Docker and Fedora 31
101 views
Skip to first unread message
Frédéric Pierret
Apr 13, 2020, 4:05:00 AM4/13/20
to qubes-users
Hi all,
For those who are using docker and also gave a chance to Fedora 31 testing template, you may know that there is a "Cgroups Exception" for Fedora 31. According to the official page https://docs.docker.com/engine/install/fedora/, they suggest to:
"""
For Fedora 31 and higher, you need to enable the backward compatibility for Cgroups.
$ sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
"""
That does not really fit Qubes. Globally, it's a matter of adding a kernel options to your VM where you run your dockers. Assming this VM is called 'work-docker', in dom0:
1) Check your VM kernel opts:
qvm-prefs work-docker kernelopts
For me, it was only 'nopat'
2) Add the docker suggested option and your already present kernelopts:
qvm-prefs --set work-docker kernelopts 'nopat systemd.unified_cgroup_hierarchy=0'
That's all. You can continue to use your dockers in your Fedora 31 AppVM.
Another useful trick thanks to Qubes, is to use 'bind-dirs' (https://www.qubes-os.org/doc/bind-dirs/) for '/var/lib/docker'. It allows you to not modify default dockers location or symlink or copy paste at early boot or whatever.
Best,
Frédéric
For those who are using docker and also gave a chance to Fedora 31 testing template, you may know that there is a "Cgroups Exception" for Fedora 31. According to the official page https://docs.docker.com/engine/install/fedora/, they suggest to:
"""
For Fedora 31 and higher, you need to enable the backward compatibility for Cgroups.
$ sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
"""
That does not really fit Qubes. Globally, it's a matter of adding a kernel options to your VM where you run your dockers. Assming this VM is called 'work-docker', in dom0:
1) Check your VM kernel opts:
qvm-prefs work-docker kernelopts
For me, it was only 'nopat'
2) Add the docker suggested option and your already present kernelopts:
qvm-prefs --set work-docker kernelopts 'nopat systemd.unified_cgroup_hierarchy=0'
That's all. You can continue to use your dockers in your Fedora 31 AppVM.
Another useful trick thanks to Qubes, is to use 'bind-dirs' (https://www.qubes-os.org/doc/bind-dirs/) for '/var/lib/docker'. It allows you to not modify default dockers location or symlink or copy paste at early boot or whatever.
Best,
Frédéric
Rune Philosof
May 6, 2020, 9:44:16 AM5/6/20
to qubes-users
mandag den 13. april 2020 kl. 10.05.00 UTC+2 skrev Frédéric Pierret:
qvm-prefs --set work-docker kernelopts 'nopat systemd.unified_cgroup_hierarchy=0'
I wish I had been able to find this using duckduckgo.com when I searched for "qubes fedora 31 docker".
But I eventually discovered the solution as well.
Also discovered an alternative solution. Switch to HVM for the appVM and use podman instead.
What are the disadvantages to using HVM?
https://www.qubes-os.org/doc/linux-hvm-tips/#qubes-agents states that the agents won't work.
But I have not found any features not working for the HVM appVM (it is based on the qubes template fedora 31).
--
Rune
Rune Philosof
May 6, 2020, 2:21:07 PM5/6/20
to qubes-users
On Wed, May 6, 2020 at 3:44 PM Rune Philosof <rune.p...@gmail.com> wrote:
Also discovered an alternative solution. Switch to HVM for the appVM and use podman instead.
It would be even nicer if the switch to HVM wasn't necessary.
But that would require at least kernel 5.2 (https://github.com/torvalds/linux/commit/76f969e8948d82e78e1bc4beb6b9465908e74873).
Has any of you tried installing a >5.2 kernel in dom0?
I couldn't find any newer kernels in the unstable qubes repo.
--
Rune
Frédéric Pierret
May 6, 2020, 2:34:40 PM5/6/20
to qubes...@googlegroups.com
On 2020-05-06 20:20, Rune Philosof wrote:
> On Wed, May 6, 2020 at 3:44 PM Rune Philosof <rune.p...@gmail.com <mailto:rune.p...@gmail.com>> wrote:
>
> Also discovered an alternative solution. Switch to HVM for the appVM and use podman instead.
>
>
> It would be even nicer if the switch to HVM wasn't necessary.
> But that would require at least kernel 5.2 (https://github.com/torvalds/linux/commit/76f969e8948d82e78e1bc4beb6b9465908e74873).
> Has any of you tried installing a >5.2 kernel in dom0?
> I couldn't find any newer kernels in the unstable qubes repo.
There is kernel-latest for this purpose on Qubes. Enable current-testing repository in dom0 you will have 5.6.X latest kernels. BTW, it's one I'm currently running on dom0.
>
> Also discovered an alternative solution. Switch to HVM for the appVM and use podman instead.
>
>
> It would be even nicer if the switch to HVM wasn't necessary.
> But that would require at least kernel 5.2 (https://github.com/torvalds/linux/commit/76f969e8948d82e78e1bc4beb6b9465908e74873).
> Has any of you tried installing a >5.2 kernel in dom0?
> I couldn't find any newer kernels in the unstable qubes repo.
Best,
Frédéric
Reply all
Reply to author
Forward
0 new messages