Running VMs without xorg to trim down RAM?


Jane Jok

Mar 27, 2017, 9:10:46 AM
to qubes-users
Okay, so here's the gist:

I have a configured netvm and firewallvm

I don't need to be able to properly run a terminal there most of the time because everything I wanted to do is already done there (scripts, firewall rules, etc etc etc etc).

I am running this qubes install on a laptop so RAM is like, in great demand.

Wanted to trim off a few more MB of RAM from each of my firewallvms and some other servicevms I have (USB, etc).

Seems like running a VM at the equivalent of init 3 should be possible; however, trying to run the init3 command or any flavor of systemctl isolate multi-user.target does not produce the desired result (Xorg still runs, it seems).

So the questions are

1) is it possible to configure a VM to run a "minimum" set of services a-la init 3 without all the fancy GUI stuff?

2) how to return it to "normal" operation (by using the "run a command in vm" functionality perhaps) if I temporarily need the GUI again?

Reg Tiangha

Mar 27, 2017, 9:57:12 AM
to qubes...@googlegroups.com
That is an interesting question. I don't know the answer myself (though
I would like to know too, just for curiosity's sake), but here are some
RAM saving tips instead:

- For your service VMs, make sure to limit the upper RAM amounts. For
example, by default, sys-firewall's upper limit for RAM will be like
4GB; you can cut that down to 300-400 MB, and you might be able to bump
down the lower limit to 250 MB (if it doesn't start up properly from
cold boot, then bump that lower limit up until it does).

- In fact, take a look at all of your Template and App VMs and adjust
those upper RAM limits accordingly. For my Template VMs, I usually have
their upper limits at 2GB or less, since they rarely need more than
1-1.5 GB when updating.

- If you don't use the advanced features of the Qubes firewall (for
example, to restrict an Email VM or Banking VM to only allow traffic to
certain websites and not others using Qubes Manager to configure those
rules), you can switch to using Qubes Mirage Firewall which uses a
Mirage unikernel rather than a full-blown Linux distribution. I have
mine running on 64MB of RAM, but you could probably go down to as low as
30 or 32MB and still have it be reliable. If you *do* use those advanced
firewall features, you could still use Mirage Firewall for most VMs, and
only turn on sys-firewall for those VMs that need it on demand, rather
than having it run all the time:

https://github.com/talex5/qubes-mirage-firewall/

- Finally, if for whatever reason you need a shell into a VM (for
example, the machine is on but it has the yellow indicator in Qubes
Manager and it won't launch any programs), you can use virsh in dom0:

virsh -c xen:/// console <vm-name>


