On Sunday, 5 June 2016 19:20:43 UTC+10, [email protected] wrote:
>
> On Sat, June 4, 2016 13:58, [email protected] wrote:
>
> > On Sat, June 4, 2016 12:35, "Holger Levsen" <[email protected]> wrote:
> > 
> >> did you try XFCE instead of KDE? XFCE is much more resource friendly.
> > 
> > 
> > Thanks for the tip!  I must try a full install; unfortunately that will 
> > take me offline for some hours, for obvious reasons... 
>
> I manually configured a 4GiB encrypted swap partition on an old hard disk, 
> and separately an encrypted LVM for Qubes, plus /boot and biosboot. 
>
> The good news is that Qubes R3.1 starts, and LXDE is smooth. 
>
> The bad news is that Qubes doesn't use the swap, and important things fail 
> due to out-of-memory. 
>

Firstly, I would recommend setting Dom0 to use only 1 GB of RAM. This is
best set after the initial install; tell the installer NOT to create ANY of
the VMs. That way you can define everything after first boot.
Set each VM to have 256 MB RAM. If you have Memory Balancing on, then set
Maximum to 356 for NetVM and ProxyVM.

So install Qubes, but don't create any VMs; create them yourself AFTER you
have configured Dom0 using the live DVD/USB after the install.

You say you have 2 GB RAM, so have 512 for Dom0, but 1 GB is better.
Then you have 1 GB to share among the other VMs.
You can go as low as 50 MB for a NetVM. I've got mine running at that.
Min 256 for a ProxyVM (depending on how many firewall rules it will have to
handle).
So then you have roughly 700 MB for all other VMs.


 

> I think the rest is best explained in chronological order. 
>
> In the Qubes installer, I elected to configure all the default qubes plus 
> the option to route all system/update traffic through Whonix 
> ("experimental").  During the final stage when it shows a progress bar and 
> configures various qubes, I received the following modal dialog while it 
> was configuring networking: 
>
> --- begin dialog box 
> [title bar: "[Dom0]"] 
>
> Setting up networking failure! 
>
> ['/usr/sbin/service', 'qubes-netvm', 'start'] failed: 
> Redirecting to /bin/systemctl start  qubes-netvm.service 
> Job for qubes-netvm.service failed. See 'systemctl 
> status qubes-netvm.service' and 'journalctl -xn' for 
> details. 
>
> [Close] 
> --- end dialog box 
>
> When I hit "Close", the installer immediately finished.  I do not know 
> whether it just bailed, and left important configuration undone, or if it 
> really finished.  Thence to the Qubes login screen. 
>
> Running "systemctl status -l qubes-netvm.service", the pertinent lines 
> read in pertinent part (sorry, all of this is manually copied and 
> retyped): 
>
> --- begin quote 
> ERROR: ERROR: insufficient memory to start VM 'sys-firewall' 
> qubes-netvm.service: main process exited, code=exited, status=1/FAILURE 
> --- end quote 
>
> On startup, exactly two qubes are running: dom0 and sys-net.  top(1) 
> (which I grit my teeth running in dom0; is it part of the TCB?) shows less 
> than 30M free memory, and... 0 swap! 
>
> Specific questions: 
>
> (a) How do I not only add my swap partition, but make Qubes automatically 
> unlock and use it at boot?  I think this start config issue is probably a 
> Qubes-specific question, because Qubes is not really like other Linux 
> distributions in these under-the-hood system things. ;-) 
>
> (b) Related to (a), how do I make sure in the Qubes startup configuration 
> that it unlocks both the LVM partition and the swap partition with the 
> same LUKS passphrase?  It is not good to type the passphrase multiple 
> times, e.g. in public with shoulder surfers and possibly security cameras 
> around.  (Or better yet, swap with a one-time ephemeral key.) 
>
> (c) If I can get sufficient qubes started, how do I verify that all 
> network traffic (including update traffic) is routed through sys-whonix? 
> IOW in which qube do I fire up tcpdump(1) or check the logs, and really 
> get a global view of which packets are coming in/out?  I am accustomed to 
> watching traffic (through pf and on physical interfaces).  I just need to 
> know where in the Qubes intranet to get a global view, *without* risking 
> compromise to dom0 or another important qube with a tcpdump(1) or 
> libpcap(3) bug. 
>
> Thanks in advance! 
>
> Almost no longer, 
>
>     "Uncubed" (un-uncubed?) 
>
>
