Setting up Docker for Qubes OS
I have always wanted to have a machine that is reasonably secure. I am not talking NSA level security here, but secure enough so that I do not have any headaches with viruses, malware etc. On top of that, I wanted to reduce the information that advertisers and marketing companies have on me.
Qubes-OS
The solution came with Qubes OS. I have been following the project for quite a while now and finally decided to give it a try. So far, very impressed and very satisfied with my system. Everything is isolated as it should and it is working as expected.
Docker
One thing that troubled me though was how I was going to install docker on my code
VM. Since I do rely on docker
and docker compose
for many projects, I wanted to have that available for my code
VM.
My initial attempts worked reasonable. I installed docker on my code
VM, run my commands, and started coding as usual. However once my code
VM restarted the changes were lost and that was a bummer.
I then went to install docker
in the template that my code
VM is based on (debian-12-xfce
).
Success!
Everything worked perfectly fine and I am up and running.
Isolation
Well, it did work, but had a small side effect. When I decided to create a new VM to do some different coding, the docker environments from my code
VM interfered with my new one.
I had to find a way where although docker
in installed in the template, any children VMs would have their docker images in the /home
folder, where we would have persistence but also isloation.
The solution was quite simple. All I had to do is open a terminal to my template VM (debian-12-xfce
) and create the file /etc/docker/daemon.json
with the following contents:
{
"data-root": "/home/user/.docker-images",
"group": "user"
}
With the above, any images in my code
VM will be created under /home/user/.docker-images
and reside there persistent.
NOTE: The reason for the
group
entry beinguser
, is because we need to ensure that theuser
group owns docker’s sock file. If not, then we will not have permissions to access it and docker will not work.
I hope this helps.