Chrome OS Could Be Getting Containers for Running Linux VMs (zdnet.com)
Chromebook users may soon have a simpler way to run their favorite Linux distribution and applications on Google's Chrome OS hardware. From a report: As spotted by Chrome Unboxed, there's a newly merged commit in Chromium Gerrit describing a "new device policy to allow Linux VMs on Chrome OS." A related entry suggests support could come with Chrome OS version 66, which is due out in stable release around April 24, meaning Google might announce it at its annual IO developer conference, which starts on May 8. Developers can already use a tool called Crouton to install and run Linux on Chrome OS, but there is a security trade-off because Chrome OS needs to be switched to developer mode to use it. There's also a Crouton extension called Xiwi to enable using an OS in a browser window on Chrome OS. However, it too requires developer mode to be enabled. A recent commit suggests Chrome developers are working on a project called Crostini that may solve the developer mode problem by allowing Linux VMs to run inside a container.
This should suffice: https://store.google.com/produ...
I would be surprised if this was virtualization for containers. Think more of lxc, docker, etc.
I'd rather flash the firmware and then install Cloud Ready, Windows, and GalliumOS. Or at least I would if I cared that much about CrOS. My C720 practically always runs Windows 10, booting into GalliumOS only when I need to unfuck something Windows won't let me unfuck.
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
Modern CPUs that do virtualization on the die mean you don't need massive horsepower to do virtualization. You probably want text-mode Linux rather than a GUI in your VM unless you have extra RAM to spare, though.
You also don't need virtualization for containers.
I have VirtualBox installed on my hacked Celes (Samsung Chromebook 3). It is nothing to write home to mommy about, but it can run another OS fairly well, all things considered.
To be fair though, the Celes has a Celeron CPU, instead of the more "Atom-like" CPUs in most other Intel Chromebooks.
If you want one that is better suited to virtualization/daily driving, you want this guy (especially if you want to upgrade the internal storage to something more reliable than eMMC/microSD)
https://www.amazon.com/dp/B015...
Features an i3 processor, with NGFF SSD socket.
Linux VMs to run inside a container
That commit in the article has absolutely NOTHING to do with containers. There is almost no reason to run a VM inside of a container. Sometimes you run a container in a VM.
And better yet, containers and VMs are two ENTIRELY DIFFERENT CONCEPTS.
Docker: LXC Containers
VirtualBox: Hardware Virtualization
These are NOT INTERCHANGEABLE. They may be used as substitutes for each other or in conjunction with each other, but the connotations here are WRONG. Obviously, the "editors" here are too busy blaming things on Russia and Pai to bother checking articles and summaries. Now that I have gone back and reread the summary, I noticed that msmash wrote this which means that she is purely ignorant. Sad.
Well... as someone who still runs Solaris (yeah yeah, get over it), I run VirtualBox (VM) instances inside Solaris Zones (proper containers) on x86_64 (backed by ZFS vols).
This setup has been my daily driver work desktop for years (ie: Run mandated windows SOE desktop, perform vagrant style spin ups of whatever the hell we are fighting then push the images to environment du jour).
In addition to the testimony of other users about running VirtualBox and using VT-x CPU extensions,
keep in mind that TFS mentions *containers*,
i.e. sort of super-chroots that use in-kernel features (cgroups) to partition more than just file system directories, but every other resource too, like CPU scheduling, etc. (unlike vanilla chroot, so they are a bit more secure).
Everything runs under the same kernel (so a bit less secure than full-blown emulators like qemu, virtualbox, etc.); there's no emulation at all, and a single kernel is responsible for scheduling all the resources among containers.
So basically, containers (e.g. LXC, Docker, etc.) are as lightweight as a chroot. You can run a couple of them even on a Raspberry Pi. Any half-decent Chromebook would have no problems at all.
The only actual limits would be RAM depending on how much software will be running at the same time among all the containers.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
You don't run "Linux VMs inside a container", you run processes or Linux distributions inside containers.
I went several layers deep into TFA and I must admit, I'm still confused as to what exactly is being added to ChromeOS, so I wouldn't blame the editors here who are unlikely to be as knowledgeable about the ins and outs of virtualization, containers, UML, chroot, etc.
Here's the problem: The reports claim Google is using both terms. The commit reads this:
Clears it up right? Well, kinda, except according to the same website, crosh has recently had commands added for "running programs inside a container".
This could mean one of eleventeen things. They include:
1. Both LXC style container technology and VMWare style VMs are coming to ChromeOS.
2. Google is using the term "container" to describe some kind of lightweight VM type technology that'll appear in ChromeOS.
5. Google has no idea what VMs are and/or has no idea what containers are, and has confused them, and is planning an LXC style sandboxing environment for ChromeOS.
6. Like 5. but Google knows, it just doesn't care.
9. chromeunboxed is actually making shit up.
I have no idea what the truth is. I'm guessing 6 simply because the low spec of most Chromebooks would make 2 less likely.
You are not alone. This is not normal. None of this is normal.
I know nothing about ChromeOS code. So clearly I shouldn't be surprised that I'm struggling to make sense of this commit. But the size of this change seems small enough that I might expect to at least be able to make the two ends meet (the part storing and managing the new policy key and the part that reads that key and acts upon it).
https://chromium-review.google...
