Once upon a time I too had similar issues (start-on-boot service qubes hanging/underperforming) if I logged into the GUI desktop “too quickly”, which would require me to power-cycle down to the offending qube (usually sys-net but sometimes sys-firewall or also sys-usb on occasion).
I too launch all of my service qubes with no more than 512MB RAM, in most cases this ought be sufficient.
I think the best place to start would be to migrate to a minimal template for your sys-net. IMO, the base templates are unnecessarily bloated in general and, especially so for sys-net.
In my current implementation sys-usb and sys-net are isolated, so if this is not the case, please stop here. Should you have separate sys-usb and sys-net qubes, this is the process which has worked for me in the past …
Recreating sys-net can easily and safely be achieved thanks to the default SaltStack formula by doing the following:
- While you have a functioning `sys-net`, update your minimal templates and, may as well, `sudo qubes-dom0-update` in dom0 shell also.
- Use Qubes Manager to select `sys-net`, click on the “Settings” button & rename (or do this in dom0 via cli if you prefer) `sys-net` to `sys-net-old`. Additionally, disable “Start qube automatically on boot”.
- From the “System” menu drop-down, click/select Qubes Global Settings & change your default template under “qubes defaults” to the minimal template of your choosing (don’t forget to click the “OK” button).
- Open a dom0 shell and enter the following: `sudo qubesctl state.sls qvm.sys-net` (this ought to rebuild your sys-net with the newly selected template).
- Test out your newly created `sys-net` by assigning it as a NetVM for `sys-firewall`, starting `sys-firewall`, opening a terminal in `sys-firewall` & generating some traffic (i.e. `ping qubes-os.org`). If all goes well, you can change the NetVM setting for the remaining qubes which are currently configured to use `sys-net-old` to use `sys-net`.
- Before you forget, go back into Qubes Global Settings & change your default template under “qubes defaults” back to the template of your choosing.
- Restart to confirm you’re happy with your new minimal `sys-net`.
If anything goes wrong, simply disable “Start qube automatically on boot” for your newly created sys-net and enable for sys-net-old while also switching the NetVM for guest qubes as necessary.
There’s no need to immediately remove/delete sys-net-old aside from HDD space, which ought not be too much, as it can serve as a fallback in case any of the above doesn’t work.
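
An added example, not part of the original post: a dom0 shell helper for moving the remaining qubes from `sys-net-old` to `sys-net` (and, with the arguments swapped, back again for the fallback). It assumes the `name|netvm` lines produced by `qvm-ls --raw-data --fields NAME,NETVM`; the function names, the `APPLY` variable and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: repoint qubes from one NetVM to another (intended for dom0).
# Assumed input: one "name|netvm" line per qube, as printed by
#   qvm-ls --raw-data --fields NAME,NETVM

# Print the names of qubes whose NetVM is $1, reading "name|netvm" on stdin.
qubes_using_netvm() {
    awk -F'|' -v old="$1" '$2 == old { print $1 }'
}

# Repoint every qube on stdin from NetVM $1 to NetVM $2.
# Default is a dry run that only prints the commands; APPLY=1 executes them.
switch_netvm() {
    old="$1"; new="$2"
    qubes_using_netvm "$old" | while IFS= read -r qube; do
        if [ "${APPLY:-0}" = "1" ]; then
            # </dev/null keeps qvm-prefs from consuming the list being read
            qvm-prefs "$qube" netvm "$new" </dev/null
        else
            echo "qvm-prefs $qube netvm $new"
        fi
    done
}

# Constructed sample listing (hypothetical qube names, not real output).
sample_listing() {
    cat <<'EOF'
sys-net|-
sys-net-old|-
sys-firewall|sys-net
work|sys-firewall
vpn-gw|sys-net-old
untrusted|sys-net-old
EOF
}

# Dry run in dom0:
#   qvm-ls --raw-data --fields NAME,NETVM | switch_netvm sys-net-old sys-net
# Apply:
#   qvm-ls --raw-data --fields NAME,NETVM | APPLY=1 switch_netvm sys-net-old sys-net
```

Review the dry-run output before applying, so that only the qubes you expect are moved off `sys-net-old`.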