qubes-doc/user/managing-os/debian/debian.md

---
layout: doc
title: Debian Template
permalink: /doc/templates/debian/
redirect_from:
- /doc/debian/
- /en/doc/templates/debian/
- /doc/Templates/Debian/
- /wiki/Templates/Debian/
---

Debian template(s)
===============

If you would like to use Debian Linux distribution in your qubes, you can install one of the available Debian templates.

Updates for these templates are provided by ITL and are signed by this key:

    pub   4096R/47FD92FA 2014-07-27
          Key fingerprint = 2D43 E932 54EE EA7C B31B  6A77 5E58 18AB 47FD 92FA
    uid                  Qubes OS Debian Packages Signing Key

The key is already installed when you install (signed) template package. 
You can also obtain the key from [git repository][git] which is also integrity-protected using signed git tags.


Installing
----------

Templates can be installed with the following command:

Debian 7 (wheezy) - obsolete/archive:

    [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-7

Debian 8 (jessie) - oldoldstable:

    [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-8

Debian 9 (stretch) - oldstable:

    [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-9


Debian-10 templates are currently available from the testing repository.

Debian 10 (buster) - minimal:

    [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-debian-10-minimal

Because this template was built *before* buster became stable, it cannot be updated without [manually accepting the change in status][5149].
Also, to install additional Qubes packages you will have to enable the qubes-testing repository.


Debian 10 (buster) - stable:

    [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-debian-10

Because this template was built *before* buster became stable, it cannot be updated without [manually accepting the change in status][5149].


Upgrading
---------

To upgrade an existing Debian TemplateVM, please consult [this guide][Upgrading]


Known issues
------------

### Starting services


The Debian way (generally) is to start daemons if they are installed.
This means that if you install (say) ssh-server in a template, *all* the qubes that use that template will run a ssh server when they start. (They will, naturally, all have the same server key.) This may not be what you want.

So be very careful when installing software in Templates - if the daemon spawns outbound connections then there is a serious security risk.

In general, a reasonable approach would be, (using ssh as example):
- Install the ssh service.
- systemctl stop ssh
- systemctl disable ssh
- systemctl mask ssh
- Close down template

Now the ssh service will **NOT** start in qubes based on this template.

Where you **DO** want the service to run, put this in /rw/config/rc.local:

    systemctl unmask ssh
    systemctl start ssh

Don't forget to make the file executable.


### Unattended Upgrades

Some users have noticed that on upgrading to Stretch, the unattended-upgrade package is installed.

This package is pulled in as part of a Recommend chain, and can be purged.

The lesson is that you should carefully look at what is being installed to your system, particularly if you run dist-upgrade. 


### Package installation errors in Qubes 4.0

By default, templates in 4.0 only have a loopback interface.

Some packages will throw an error on installation in this situation.
For example, Samba expects to be configured using a network interface post installation.

One solution is to add a dummy interface to allow the package to install correctly:

    ip link add d0 type dummy
    ip addr add 192.168.0.1/24 dev d0
    ip link set d0 up


Contributing
----------------

If you want to help in improving the template, feel free to [contribute]


More information
----------------

* [Debian wiki](https://wiki.debian.org/Qubes)

[Upgrading]: /doc/template/debian/upgrade
[5149]: https://github.com/QubesOS/qubes-issues/issues/5149
[git]: https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-archive-keyring.gpg
[builder]: /doc/qubes-builder/
[contribute]: /doc/contributing/
Templates/Debian changed Initial page 2014-07-28 21:14:28 +00:00			`---`
wiki -> doc migration 2015-04-10 20:17:45 +00:00			`layout: doc`
Update page titles from CamelCase to lowercase-hyphen-separated (closes QubesOS/qubes-issues#1205) 2015-10-14 03:31:03 +00:00			`title: Debian Template`
Remove en/ from URLs (QubesOS/qubes-issues#1333) 2015-10-28 22:14:40 +00:00			`permalink: /doc/templates/debian/`
Change URIs from CamelCase to lowercase-hyphen-separated 2015-10-11 07:04:59 +00:00			`redirect_from:`
Add "/doc" prefix 2016-05-21 07:49:01 -07:00			`- /doc/debian/`
Remove en/ from URLs (QubesOS/qubes-issues#1333) 2015-10-28 22:14:40 +00:00			`- /en/doc/templates/debian/`
Change URIs from CamelCase to lowercase-hyphen-separated 2015-10-11 07:04:59 +00:00			`- /doc/Templates/Debian/`
			`- /wiki/Templates/Debian/`
Templates/Debian changed Initial page 2014-07-28 21:14:28 +00:00			`---`

Some more updates to templates 2015-04-23 05:26:43 +02:00			`Debian template(s)`
Templates/Debian changed Initial page 2014-07-28 21:14:28 +00:00			`===============`

Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 20:29:54 +00:00			`If you would like to use Debian Linux distribution in your qubes, you can install one of the available Debian templates.`
templates update 2015-04-23 16:14:55 +02:00
Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 20:29:54 +00:00			`Updates for these templates are provided by ITL and are signed by this key:`
templates update 2015-04-23 16:14:55 +02:00
			`pub 4096R/47FD92FA 2014-07-27`
			`Key fingerprint = 2D43 E932 54EE EA7C B31B 6A77 5E58 18AB 47FD 92FA`
			`uid Qubes OS Debian Packages Signing Key`

Actually use the new Debian upgrade page 2019-08-22 16:30:06 +00:00			`The key is already installed when you install (signed) template package.`
			`You can also obtain the key from [git repository][git] which is also integrity-protected using signed git tags.`
Templates/Debian changed Initial page 2014-07-28 21:14:28 +00:00
Update debian.md 2018-10-22 13:09:09 +00:00
Group version-specific documents together 2018-01-25 22:03:34 -06:00			`Installing`
			`----------`
Templates/Debian changed Initial page 2014-07-28 21:14:28 +00:00
Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 20:29:54 +00:00			`Templates can be installed with the following command:`
Templates/Debian changed Initial page 2014-07-28 21:14:28 +00:00
Updated info on Jessie and old releases 2017-06-29 23:05:02 -05:00			`Debian 7 (wheezy) - obsolete/archive:`
Some more updates to templates 2015-04-23 05:26:43 +02:00
templates update 2015-04-23 16:14:55 +02:00			`[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-7`
Some more updates to templates 2015-04-23 05:26:43 +02:00
Debian templates - Update information on available templates 2019-07-10 15:43:46 +00:00			`Debian 8 (jessie) - oldoldstable:`
Some more updates to templates 2015-04-23 05:26:43 +02:00
templates update 2015-04-23 16:14:55 +02:00			`[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-8`
document that there is no progress indicator since this caused a confused user to ask on the mailing list 2016-01-20 16:00:53 +01:00
Debian templates - Update information on available templates 2019-07-10 15:43:46 +00:00			`Debian 9 (stretch) - oldstable:`
Templates/Debian changed Initial page 2014-07-28 21:14:28 +00:00
Make it clear that Stretch template is available in Qubes 4.0 2017-11-28 00:52:39 +00:00			`[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-9`

Mention option for upgrading latest Debian stable template to stretch. 2016-05-21 20:22:30 +08:00
Actually use the new Debian upgrade page 2019-08-22 16:30:06 +00:00			`Debian-10 templates are currently available from the testing repository.`

			`Debian 10 (buster) - minimal:`

			`[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-debian-10-minimal`

			`Because this template was built before buster became stable, it cannot be updated without [manually accepting the change in status][5149].`
			`Also, to install additional Qubes packages you will have to enable the qubes-testing repository.`

Debian templates - Update information on available templates 2019-07-10 15:43:46 +00:00
			`Debian 10 (buster) - stable:`

			`[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-debian-10`

			`Because this template was built before buster became stable, it cannot be updated without [manually accepting the change in status][5149].`


Group version-specific documents together 2018-01-25 22:03:34 -06:00			`Upgrading`
			`---------`

