Skip to content

Instantly share code, notes, and snippets.

@tlaurion

tlaurion/Docker-on-qubes.md

Forked from xahare/Docker-on-qubes.md
Last active September 12, 2020 16:50
Show Gist options
  • Save tlaurion/9113983bbdead492735c8438cd14d6cd to your computer and use it in GitHub Desktop.
Save tlaurion/9113983bbdead492735c8438cd14d6cd to your computer and use it in GitHub Desktop.
Download ZIP
How to run docker on Qubes-OS
Raw
Docker-on-qubes.md

Docker on Qubes

As of qubes 4.x and docker 18, the below method no longer works. I suspect more needs to be added to bind-dirs, but have not been able to make it work. For now, you can make a stand alone appvm, based on template to still get qubes integration. Debian-9 works out of the box. Dont know about other templates.

(Docker)[https://www.docker.com] a software container platform. You may have heard of it.

(Qubes-OS)[https://www.qubes-os.org] "A Reasonably Secure Operating System"

It takes a little work to get Docker running on qubes because you have to modify a templatevm. But, once you do it, you have the ease of compartmentalization qubes is famous for.

As of this writing the versions im using are,

  • Qubes-OS 3.2
  • Debian 9 (Fedora is fine too)
  • Docker 17.06

TemplateVM

Make clone of the template vm of your choice. I named mine dockerhost. Dont do this for your templatevm as there are some intrusive changes, and docker has security implications.

These instructions are adapted from https://docs.docker.com/engine/installation/linux/docker-ce/debian/

sudo apt-get install \
   apt-transport-https \
   ca-certificates \
   curl \
   gnupg2 \
   software-properties-common

before doing the next step, in the qubes manager, go to settings on the templatevm. under firewall rules, check on allow full access for 5 min.

curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88

you should see

pub   4096R/0EBFCD88 2017-02-22
      Key fingerprint = 9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
uid                  Docker Release (CE deb) <docker@docker.com>
sub   4096R/F273FCD8 2017-02-22

make sure the fingerprint matches, then install docker, and set yourself up to use it

sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
   $(lsb_release -cs) \
   stable"
sudo apt-get update
sudo apt-get -y install docker-ce

the above command ate my copy pasta when i ran it, so for ease of cutting and pasting, heres the next block on its own

sudo groupadd docker
sudo usermod -aG docker user
sudo systemctl enable docker

and, make sure appvms get to keep any customizations you do

sudo cat << EOF > /usr/lib/qubes-bind-dirs.d/50_user.conf
binds+=( '/var/lib/docker' )
binds+=( '/etc/docker' )
EOF

Thats all for the templatevm. save and poweroff.

AppVM

If it all worked, you should be able to make an appvm based on your dockerhost template, and run

docker run hello-world

The first time, it will download the hello-world docker image. If you restart the appvm, and docker run hello-world again, it should just run without having to download the image again.

By default, appvms only get 2G of storage. In the appvm settings from the qubes-manager, the first tab has "Disk Settings" where you can increase private storage size.

Links

(Opal Raava on how to expose a docker service to the outside world)[https://groups.google.com/forum/#!topic/qubes-users/wFRFvO4LQ9k]

(More on persistent filesystems in qubes)[https://www.qubes-os.org/doc/bind-dirs/]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment