Failure - Building mirage unikernel with debian-10 and Docker CE


799

Oct 16, 2021, 1:24:17 PM
to qubes-users
Hello,

This may be off-topic because it may be more of a debian10 / docker / mirage topic, but maybe someone has been able to build the mirage firewall with a more recent template than fedora-30.

Has anyone successfully built the mirage kernel on an AppVM which is newer than fedora-30?
I tried to do so with an AppVM based on a debian-10 template and Docker CE (version 20.10.9).
Docker installed correctly and has been verified by the "docker run hello-world" command.

Trying to build mirage gives the following error:

 ./build-with-docker.sh'
[...]
Step 8/8 : CMD opam config exec -- mirage configure -t xen &&     opam config exec -- make tar
 ---> Using cache
 ---> af7a122a9bdb
Successfully built af7a122a9bdb
Successfully tagged qubes-mirage-firewall:latest
Building Firewall...
mirage: unknown option `-t'.
Usage: mirage configure [OPTION]...
Try `mirage configure --help' or `mirage --help' for more information.
create temporary file /home/opam/qubes-mirage-firewall/bos-1cf2b3.tmp: Permission denied

To reproduce my notes during installation (all from dom0):

TemplateVM=debian-10
MirageFWBuildVM=debian-10-miragbuildvm
MirageFWAppVM=sys-mirage-fw

# create a temporary BuildVM to build the mirage kernel
qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM
qvm-volume resize $MirageFWBuildVM:private 10GB
qvm-prefs --set $MirageFWBuildVM netvm sys-firewall

# prerequisites to add the docker repository
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
    'curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list'

# update system & install & test docker
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM 'apt-get update --allow-releaseinfo-change'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM 'apt-get update && apt-get -y upgrade'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM 'apt-get -y install apt-transport-https ca-certificates curl gnupg lsb-release git'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM 'apt-get -y install docker-ce docker-ce-cli containerd.io'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM 'docker run hello-world'

# Launch docker & build mirage
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM  'systemctl start docker'
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM 'git clone https://github.com/mirage/qubes-mirage-firewall.git && \
    cd qubes-mirage-firewall && \
    mkdir -p /home/opam/qubes-mirage-firewall && \
    ./build-with-docker.sh'
