As of Qubes 4.x and Docker 19+, the method below works again. Debian 10 with the bind-dirs hack works out of the box again. I don't know about other templates.

[Docker](https://www.docker.com) is a software container platform. You may have heard of it.

[Qubes OS](https://www.qubes-os.org): "A Reasonably Secure Operating System".

It takes a little work to get Docker running on Qubes because you have to modify a TemplateVM. But once you do, you have the ease of compartmentalization Qubes is famous for.

As of this writing, the versions I'm using are:
- Qubes-OS 4.0 rc3+
- Debian 10
- Docker 19.03.12
Make a clone of the TemplateVM of your choice. I named mine dockerhost. Don't do this in your existing TemplateVM, as there are some intrusive changes and Docker has security implications.

These instructions are adapted from https://docs.docker.com/engine/installation/linux/docker-ce/debian/
```sh
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg2 \
    software-properties-common
```
Before doing the next step, open the TemplateVM's settings in the Qubes Manager and, under Firewall rules, check "Allow full access for 5 min".

```sh
curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
```

You should see:
```
pub   4096R/0EBFCD88 2017-02-22
      Key fingerprint = 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
uid                  Docker Release (CE deb) <[email protected]>
sub   4096R/F273FCD8 2017-02-22
```
Make sure the fingerprint matches, then install Docker and set yourself up to use it:

```sh
sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
    $(lsb_release -cs) \
    stable"
sudo apt update
sudo apt -y install docker-ce
```
In case DKMS fails, run the following:

```sh
sudo apt -y purge aufs-dkms
sudo apt reinstall docker-ce
```
Then add the required docker group and add Qubes's default user to it:

```sh
sudo groupadd docker
sudo usermod -aG docker user
```
If you are applying these changes in a shared TemplateVM, you might want to:

```sh
sudo systemctl disable docker
```

and instead enable the "docker" service manually in each AppVM's Services tab in its Qubes settings.

Otherwise, if you want Docker to run by default in every AppVM based on that TemplateVM, run:

```sh
sudo systemctl enable docker
```
Make sure AppVMs get to keep any customizations you make:

```sh
sudo su
```

then:

```sh
cat << EOF > /usr/lib/qubes-bind-dirs.d/50_user.conf
binds+=( '/var/lib/docker' )
binds+=( '/etc/docker' )
EOF
exit
```
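The two steps where a slip hurts most are the key fingerprint check and the bind-dirs file. The helpers below are an added example, not part of the original gist: they fail closed when the fingerprint printed by apt-key does not match the one quoted above, and they write the bind-dirs entries without duplicating them on a re-run. The apt-key output used in the usage comment is assumed to look like the sample shown above.

```shell
#!/bin/sh
# Added example, not from the original gist. Two fail-closed helpers for the
# steps above: checking the Docker signing key fingerprint before adding the
# repo, and writing the bind-dirs file so re-running the setup stays idempotent.

# Expected Docker CE key fingerprint, as quoted in the text above.
DOCKER_KEY_FPR="9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88"

# Strip spaces and uppercase, so formatting differences do not matter.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# fingerprint_matches APT_KEY_OUTPUT EXPECTED
# Succeeds only if the output contains a 40-hex-digit fingerprint line
# (either "Key fingerprint = ..." or the bare line newer gpg prints) equal
# to EXPECTED. Short key IDs like 0EBFCD88 are deliberately not accepted.
fingerprint_matches() {
    want=$(norm_fpr "$2")
    got=$(printf '%s\n' "$1" | tr -d ' ' \
        | grep -iE '^(Keyfingerprint=)?[0-9A-F]{40}$' | head -n 1 | sed 's/.*=//')
    [ -n "$got" ] || return 1
    [ "$(norm_fpr "$got")" = "$want" ]
}

# write_bind_dirs CONF_FILE DIR...
# Appends a binds+=( 'DIR' ) line per DIR, skipping ones already present.
write_bind_dirs() {
    conf=$1; shift
    [ -f "$conf" ] || : > "$conf"
    for d in "$@"; do
        grep -qF "binds+=( '$d' )" "$conf" \
            || printf "binds+=( '%s' )\n" "$d" >> "$conf"
    done
}

# Typical use in the TemplateVM (needs root for the real bind-dirs path):
#   fingerprint_matches "$(sudo apt-key fingerprint 0EBFCD88)" "$DOCKER_KEY_FPR" \
#       && write_bind_dirs /usr/lib/qubes-bind-dirs.d/50_user.conf /var/lib/docker /etc/docker
```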
That's all for the TemplateVM. Save and power off.

If it all worked, you should be able to make an AppVM based on your dockerhost template and run:

```sh
docker run hello-world
```

The first time, it will download the hello-world Docker image. If you restart the AppVM and run docker run hello-world again, it should just run without downloading the image again.

By default, AppVMs only get 2G of private storage. In the AppVM's settings in the Qubes Manager, the first tab has "Disk Settings", where you can increase the private storage size.

[Opal Raava on how to expose a Docker service to the outside world](https://groups.google.com/forum/#!topic/qubes-users/wFRFvO4LQ9k)

[More on persistent filesystems in Qubes](https://www.qubes-os.org/doc/bind-dirs/)