. First I will install a fresh Debian with libvirt directly from backport just to exclude this possibility.
If that doesn’t help I will download the qcow2 images and compare the xml files.

HulaHoop · March 10, 2015, 1:58pm

Try the files here, if they don’t work your best bet is using Debian Jessie because its been tested as fully compatible:

https://github.com/Whonix/whonix-libvirt/tree/master/usr/share/whonix-libvirt/xml

BM-2cU · March 10, 2015, 7:06pm

@HulaHoop, welcome back! 8)

I installed a fresh debian stable without qemu-kvm or libvirt.
Then I added qemu-kvm and libvirt from backport and installed the Whonix qcow using the kvm xml.

vhost-net fails at startup (should be kernel related? not a Whonix issue)

then checking with virt-xml-validate:

virt-xml-validate ~/Downloads/Whonix-Gateway_kvm-9.6.xmlRelax-NG validity error : Extra element devices in interleave Whonix-Gateway_kvm-9.6.xml:30: element devices: Relax-NG validity error : Element domain failed to validate content Whonix-Gateway_kvm-9.6.xml fails to validate

current_clocksource on the guest gives me tsc

sudo cat /sys/devices/system/clocksource/clocksource0/current_clock source tsc

even when I cut out all other elements from the clock element so it remains

<clock offset='utc'> <timer name='kvmclock' present='no'/> </clock>
the clock source on the guest tells me just tsc.

My conclusion is that I have to install qemu-kvm and libvirt from backport on a fresh install.
Otherwise I am fighting windmills^^

HulaHoop · March 10, 2015, 9:03pm

Thanks for the warm welcome

vhost-net fails at startup (should be kernel related? not a Whonix issue)

I have set KVM to prefer the kernel virtio network driver if present on the system or else it falls back to virtio-net. From what I gather, Debian stable kernel doesn’t enable vhost-net by default.

Juat ignore virt-xml-validate warnings. From my experience there is something buggy about it on Debian that makes it complain about perfectly good configurations as of recently.

By reporting tsc, it means your kvmclock clock is now gone and everything is working as expected.