@coderpatros
Forked from xahare/Docker-on-qubes.md
Last active March 9, 2020 11:55
How to run docker on Qubes-OS

Docker on Qubes

[Docker](https://www.docker.com) is a software container platform. You may have heard of it.

[Qubes-OS](https://www.qubes-os.org): "A Reasonably Secure Operating System"

It takes a little work to get Docker running on Qubes because you have to modify a TemplateVM. But once you do, you get the ease of compartmentalization Qubes is famous for.

As of this writing, the versions I'm using are:

  • Qubes-OS 4.0
  • Debian 9 (Fedora is fine too)
  • Docker 18.09

TemplateVM

Make a clone of the TemplateVM of your choice. I named mine dockerhost. Don't do this in your main TemplateVM, as there are some intrusive changes, and Docker has security implications.

These instructions are adapted from https://docs.docker.com/engine/installation/linux/docker-ce/debian/

```sh
sudo apt-get install \
   apt-transport-https \
   ca-certificates \
   curl \
   gnupg2 \
   software-properties-common
```

Before doing the next step, open the TemplateVM's settings in the Qubes Manager. Under firewall rules, check "Allow full access for 5 min" so the template can reach the Docker download servers.

```sh
curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
```

You should see

```
pub   4096R/0EBFCD88 2017-02-22
      Key fingerprint = 9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
uid                  Docker Release (CE deb) <[email protected]>
sub   4096R/F273FCD8 2017-02-22
```

Make sure the fingerprint matches, then install Docker and set yourself up to use it:

```sh
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
   $(lsb_release -cs) \
   stable"
sudo apt-get update
sudo apt-get -y install docker-ce
```

The above command ate my copy-pasta when I ran it, so for ease of cutting and pasting, here's the next block on its own:

```sh
sudo groupadd docker
sudo usermod -aG docker user
sudo systemctl enable docker
```

That's all for the TemplateVM. Save and power off.

AppVM

To make sure your AppVMs keep their Docker customizations (the images and daemon config under /var/lib/docker and /etc/docker) across reboots, do this in each AppVM as root:

```sh
mkdir -p /rw/config/qubes-bind-dirs.d
cat << EOF > /rw/config/qubes-bind-dirs.d/50_user.conf
binds+=( '/var/lib/docker' )
binds+=( '/etc/docker' )
EOF
```

Restart the AppVM.

If it all worked, you should be able to make an AppVM based on your dockerhost template and run

```sh
docker run hello-world
```

The first time, it will download the hello-world Docker image. If you restart the AppVM and run `docker run hello-world` again, it should just run without having to download the image again.

By default, AppVMs only get 2G of private storage. In the AppVM's settings in the Qubes Manager, the first tab has "Disk Settings" where you can increase the private storage size.
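As an added example (not part of the original gist), here is a small POSIX shell helper that turns two steps above into reusable functions: one that refuses to continue unless the `apt-key fingerprint` output contains the Docker fingerprint shown above, and one that writes the bind-dirs file into a directory of your choice. The function names and the directory argument are my own choices, not anything from the gist or from Docker/Qubes.

```shell
#!/bin/sh
# Added example, not from the original gist. Helper names and the optional
# directory argument are assumptions made for this example.

# Expected Docker CE apt key fingerprint, exactly as printed in the gist.
DOCKER_KEY_FPR="9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88"

# Strip all whitespace so spacing differences between gpg versions don't matter.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t'
}

# Read `apt-key fingerprint` (or `gpg --fingerprint`) output on stdin and
# succeed only if the expected fingerprint appears on some line. Exit 1 when
# it is missing, so a tampered or wrong key never gets a repository added.
check_docker_key_fingerprint() {
  want=$(normalize_fpr "$DOCKER_KEY_FPR")
  while IFS= read -r line; do
    # Old gpg prints "Key fingerprint = ..."; newer gpg prints the bare
    # fingerprint on its own line. ${line#*=} handles both.
    got=$(normalize_fpr "${line#*=}")
    [ "$got" = "$want" ] && return 0
  done
  echo "Docker apt key fingerprint not found or mismatched; aborting" >&2
  return 1
}

# Write the qubes-bind-dirs entry that keeps Docker state in the AppVM's
# private volume. $1 is the config directory (defaults to the real one);
# run as root inside each AppVM, as the gist says.
write_docker_bind_dirs() {
  dir="${1:-/rw/config/qubes-bind-dirs.d}"
  mkdir -p "$dir" || return 1
  cat > "$dir/50_user.conf" <<'EOF'
binds+=( '/var/lib/docker' )
binds+=( '/etc/docker' )
EOF
}
```

Typical use on the template: `sudo apt-key fingerprint 0EBFCD88 | check_docker_key_fingerprint && sudo add-apt-repository ...`, so the repository is only added when the check passes.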

Links

[Opal Raava on how to expose a Docker service to the outside world](https://groups.google.com/forum/#!topic/qubes-users/wFRFvO4LQ9k)

[More on persistent filesystems in Qubes](https://www.qubes-os.org/doc/bind-dirs/)

greenrd commented Mar 8, 2020

The sudo cat command doesn't actually work. You need to run sudo bash, and then within the bash sub-shell, run the cat command.

@coderpatros (Author) replied

Thanks @greenrd, I've updated them to be commands run as root.