Actually use the new Debian upgrade page 2019-08-22 16:30:06 +00:00			`To upgrade an existing Debian TemplateVM, please consult [this guide][Upgrading]`
document that there is no progress indicator since this caused a confused user to ask on the mailing list 2016-01-20 16:00:53 +01:00

Templates/Debian changed Initial page 2014-07-28 21:14:28 +00:00			`Known issues`
			`------------`

Update debian.md Added some clarifying info about updating to Stretch Closes #426 2017-05-20 21:48:23 +00:00			`### Starting services`
Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 20:29:54 +00:00

			`The Debian way (generally) is to start daemons if they are installed.`
			`This means that if you install (say) ssh-server in a template, all the qubes that use that template will run a ssh server when they start. (They will, naturally, all have the same server key.) This may not be what you want.`

			`So be very careful when installing software in Templates - if the daemon spawns outbound connections then there is a serious security risk.`

			`In general, a reasonable approach would be, (using ssh as example):`
			`- Install the ssh service.`
			`- systemctl stop ssh`
			`- systemctl disable ssh`
			`- systemctl mask ssh`
			`- Close down template`

			`Now the ssh service will NOT start in qubes based on this template.`

			`Where you DO want the service to run, put this in /rw/config/rc.local:`

			`systemctl unmask ssh`
			`systemctl start ssh`

			`Don't forget to make the file executable.`


Update debian.md Added some clarifying info about updating to Stretch Closes #426 2017-05-20 21:48:23 +00:00			`### Unattended Upgrades`
Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 20:29:54 +00:00
			`Some users have noticed that on upgrading to Stretch, the unattended-upgrade package is installed.`

			`This package is pulled in as part of a Recommend chain, and can be purged.`

			`The lesson is that you should carefully look at what is being installed to your system, particularly if you run dist-upgrade.`


Explain why Debian packages may fail to install correctly on 4.0 2018-03-22 00:35:56 +00:00			`### Package installation errors in Qubes 4.0`

			`By default, templates in 4.0 only have a loopback interface.`

Actually use the new Debian upgrade page 2019-08-22 16:30:06 +00:00			`Some packages will throw an error on installation in this situation.`
			`For example, Samba expects to be configured using a network interface post installation.`
Explain why Debian packages may fail to install correctly on 4.0 2018-03-22 00:35:56 +00:00
			`One solution is to add a dummy interface to allow the package to install correctly:`

Fix typo: "thow" and remove extraspaces Fix typo: "thow" and remove extraspaces 2019-02-08 21:18:08 +07:00			`ip link add d0 type dummy`
Explain why Debian packages may fail to install correctly on 4.0 2018-03-22 00:35:56 +00:00			`ip addr add 192.168.0.1/24 dev d0`
			`ip link set d0 up`



Update debian.md Added some clarifying info about updating to Stretch Closes #426 2017-05-20 21:48:23 +00:00			`Contributing`
			`----------------`
Add note on services in Debian templates and install problems Closes QubesOS/qubes-issues/2621 2017-02-09 20:29:54 +00:00
Actually use the new Debian upgrade page 2019-08-22 16:30:06 +00:00			`If you want to help in improving the template, feel free to [contribute]`
Add link to Debian wiki about Qubes 2016-09-15 01:22:29 +02:00
Group version-specific documents together 2018-01-25 22:03:34 -06:00
Add link to Debian wiki about Qubes 2016-09-15 01:22:29 +02:00			`More information`
			`----------------`

			`* [Debian wiki](https://wiki.debian.org/Qubes)`
Update debian.md Added some clarifying info about updating to Stretch Closes #426 2017-05-20 21:48:23 +00:00
Actually use the new Debian upgrade page 2019-08-22 16:30:06 +00:00			`[Upgrading]: /doc/template/debian/upgrade`
Debian templates - Update information on available templates 2019-07-10 15:43:46 +00:00			`[5149]: https://github.com/QubesOS/qubes-issues/issues/5149`
Actually use the new Debian upgrade page 2019-08-22 16:30:06 +00:00			`[git]: https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-archive-keyring.gpg`
			`[builder]: /doc/qubes-builder/`
			`[contribute]: /doc/contributing/`