Chrome OS devices/Crostini

From ArchWiki

Crostini is Google's umbrella term for making Linux application support easy to use and integrating well with Chrome OS.

This article describes how to install Arch Linux on a Chromebook in a container (via Crostini), without needing to enable developer mode, allowing apps to run alongside other Chrome/Android apps.

Highlights:

  • Officially supported, do not need to enable developer mode - leaves Chrome OS secure, no need to flash a BIOS etc.
  • Better battery life - battery life of Chrome with the functionality of Linux.
  • Audio (in/out) & OpenGL are supported, but USB devices support in only partially supported and development is still in progress.

Introduction

Enabling Linux support

Look for Linux under Settings and enable it. This installs a Debian Linux container that we will then replace with an Arch Linux container.

Settings > Linux > Enable

Crostini is still rolling out to Chromebooks. If you do not see an option to enable Linux, you may need to switch to the beta or developer channel, if it has not rolled out to the stable channel for your laptop yet. This can be done via Settings > About Chrome OS > Channel > Dev/Beta.

Replacing the default Debian Linux container with Arch Linux

The below instructions based on https://www.reddit.com/r/Crostini/wiki/howto/run-arch-linux.

Optional: Delete the Debian container

Warning: For the time being of Chrome 87, starting a vmc with a custom lxc image makes Termina think it is invalid and delete it. lxc delete penguin should not leave the space unusable. See [1]

If you have no use for Debian anymore, you can save some storage space by destroying and recreating the Termina VM (this will let you skip renaming / deleting existing container later). Beware this will also delete any other containers you may have under Termina.

Open the crosh terminal in Chrome (Ctrl+Alt+t).

vmc destroy termina
vmc start termina

Create the container

Open a new crosh terminal in Chrome (Ctrl+Alt+t). Create an Arch Linux container in Termina using VMC:

vmc container termina arch https://us.lxd.images.canonical.com/ archlinux/current

The following error will be shown after completion:

"Error: routine at frontends/vmc.rs:403 `container_setup_user(vm_name,user_id_hash,container_name,username)` failed: timeout while waiting for signal"

This is expected behaviour, proceed with following steps.

Open a shell in Termina and check if the Arch Linux container is present (it may a few minutes to show on the list):

vsh termina
lxc list

If the container is not started, start it:

lxc start arch

Launch a bash shell in the container:

lxc exec arch -- bash

Set up the user

The container creates a default user on install based on the email used to sign in to Chrome OS. The username can be seen with the following command:

grep 1000:1000 /etc/passwd|cut -d':' -f1

Optionally you can rename user/group, by default named by your GMail id:

# pkill -9 -u old-username
# groupmod -n new-username old-username
# usermod -d /home/new-username -l new-username -m -c new-username old-username

A password needs setting for the user:

# passwd username

You may additionally want to install sudo and add the user to the wheel group. Use after installation:

# visudo

Uncomment the following line to allow the wheel group to use sudo:

# %wheel ALL=(ALL) ALL

Add your user to the wheel group:

# usermod -aG wheel username

Leave the container:

# exit

Set up the container for use in Chrome OS

Login to the container using regular user account you just configured:

lxc console arch

Verify networking in the container. The command

$ ip -4 a show dev eth0

should return a non-empty output with the container's assigned IP address. If it is not empty, you can proceed, otherwise you are facing the issue described in #No network in container - follow the instructions listed there to address the issue.

Install the Crostini container tools, Wayland for GUI application support and XWayland for X11 application support:

Install the cros-container-guest-tools-gitAUR package. Additionally install wayland and xorg-xwayland to be able to use GUI tools.

Start/enable the following user units:

Template instance Purpose
[email protected] Wayland
[email protected] X11
[email protected] Wayland (low density)
[email protected] X11 (low density)

Make sure these user services are running successfully by checking their unit statuses. Now, when apps are installed in Arch Linux, they will automatically appear in the Chrome OS launcher. Exit from the container shell back to the Termina shell by pressing Ctrl+a q.

Replace the default Debian container with Arch Linux

The default Debian container is named penguin. Renaming the "arch" container created above to it will cause Chrome OS to launch Linux apps from the arch container. Stop the Arch Linux container:

lxc stop --force arch

Stop the Debian container and rename it to "debian" (this step can be skipped if you have already removed the Debian container):

lxc stop --force penguin
lxc rename penguin debian

Rename the Arch container to "penguin" and start it:

lxc rename arch penguin
lxc start penguin

Restart the Linux subsystem to apply the changes. After restart, verify that no failed system or user units are listed.

The following command should report the IP address assigned for container:

ip -4 a show dev eth0

Troubleshooting

Arch container fails to start after update to Chrome OS 81

Most of custom containers stopped working with Chrome OS 81 update. The root cause is LXC version update, as a result container fails to start with following error:

