qubes-doc/managing-os/templates/debian.md

---
layout: doc
title: Debian Template
permalink: /doc/templates/debian/
redirect_from:
- /doc/debian/
- /en/doc/templates/debian/
- /doc/Templates/Debian/
- /wiki/Templates/Debian/
---

Debian template(s)
===============

If you would like to use Debian Linux distribution in your qubes, you can install one of the available Debian templates.

Updates for these templates are provided by ITL and are signed by this key:

    pub   4096R/47FD92FA 2014-07-27
          Key fingerprint = 2D43 E932 54EE EA7C B31B  6A77 5E58 18AB 47FD 92FA
    uid                  Qubes OS Debian Packages Signing Key

The key is already installed when you install (signed) template package. You
can also obtain the key from [git
repository](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-archive-keyring.gpg),
which is also integrity-protected using signed git tags.

Install
-------

Templates can be installed with the following command:

Debian 7 (wheezy) - old stable:

    [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-7

Debian 8 (jessie) - stable:

    [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-8

Debian 9 (stretch) - testing:

A prebuilt template is not yet available, but there are two options for
achieving a stretch template:

* Build an experimental stretch template from source.

* Clone a `debian-8` template and then modify `/etc/apt/sources.list` and 
`/etc/apt/sources.list.d/qubes-r3.list` to pull from stretch repos rather 
than jessie repos. After that, an `apt-get dist-upgrade` followed by a 
reboot should "just work."


Known issues
------------

###Starting services


The Debian way (generally) is to start daemons if they are installed.
This means that if you install (say) ssh-server in a template, *all* the qubes that use that template will run a ssh server when they start. (They will, naturally, all have the same server key.) This may not be what you want.

So be very careful when installing software in Templates - if the daemon spawns outbound connections then there is a serious security risk.

In general, a reasonable approach would be, (using ssh as example):
- Install the ssh service.
- systemctl stop ssh
- systemctl disable ssh
- systemctl mask ssh
- Close down template

Now the ssh service will **NOT** start in qubes based on this template.

Where you **DO** want the service to run, put this in /rw/config/rc.local:

    systemctl unmask ssh
    systemctl start ssh

Don't forget to make the file executable.


###Unattended Upgrades

Some users have noticed that on upgrading to Stretch, the unattended-upgrade package is installed.

This package is pulled in as part of a Recommend chain, and can be purged.

The lesson is that you should carefully look at what is being installed to your system, particularly if you run dist-upgrade. 


###Contributing

If you want to help in improving the template, feel free to [contribute](/wiki/ContributingHowto).

More information
----------------

* [Debian wiki](https://wiki.debian.org/Qubes)
Templates/Debian changed Initial page 2014-07-28 17:14:28 -04:00			`---`
wiki -> doc migration 2015-04-10 16:17:45 -04:00			`layout: doc`
Update page titles from CamelCase to lowercase-hyphen-separated (closes QubesOS/qubes-issues#1205) 2015-10-13 23:31:03 -04:00			`title: Debian Template`
Remove en/ from URLs (QubesOS/qubes-issues#1333) 2015-10-28 18:14:40 -04:00			`permalink: /doc/templates/debian/`
Change URIs from CamelCase to lowercase-hyphen-separated 2015-10-11 03:04:59 -04:00			`redirect_from:`
Add "/doc" prefix 2016-05-21 10:49:01 -04:00			`- /doc/debian/`
Remove en/ from URLs (QubesOS/qubes-issues#1333) 2015-10-28 18:14:40 -04:00			`- /en/doc/templates/debian/`
Change URIs from CamelCase to lowercase-hyphen-separated 2015-10-11 03:04:59 -04:00			`- /doc/Templates/Debian/`
			`- /wiki/Templates/Debian/`
Templates/Debian changed Initial page 2014-07-28 17:14:28 -04:00			`---`

Some more updates to templates 2015-04-22 23:26:43 -04:00			`Debian template(s)`
Templates/Debian changed Initial page 2014-07-28 17:14:28 -04:00			`===============`

Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 15:29:54 -05:00			`If you would like to use Debian Linux distribution in your qubes, you can install one of the available Debian templates.`
templates update 2015-04-23 10:14:55 -04:00
Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 15:29:54 -05:00			`Updates for these templates are provided by ITL and are signed by this key:`
templates update 2015-04-23 10:14:55 -04:00
			`pub 4096R/47FD92FA 2014-07-27`
			`Key fingerprint = 2D43 E932 54EE EA7C B31B 6A77 5E58 18AB 47FD 92FA`
			`uid Qubes OS Debian Packages Signing Key`

			`The key is already installed when you install (signed) template package. You`
			`can also obtain the key from [git`
			`repository](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-archive-keyring.gpg),`
			`which is also integrity-protected using signed git tags.`
Templates/Debian changed Initial page 2014-07-28 17:14:28 -04:00
			`Install`
			`-------`

Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 15:29:54 -05:00			`Templates can be installed with the following command:`
Templates/Debian changed Initial page 2014-07-28 17:14:28 -04:00
Update Debian.md 2015-08-30 14:31:11 -04:00			`Debian 7 (wheezy) - old stable:`
Some more updates to templates 2015-04-22 23:26:43 -04:00
templates update 2015-04-23 10:14:55 -04:00			`[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-7`
Some more updates to templates 2015-04-22 23:26:43 -04:00
Update Debian.md 2015-08-30 14:31:11 -04:00			`Debian 8 (jessie) - stable:`
Some more updates to templates 2015-04-22 23:26:43 -04:00
templates update 2015-04-23 10:14:55 -04:00			`[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-8`
document that there is no progress indicator since this caused a confused user to ask on the mailing list 2016-01-20 10:00:53 -05:00
Update Debian.md 2015-08-30 14:31:11 -04:00			`Debian 9 (stretch) - testing:`
Templates/Debian changed Initial page 2014-07-28 17:14:28 -04:00
Mention option for upgrading latest Debian stable template to stretch. 2016-05-21 08:22:30 -04:00			`A prebuilt template is not yet available, but there are two options for`
			`achieving a stretch template:`

Clean up text 2016-05-21 10:42:21 -04:00			`* Build an experimental stretch template from source.`
Mention option for upgrading latest Debian stable template to stretch. 2016-05-21 08:22:30 -04:00
Clean up text 2016-05-21 10:42:21 -04:00			* Clone a `debian-8` template and then modify `/etc/apt/sources.list` and
			`/etc/apt/sources.list.d/qubes-r3.list` to pull from stretch repos rather
			than jessie repos. After that, an `apt-get dist-upgrade` followed by a
			`reboot should "just work."`
document that there is no progress indicator since this caused a confused user to ask on the mailing list 2016-01-20 10:00:53 -05:00

Templates/Debian changed Initial page 2014-07-28 17:14:28 -04:00			`Known issues`
			`------------`

Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 15:29:54 -05:00			`###Starting services`


			`The Debian way (generally) is to start daemons if they are installed.`
			`This means that if you install (say) ssh-server in a template, all the qubes that use that template will run a ssh server when they start. (They will, naturally, all have the same server key.) This may not be what you want.`

			`So be very careful when installing software in Templates - if the daemon spawns outbound connections then there is a serious security risk.`

			`In general, a reasonable approach would be, (using ssh as example):`
			`- Install the ssh service.`
			`- systemctl stop ssh`
			`- systemctl disable ssh`
			`- systemctl mask ssh`
			`- Close down template`

			`Now the ssh service will NOT start in qubes based on this template.`

			`Where you DO want the service to run, put this in /rw/config/rc.local:`

			`systemctl unmask ssh`
			`systemctl start ssh`

			`Don't forget to make the file executable.`


			`###Unattended Upgrades`

			`Some users have noticed that on upgrading to Stretch, the unattended-upgrade package is installed.`

			`This package is pulled in as part of a Recommend chain, and can be purged.`

			`The lesson is that you should carefully look at what is being installed to your system, particularly if you run dist-upgrade.`


			`###Contributing`

Templates/Debian changed Initial page 2014-07-28 17:14:28 -04:00			`If you want to help in improving the template, feel free to [contribute](/wiki/ContributingHowto).`
Add link to Debian wiki about Qubes 2016-09-14 19:22:29 -04:00
			`More information`
			`----------------`

			`* [Debian wiki](https://wiki.debian.org/Qubes)`