Crostinis and croutons

Chrome OS Pixelbook Field Notes

My notes on Chrome OS, Crostini, Crouton, and the Google Pixelbook.

System Utilities

crossystem

You can use the Chrome OS firmware/system interface utility crossystem to list, read, and set firmware and system interface settings; you must run it from a crosh or developer mode root shell.

Common commands you should know for getting started.

List all settings:

localhost ~ # crossystem  --all

Enable boot from USB (with CTRL+U):

localhost ~ # crossystem dev_boot_usb=1

See Generic Chrome OS Device Instructions for more examples.

LXC, vmc, and friends

Inside a crosh shell (CTRL+ALT+T in Chrome browser), you can define and start your own virtual machines with different base Linux distributions (the default VM runs Debian 9).

Start the termina VM and launch an Ubuntu 18.04 based container:

crosh> vmc start termina
(termina) chronos@localhost ~ $ lxc list
+---------+---------+-----------------------+------+------------+-----------+
|  NAME   |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+-----------------------+------+------------+-----------+
| penguin | RUNNING | 172.17.0.1 (docker0)  |      | PERSISTENT | 0         |
|         |         | 100.115.92.206 (eth0) |      |            |           |
+---------+---------+-----------------------+------+------------+-----------+
(termina) chronos@localhost ~ $ lxc launch ubuntu:18.04 seatec
Creating seatec
Starting seatec

List containers:

(termina) chronos@localhost ~ $ lxc list
+---------+---------+-----------------------+------+------------+-----------+
|  NAME   |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+-----------------------+------+------------+-----------+
| penguin | RUNNING | 172.17.0.1 (docker0)  |      | PERSISTENT | 0         |
|         |         | 100.115.92.206 (eth0) |      |            |           |
+---------+---------+-----------------------+------+------------+-----------+
| seatec  | RUNNING | 100.115.92.198 (eth0) |      | PERSISTENT | 0         |
+---------+---------+-----------------------+------+------------+-----------+

Get a root shell and set the ubuntu user’s initial password:

(termina) chronos@localhost ~ $ lxc exec seatec -- /bin/bash
root@seatec:~# passwd ubuntu
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@seatec:~# exit
exit

Login via console:

(termina) chronos@localhost ~ $ lxc console seatec
To detach from the console, press: <ctrl>+a q

Ubuntu 18.04.1 LTS seatec console

seatec login: ubuntu
Password:
run-parts: /etc/update-motd.d/98-fsck-at-reboot exited with return code 1

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

Use CTRL+a q to exit console.

U2F key functionality

The Pixelbook contains a built-in hardware U2F module; you can activate and use it by pressing the power button as needed.

To enable this experimental feature:

Start a crosh shell (CTRL+ALT+T in Chrome browser) and set the following u2f_flags value.

crosh> u2f_flags g2f

  ### IMPORTANT: The U2F feature is experimental and not suitable for
  ### general production use in its current form. The current
  ### implementation is still in flux and some features (including
  ### security-relevant ones) are still missing. You are welcome to
  ### play with this, but use at your own risk. You have been warned.

You can check U2F functionality with this U2F Demo.

Step 1: Register U2F token

  1. Leave the example values under Step 1 as-is
  2. Select Register Token
  3. Tap power button when the message Unplug and plug-in your U2F Security Key now. appears
  4. You should observe a green check-mark and the phrase Registered okay!

Step 2: Login with U2F token

  1. Select Test Login
  2. Tap power button when the message Unplug and plug-in your U2F Security Key now. appears
  3. You should observe a green check-mark and the phrase Login Accepted!

You should heed the warning observed when enabling, and not use this feature for anything too serious right now.

Crouton

These are my notes on Crouton.

You can still use this solution alongside Crostini to get different Linux userland experiences via a chroot, while retaining device hardware support and other capabilities that are not yet present in the official Crostini container-based solution.

Here are some example Crouton post-install tips that appear after installing a new environment; take note of them:

  • Audio from the chroot will forward to CRAS (Chromium OS audio server), through an ALSA plugin.
  • Future Chromium OS upgrades may break compatibility with the installed version of CRAS. Should this happen, simply update your chroot.
  • You can flip through your running chroot desktops and Chromium OS by hitting Ctrl+Alt+Shift+Back and Ctrl+Alt+Shift+Forward.
  • You can start KDE via the startkde host command: sudo startkde

Enter the chroot in the simplest way from the Chrome browser using:

CTRL+ALT+T
crosh> shell
chronos@localhost / $ sudo enter-chroot

Docker on Crostini

You can enable Docker on the Pixelbook, and run reasonable Docker workloads for experimentation, development, and testing.

This guide should have you up and running in little time.

Install Software

You must first install some dependencies used to fetch and configure the Docker package repository.

sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common

Add Docker signing key:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
    | sudo apt-key add -

Add Docker repository:

sudo add-apt-repository \
  "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable"

Install Docker CE:

sudo apt-get update && \
  sudo apt-get install -y docker-ce

Edit configuration

NOTE: The ChromeOS Crostini security model doesn’t permit persisting settings like these, so you must perform these steps any time you restart or power cycle the device.

As of ChromeOS 70, a regression in runc prevents Docker containers from launching. You might see an error like:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"could not create session key: function not implemented\"": unknown

To work around this, you must unset a specific blacklisted syscall entry (“keyctl errno 38”) on the container profile. Open crosh with CTRL+ALT+T, then run the following steps:

crosh> vmc start termina
(termina) chronos@localhost ~ $ lxc profile unset default security.syscalls.blacklist
(termina) chronos@localhost ~ $ lxc profile apply penguin default
(termina) chronos@localhost ~ $ lxc restart penguin

This restart often hangs and requires CTRL+C and another attempt before it works. If it worked, lxc list will show the docker0 network interface on the penguin container:

(termina) chronos@localhost ~ $ lxc list
+---------+---------+-----------------------+------+------------+-----------+
|  NAME   |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+-----------------------+------+------------+-----------+
| penguin | RUNNING | 172.17.0.1 (docker0)  |      | PERSISTENT | 0         |
|         |         | 100.115.92.194 (eth0) |      |            |           |
+---------+---------+-----------------------+------+------------+-----------+
(termina) chronos@localhost ~ $ CTRL+D
crosh> CTRL+D

This lifts the syscall blacklist for the penguin container, so the container runs with one less sandbox restriction until the setting reverts on the next restart.
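Added example, not part of the original notes: a small POSIX shell helper for the workaround above. It parses the lxc profile and lxc list output formats shown in these notes, applies the unset/apply/restart steps only when keyctl is still blacklisted, and reports whether docker0 appeared. The SAMPLE_* inputs are constructed, and run_workaround assumes it is executed inside the termina VM where lxc is available.

```shell
#!/bin/sh
# Added example (not from the original notes): parsers for the lxc output shown
# above plus a wrapper that only lifts the blacklist when keyctl is still set.
# The SAMPLE_* inputs are constructed, modelled on the termina output in the notes.

# stdin: `lxc profile show <profile>` YAML. Prints "blocked" when the
# security.syscalls.blacklist entry names keyctl, otherwise "clear".
keyctl_blacklist_state() {
    if grep -qE '^[[:space:]]*security\.syscalls\.blacklist:.*keyctl'; then
        echo blocked
    else
        echo clear
    fi
}

# stdin: an `lxc list` table. Prints "yes" when container $1 has an IPv4 row
# tagged (docker0). Continuation rows leave NAME blank, so carry the name forward.
container_has_docker0() {
    awk -F'|' -v want="$1" '
        /^\|/ {
            name = $2; gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name != "") cur = name
            if (cur == want && $4 ~ /\(docker0\)/) found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# Runs the workaround from the notes only when needed, then reports docker0.
# Assumes it is run inside the termina VM, where lxc is available.
run_workaround() {
    command -v lxc >/dev/null 2>&1 || { echo "lxc not found; run inside termina" >&2; return 1; }
    if [ "$(lxc profile show default | keyctl_blacklist_state)" = blocked ]; then
        lxc profile unset default security.syscalls.blacklist
        lxc profile apply penguin default
        lxc restart penguin
    fi
    lxc list | container_has_docker0 penguin
}

SAMPLE_PROFILE='config:
  security.syscalls.blacklist: keyctl errno 38
name: default'

SAMPLE_LIST='+---------+---------+-----------------------+------+------------+-----------+
|  NAME   |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+-----------------------+------+------------+-----------+
| penguin | RUNNING | 172.17.0.1 (docker0)  |      | PERSISTENT | 0         |
|         |         | 100.115.92.194 (eth0) |      |            |           |
+---------+---------+-----------------------+------+------------+-----------+'
```

Run the two parsers against real output with `lxc profile show default | keyctl_blacklist_state` and `lxc list | container_has_docker0 penguin` before and after the workaround to confirm which state the container is in.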

Add User to Docker Group

If you want to run docker as your own container user, you need to add that username to the docker group. You must do this in a Penguin container Terminal session:

$ sudo usermod -aG docker $(whoami)

You’ll need to close all instances of Terminal and start a new one for this change to take effect.

Run Example Container

Once you start a new Terminal instance, the example Docker container should run as a basic functionality check:

$ docker run hello-world
...snip...
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
198f93fd5094: Pull complete
Digest: sha256:56433a6be3fda188089fb548eae3d91df3ed0d6589f7c2656121b911198df065
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.
...snip...