Re: [qubes-users] Why does sys-firewall needs so much RAM?
On 05/27/18 16:40, 799 wrote:
> The only thing I am struggling with is to install something so crucial
> like a firewall which is not coming from the Qubes Team. For me as
> a normal user it is hard to decide if qubes-mirage-firewall is
> reasonably secure compared to the default sys-firewall.

Well, Thomas Leonard (talex) is a big open source contributor. Author reputation apart, a unikernel is more secure than the normal sys-firewall because it has tons less complexity. A unikernel is a kernel running a single process with a unique address space, without a user system, etc. It only has the code/libs needed for running that single process. A normal Linux distribution like the standard sys-firewall has a lot of things not needed for the firewall task; even fedora-minimal has a lot of functions and complexity compared to mirage-firewall.

Also, a pretty vulnerable part of standard Qubes is the network stack of Linux. If a compromised sys-net has some exploit for that part of the code, it is likely to scale from it to sys-firewall using the same exploit and then to other AppVMs. So it is nice to have a totally different system in between.

Another interesting difference is the programming language. A Fedora or Debian sys-firewall has millions of lines of C or similar code, where common security problems appear relatively easily and are hard to find and fix. mirage-firewall is mostly based on OCaml, a functional-oriented language where this kind of programming error is less likely to happen.

> As far as I understand it is run a docker image (in dom0?).

No. Docker is used in some AppVM to build the mirage-firewall image. I think Docker is used to simplify the build process. Once you have your kernel image you pass it to dom0 and just boot a new VM with that kernel.

> Is there any official feedback regarding the qubes-mirage-firewall
> and what do the "Qubes Pro's" think about it.
> If it is better, then why hasn't it been integrated in the Qubes Image?

There is this issue: https://github.com/QubesOS/qubes-issues/issues/3792

There is a problem with the current mirage-firewall: the rules are currently hard-coded in the source. So you need to modify, rebuild and reboot the VM to change them.

Also there is a fork which uses the module.img file (a dummy file in the other version) to save the rules: https://github.com/cfcs/qubes-mirage-firewall/tree/user_supplied_rules

This way you can edit the rules without rebuilding the whole image, but I think that you need to reboot the VM.

When I discovered this I wanted to add compatibility with Qubes Manager for it, but it was pretty difficult with the Qubes 3.2 format. Now that I'm using Qubes 4, I would like to try again.

> I will rebuild my sys-firewall from a fedora-26-minimal template
> and try to see if I can reduce memory.
>
> Question: How can I check how much memory really is consumed?
>
> [user@dom0 ~]$ xl list [...]
> sys-firewall shows 1.638 MB
>
> [user@sys-firewall ~]$ free -h
>               total        used        free      shared  buff/cache   available
> Mem:           1.4G        133M        882M        2.9M        454M        1.1G
> Swap:          1.0G          0B        1.0G
>
> Does this mean that only 133 MB is currently used by sys-firewall?
>
> Maybe I made the mistake trusting the numbers in dom0: xl list?

sys-firewall has 1.4G assigned but only 133M used and 454M cached (probably during the boot process). It has 882M free and it (and part of the cached) will be reduced when other VMs need more memory. If you want, try to stress your system by opening disposable VMs to see if it gets reduced.

I have it with the default setup (500min 4000max) and currently it reports:

    [user@sys-firewall ~]$ free -h
                  total        used        free      shared  buff/cache   available
    Mem:           348M        165M         94M        2.6M         88M         48M
    Swap:          1.0G         14M        1.0G
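
Added example, not part of any message in this thread: a small shell helper that compares what the guest reports in `free -m` with the amount dom0 shows as assigned, which is the distinction the reply above draws. The function name `mem_summary` is hypothetical and the sample output is constructed from the figures quoted in the thread; columns are located by header name so the older `buffers`/`cached` layout of `free` is handled too.

```shell
#!/bin/sh
# Constructed sample: `free -m`-style output using the figures quoted in the
# thread (133M used, 882M free, 454M buff/cache), expressed in MiB.
SAMPLE_FREE='              total        used        free      shared  buff/cache   available
Mem:           1469         133         882           2         454        1126
Swap:          1023           0        1023'

# mem_summary ASSIGNED_MIB  (hypothetical helper; reads `free -m` output on stdin)
# ASSIGNED_MIB is what dom0 reports for the VM, e.g. the figure from `xl list`.
mem_summary() {
    awk -v assigned="$1" '
        # The header row has no label column, so data fields are shifted by one.
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i + 1; next }
        $1 == "Mem:" {
            if (assigned + 0 <= 0) {
                print "assigned must be > 0" > "/dev/stderr"
                exit 1
            }
            used = $(col["used"])
            idle = $(col["free"])
            # Newer procps prints one buff/cache column; older versions
            # print separate buffers and cached columns.
            if ("buff/cache" in col) {
                cache = $(col["buff/cache"])
            } else {
                cache = $(col["buffers"]) + $(col["cached"])
            }
            printf "used=%d free=%d cache=%d used_pct_of_assigned=%d\n",
                   used, idle, cache, int(used * 100 / assigned)
        }'
}

# 1638 is the dom0 figure quoted in the thread for sys-firewall.
printf '%s\n' "$SAMPLE_FREE" | mem_summary 1638
```

In a real VM the input would be `free -m | mem_summary <MiB shown by dom0>`; a low percentage means most of the assignment is free or cache rather than memory the firewall is actually using.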
Re: [qubes-users] Why does sys-firewall needs so much RAM?
On 27 May 2018 at 16:13, donoban wrote:
> [...]
> Also if you want to save more RAM with sys-firewall, consider trying:
> https://github.com/talex5/qubes-mirage-firewall

I haven't heard of the "unikernel firewall", thanks. More explanation found here: http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/

The only thing I am struggling with is to install something so crucial like a firewall which is not coming from the Qubes Team. For me as a normal user it is hard to decide if qubes-mirage-firewall is reasonably secure compared to the default sys-firewall.

As far as I understand it is run a docker image (in dom0?).

Is there any official feedback regarding the qubes-mirage-firewall and what do the "Qubes Pro's" think about it. If it is better, then why hasn't it been integrated in the Qubes Image?

I will rebuild my sys-firewall from a fedora-26-minimal template and try to see if I can reduce memory.

Question: How can I check how much memory really is consumed?

    [user@dom0 ~]$ xl list [...]
    sys-firewall shows 1.638 MB

    [user@sys-firewall ~]$ free -h
                  total        used        free      shared  buff/cache   available
    Mem:           1.4G        133M        882M        2.9M        454M        1.1G
    Swap:          1.0G          0B        1.0G

Does this mean that only 133 MB is currently used by sys-firewall?

Maybe I made the mistake trusting the numbers in dom0: xl list?

[799]
Re: [qubes-users] Why does sys-firewall needs so much RAM?
On Sun, May 27, 2018 2:13 pm, donoban wrote:
> On 05/27/18 16:04, donoban wrote:
>> On 05/27/18 15:31, 799 wrote:
>>> Hello,
>>>
>>> as I have only 16GB of RAM available I'd like to keep an eye on
>>> RAM consumption. I am wondering why my sys-firewall always needs
>>> > 3 GB of RAM. What is running there that needs so much memory?
>>>
>>> My sys-firewall is based on a fedora-minimal package which has
>>> some additional packages installed to work as a firewall AppVM.
>>> Memory consumption according to qvm-ls is 3.083 MB after a fresh
>>> restart only having sys-net and sys-usb running.
>>>
>>> My sys-usb is showing 284 MB RAM, my sys-net 384 MB
>>
>> 364M here. Could you check how much of this RAM is really being
>> used?
>>
>> Also check top and look at which processes are consuming too much
>> memory.
>
> Also if you want to save more RAM with sys-firewall, consider trying:
> https://github.com/talex5/qubes-mirage-firewall

Sys-firewall defaults to 500/4000 initial/max memory with memory balancing enabled, so it should surrender memory it's not actually using to other VMs as needed. You could drop max to 500 as well but leave balancing enabled. That worked for me on 3.2. I've been relying on balancing in 4.0 except during a couple of RCs when it wasn't working.
Re: [qubes-users] Why does sys-firewall needs so much RAM?
On 05/27/18 16:04, donoban wrote:
> On 05/27/18 15:31, 799 wrote:
>> Hello,
>>
>> as I have only 16GB of RAM available I'd like to keep an eye on
>> RAM consumption. I am wondering why my sys-firewall always needs
>> > 3 GB of RAM. What is running there that needs so much memory?
>>
>> My sys-firewall is based on a fedora-minimal package which has
>> some additional packages installed to work as a firewall AppVM.
>> Memory consumption according to qvm-ls is 3.083 MB after a fresh
>> restart only having sys-net and sys-usb running.
>>
>> My sys-usb is showing 284 MB RAM, my sys-net 384 MB
>
> 364M here. Could you check how much of this RAM is really being
> used?
>
> Also check top and look at which processes are consuming too much
> memory.

Also if you want to save more RAM with sys-firewall, consider trying: https://github.com/talex5/qubes-mirage-firewall
Re: [qubes-users] Why does sys-firewall needs so much RAM?
On 05/27/18 15:31, 799 wrote:
> Hello,
>
> as I have only 16GB of RAM available I'd like to keep an eye on
> RAM consumption. I am wondering why my sys-firewall always needs
> > 3 GB of RAM. What is running there that needs so much memory?
>
> My sys-firewall is based on a fedora-minimal package which has
> some additional packages installed to work as a firewall AppVM.
> Memory consumption according to qvm-ls is 3.083 MB after a fresh
> restart only having sys-net and sys-usb running.
>
> My sys-usb is showing 284 MB RAM, my sys-net 384 MB

364M here. Could you check how much of this RAM is really being used?

Also check top and look at which processes are consuming too much memory.
[qubes-users] Why does sys-firewall needs so much RAM?
Hello,

as I have only 16GB of RAM available I'd like to keep an eye on RAM consumption. I am wondering why my sys-firewall always needs > 3 GB of RAM. What is running there that needs so much memory?

My sys-firewall is based on a fedora-minimal package which has some additional packages installed to work as a firewall AppVM. Memory consumption according to qvm-ls is 3.083 MB after a fresh restart only having sys-net and sys-usb running.

My sys-usb is showing 284 MB RAM, my sys-net 384 MB

[799]