Re: [qubes-users] Why does sys-firewall needs so much RAM?

2018-05-27 Thread donoban
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 05/27/18 16:40, 799 wrote:
> The only thing I am struggling with is to install something so crucial
> like a firewall which is not coming from the Qubes Team. For me as
> a normal user it is hard to decide if qubes-mirage-firewall is
> reasonably secure compared to the default sys-firewall.

Well, Thomas Leonard (talex) is a big open source contributor.

Author reputation apart, a unikernel is more secure than the normal
sys-firewall because it has far less complexity. A unikernel is a
kernel running a single process in a single address space, without a
user system, etc.; it only has the code/libs needed for running that
single process. A normal Linux distribution like the standard sys-firewall
has a lot of things not needed for the firewall task; even
fedora-minimal has a lot of functions and complexity compared to
mirage-firewall.

Also, a pretty vulnerable part of standard Qubes is the Linux network
stack. If a compromised sys-net has some exploit for that part of the
code, it is likely to escalate from it to sys-firewall using the same
exploit and then to other AppVMs. So it is nice to have a totally
different system in between.

Another interesting difference is the programming language. A Fedora or
Debian sys-firewall has millions of lines of C or similar code, where
common security problems are relatively easy to appear and hard to find
and fix. mirage-firewall is mostly based on OCaml, a functionally
oriented language where this kind of programming error is less
likely to happen.

> As far as I understand it runs as a docker image (in dom0?).

No. Docker is used in some AppVM to build the mirage-firewall image.
I think docker is used to simplify the build process. Once you have
your kernel image you pass it to dom0 and just boot a new VM with that
kernel.

> Is there any official feedback regarding the qubes-mirage-firewall
> and what do the "Qubes Pro's" think about it?
> If it is better, then why hasn't it been integrated in the Qubes image?

This issue exists:
https://github.com/QubesOS/qubes-issues/issues/3792

There is a problem with the current mirage-firewall: the rules are
currently hard coded in the source. So you need to modify, rebuild and
reboot the VM to change them.

Also there is a fork which uses the module.img file (a dummy file in
the other version) to save the rules:
https://github.com/cfcs/qubes-mirage-firewall/tree/user_supplied_rules

This way you can edit the rules without rebuilding the whole image, but I
think that you need to reboot the VM.

When I discovered this I wanted to add compatibility with Qubes
Manager for it, but it was pretty difficult with the Qubes 3.2 format. Now
that I'm using Qubes 4, I would like to try again.

> I will rebuild my sys-firewall from a fedora-26-minimal template
> and try to see if I can reduce memory.
> 
> Question: How can I check how much memory really is consumed?
> 
> [user@dom0 ~]$ xl list
> [...]
> sys-firewall shows 1.638 MB
> 
> [user@sys-firewall ~]$ free -h
>               total        used        free      shared  buff/cache   available
> Mem:           1.4G        133M        882M        2.9M        454M        1.1G
> Swap:          1.0G          0B        1.0G
> 
> Does this mean that only 133 MB is currently used by sys-firewall?
> 
> Maybe I made the mistake trusting the numbers in dom0: xl list?

sys-firewall has 1.4G assigned but only 133M used and 454M cached
(probably during the boot process). It has 882M free and that (and part of
the cache) will be reduced when another VM needs more memory.

If you want, try to stress your system by opening disposable VMs to see
if it gets reduced. I have it with the default setup (500 min, 4000 max) and
currently it reports:

[user@sys-firewall ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:           348M        165M         94M        2.6M         88M         48M
Swap:          1.0G         14M        1.0G

-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAlsK3J4ACgkQFBMQ2OPt
CKUI7hAAt6GuZqV5/4J6UsPwv8K+EQcE2huPq3l5f/psY5KfSLVNqIGXS5nW9sT2
Q1/ZsyYyGD59B6w2+O+eu3oLCMluMJoS12lq8ZHUEpoyPsbolX62eGxlS6nDMKL/
Yd1fZE4i4PwBNxvBGOQnCos+p44+lc0kiQDTq4NLPadNXICQoyzsvTY0P0ck+V+m
jeDrueSY4g/n2+33he8NaNNe+kiMm7Eo6huyCeSFMDYk+QWp8wPbHH7s4+wfoP/h
niAHOD9g/bNORWOXEiz7iUSq7T3ZDcsyVyJxs10Avvx/ZYQXcxaxbIYx1ZNIMuOL
M5JDvRw8D0oK2tU6ee9Yal38DnK1eN3RKMNBdlxWpKD1ZwW3TpWMH25YD5OdbnpT
fE1yjvjW3N0clO99dt7CNkjD5m09fO63gqq4KFyXr51hUqu1ZANtzr7Sky55QgZy
OXmqZsbG9dRa5RFN/bUAQs3LK5WhEwzVcIxRyXsiPuGQQk0qFn0rH/7PEKr6/1sq
9vw6QrlDCFEzfxZEL6Vh3KQ0+8dXZACgwFTg/vo/nP7qvuIkFpLeUHNxKluMyLdi
OMPWwNcl7UZN9ojPQg2X2b8qYisw1IgD1UPmPRjm3lmhe5lDlxIFfIyfqJRlfht8
ktxMkRWzfufBG2S5dwCzYbSAKJB/oNd4SKEOowUfWlfDTwpaNHI=
=OKVC
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, 

Re: [qubes-users] Why does sys-firewall needs so much RAM?

2018-05-27 Thread 799
On 27 May 2018 at 16:13, donoban  wrote:

> [...]
> Also if you want to save more ram with sys-firewal, consider trying:
> https://github.com/talex5/qubes-mirage-firewall


I haven't heard of the "unikernel firewall", thanks.

More explanation found here:
http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/

The only thing I am struggling with is installing something so crucial like
a firewall which is not coming from the Qubes Team.
For me as a normal user it is hard to decide if qubes-mirage-firewall is
reasonably secure compared to the default sys-firewall.
As far as I understand it runs as a docker image (in dom0?).

Is there any official feedback regarding the qubes-mirage-firewall and what
do the "Qubes Pro's" think about it?
If it is better, then why hasn't it been integrated in the Qubes image?

I will rebuild my sys-firewall from a fedora-26-minimal template and try to
see if I can reduce memory.

Question:
How can I check how much memory really is consumed?

[user@dom0 ~]$ xl list
[...]
sys-firewall shows 1.638 MB


[user@sys-firewall ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:           1.4G        133M        882M        2.9M        454M        1.1G
Swap:          1.0G          0B        1.0G

Does this mean that only 133 MB is currently used by sys-firewall?

Maybe I made the mistake trusting the numbers in dom0: xl list?
[799]

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sR%2BUd%2B8DBmNkFcuJ4bUoiprmM06wykP%3DsBLyuwZqRApw%40mail.gmail.com.
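799's question above ("How can I check how much memory really is consumed?") and donoban's reading of the `free` columns in his reply come down to the same check: `xl list` / `qvm-ls` in dom0 report how much memory Xen has ballooned into the VM, while only the guest's own /proc/meminfo says how much of that the VM could not hand back. The script below is an added example by the editor, not code from the thread or from Qubes OS. It assumes a Linux guest with /proc/meminfo; the balloon sysfs attributes it reads (`target_kb`, `info/current_kb` under /sys/devices/system/xen_memory/xen_memory0) are those of the upstream xen-balloon driver and are simply skipped if absent. The embedded meminfo sample is constructed, sized to reproduce the 1.4G / 133M / 882M / 454M / 1.1G figures quoted in the thread.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or Qubes OS): report what a
# VM really holds, as opposed to the balloon size that `xl list` / `qvm-ls`
# show in dom0. Run inside the VM (reads /proc/meminfo), or point it at a
# saved copy:  sh vm-mem-report.sh saved-meminfo.txt

# One field of a /proc/meminfo-style file, in kB (empty if the key is absent).
meminfo_kb() {   # meminfo_kb FILE KEY
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# Buffers + page cache + reclaimable slab: what `free` calls "buff/cache".
# It inflates the footprint but the kernel drops it under memory pressure.
mem_cache_kb() {
    buf=$(meminfo_kb "$1" Buffers); cch=$(meminfo_kb "$1" Cached)
    srl=$(meminfo_kb "$1" SReclaimable)
    echo $(( ${buf:-0} + ${cch:-0} + ${srl:-0} ))
}

# "used" the way `free` computes it: total - free - buff/cache.
mem_used_kb() {
    echo $(( $(meminfo_kb "$1" MemTotal) - $(meminfo_kb "$1" MemFree) \
           - $(mem_cache_kb "$1") ))
}

# Memory the VM could not give back to other qubes right now:
# total - MemAvailable (MemAvailable already discounts reclaimable cache).
# Kernels before 3.14 lack MemAvailable; fall back to MemFree + cache.
mem_unreclaimable_kb() {
    avail=$(meminfo_kb "$1" MemAvailable)
    [ -n "$avail" ] || avail=$(( $(meminfo_kb "$1" MemFree) + $(mem_cache_kb "$1") ))
    echo $(( $(meminfo_kb "$1" MemTotal) - avail ))
}

mem_report() {   # mem_report [MEMINFO_FILE]
    f=${1:-/proc/meminfo}
    total=$(meminfo_kb "$f" MemTotal)
    printf 'assigned (MemTotal):   %5d MiB\n' $((total / 1024))
    printf 'used (as free shows):  %5d MiB\n' $(( $(mem_used_kb "$f") / 1024 ))
    printf 'reclaimable cache:     %5d MiB\n' $(( $(mem_cache_kb "$f") / 1024 ))
    unrecl=$(mem_unreclaimable_kb "$f")
    printf 'not reclaimable:       %5d MiB (%d%% of assigned)\n' \
        $((unrecl / 1024)) $((unrecl * 100 / total))
    # Xen balloon view (xen-balloon driver sysfs); only inside a Xen guest.
    bal=/sys/devices/system/xen_memory/xen_memory0
    if [ -r "$bal/target_kb" ] && [ -r "$bal/info/current_kb" ]; then
        printf 'balloon target:        %5d MiB (current %d MiB)\n' \
            $(( $(cat "$bal/target_kb") / 1024 )) \
            $(( $(cat "$bal/info/current_kb") / 1024 ))
    fi
}

# Constructed sample (not a real capture) sized to reproduce the thread's
# figures: 1.4G total, 133M used, 882M free, 454M buff/cache, 1.1G available.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
MemTotal:        1504256 kB
MemFree:          903168 kB
MemAvailable:    1153024 kB
Buffers:           20480 kB
Cached:           419840 kB
SReclaimable:      24576 kB
EOF
# Same sample as an older kernel without MemAvailable would report it.
SAMPLE_OLD=$(mktemp)
grep -v '^MemAvailable:' "$SAMPLE" >"$SAMPLE_OLD"
trap 'rm -f "$SAMPLE" "$SAMPLE_OLD"' EXIT

echo "== constructed sample =="
mem_report "$SAMPLE"
if [ -r /proc/meminfo ]; then
    echo "== this VM =="
    mem_report /proc/meminfo
fi
```

The "not reclaimable" line is the number to compare with what dom0 reports: for the sample it is about 343 MiB against 1469 MiB assigned, so most of the assignment is balloon slack that memory balancing can take back when another qube asks for it. If that figure stays far below the assignment over time, capping it in dom0 (for example `qvm-prefs sys-firewall maxmem 500` on Qubes 4.0, as awokd suggests further down the thread) costs nothing.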


Re: [qubes-users] Why does sys-firewall needs so much RAM?

2018-05-27 Thread awokd
On Sun, May 27, 2018 2:13 pm, donoban wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 05/27/18 16:04, donoban wrote:
>> On 05/27/18 15:31, 799 wrote:
>>> Hello,
>>
>>> as I have only 16GB of RAM available I'd like to keep an eye on
>>> RAM consumption. I am wondering why my sys-firewall always needs > 3 GB
>>> of RAM. What is running there that needs so much memory?
>>
>>> My sys-firewall is based on a fedora-minimal package which has
>>> some additional packages installed to work as a firewall AppVM.
>>> Memory consumption according to qvm-ls is 3.083 MB after a fresh
>>> restart with only sys-net and sys-usb running.
>>
>>> my sys-usb is showing 284 MB RAM, my sys-net 384 MB
>>
>>
>> 364M here, could you check how much of this RAM is really being
>> used?
>>
>> Also check top and look at which processes are consuming too much
>> memory.
>>
>>
>
> Also if you want to save more RAM with sys-firewall, consider trying:
> https://github.com/talex5/qubes-mirage-firewall

Sys-firewall defaults to 500/4000 initial/max memory with memory balancing
enabled, so it should surrender memory it's not actually using to other
VMs as needed. You could drop max to 500 as well but leave balancing
enabled. That worked for me on 3.2. I've been relying on balancing in 4.0
except during a couple of RCs when it wasn't working.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/27d4065848b55a539a39d6e9d48b24c4%40elude.in.


Re: [qubes-users] Why does sys-firewall needs so much RAM?

2018-05-27 Thread donoban
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 05/27/18 16:04, donoban wrote:
> On 05/27/18 15:31, 799 wrote:
>> Hello,
> 
>> as I have only 16GB of RAM available I'd like to keep an eye on
>> RAM consumption. I am wondering why my sys-firewall always needs > 3 GB
>> of RAM. What is running there that needs so much memory?
> 
>> My sys-firewall is based on a fedora-minimal package which has 
>> some additional packages installed to work as a firewall AppVM. 
>> memory consumption according to qvm-ls is 3.083 MB after a fresh 
>> restart only having sys-net and sys-usb running.
> 
>> my sys-usb is showing 284 MB RAM, my sys-net 384 MB
> 
> 
> 364M here, could you check how much of this RAM is really being
> used?
> 
> Also check top and look at which processes are consuming too much
> memory.
> 

Also if you want to save more RAM with sys-firewall, consider trying:
https://github.com/talex5/qubes-mirage-firewall

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fe006907-9805-8ab8-b595-46247607ecce%40riseup.net.


Re: [qubes-users] Why does sys-firewall needs so much RAM?

2018-05-27 Thread donoban
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 05/27/18 15:31, 799 wrote:
> Hello,
> 
> as I have only 16GB of RAM available I'd like to keep an eye on
> RAM consumption. I am wondering why my sys-firewall always need > 3
> GB of RAM. What is running there that needs so much memory?
> 
> My sys-firewall is based on a fedora-minimal package which has
> some additional packages installed to work as a firewall AppVM. 
> memory consumption according to qvm-ls is 3.083 MB after a fresh
> restart only having sys-net and sys-usb running.
> 
> my sys-usb is showing 284 MB RAM, my sys-net 384 MB
> 

364M here, could you check how much of this RAM is really being used?

Also check top and look at which processes are consuming too much memory.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7a71574e-ab13-5df5-35a8-1daf88c07752%40riseup.net.


[qubes-users] Why does sys-firewall needs so much RAM?

2018-05-27 Thread 799
Hello,

as I have only 16GB of RAM available I'd like to keep an eye on RAM
consumption.
I am wondering why my sys-firewall always needs > 3 GB of RAM.
What is running there that needs so much memory?

My sys-firewall is based on a fedora-minimal package which has some
additional packages installed to work as a firewall AppVM.
Memory consumption according to qvm-ls is 3.083 MB after a fresh restart
with only sys-net and sys-usb running.

My sys-usb is showing 284 MB RAM, my sys-net 384 MB.

[799]

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uuD4wCdYj9Y%2BFqff6e2Ei53BUrkg-zHTDPmryFg%3DFeEQ%40mail.gmail.com.