Whonix Workstation v Custom Workstation issue

Temple · September 17, 2016, 8:33am

What could cause the following and is there anything I could do to speed things up.

Scenario a = Whonix Gateway > Whonix Workstation. I have a website installed on a nginx server, it communicates with a mysql database and the average page loading times are really slow, it’s taking around 40+ seconds from my testing it seems to be the communication between the webapp and the mysql database which is causing the slow loading times.

Scenario b = Whonix Gateway > Debain vm forced to use Whonix Gateway to torifry traffic. The exact same website, server settings and mysql settings. Now my loading times are down to 5-10 seconds a lot faster and manageable for a tor hidden service.

Scenario c = Standalone Debian vm. The exact same website, server settings and mysql settings, the page load times are almost instant.

I have no problem with the Scenario b loading times, I just want to get Scenario a down to the same loading times. In scenario b the custom debain vm is still been forced to use the Whonix Gateway so I really don’t know why the workstation in scenario a is so much slower to load my pages. I really wanted to use both Whonix Gateway and Whonix Workstation to run a hidden service but I feel those loading times will drive people away

In all 3 scenarios the vm are using the same amount of ram.

Is there a reason for this? Is there a possible way to fix it? Finally would an upgrade to a SSD fix scenario a? I don’t want to pay the upgrade fee if it would have no bearing on the loading times.

HulaHoop · September 17, 2016, 3:29pm

Unrelated advice:

Stay away from mysql because Oracle has not bothered to patch a serious 0day for 4 (!) months.
https://www.phoronix.com/scan.php?page=news_item&px=MySQL-Crit-0-Day

HulaHoop · September 17, 2016, 3:32pm

Are you running the exact same package versions in scenarios a vs b?

What VM settings do you have for the Debian VM? Did you import the Whonix-workstation-custom xml?

Could be a matter of different performance settings. Would help if you post the XML for the 8.2 VM.

Temple · September 18, 2016, 4:16pm

Hi sorry for the delay I have made a pastebin for you to take a look at.

http://pastebin.com/n5GVpPS1

HulaHoop · September 18, 2016, 10:04pm

OK it does diverge a lot but since Whonix 13 released I have changed the settings file considerably and ripped out a lot of useless features to lessen surface of attack. Please try changing the 8.2 settings to match this and tell me about performance:

Please backup this settings file first! so you can reuse it to test. Take care to change the disk file path as needed:

github.com

Whonix/whonix-libvirt/blob/17314e8f5cc9119aa40000334440c62930b3ce2d/usr/share/whonix-libvirt/xml/Whonix-Custom-Workstation.xml

<domain type='kvm'>
  <name>Whonix-Custom-Workstation</name>
  <description>Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings</description>
  <memory unit='KiB'>1048576</memory>
  <memoryBacking>
   <nosharepages/>
  </memoryBacking>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static' cpuset='1'>1</vcpu>
  <os>
    <type>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <hap/>
    <pvspinlock state='off'/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='forbid'>qemu64</model>
    <feature policy='disable' name='tsc'/>

This file has been truncated. show original

If things turn out bad, we can take a look at changing one thing at a time in the 8.2 to see what change brings thi disappointing performance.

Temple · September 18, 2016, 10:21pm

Thanks I’ll test this and report back to you. Ty for the help.

Temple · September 18, 2016, 11:55pm

I used the conf on the custom debiam vm, it booted up and everything inside worked fine, website loaded fine etc. The only issue is on shutdown I get the following error

systemd failed to shutdown[1]: failed to finalize DM devices, ignoring
reboot:system halted.

I also tested the custom conf on my Whonix Workstation but it’s still taking around 30-40 seconds to load my webpages, if I was to use the custom version on a custom vm to host a hidden service, am I correcting in thinking that dns leaks are still not possible whilst using the custom version?

The cusom one will load the webapp at a decent usable pace.

Once again thanks for your help.

HulaHoop · September 19, 2016, 2:36pm

systemd failed to shutdown[1]: failed to finalize DM devices, ignoring
reboot:system halted.

Yes the reason for that is that I removed ACPI to get rid of the fine grained timer acpi_pm. This is important for security but the side effect is you cannot gracefully shutdown machines anymore.

I also tested the custom conf on my Whonix Workstation but it’s still taking around 30-40 seconds to load my webpages, if I was to use the custom version on a custom vm to host a hidden service, am I correcting in thinking that dns leaks are still not possible whilst using the custom version?

Yes correct.

Thanks for testing. I think your results rule out my custom settings as the cause for the slowdown. There must be a difference in the base package versions between Whonix and Debian 8.2. (I assume you run both completely updated?) Debian 8.6 came out a few days ago BTW.

With that said I am still interested in finding the cause in Whonix for these differences as it would be a disappointment if server admins are pushed away because of performance problems.

Temple · September 19, 2016, 2:41pm

Oh that makes sense, I’ll take a small side effect such as this for increased security :).

I do indeed run them both fully updated, what’s even more strange I tested simple machine forums and that has no performance issue under the Whonix machine at all, it just loads and works fast.

It can’t be the code(laravel app) though as it’s working lighting fast under a regular vm and still pretty fast under the custom Debian version. I’m feeling more relaxed now I know the custom Debian version can’t have any dns leaks, it’s just to host a hidden service soit won’t be used for browsing, the hidden service is fully legal but I still wanted to make sure that it would be secure enough and that the vm thinks 10.152.152.10/11 is it’s own ip address with no dns leaks and it seems it is indeed.

I’ll upgrade to 8.6

Thanks for your time and help.

HulaHoop · September 19, 2016, 2:53pm

My guess is the difference we are seeing is because of the cluster_size feature we enable for qcow image files:

While it provides very good perf gains when the guest is writing larger files, it can be a source of reduced performance when small files are being read/written.

@Temple

Please convert the Whonix qcow2 file using these parameters and test if there’s a difference. It might not be possible to change this after the fact but I don’t know.

qemu-img convert -p -O qcow2 -o preallocation=metadata $whonix_version_old.qcow2 $whonix_version_new.qcow2

(Again please backup first)

Temple · September 19, 2016, 4:16pm

Hi I’ll do that in a moment and check back with you I just want to make sure before I do it as to avoid any mistakes.

I input that command in terminal on the host machine and not inside the Whonix Workstation correct? I don’t want to make any mistakes here haha.

Also will I change the name to Whonix_Workstation.qcow2 instead of whonix_version_old?

Once you reply I’ll get to it and make the changes.

HulaHoop · September 20, 2016, 1:37am

Yes

Temple · September 20, 2016, 3:36pm

Ok it’s converting right now, I’ll report back and edit this reply once, it’s finished and I have tested it.

It finished converting and I loaded the Workstation with the new file as source, it loads up fine but the mysql connection is still slow.

In the mean time I have rented a cheap vps and installed Whonix and the same webapp on the vps and it loads normal speed in the vps version so I’m even more stumped now. I would think it’s a problem with the dedicated server but it can’t be that due to the other vm loading the webpages at a much faster pace.

I’m starting to think I should uninstall and redo it all over again if you don’t have any other ideas.

HulaHoop · September 20, 2016, 4:29pm

Thanks for testing - very useful information and surprising indeed. This rules out Whonix and the qcow2 disk settings so I can only conclude its a strange, machine specific quirk you ran into.

I’m starting to think I should uninstall and redo it all over again if you don’t have any other ideas.

That’s a good option. Please let me know if that fixes anything.

Temple · September 21, 2016, 8:44pm

Hi I reinstalled everything and it’s working like a charm, same speed as the custom workstation so i really don’t know what caused the issue but it’s now working.

Thank you for all the help and patience.