[qubes-users] Failure - Building mirage unikernel with debian-10 and Docker CE

799 · October 16, 2021, 5:24pm

Hello,

this maybe off-topic because it may be more a debian10 / docker / mirage topic, but maybe someone has been able to build the mirage firewall with a more recent template than fedora-30.

Has someone successfully build the mirage kernel on an AppVM which is newer that fedora-30?
I tried to do so with an AppVM based on a debian-10 template and Docker CE (version 20.10.9)

Docker installed correctly and has been verified by the “docker run hello-world” command.

Trying to build mirage gives the following error:

./build-with-docker.sh’
[…]
Step 8/8 : CMD opam config exec – mirage configure -t xen && opam config exec – make tar
—> Using cache
—> af7a122a9bdb
Successfully built af7a122a9bdb
Successfully tagged qubes-mirage-firewall:latest
Building Firewall…
mirage: unknown option -t'. Usage: mirage configure [OPTION]... Try mirage configure --help’ or `mirage --help’ for more information.
create temporary file /home/opam/qubes-mirage-firewall/bos-1cf2b3.tmp: Permission denied

To reproduce my notes during installation (all from dom0):

TemplateVM=debian-10
MirageFWBuildVM=debian-10-miragbuildvm
MirageFWAppVM=sys-mirage-fw

create a temporary BuildVM to build the mirage kernel

qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM
qvm-volume resize $MirageFWBuildVM:private 10GB
qvm-prefs --set $MirageFWBuildVM netvm sys-firewall

prequisitis to add the docker repository

qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM
‘curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg’
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM
‘echo “deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable” | tee /etc/apt/sources.list.d/docker.list’

update system & install & test docker

qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM ‘apt-get update --allow-releaseinfo-change’
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM ‘apt-get update && apt-get -y upgrade’
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM ‘apt-get -y install apt-transport-https ca-certificates curl gnupg lsb-release git’
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM ‘apt-get -y install docker-ce docker-ce-cli containerd.io’
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM ‘docker run hello-world’

Launch docker & build mirage

qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM ‘systemctl start docker’
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM ‘git clone https://github.com/mirage/qubes-mirage-firewall.git &&
cd qubes-mirage-firewall &&
mkdir -p /home/opam/qubes-mirage-firewall &&
./build-with-docker.sh’

799