But I can't. All I see are things related to storing and managing the key. I don't understand how this newly created "thing" has any effect on the operation of the OS. Where is that policy checked? I assume there's some application layer outside of this structure that's acting upon the value of this new key, yes? Where could one find that?
Come on!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Touchscreen Chromebooks have been running android apps for about a year or so. ChromeOS has a full strength, desktop grade browser which is a much better experience than any mobile browser. Android apps are surprisingly good on ChromeOS now... Devices like Samsung's Chromebook Plus are basically what tablets want to be when they grow up. The bonus is being able to run Linux, and by adding container support, it would make that experience better and potentially much more secure than running crouton. One of the best features of ChromeOS devices is how easy to manage and restore they are compared to "full strength" OS devices.
-- $G
Container is a generic term. Solaris provides a service called Zones, which are based on FreeBSD Jails (but with a few improvements over the older Jails, such as full network-stack virtualisation and support for SysV IPC, both of which I think are now supported in FreeBSD). Linux provides a bunch of services that can be cobbled together to provide more or less the same abstractions.
I am TheRaven on Soylent News
I used to run Windows 98 and Fedora 1.0 in an x86 emulator on a 1.25GHz PowerPC Mac with 1GB of RAM. Even most low-end Chromebooks are more powerful than that old machine. The overhead of the virtualisation is pretty low (10-20%) and if it's a container then it's negligible. The real cost is from the stuff that you run inside the VM.
This is awesome! Currently using crouton, and it works well, it's just a hack. It would be exceptionally nice for it to be an officially supported feature. What other company would do this for the niche geek market? I am often tempted to boycott Google products because of their workplace politics and the scary knowledge they possess about what I am thinking based on what I have entered into a search box... but if they keep producing things that work and are open... maybe they can have my data. Just lay off the stupid workplace politics...
So, they're making Chrome OS move toward Android. Anyone surprised?
I'm only surprised that Google can't make Chrome for Android worth half a shit, which is the only reason ChromeOS even exists. It remains grossly inferior to the real Chrome.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Android apps are surprisingly good on ChromeOS now.
Dude, do you own a Chromebook?
I have a Samsung Chromebook 3 and IMHO APKs on Chromebook suck, at least on the graphics support, and that's the only thing you'd care about when running an Android application. It feels like running an Android VM.
Running a container has exactly the same cost as launching a process. A container IS just a process -- restricted to a certain folder which it sees as the "root" folder, restricted to a particular artificial view of the filesystem as dictated by the container definition, and with limited permissions, and with network interfaces, IP addresses, etc defined by the container definition. Effectively the container is simply an elaborate definition of how to launch a process in a particular way, taking advantage of a number of Linux kernel features that can change the perceived environment seen by the process.
Now that single process can launch other processes -- but those child processes also see the same environment as the parent process. So in principle, you could have a container that defines a root folder that "looks like" an Ubuntu distribution, and the single process you launch is /sbin/init to start things running.
The process launched within a container can even believe it is root, seemingly having all of the privileges of root -- within the restrictions defined by the container.
I'll see your senator, and I'll raise you two judges.
He said "now"... that might suggest that the comment is only relevant to chromebooks that have come out more recently.
File under 'M' for 'Manic ranting'
The upside of Chromebooks is that Linux is almost guaranteed to have drivers that work with the hardware. Sure my Celeron 3215U isn't super powerful but it works for my needs. I probably should have gotten a Dell CB13, but eh, maybe in the future.
People who don't think of themselves as so important that anyone else would find anything they might do interesting enough to bother to snoop on.
In practice, the biggest potential security issue is passwords, and on ChromeOS, those are kept locally on the device, and never uploaded to Google.
For most people, everything else that might get uploaded isn't going to be interesting enough for anybody else to care.
I don't know infosec from hookers and blow, but I can tell you that a Chromebook in the hands of your children (or older parents, for that matter) is pretty darned sweet. Kids try very hard to fuck things up - even Android tablets are not immune. But the most involved thing I've ever had to do on one of the Chromebooks is to uninstall a naughty extension. They are limited, but I really don't care if Google watches my kids do their homework or monitors how many variations of the Tide Pod Challenge they watch. Eventually they'll probably want a Mac or Windows machine, but for now it is family IT guy bliss.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
I think technically you're supposed to pay Oracle $1 each time you say, read or write the word 'container'.
Container. Container. Container.
I've got some S&P tracker ETFs so I guess that means I own some ORCL shares indirectly.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Everyone is worth spying on. If you have $10 in your bank account, you're worth a few seconds of a robot's time to try to rip off. As Geddy Lee explained: "Ten bucks is ten bucks."
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
You're part of the problem.
Well, yes, because you are defining something that has no effect on you to be a "problem". It might be, but it's not your problem.
In a few generations they will know exactly how to tweak people to get them to do things they wouldn't normally do.
They already do that. Advertising would be the most obvious example. But if you think the big corporations have more control over us now compared to when they controlled the 3 major TV networks and the one or two local newspapers, well let's just say we disagree.
Touchscreen Chromebooks have been running android apps for about a year or so. ChromeOS has a full strength, desktop grade browser which is a much better experience than any mobile browser. Android apps are surprisingly good on ChromeOS now.
You know what else runs Android apps surprisingly good? ANDROID.
Yes, containers and virt are different yet very related. So besides bashing the article, you should advise us of what the source changes are pointing towards.