QubesOS: Automatically Install and Configure Docker-CE in Debian
If you’re a QubesOS user, or even just Debian or Ubuntu, here’s how to install Docker Community Edition (Docker-CE) in your operating environment.
Why use Docker in Qubes? While QubesOS uses hypervisor virtualization (VMs) to separate operating system components for improved security, Docker uses container virtualization to predictably package OS components and workflows.1 Each serves a purpose, and they work brilliantly together!
The Qubes-Docker principle is this: the Qubes hypervisor will spin up read-only root filesystems in your AppVMs (and read-write /home/user/
); and Docker will be used to run applications with extensive or complicated dependencies, or with components that potentially expose your TemplateVM and AppVMs with an unreasonably large attack surface. Docker will also be configured to store images in /home/user/docker
.
Install Docker-CE in Debian 9 (Stretch)
I’m a huge fan of automatiion and code re-use; and that includes installation methods. I’ve used Neil Hermosilla’s code repeatedly and I like his style. One handy extra is that it is designed to overcome issues around installs (or attempts) of previous Docker versions and editions. Here’s how to apply it!
Debian 9 (Stretch)
If you’re on straight Debian (and probably Ubuntu as well), all you need to do is download Neil’s script, make it executable, and run it as a non-root user(!).1
2
3
4
5
6#1: Install dependencies: Git and cURL
sudo apt-get install git curl
#2: Install Docker-CE
wget https://gist.githubusercontent.com/upbeta01/3b968320b3a579c326ab6cd2a195b10d/raw/196eb33a6e4b5ef9abae98d9e221ebd62a61fd65/install-docker-deb9.sh
sudo chmod +x ./install-docker-deb9.sh
bash ./install-docker-deb9.sh
QubesOS (R4.0) on Debian 9 TemplateVM
Installation on QubesOS is slightly trickier because of firewall restrictions on TemplateVMs. You will need to run your Debian-based TemplateVM, as well as a DispVM (or regular AppVM) to complete the installation.
Install Git and cURL in the QubesOS TemplateVM.1
sudo apt-get install git curl
Download required files in a QubesOS disposable/separate AppVM, then copy them to the TemplateVM.1
2
3
4# Get the Docker GPG key.
wget https://download.docker.com/linux/debian/gpg && qvm-copy-to-vm d9-template ./gpg
# Get the installation script.
wget https://gist.githubusercontent.com/upbeta01/3b968320b3a579c326ab6cd2a195b10d/raw/196eb33a6e4b5ef9abae98d9e221ebd62a61fd65/install-docker-deb9.sh && qvm-copy-to-vm d9-template ./install-docker-deb9.sh
Execute the installation script in the TemplateVM.
The aufs DKMS module will fail to build for the 4.*.pvops.qubes.x86_64 kernel (and complain loudly), but will succeed for the Debian one, so ignore the errors. Ensure that the command to run the installer is not run as root - the parts requiring root priviledges will prompt you for user input during the script execution.1
2
3cd ~/QubesIncoming/d9-dvm/
sudo chmod +x ./install-docker-deb9.sh \
bash ./install-docker-deb9.sh
One final thing to do is to change the Docker directory from its default to users’ private storage area instead. This is necessary to ensure that images obtained with docker pull
are retained between VM reboots.2
Start in the TemplateVM by disabling Docker. Shutdown the TemplateVM after this step with (user@dom0:~$qvm-shutdown d9-template
).1
sudo systemctl disable docker
Next, in the AppVM intended for Docker use, add the following line to /rw/config/rc.local
. This will ensure that the daemon is started when that AppVM is started, and Docker image pulls will be saved in the /home/user/docker
directory. (It’s worth noting that the private storage allocation for that VM may need to be increased to accommodate large Docker images.)1
dockerd --data-root /home/user/docker
Done! :)