Since this page is apparently the top result on Google, here's a link to how to do it.
https://martingladdish.co.uk/technology/setting-up-docker-under-qubesos/
That page has more detail, but here are the instructions in case it's down.
- Install Docker Engine, following the instructions on https://www.docker.com. NOT DESKTOP, as that won't work in Qubes (unless you enable nested virtualization).
- Make the below /etc/docker/daemon.json
- Add "dockerd &" to your AppVM's (NOT TEMPLATE) /rw/config/rc.local

/etc/docker/daemon.json:

    {
      "data-root": "/home/user/docker",
      "group": "user"
    }

Tried this with the debian-11 template on August 23, 2023. Martin did this with fedora-33 in 2021.
If you have trouble, you can ask for help at https://forum.qubes-os.org/
To do this in Qubes-OS 3.x, look at the history of this page.
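
A check for the daemon.json above, added here as an example and not taken from the original page or from Martin's post: it reports where dockerd will keep its data, whether that location survives an AppVM restart, and which group owns the Docker socket. It assumes the stock Qubes persistent paths (/home, /rw, /usr/local); the function names and the `extra_binds` parameter, which stands in for any "bind-dirs" entries you have configured, are hypothetical.

```python
import json
import posixpath

# Paths that survive an AppVM restart in Qubes OS without extra configuration.
PERSISTENT_ROOTS = ("/home", "/rw", "/usr/local")
DOCKER_DEFAULT_DATA_ROOT = "/var/lib/docker"  # dockerd default when "data-root" is unset
DOCKER_DEFAULT_GROUP = "docker"               # dockerd default when "group" is unset


def is_persistent(path, extra_binds=()):
    """True if path lies under a persistent root or a configured bind-dir."""
    norm = posixpath.normpath(path)  # collapses ".." so traversal cannot fool the check
    for root in tuple(PERSISTENT_ROOTS) + tuple(extra_binds):
        root = posixpath.normpath(root)
        if norm == root or norm.startswith(root + "/"):
            return True
    return False


def check_daemon_config(text, extra_binds=()):
    """Return (data_root, socket_group, findings) for a daemon.json document."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, None, [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return None, None, ["top level of daemon.json must be an object"]
    data_root = cfg.get("data-root", DOCKER_DEFAULT_DATA_ROOT)
    group = cfg.get("group", DOCKER_DEFAULT_GROUP)
    if not isinstance(data_root, str) or not posixpath.isabs(data_root):
        return None, group, [f"data-root {data_root!r} is not an absolute path"]
    findings = []
    if not is_persistent(data_root, extra_binds):
        findings.append(f"data-root {data_root!r} is lost when the AppVM restarts")
    return posixpath.normpath(data_root), group, findings


if __name__ == "__main__":
    # Constructed inputs: the config from this page, an empty config, and an
    # empty config combined with a bind-dirs entry for Docker's default path.
    page_config = '{"data-root": "/home/user/docker", "group": "user"}'
    print(check_daemon_config(page_config))
    print(check_daemon_config("{}"))
    print(check_daemon_config("{}", extra_binds=["/var/lib/docker"]))
```
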
Since there is no documented reliability concern with the "bind-dirs" facility, mainly just a matter of "that's a whole lotta words, too bad I'm not readin' 'em" when it comes to documentation, immediately followed by struggles to understand why things are not working, here we provide "the Qubes way" of solving for both that does not leave "bind-dirs" in a broken state.

Configure TemplateVM

Enable docker service for AppVM(s)

Remember to change $QUBENAME to be the name of your target AppVM/Qube:

    qvm-service --enable $QUBENAME docker

Verification inside AppVM
Exit the dom0 shell.
Shut down your TemplateVM, saving all changes.
Launch a terminal in your AppVM to perform verifications:
After exiting busybox, you can verify "bind-dirs" is working as intended by restarting the AppVM (sudo reboot), then launching a new AppVM terminal to verify the busybox image persisted between restarts (optionally removing the image):

Why would I do it this way?
Generally, this eliminates any configuration steps from being "inside the AppVM". Any time we have to modify /rw/ directly from "inside" an AppVM we're taking an "advanced approach" to administration of our Qubes, meant for solving problems that can't be solved by any regular means. To illustrate: Why bootstrap docker from the TemplateVM? Why not bootstrap everything from rc.local? Because it is inconvenient, and not necessary, unless you are trying to keep everything outside of the TemplateVM and only need docker in a single AppVM.

These means and reasons apply to more than just docker.

EDIT: removed unnecessary packages from apt install command and corrected incorrect package name, added commands to disable containerd and docker daemons in the TemplateVM, removed qvm-service --enable call for containerd as suggested by @runephilosof-abtion