LXC containers? #364
I gave a quick try at LXC, but I didn't manage to get it to work on my Arch laptop, so I got bored of it and gave up (maybe I should try again)... Instead I went for a lower level approach (dirty branch here: https://github.com/drinkcat/chroagh/commits/container.tmp), and I managed to "boot" Arch in a container, directly from Chrome OS. My idea is that it would be neat to start the crouton chroots in their own containers, so we can use systemd services, shut down chroots in a cleaner way (processes belonging to the chroot are clearly separated), control hardware access, etc. So, in short, kernel support is available, and it's something I'd really like to get working. The only issue I have now is that the kernel for Samsung ARM is still stuck on 3.4, so it lacks some features, like being able to rejoin an existing container (important for crouton), or create a new instance of Now, back to LXC, I see 2 options:
@kyle - Hadn't heard of 'LXC Containers' but after Googling it I think this @drinkcat - Are 'croagh' 'c_h_roagh' the same thing? I had a ' On Thu, Sep 12, 2013 at 12:04 AM, drinkcat [email protected] wrote:
DennyL@GMail
@drinkcat, Thanx for clearing that up, I guess I didn't understand exactly I had downloaded your 'chroagh' repo (7a16b4b) but hadn't installed it and P.S. I'm due to get my 128GB SSD for my Acer C7 today so I'm excited! On Fri, Sep 13, 2013 at 10:44 AM, drinkcat [email protected] wrote:
DennyL@GMail
@DennisLfromGA. First off, the container thing will not be in my next rebase, there is still quite a bit of work to be done, and I need to wait for kernel 3.8 to be pushed on the ARM Chromebook to get some important features. On the other hand, you are still welcome to test ArchLinux ,-)

About containers vs chroot: A normal chroot just changes the root filesystem of the current process. This is by no means secure (there are easy ways to escape), and does not really isolate processes you run in the chroot from the outside. Namespaces are far more powerful. It's basically a set of kernel features that allows you to separate a set of processes from another, very similar to a virtual machine, but without the overhead of that. You can choose at what level you want to isolate the processes: mount, PID, network, user, etc. (see this article for details: https://lwn.net/Articles/531114/). LXC, systemd-nspawn are tools using those features.

My main reason for trying this out is issue drinkcat#8 by @kdb424. systemd, the init system shipped with Archlinux, is not able to start services, like ssh, in a chroot (unlike upstart used by Ubuntu). By using a PID namespace, you can start a "proper" init process, with PID 1, and you "boot" the system: you see init starting services, and then you get a login prompt: just like when you boot a regular Linux machine. When you are done with the container, you type "halt", and it shuts down, terminating all the processes in the container. So neat and satisfying ,-)

Using a mount namespace is also useful: no more polluting of the output of Finally, user namespace allows a normal user (chronos on Chrome OS) to be root inside the chroot. I haven't tested that yet (it needs kernel 3.8), but I think that would mean we would not need to add UTS namespace would allow a different hostname in chroot. And network namespace could isolate the chroot from the network. Not quite sure why we would want either of those, but we could do it ,-)

In short, quite a bit of potential I think. Still a lot of work to be done to see exactly what it can bring to crouton, and where the limitations are when using some of the namespaces.
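The PID, mount, UTS and user namespaces described in the comment above can be seen directly with util-linux `unshare(1)`. The script below is an added example, not crouton's or drinkcat's code; it assumes a Linux host with util-linux and a kernel that permits unprivileged user namespaces (or root), and it reports rather than fails where that is not the case. The child shell is PID 1 in its own namespace, sees a `/proc` that lists only itself, has its own hostname, and (via the user namespace) is uid 0 without the caller being root on the host.

```shell
#!/bin/sh
# Added example (not from the crouton project): what PID, mount, UTS and user
# namespaces do, using util-linux unshare(1). Needs a kernel that allows
# unprivileged user namespaces, or root; otherwise the demo says so and exits 0.

# Namespace identity of the calling process, e.g. "pid:[4026531836]".
# Two processes report the same value only if they share that namespace.
ns_id() {
    readlink "/proc/self/ns/$1"
}

# What a process in fresh user+PID+mount+UTS namespaces sees: it is PID 1 (like
# an init), /proc lists only the new namespace, the hostname is private to it,
# and the unprivileged caller is mapped to uid 0 inside.
demo_container_view() {
    unshare --user --map-root-user --pid --fork --mount-proc --uts \
        sh -c 'hostname crouton-demo
               echo "pid=$$ uid=$(id -u) host=$(hostname)"
               ps -o pid,comm' 2>/dev/null
}

# Returns 0 when a child started with a new PID namespace reports a different
# namespace id than the parent, 1 when unshare is not permitted here.
pid_ns_differs() {
    parent=$(ns_id pid)
    child=$(unshare --user --map-root-user --pid --fork \
                sh -c 'readlink /proc/self/ns/pid' 2>/dev/null) || return 1
    [ -n "$child" ] && [ "$child" != "$parent" ]
}

# Stand-alone run.
demo_container_view || echo "cannot unshare into a user namespace here (needs user namespaces or root)"
if pid_ns_differs; then
    echo "parent pid ns: $(ns_id pid); the child ran in a different one"
fi
```

Compare the `pid=1` line with `ps` on the host: the same shell has an ordinary PID there, which is why a container init can be started and stopped as a unit without touching host processes.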
Thanx @drinkcat for the explanation, I'll read through the article you On Sat, Sep 14, 2013 at 12:12 AM, drinkcat [email protected] wrote:
DennyL@GMail
Have you considered something like docker? It wraps the lxc subsystem in a pretty nice way.
I'm trying to get docker going on my Google I/O Stumpy's. Docker wants a 3.8 kernel. Looks like Pixel's and Samsung 550's run a 3.8 kernel as of 7/22/2013, but not Stumpy yet.
Thanks... Later: Answered #2 myself, dev channel is using 3.8.11. Will report back when I've answered #1...
The Samsung arm chromebook still appears to be on 3.4. On Sun, Sep 22, 2013 at 12:50 AM, TreverN [email protected] wrote:
Eventually all devices will be on 3.8, but it will be a while.
Is there an easy way to test out 3.8 on one of the older devices?
Switching to dev channel is the easiest, assuming it has 3.8 enabled for dev channel. Otherwise you'd have to compile chromium yourself.
Docker no longer requires a kernel to have aufs compiled into it. http://blog.docker.io/2013/11/docker-0-7-docker-now-runs-on-any-linux-distribution/
It seems that most chromebooks are using kernel >= 3.8. Is there any plan to utilize PID/user/mount namespaces? BTW, I think the stock wrapper, /sbin/minijail0 is very capable. It seems to support mount(including bind)/network/pid namespaces. But I'm not sure if it can be used by non-root user.
Hmm. I have been checking daily for weeks for any updates pushed down the pipe but my Samsung Snowy (ARM v7) is still at 3.4.0. I'm hesitant to go upstream with associated risk.
Yes, stable on the ARM is still 3.4. I've been battling the dev channel and crouton for awhile, so yesterday I power washed, and reverted to stable, so far crouton, with chromium, and xfce targets on default precise release are working very well.
It looks like ARM may get 3.8 soon, I see kernel 3.8.11 being built in the Chromium OS builders:
Yes, I think you're right @drinkcat - I had to powerwash and revert to stable, as even the most basic crouton functions weren't working on the dev channel. After reverting to stable, crouton (xfce, chromium) on precise works well. I expect that the dev channel will be upgraded soon, as there were a multitude of other issues, such as extension flags not being preserved, and random crashes, (more than usual) ... I wonder what the beta channel is like ? I'm surprised at the lack of testing on ARM systems, as it's by far the most popular platform for the Chromebooks, from the data I've seen.
Dev channel is testing.
right. But basic functionality, IMHO, such as extensions and flags still working, ctrl-keys in crosh behaving, not crashing frequently, should generally be supported in a dev channel. Again, IMHO.
@dnschneid and all: I apologize for complaining about my issues with the Dev channel. I should be grateful that for almost a year, I was able to function ok with Crouton while running in it, and shouldn't have taken that for granted. Thank you for retaining Crouton support for those of us on the Samsung ARM, whose stable channel is kernel 3.4.0 and may be so for a while. Crouton has probably been the most useful software ever for Chromebook users. Thanks David, Drinkcat, and all Crouton developers.
@tedm it sounds like beta channel would be ideal for you; it's a pretty happy medium between stability and previewing new features.
Yeah, beta would probably be fine to move to for me, and also since USB sticks, and catching up, aren't needed to change channels anymore on the arm, just powerwashes, it's now simpler to change channels. If the desktop environments, or the clipboard extensions are ARM ready, I'm ready to test those.
On my Acer C720 Chromebook (reports kernel 3.8.11 with uname -r), I have the docker 0.7.5 daemon running in a crouton chroot with Ubuntu raring. I'm using
However I can't yet start a container. Current error is
The issue appears to be that ChromeOS can see the mounts under
Whereas in Ubuntu raring chroot:
I see that @dnschneid, sorry for my ignorance - could take a moment to explain why the
@air: /sys isn't mounted recursively, nor is it mounted shared such that new mounts will appear inside the chroot.
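Both halves of dnschneid's point (a plain bind is not recursive, and a private mount does not propagate later mounts) can be read off `/proc/self/mountinfo`: the optional fields between the mount options and the `-` separator carry `shared:N` / `master:N` tags, and submounts of `/sys` that have no counterpart under the chroot's `/sys` are exactly what a non-recursive bind leaves behind. The script below is an added example, not crouton's own mount code; the mountinfo lines in it are constructed (the chroot path `/usr/local/chroots/raring` is an assumption, as is the `share_sys_into_chroot` helper, which runs the real `mount --make-rshared` / `mount --rbind` only as root).

```shell
#!/bin/sh
# Added example (not crouton's mount code): inspect mount propagation and
# missing submounts from a mountinfo file, then the fix dnschneid describes.

# Propagation type of MOUNTPOINT in a mountinfo FILE: shared, slave or private.
# Usage: mount_propagation FILE MOUNTPOINT
mount_propagation() {
    awk -v mp="$2" '
        $5 == mp {
            prop = "private"
            # optional fields sit between field 6 and the "-" separator
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) prop = "shared"
                else if ($i ~ /^master:/ && prop != "shared") prop = "slave"
            }
            print prop; exit
        }' "$1"
}

# Host submounts below HOST_MP that do not exist below CHROOT_MP, i.e. what a
# non-recursive bind of HOST_MP into the chroot does not carry across.
# Usage: missing_submounts FILE HOST_MP CHROOT_MP
missing_submounts() {
    awk -v host="$2" -v chroot="$3" '
        { mps[$5] = 1 }
        END {
            for (m in mps) {
                if (index(m, host "/") == 1) {
                    rel = substr(m, length(host) + 1)
                    if (!((chroot rel) in mps)) print m
                }
            }
        }' "$1" | LC_ALL=C sort
}

# The fix: recursive bind plus shared propagation, so submounts present now and
# mounts the host adds later both show up in the chroot. Real mounts need root;
# otherwise this prints what it would run. Hypothetical helper, not crouton's.
share_sys_into_chroot() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "would run: mount --make-rshared /sys; mount --rbind /sys $1/sys"
        return 0
    fi
    mount --make-rshared /sys && mount --rbind /sys "$1/sys"
}

# Constructed sample (not a real Chrome OS mountinfo): / is shared, /sys is
# private with three submounts, and the chroot has a plain bind of /sys only.
SAMPLE_MOUNTINFO=$(mktemp)
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
21 25 0:20 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
22 21 0:6 / /sys/kernel/debug rw,relatime - debugfs debugfs rw
23 21 0:21 / /sys/fs/cgroup rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
24 23 0:22 / /sys/fs/cgroup/cpu rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu
30 25 0:20 / /usr/local/chroots/raring/sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
EOF

# Stand-alone run against the sample.
CHROOT=/usr/local/chroots/raring
echo "/sys on host is $(mount_propagation "$SAMPLE_MOUNTINFO" /sys)"
echo "not visible in the chroot:"; missing_submounts "$SAMPLE_MOUNTINFO" /sys "$CHROOT/sys"
share_sys_into_chroot "$CHROOT"
```

Run the same two functions against `/proc/self/mountinfo` to check a live system; the cgroup hierarchies under `/sys/fs/cgroup` are among the submounts a plain bind leaves out, which is the kind of thing lxc-start and the docker daemon then complain about.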
Thanks @dnschneid, I patched my
This works - inside the chroot we can now see This brings us to the next error, a 'device busy' from lxc-start:
I'd like to run
So next step is perhaps to sanity check that LXC is capable of running anything. Any advice appreciated : )
So However with ChromeOS as the host, we are running a non-Ubuntu kernel 3.8.11, from Google. Ubuntu does not have headers for non-Ubuntu kernels, so It does appear possible to get ChromeOS kernel headers by building them, but it looks a bit hairy: http://superuser.com/questions/657845/cannot-install-3-4-linux-headers-on-acer-c7-chromebook-running-chrubuntu-12-04 I will give up on lxc-checkconfig for now.
OK, so I didn't give up quite yet : ) Here's the output of
To get the magic
You don't have to fully build the Linux headers to get the config file to check against. The only step you need is It looks like the LXC tool is just checking flags in the config. So e.g. Could someone more expert comment on what this means, maybe @ccaapton or @dnschneid? My interpretation here is that features required for LXC are simply not compiled into the ChromeOS kernel (3.8 branch); so LXC cannot function on Chromebooks. Is that correct?
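As the comment above observes, lxc-checkconfig only greps a kernel config for option flags, so the check can be reproduced without building the Chrome OS kernel headers at all. The script below is an added example, not the lxc-checkconfig script and not crouton's code; it assumes a kernel config is readable either as a plain `.config` or, on a kernel built with `CONFIG_IKCONFIG_PROC`, as `/proc/config.gz`, and the option list is the namespace and cgroup set lxc-checkconfig reports on. The sample config embedded in it is constructed to show what a result looks like when some of the features are compiled out.

```shell
#!/bin/sh
# Added example (not lxc-checkconfig itself, not crouton's code): check a kernel
# config for the namespace and cgroup options containers need, the same kind of
# flag check lxc-checkconfig does. Works on a plain .config or a config.gz.

# Options lxc-checkconfig reports on. CONFIG_USER_NS is the one that only
# arrived with the 3.8 kernel discussed in this thread.
LXC_REQUIRED_OPTS="CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_PID_NS
CONFIG_USER_NS CONFIG_NET_NS CONFIG_CGROUPS CONFIG_CGROUP_DEVICE
CONFIG_CGROUP_FREEZER CONFIG_VETH CONFIG_MACVLAN"

# Path of a readable config for the running kernel, or nothing.
# /proc/config.gz exists only when the kernel was built with CONFIG_IKCONFIG_PROC.
kernel_config_path() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# Print each required option that is neither built in (=y) nor a module (=m).
# Usage: lxc_missing_options /proc/config.gz
lxc_missing_options() {
    cfg_file=$1
    case "$cfg_file" in
        *.gz) reader=zcat ;;
        *)    reader=cat ;;
    esac
    for opt in $LXC_REQUIRED_OPTS; do
        if ! $reader "$cfg_file" | grep -q "^$opt=[ym]\$"; then
            echo "$opt"
        fi
    done
}

# Constructed sample (not a real Chrome OS config): user namespaces and the
# device cgroup are compiled out, macvlan is a module.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
# CONFIG_USER_NS is not set
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEVICE is not set
CONFIG_CGROUP_FREEZER=y
CONFIG_VETH=y
CONFIG_MACVLAN=m
EOF

# Stand-alone run: the sample first, then the running kernel if its config is readable.
echo "sample config is missing:"; lxc_missing_options "$SAMPLE_CONFIG"
cfg=$(kernel_config_path)
if [ -n "$cfg" ]; then
    echo "$cfg is missing:"; lxc_missing_options "$cfg"
fi
```

An empty list from `lxc_missing_options` means the features are present in the kernel, and a failure to start containers then lies elsewhere (mount propagation, cgroup mounts, the chroot setup); a non-empty list means no amount of userland work inside the chroot will make LXC start on that kernel.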
@perpen, could you post the container.json you used with nsinit? |
Hi, Just a quick heads up here about recent changes in the Chrome OS kernel. We've enabled some of the needed options to run Docker/LXC on R45 (current ToT). We've only enabled this on kernel versions 3.14 and 3.18. Container support isn't deemed solid in kernels before that, so unfortunately those platforms won't see it enabled. For reference, the platforms running the 3.14 kernel are Rockchip, the 2015 Chromebook Pixel and other Broadwell-based Chromebooks.
kaboom — @olofj you're da bomb!
Is there any chance that these kernel versions will trickle down to current ARM-based Chromebooks? |
Note that the recently introduced RK3288-based Chromebooks run 3.14. |
@olofj I'm really excited about your news, can't wait to try it! @ccaapton no I didn't try uid remapping, I suppose we could remap chronos to root but I'm not sure about the benefit? I would quite like being able to load modules from the container for example (although I didn't test that). @bendavis78 for the container config I have been using you can have a look at https://github.com/perpen/chromeos-nsinit. As I said earlier I did not test nsinit with the vanilla kernel, so if you try it please let me know the result.
@olofj That's a good news. And it's nice to see you show up here to tell us that. :)
wondering if anyone has written a howto for this yet? with latest docker, here is how far i get sudo docker -d --storage-driver=vfs --iptables=false -g ~/data/docker Any ideas on how to solve the cgroup mount error? and with -D output sudo docker -d --storage-driver=vfs --iptables I've been using docker in virtualbox on my chromebook for a bit, and would love to be able to move out of virtualbox. sudo docker version
Given that there was no answer since June 27th I guess we shouldn't be holding our breath for LXC to come to life inside a crouton chroot? No major architectural overhaul planned by chance. Will use chroot to code but will probably need to lxc-start my containers on a separate box...can't give up on the sheer speed this chrome os chroot combo offers...
An interesting question has been posed in the 'Chromium OS Discuss forum' - Docker support in kernel.
Did anyone get this working? I have chrome book pixel, which is supposedly supported by the update. I am on the beta channel, do I have to get on the dev channel for this? I can
In fact, Chrome OS is an obsolete platform. Google gave up on developers a long time ago. Let's see what it will be with the Andromeda project. But IMHO, you will lose less time by migrating to Linux/macOS/Windows platforms.
@HLFH bummer, I really liked working in it. It's been good. I got by working on c9 and crouton crust for a while but now I need to get real work done. Welp, guess I'm going with Linux. I'm diving into Linux Mint on my old PC.
I thought this is their way of getting developers to use their google cloud platform? I get it, but I can't pay into that. Maybe if their next chromebook/andromedia-like machine included X years of cloud support on it, but that still doesn't address the problem of dev needs being met secondarily. It's getting in the way of my work trying to find work around, but it's part of the dev life I suppose.
@dnschneid Chrome Dev Editor is discontinued. No Arch Linux support for Crouton. And apparently, Google gave up not only on developers but also on the American people: Eric Schmidt & Google were supporting the globalist Clinton: we've seen a lot of people showing evidence that Google Search was biased in favor of Hillary Clinton during the Democratic Party presidential primaries, and during the US presidential election.
I think that this is not the appropriate forum for your political complaints.
Chrome Dev Editor is discontinued. No Arch Linux support for Crouton. ≠ Chrome OS is an obsolete platform
I was mostly just disappointed that no political candidate made a platform of pushing a timeline for crouton to use containers, and that nobody in the media commented on the candidates' preferred proportion of salad to croutons. Priorities, people!
I don't see the big deal about lxc containers. Few chromebooks are powerful enough to really use containers and VMs IMHO. On an i7 desktop with 16GB of RAM, I use docker and core os, and virtualbox, but I wouldn't see a big use of these on chromebooks. I'm waiting for my Toshiba 2 to be able to run Android apps. It's not a deal killer if it doesn't, as this doesn't have a touch screen. I read that Trump (uggh) uses a Samsung phone, but his staffers use iphones. I am not sure what I'm going to get after my Nexus 6, but probably not the Pixel, just too pricey. I like the security of the iphones, but not a big apple fan either.
re: arch - I got my Pine64 1.2Ghz / 1GB computer, only like 6 months after I paid for it... anyways, I was bummed that there was little Arch support for it, as that is what I would want to. But a BSP and version called Longsheep ubuntu loaded right up, and works fine. It's at work now as a dedicated nInvaders character based game system. Not bad for $19.00.
Uh, this long and old thread pops up again. Containers probably won't be possible on chromebooks in the short run as the hardware limitations and, more importantly, if containers are directly available on chromebook one day, we probably won't need crouton any more.
I don't want to add too much more to this old thread but some recent development has added some fuel to it, inadvertently maybe.
In fact ARC++ is Android apps (Google Play) in a container on CrOS and it works extremely well, my Dell Chromebook 13 uses it almost flawlessly. I say almost because 'nougat' hasn't hit yet which allows resizing windows and such.
Agree, probably not using chroots but hopefully something similar in a container. Just my 2 cents,
I am wondering if it is possible to run LXC containers in my chroot. Has anyone tried this? I tried to create one in ubuntu precise but got an error "wrong fs type on /dev/shm"
I think running a container inside a chroot may not be a supported use case for lxc yet. But for chromeos it's sort of our only option, aside from doing a dev_install and some portage overlay magic?
I'm just kind of rambling here, but I couldn't find any information about LXC on chromeOS and this seemed like a reasonable enough place to find some.