Whonix 15: increasing allocated CPU number makes the VM incredibly slow

onion_knight · May 7, 2019, 9:07am

Weird bug. Happens both in live-boot and persistent modes.

I noticed my Whonix 15 Workstation was incredibly slow: slow boot, very slow reaction times, whatever I would do (simple terminal tasks, browsing, etc.), everything is slow and almost freezing, although I have allocated 4GB of RAM and up to 4 CPUs.

I tested the .qcow2 disk in other VM, and it worked just fine.

I tried reinstalling everything, worked very fast as expected with default settings.

Then I increased the CPU count to 4, and it was again very slow. Decreased to 1 (default), fast again…

What could be the cause of such behavior?

I should add just in case that I am using kernel 5.0.6, so I had to uncomment the parameter

 <blkiotune>
    <weight>250</weight>
</blkiotune>

I see that the default CPU setting is “host-passthrough”. Could it be related (didn’t test with other options)?

Here are some stats to compare:

“fast” boot with default CPU number (1):

user@host:~$ sudo systemd-analyze time
Startup finished in 1.318s (kernel) + 7.430s (userspace) = 8.749s 
graphical.target reached after 3.097s in userspace

“slow” boot with 4 CPU:

user@host:~$ sudo systemd-analyze time
Startup finished in 8.774s (kernel) + 20.572s (userspace) = 29.346s 
graphical.target reached after 20.551s in userspace

HulaHoop · May 7, 2019, 8:55pm

That’s because I use CPU pinning by default to isolate VM CPUs from eachother to prevent side-channel attacks on crypto if there is a vuln in OpenSSL. So even if you add more cores you are essentially overloading a single real one with this setting until it is removed.

To get rid of this behavior remove the

cpuset='1'

in the vcpu tag.

HulaHoop · May 7, 2019, 9:14pm

Added because you are not the first to run into this:

Whonix ™ for KVM

Patrick · May 7, 2019, 9:47pm

The pinning parameter cpuset='1' must be removed in the vcpu tag in the XML settings to allow adding more cores to a VM, otherwise performance issues and lockups will happen.

Ok, that must be removed but what must be done to add other CPUs?

CPU pinning is done to safeguard processes in other VMs that run cryptographic operations from side-channel attacks in case of a vulnerability in a crypto library.

That might imply that adding vCPUs does undermine protection gained from CPU pinning? Can vCPUs (or any real core) be added without undermining protection gained from CPU pinning

HulaHoop · May 8, 2019, 7:53pm

Just increment the number between the vcpu tags higher to increase their no.

Yes you would pin the additional ones to different physical cpus than the ones of say Whonix GW. Needs to be done 1:1.

Attempting to overcommit the no. of vcpus when pinned will cause problems like overcommitting RAM does, if their is no ballooning (because security) and if its all allocated at once (this I will change to allocate as is basis soon with Buster).