Using Docker in AppVMs in Qubes OS

Running Docker in a Qubes OS AppVM requires one extra step: making Docker state directories persistent across reboots.

In Qubes OS, most of an AppVM root filesystem comes from its TemplateVM and is reset on reboot. In an AppVM, only these locations are persistent by default:

  • /home/user
  • /usr/local
  • /rw (including /rw/config)

This design improves security by limiting persistence.

For Docker, you must persist these directories:

  • /var/lib/docker
  • /etc/docker
  • /var/lib/containerd

Otherwise, images, containers, and Docker configuration are lost after reboot.

  1. Install Docker in the TemplateVM: https://docs.docker.com/engine/install/

  2. Shut down the TemplateVM so dependent AppVMs pick up the updated template.

  3. In the AppVM, configure bind-dirs: https://doc.qubes-os.org/en/latest/user/advanced-topics/bind-dirs.html

bind-dirs mounts persistent storage from /rw onto non-persistent paths, so those paths behave as persistent in that specific AppVM.

  4. Create /rw/config/qubes-bind-dirs.d/50_user.conf in the AppVM with:

     binds+=('/var/lib/docker')
     binds+=('/var/lib/containerd')
     binds+=('/etc/docker')

Paths must match exactly and stay inside single quotes.

  5. Apply the configuration:

     sudo /usr/lib/qubes/bind-dirs.sh

     Ensure it completes without errors.

  6. Restart the AppVM.

After reboot, Docker data persists in that AppVM. Containers remain isolated per AppVM, while you can still reuse one TemplateVM for multiple AppVMs.
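
To confirm the setup after the restart, the following script checks that each of the three Docker paths has an exact, single-quoted binds entry and is an active mount point. It is an added example, not part of the original page or of Qubes OS; the function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the bind-dirs setup for the three Docker paths on this page.
REQUIRED='/var/lib/docker /var/lib/containerd /etc/docker'

# Print the path from every well-formed line of the form binds+=('PATH').
declared_binds() {
    sed -n "s/^[[:space:]]*binds+=([[:space:]]*'\([^']*\)'[[:space:]]*)[[:space:]]*\$/\1/p" "$1"
}

# Print each required path with no exact, single-quoted entry in conf file $1.
missing_binds() {
    for p in $REQUIRED; do
        declared_binds "$1" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# Print each required path that is not a mount point according to the
# mountinfo file $1 (default: live /proc/self/mountinfo; field 5 is the target).
unmounted_binds() {
    for p in $REQUIRED; do
        awk -v p="$p" '$5 == p { found = 1 } END { exit !found }' \
            "${1:-/proc/self/mountinfo}" || printf '%s\n' "$p"
    done
}

# Constructed sample config: one good entry, one with a trailing slash,
# one in double quotes. Only the first counts as declared.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
binds+=('/var/lib/docker')
binds+=('/var/lib/containerd/')
binds+=("/etc/docker")
EOF

# Constructed sample mountinfo: only /var/lib/docker is bind-mounted.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
25 1 202:0 / / rw,relatime - ext4 /dev/xvda3 rw
30 25 202:16 / /rw rw,relatime - ext4 /dev/xvdb rw
36 25 202:16 /bind-dirs/var/lib/docker /var/lib/docker rw,relatime - ext4 /dev/xvdb rw
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_MOUNTS"' EXIT

echo "not declared in sample config:"; missing_binds "$SAMPLE_CONF"
echo "not mounted in sample mountinfo:"; unmounted_binds "$SAMPLE_MOUNTS"
```

In the AppVM, call missing_binds with /rw/config/qubes-bind-dirs.d/50_user.conf and unmounted_binds with no argument; empty output from both means all three paths are declared and mounted.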