Whonix 8.6 KVM Error in Debian Stable

I am using debian wheezy with mempo kernel (grsec / PAX) and KVM v1.1

When I try to import the xml file for Whonix v8.6, I receive the following error:

error: Failed to define domain from Whonix-Gateway_kvm-8.6.2.8.xml error: internal error Unknown controller type 'pci

when I run virt-xml-validate, I receive:

Whonix-Gateway_kvm-8.6.2.8.xml:24: element pm: Relax-NG validity error : Element domain has extra content: pm
Whonix-Gateway_kvm-8.6.2.8.xml fails to validate

I tried deleting this section in the xml file

then receive this error:

Relax-NG validity error : Extra element devices in interleave
Whonix-Gateway_kvm-8.6.2.8.xml:24: element devices: Relax-NG validity error : Element domain failed to validate content
Whonix-Gateway_kvm-8.6.2.8.xml fails to validate

I was recommended to upgrade to debian testing to use the latest version of KVM, but I was hoping I wouldn’t have to do that. Is there any other solution to get this working on debian wheezy?

We need to fix the xml file. Either by removing the problematic parts or by shipping a separate one for Debian stable. HulaHoop (KVM maintainer?) has been notified. Stay tuned.

Thanks Patrick! I will eagerly await the fix. :slight_smile:

Hi ghost, I have a solution in mind but it will need a little effort from you if that’s alright.

I will need you to

  1. create a virtual machine through the virt-manager gui with the settings I post here, but do not use it for Whonix images.

  2. Dump the xml for that vm on your desktop

  3. paste the contents here so I can tweak them for you to test.

  4. 512MB ram, IDE disk controller, 2 NICs, Display mode set to SPICE, RNG (if you don’t see an RNG available tell me as that was recently supported and could be the cause of your problems - maybe removing it will make it work for you)

You can add hardware later if the option is not available during the vm creation process.

  1. Dump the xml for this vm you created:

virsh dumpxml GuestID > /path/to your desktop/guest.xml

GuestID is the name you used for your vm.

Right-click, edit the xml in your text editor.
CTRL-A, then cut.

  1. Paste the contents between a tag here on the forum for me to take a look.

I don't see RNG. After adding spice it asks me if I would like to add Spice agent channels, I selected yes and it added a channel device with the following details:
Device type: spicevmc
Target type: virtio
Target name: com.redhat.spice.0

So I tried removing RNG from the Whonix xml to check if it was the problem:

<rng model='virtio'>
  <backend model='random'>/dev/random</backend>
</rng>

still receive the same error

error: Failed to define domain from Whonix-Gateway_kvm-8.6.2.8.xml error: internal error Unknown controller type 'pci'

here is the xml file for the virtual machine I just created with the config requested (except for RNG)

<domain type='kvm' id='4'>
  <name>kali</name>
  <uuid>8e623339-2f3c-d62d-18fb-7da9fcb54dd5</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-1.1'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>destroy</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/kali-1.img'/>
      <target dev='hda' bus='ide'/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/sr0'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='00:11:22:aa:bb:cc'/>
      <source network='default'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <interface type='network'>
      <mac address='00:11:22:aa:ff:cc'/>
      <source network='default'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
      <alias name='net1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/2'/>
      <target port='0'/>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/2'>
      <source path='/dev/pts/2'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <graphics type='spice' port='5900' autoport='yes'/>
    <sound model='ich6'>
      <alias name='sound0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' vram='65536' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </memballoon>
  </devices>
  <seclabel type='none'/>
</domain>

Alright, I think I found the source of your problem. Try this and see if it validates. Paste whatever error you get in full here please.

Create a new text file. Paste this, then name the file so it has an .xml ending.

run:
virt-xml-validate /filepath/whatevernameyouchoose.xml

<domain type='kvm'>
  <name>Whonix-Gateway</name>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup' track='guest'/>
    <timer name='kvmclock' present='no'/>
    <timer name='pit' present='no'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/Whonix-Gateway.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
    </controller>
    <controller type='ide' index='0'>
    </controller>
    <controller type='virtio-serial' index='0'>
    </controller>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <source network='Whonix'/>
      <model type='virtio'/>
    </interface>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <clipboard copypaste='no'></clipboard>
    </graphics>
    <sound model='ich6'>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' heads='1'/>
    </video>
    <memballoon model='virtio'>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/random</backend>
    </rng>
  </devices>
</domain>

Relax-NG validity error : Extra element devices in interleave
gateway-new:24: element devices: Relax-NG validity error : Element domain failed to validate content
gateway-new fails to validate

@HulaHoop when I remove…

<sound model='ich6'>
</sound>
<video>
  <model type='qxl' ram='65536' vram='65536' heads='1'/>
</video>
<memballoon model='virtio'>
</memballoon>
<rng model='virtio'>
  <backend model='random'>/dev/random</backend>
</rng>

Then it validates.

Removing

<video>
  <model type='qxl' ram='65536' vram='65536' heads='1'/>
</video>

alone doesn’t help.

But removing that and

<rng model='virtio'>
  <backend model='random'>/dev/random</backend>
</rng>

Makes it validate.

The full version that validates for me is this.

<domain type='kvm'>
  <name>Whonix-Gateway</name>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup' track='guest'/>
    <timer name='kvmclock' present='no'/>
    <timer name='pit' present='no'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/Whonix-Gateway.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
    </controller>
    <controller type='ide' index='0'>
    </controller>
    <controller type='virtio-serial' index='0'>
    </controller>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <source network='Whonix'/>
      <model type='virtio'/>
    </interface>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <clipboard copypaste='no'></clipboard>
    </graphics>
    <sound model='ich6'>
    </sound>
    <memballoon model='virtio'>
    </memballoon>
  </devices>
</domain>

It validates. But I haven’t tested it. Not sure if it works. Not thought about if it’s sane.

<domain type='kvm' id='4'>
  <name>kali</name>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup' track='guest'/>
    <timer name='kvmclock' present='no'/>
    <timer name='pit' present='no'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>destroy</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb0'/>
    </controller>
    <controller type='ide' index='0'>
    </controller>
    <controller type='virtio-serial' index='0'>
    </controller>
    <interface type='network'>
      <source network='default'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <source network='default'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
    </interface>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
    <input type='tablet' bus='usb'>
    </input>
    <input type='mouse' bus='ps2'/>
    <graphics type='spice' port='5900' autoport='yes'/>
    <sound model='ich6'>
      <alias name='sound0'/>
    </sound>
    <video>
      <model type='qxl' vram='65536' heads='1'/>
    </video>
    <memballoon model='virtio'>
    </memballoon>
  </devices>
</domain>

Whonix Forum validates for me (debian stable).

Attempt with as minimal changes as I could. Please improve if possible.

For diff, kompare, meld, etc…

Original:
https://raw.githubusercontent.com/Whonix/Whonix/master/libvirt/Whonix-Gateway_kvm.xml

<domain type='kvm'>
  <name>Whonix-Gateway</name>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup' track='guest'/>
    <timer name='kvmclock' present='no'/>
    <timer name='pit' present='no'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/Whonix-Gateway.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
    </controller>
    <controller type='ide' index='0'>
    </controller>
    <controller type='virtio-serial' index='0'>
    </controller>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <source network='Whonix'/>
      <model type='virtio'/>
    </interface>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <clipboard copypaste='no'></clipboard>
    </graphics>
    <sound model='ich6'>
    </sound>
    <video>
      <model type='qxl' vram='65536' heads='1'/>
    </video>
    <memballoon model='virtio'>
    </memballoon>
  </devices>
</domain>

diff:

24,27d23
<   <pm>
<     <suspend-to-mem enabled='no'/>
<     <suspend-to-disk enabled='no'/>
<   </pm>
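Review bot: dropping the whole `<pm>` block also drops the explicit `suspend-to-mem`/`suspend-to-disk` disables, so on the stable file the guest falls back to libvirt's default power-management behaviour. Since wheezy's libvirt rejects the element outright ("Element domain has extra content: pm" in the validator output at the top of the thread), there is nothing equivalent to keep, so the stable-specific file should carry a comment saying guest suspend is no longer pinned off.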
46d41
<     <controller type='pci' index='0' model='pci-root'/>
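Review bot: this is the line that addresses the define failure quoted in the first post ("Unknown controller type 'pci'"), so it deserves a comment in the stable-specific file explaining why the `pci-root` controller is absent there and must not be re-added. The controllers that remain (usb, ide, virtio-serial) match the set in the working wheezy dump posted earlier, which is the right reference for what that libvirt accepts.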
66c61
<       <model type='qxl' ram='65536' vram='65536' heads='1'/>
---
>       <model type='qxl' vram='65536' heads='1'/>
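Review bot: only the `ram` attribute is dropped here and `vram` is kept, which is the right scope: the thread established that removing the whole `<video>` element on its own did not make the file validate, and the wheezy-generated dump shows `vram='65536'` is accepted.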
70,72d64
<     <rng model='virtio'>
<       <backend model='random'>/dev/random</backend>
<     </rng>
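Review bot: deleting `<rng>` is a functional loss, not a cosmetic one: the stable-only file gives the guest no virtio-rng feed from the host's /dev/random. Since the thread's eventual recommendation is qemu-kvm and libvirt from backports, which do support the rng device, the file should state that it is a fallback for hosts that cannot use backports, and the diff should be checked against that recommendation before it is shipped.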

http://www.diffchecker.com/wrktfpya
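The four edits in the diff above can be applied mechanically instead of by hand. The following script is an added example for this thread, not Whonix's own tooling: it parses a libvirt domain XML, removes `<pm>`, the `pci` controller and `<rng>`, strips the `ram=` attribute from the qxl video model, and reports what it dropped. The assumption is that these four edits are the only ones wheezy's libvirt needs, which is exactly what Patrick's diff shows; the sample domain embedded at the bottom is constructed for the demo and is not a real Whonix file.

```python
"""Strip the domain-XML bits that Debian wheezy's libvirt rejects.

Added example, not part of Whonix.  Mirrors the diff posted in the thread:
drop <pm>, drop the pci-root controller, drop qxl ram=, drop <rng>.
"""
import sys
import xml.etree.ElementTree as ET

# (parent path, child selector) pairs for whole elements to remove.
# Assumption: this list is complete for wheezy, as the thread's diff suggests.
REMOVALS = (
    (".", "pm"),
    ("./devices", "controller[@type='pci']"),
    ("./devices", "rng"),
)


def strip_for_old_libvirt(xml_text):
    """Return (new_xml, removed): the rewritten XML and a list of what went."""
    root = ET.fromstring(xml_text)
    removed = []
    for parent_path, selector in REMOVALS:
        parent = root if parent_path == "." else root.find(parent_path)
        if parent is None:
            continue
        for child in parent.findall(selector):
            parent.remove(child)
            removed.append(selector)
    # Older libvirt understands vram= on the qxl model but not ram=, so keep
    # only vram (the thread showed that dropping all of <video> is not needed).
    for model in root.findall("./devices/video/model[@type='qxl']"):
        if "ram" in model.attrib:
            del model.attrib["ram"]
            removed.append("video/model@ram")
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: a cut-down domain carrying all four offending parts.
SAMPLE_XML = """<domain type='kvm'>
  <name>Whonix-Gateway</name>
  <memory unit='KiB'>524288</memory>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'/>
    <video>
      <model type='qxl' ram='65536' vram='65536' heads='1'/>
    </video>
    <rng model='virtio'>
      <backend model='random'>/dev/random</backend>
    </rng>
  </devices>
</domain>"""


if __name__ == "__main__":
    # Usage: python3 strip_old_libvirt.py Whonix-Gateway_kvm.xml > stable.xml
    # With no argument the constructed sample above is processed instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    new_xml, removed = strip_for_old_libvirt(text)
    sys.stdout.write(new_xml + "\n")
    sys.stderr.write("removed: %s\n" % ", ".join(removed))
```

Run the output through `virt-xml-validate` before `virsh define`, as HulaHoop asked for above; the script only removes what the diff removes and does not check that the result is otherwise sane. Running it a second time over its own output removes nothing, so it is safe to re-apply after the upstream file changes.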

<domain type='kvm' id='4'>
  <name>kali</name>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup' track='guest'/>
    <timer name='kvmclock' present='no'/>
    <timer name='pit' present='no'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>destroy</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb0'/>
    </controller>
    <controller type='ide' index='0'>
    </controller>
    <controller type='virtio-serial' index='0'>
    </controller>
    <interface type='network'>
      <source network='default'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <source network='default'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
    </interface>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
    <input type='tablet' bus='usb'>
    </input>
    <input type='mouse' bus='ps2'/>
    <graphics type='spice' port='5900' autoport='yes'/>
    <sound model='ich6'>
      <alias name='sound0'/>
    </sound>
    <video>
      <model type='qxl' vram='65536' heads='1'/>
    </video>
    <memballoon model='virtio'>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/random</backend>
    </rng>
  </devices>
</domain>

We sorted out on irc, that it is best to install a more recent version of KVM from debian backports (because the one in debian stable does not support rng device):

Packages needed from backports: qemu-kvm libvirt virt-manager and possibly: apparmor-profiles to correct a bug that prevents kvm from binding to internal network NICs.

I managed to get the network started by putting the apparmor profiles libvirtd and dnsmasq in complain mode. But I could then only start the network running as sudo. Does defining the domain have to be run as sudo as well? How can I manage to do this as user? I already added my user to the libvirt group, but when I run as user I get the following error:

error: Failed to start network Whonix
error: Cannot open network interface control socket: Operation not permitted

could grsec be blocking this?

Patrick, it turns out the source of confusion was that the virsh instructions are documented without running them as sudo. This doesn’t allow internal network creation or startup.

Also, the only backports available are just qemu-kvm and libvirt; the other components I listed are not available as backports.

I actually just restarted my comp and it turns out that the apparmor profile dnsmasq and possibly libvirtd block the VMs from starting now, even as sudo.

Maybe setting profiles to complain, then starting the VM, then back to enforcing is the solution, or maybe the apparmor profiles just needed to be restarted for enforcement to work.

In Ubuntu this bug was already fixed in apparmor v2.6: Bug #697239 “dnsmasq profile doesn't work with libvirt” (https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/697239)

With Debian testing in the host, I arrived directly to the same issue as gh0st66.

$ virsh net-autostart Whonix
Network Whonix marked as autostarted

$ virsh net-start Whonix
error: Failed to start network Whonix
error: Cannot open network interface control socket: Operation not permitted

With sudo

$ sudo virsh net-autostart Whonix
error: failed to get network 'Whonix'
error: Network not found: no network with matching name 'Whonix'

> gh0st66 wrote (post 18):
> I actually just restarted my comp and it turns out that the apparmor profile dnsmasq and possibly libvirtd block the VMs from starting now, even as sudo.
>
> Maybe setting profiles to complain, then starting the VM, then back to enforcing is the solution, or maybe the apparmor profiles just needed to be restarted for enforcement to work.
>
> In Ubuntu this bug was already fixed in apparmor v2.6: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/697239

The dnsmasq profile does not exist in ‘testing’ and I disabled libvirtd in AppArmor (2.8-5) to no avail.

Note: libvirt is not shipped by default in Debian testing yet. Have to install libvirt-bin.

For anyone who is using debian stable, so far it seems that you may need to do the following steps in order to use kvm with apparmor:

  1. put the apparmor profiles “dnsmasq” and “libvirtd” into complain mode:

sudo aa-complain /usr/sbin/libvirtd
sudo aa-complain /usr/sbin/dnsmasq

  2. import the Whonix xml config files as sudo (refer to Whonix ™ for KVM for more info):

sudo virsh define ~/Whonix-Gateway/Whonix-Gateway_kvm-*.xml
sudo virsh net-define ~/Whonix-Gateway/Whonix_network-*.xml
sudo virsh define ~/Whonix-Workstation/Whonix-Workstation_kvm-*.xml

  3. start networks and VMs:

sudo virsh net-start Whonix
sudo virsh net-start default
sudo virsh start Whonix-Gateway
sudo virsh start Whonix-Workstation

  4. put apparmor profiles back into enforce mode:

sudo aa-enforce /usr/sbin/libvirtd
sudo aa-enforce /usr/sbin/dnsmasq

The only downside is that you have to repeat step 1, then sudo start both ‘default’ and ‘Whonix’ networks again each time you restart your computer and want to start the VMs again. Then, once the VMs are running, repeat step 4 to enforce the apparmor profiles again.
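Because the sequence above has to be repeated after every reboot and ends with the profiles being put back into enforce mode, it is worth scripting it with a final check that the profiles really are enforcing again. The script below is an added example for this thread, not Whonix's own code. It assumes the file layout the post uses (`~/Whonix-Gateway`, `~/Whonix-Workstation`), the profile paths `/usr/sbin/libvirtd` and `/usr/sbin/dnsmasq`, and the plain-text output format of `aa-status` from AppArmor 2.x; the status text embedded for the offline demo is constructed.

```python
"""Run the complain / define / start / enforce sequence from the post above
and confirm afterwards that the AppArmor profiles are back in enforce mode.

Added example, not Whonix's own code.  Paths and profile names are those
the post uses; the aa-status sample at the bottom is constructed.
"""
import glob
import os
import re
import subprocess
import sys

PROFILES = ("/usr/sbin/libvirtd", "/usr/sbin/dnsmasq")
NETWORKS = ("Whonix", "default")
DOMAINS = ("Whonix-Gateway", "Whonix-Workstation")


def parse_aa_status(text):
    """Map profile path -> 'enforce' | 'complain' from `aa-status` output.

    Only the two "profiles are in ... mode" sections are read; the later
    per-process sections (which carry PIDs) are skipped.
    """
    modes, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\d+ profiles are in (enforce|complain) mode\.", line)
        if m:
            section = m.group(1)
            continue
        if re.match(r"\d+ processes", line):
            section = None
            continue
        if section and raw.startswith(" ") and line:
            modes[line] = section
    return modes


def not_enforcing(status_text, profiles=PROFILES):
    """Profiles from `profiles` that aa-status does not list as enforcing."""
    modes = parse_aa_status(status_text)
    return [p for p in profiles if modes.get(p) != "enforce"]


def plan(gw_xml, net_xml, ws_xml, after_reboot=False):
    """The post's command sequence, in order, as argv lists.

    after_reboot=True skips the define steps, which only need doing once,
    and keeps the complain / net-start / start / enforce cycle.
    """
    cmds = [["sudo", "aa-complain", p] for p in PROFILES]
    if not after_reboot:
        cmds += [["sudo", "virsh", "define", gw_xml],
                 ["sudo", "virsh", "net-define", net_xml],
                 ["sudo", "virsh", "define", ws_xml]]
    cmds += [["sudo", "virsh", "net-start", n] for n in NETWORKS]
    cmds += [["sudo", "virsh", "start", d] for d in DOMAINS]
    cmds += [["sudo", "aa-enforce", p] for p in PROFILES]
    return cmds


def run(cmds, dry_run=True):
    """Print each command; execute it unless dry_run; verify enforcement."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    if dry_run:
        return []
    status = subprocess.run(["sudo", "aa-status"], check=True,
                            capture_output=True, text=True).stdout
    left = not_enforcing(status)
    if left:
        raise SystemExit("profiles still not enforcing: " + ", ".join(left))
    return left


def find_xml(home):
    """Resolve the three Whonix XML files the way the post's globs do."""
    pats = ("Whonix-Gateway/Whonix-Gateway_kvm-*.xml",
            "Whonix-Gateway/Whonix_network-*.xml",
            "Whonix-Workstation/Whonix-Workstation_kvm-*.xml")
    found = [sorted(glob.glob(os.path.join(home, p))) for p in pats]
    if not all(found):
        raise SystemExit("Whonix XML files not found under " + home)
    return [f[0] for f in found]


# Constructed aa-status text: libvirtd enforcing, dnsmasq left in complain.
SAMPLE_STATUS = """apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/libvirtd
2 profiles are in complain mode.
   /usr/sbin/dnsmasq
   /usr/lib/libvirt/virt-aa-helper
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (412)
   /usr/sbin/libvirtd (1203)
0 processes are in complain mode.
"""


if __name__ == "__main__":
    # Usage: whonix_kvm_up.py [--run] [--after-reboot]; without --run it only
    # prints the commands it would execute.
    gw, net, ws = find_xml(os.path.expanduser("~"))
    run(plan(gw, net, ws, after_reboot="--after-reboot" in sys.argv),
        dry_run="--run" not in sys.argv)
```

The enforcement check at the end is the part the post's manual procedure lacks: if step 4 silently fails, the host keeps running libvirtd and dnsmasq unconfined. On the question of sudo raised earlier in the thread, a normal user's `virsh` talks to the per-user `qemu:///session` instance, which has no access to the system networks; `virsh -c qemu:///system` reaches the same instance the `sudo` commands use.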