On supported Chromebook, starting with Chrome OS 69, a new feature called Linux Apps was introduced.
This allows Chrome OS users, on supported to install normal Linux applications from the Debian repository and have them integrate with the underlying Chrome OS desktop.
The feature has evolved quite a bit since its introduction, including recent work on getting sound, USB and even GPU acceleration to those applications.
On a supported Chromebook, search for “Terminal” in your application list.
Screenshot 2019-01-17 at 3.23.15 PM.jpg2400×1600 559 KB
Selecting it will trigger installation of the Linux Apps support package:
Screenshot 2019-01-17 at 3.24.48 PM.jpg2400×1600 934 KB
Screenshot 2019-01-17 at 3.25.10 PM.jpg2400×1600 912 KB
Once installed, you get presented with a terminal emulator on a system called
Screenshot 2019-01-17 at 3.28.10 PM.jpg2400×1600 283 KB
From there, you can install regular Debian packages:
Screenshot 2019-01-17 at 3.28.54 PM.jpg2400×1600 718 KB
When installing something that comes with a GUI, the appropriate launcher will be added to your Chrome OS launcher. Click on it, and it’ll start the program:
Screenshot 2019-01-17 at 3.32.39 PM.jpg2400×1600 906 KB
Pretty nice and simple, even comes with integration in the file explorer!
Under the hood
Where it gets interesting is how this was all put together.
Chrome OS is designed to be extremely safe, as much of the system as possible is read-only with the majority of user data stored in the cloud and synced as needed.
So how is it that you can now get root access and install whatever you want on your Chromebook?
Well, containers, LXD containers specifically.
When you install the Linux apps support, a small read-only virtual machine is setup (it’s called
termina), LXD runs inside that virtual machine and is provided some amount of persistent storage for the containers.
A default container, called
penguin is then created for you from a small Debian based image distributed by Google. That container is passed a number of devices and sockets so it can interact with the Chrome OS desktop.
ChromeOS itself also knows how to interact with the container to pull things like the list of installed desktop applications, access the files stored in the container, …
Using LXD directly
So the default setup is nice and all, but this all means that you actually do have a working LXD daemon on your Chromebook, so can’t you start more containers, run different Linux distributions, … ?
Yes, yes you can.
The first thing you’ll want to do is get into the VM itself rather than inside the container.
To do so, you need to get a
crosh terminal by pressing
<ctrl>+<alt>+t, this will look like this:
Screenshot 2019-01-17 at 3.33.44 PM.jpg2400×1600 388 KB
vmc start termina
This will get you a shell inside the
termina virtual machine.
From there, you can directly interact with LXD:
Screenshot 2019-01-17 at 3.34.17 PM.jpg2400×1600 495 KB
As you can see, there is that
penguin container running in there.
Screenshot 2019-01-17 at 3.39.43 PM.jpg2400×1600 703 KB
And you can launch a few more containers of various Linux distributions and interact with LXD as you normally would on any system.
Getting the LXD client tool inside the
Having to do that
vmc dance every time you want to interact with LXD may get a bit annoying after a while. Not to mention that
termina is seriously locked down so it’s not a particularly great environment to work from.
As LXD can be driven over the network, how about we access it from that
penguin container instead?
First thing, you’ll want LXD to listen to the network and setup a trust password, do this from within
- lxc config set core.https_address :8443
- lxc config set core.trust_password some-password
Then we’ll want to copy a working LXD client that will work on Debian.
If you followed the previous instructions, you’ll have an Ubuntu 18.04 container called
c1 which conveniently come with a pre-installed version of the LXD client which we can copy into the
Screenshot 2019-01-17 at 3.54.55 PM.jpg2400×1600 459 KB
With that done, you can now get yourself a normal
Terminal shell and run:
Screenshot 2019-01-17 at 3.52.50 PM.jpg2400×1600 620 KB
Here you need to look for the gateway address of the
penguin container, this will be the
termina VM and so the address of our LXD server. After that, you add it as a remote and make it the default remote so all LXD commands go to it by default.
After that, you can interact with LXD exactly as you would on any other system, including now having a nicely working shell to drive it from
Low level details
For this feature to be supported, you need a Chromebook that’s still actively supported by Chrome OS and have hardware support for virtualization. Both x86_64 and aarch64 machines will work with this feature.
LXD is configured in a way which only allows for unprivileged containers to be run.
This combined with the intermediate virtual machine that’s used on a per-user basis makes the entire environment extremely safe and makes attacking the host largely impossible (you’d need both a container & VM escape).
Currently most Chromebooks use LXD 3.0.0 but an update is actively rolling-out now bringing them to 3.0.2. Storage is using btrfs, allowing for fast container creation, snapshots and copies.
It’s possible to install and run Docker inside the LXD container though not all images will work properly as they may not have been designed with unprivileged containers in mind and so may be surprised when some specific actions are rejected by the kernel.
The original version of this blog was posted here.