lxc penguin 20200411193357.312 WARN     initutils - initutils.c:setproctitle:324 - Invalid argument - Failed to set cmdline
lxc penguin 20200411193357.395 WARN     conf - conf.c:lxc_map_ids:2919 - newuidmap is lacking necessary privileges
lxc penguin 20200411193357.395 WARN     conf - conf.c:lxc_map_ids:2925 - newgidmap is lacking necessary privileges
lxc penguin 20200411193357.400 WARN     conf - conf.c:lxc_map_ids:2919 - newuidmap is lacking necessary privileges
lxc penguin 20200411193357.400 WARN     conf - conf.c:lxc_map_ids:2925 - newgidmap is lacking necessary privileges
lxc penguin 20200411193357.477 ERROR    conf - conf.c:run_buffer:335 - Script exited with status 32
lxc penguin 20200411193357.477 ERROR    conf - conf.c:lxc_setup:3589 - Failed to run mount hooks
lxc penguin 20200411193357.477 ERROR    start - start.c:do_start:1263 - Failed to setup container "penguin"
lxc penguin 20200411193357.478 ERROR    sync - sync.c:__sync_wait:62 - An error occurred in another process (expected sequence number 5)
lxc penguin 20200411193357.478 WARN     network - network.c:lxc_delete_network_priv:2561 - Failed to rename interface with index 17 from "eth0" to its initial name "veth421fa9d1"
lxc penguin 20200411193357.478 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:842 - Received container state "ABORTING" instead of "RUNNING"
lxc penguin 20200411193357.479 ERROR    start - start.c:__lxc_start:1939 - Failed to spawn container "penguin"
lxc penguin 20200411193357.701 WARN     conf - conf.c:lxc_map_ids:2919 - newuidmap is lacking necessary privileges
lxc penguin 20200411193357.701 WARN     conf - conf.c:lxc_map_ids:2925 - newgidmap is lacking necessary privileges
lxc 20200411193357.706 WARN             commands - commands.c:lxc_cmd_rsp_recv:132 - Connection reset by peer - Failed to receive response for command "get_state"
lxc 20200411193357.707 WARN             commands - commands.c:lxc_cmd_rsp_recv:132 - Connection reset by peer - Failed to receive response for command "get_state"

Solution

After some troubleshooting, I made my container work by removing just two empty dirs from the container image. Navigate to crosh and execute following:

vmc start termina
vsh termina
lxc file delete penguin/var/lib/lxc
lxc file delete penguin/var/lib/lxcfs

Restart Linux subsystem and container started should start normally.

No network in container

Note: In systemd v249, the problem seems to have disappeared, and everything works as it should. However, in systemd v250, the probelm seems to appear again. The above claims regarding v249 and v250 need to be confirmed with more user reports.

As was reported by multiple sources, systemd-networkd and systemd-resolved services in systemd-244.1 are not working properly for unprivileged LXC containers, which ends up in missing network connectivity inside the Crostini container. Users may see only IPv6 address but no IPv4 address for the arch container (for example, using ip a command).

One possible solution is stated here: LXD#No IPv4 with systemd-networkd.

Alternatively, another solution is to completely disable systemd-networkd/systemd-resolved and perform network configuration by dhclient service instead. First, install dhclient, then, as the root user, run:

dhcpcd eth0
systemctl disable systemd-networkd
systemctl disable systemd-resolved
unlink /etc/resolv.conf
touch /etc/resolv.conf
systemctl enable dhclient@eth0
systemctl start dhclient@eth0

NetworkManager and dhcpcd also can be used to address the issue if you prefer them over the dhclient solution.

ping doesn't work

Note: Due to some changes, either in crostini/lxd or in the archive with the Arch Linux container, it is now necessary to set capability to the /usr/bin/ping

If you get

ping: socket: permission denied

when trying to ping from a user other than root, you need to set the capability flag on the /usr/bin/ping file to fix it.

# setcap cap_net_raw+ep /usr/bin/ping

This should solve the problem

App not opening in chrome OS (infinite spinner)

I found that launching a console (lxc console penguin) session prevents apps from launching in Chrome OS. Launching results in an infinite spinner. In that case, I have to stop and start the container to get the Chrome OS launcher working

lxc stop penguin
lxc start penguin

Instead of using an lxc console session, I use a regular Linux terminal GUI launched from Chrome OS that prevents this issue.

Audio playback/input

Crostini support audio playback starting Chrome OS 74. With cros-container-guest-tools-gitAUR installed both ALSA and PulseAudio playback should work after PulseAudio configuration. Audio input is supported starting Chrome OS 79.

Enter the following command in the container (in case you did not):

$ cp -rT /etc/skel/.config/pulse ~/.config/pulse

Video playback

mpv can play videos using software rendering without any addition configuration, however this is CPU consuming and laggy experience for modern video codecs like H265. For hardware accelerated playback GPU acceleration is required. Take into account, that GPU acceleration for Crostini is based on Virgil 3D GPU project, so no real GPU device pass-though is performed and hardware-specific APIs like VA-API or VPDAU are not available. However OpenGL acceleration can be used, i.e. this is example of mpv.conf which enabled accelerated video and audio playback on Google Pixelbook starting Chrome OS 77:

vo=gpu
ao=alsa

GPU acceleration

On Google Pixelbook GPU acceleration works with Arch out-of-the-box starting Chrome OS 77. Also no flags need to be enabled on recent released of Chrome OS:

$ glxinfo -B
name of display: :0
display: :0  screen: 0
direct rendering: Yes
Extended renderer info (GLX_MESA_query_renderer):
    Vendor: Red Hat (0x1af4)
    Device: virgl (0x1010)
    Version: 19.1.4
--> Accelerated: yes <--
    Video memory: 0MB
    Unified memory: no
    Preferred profile: core (0x1)
    Max core profile version: 4.3
    Max compat profile version: 3.1
    Max GLES1 profile version: 1.1
    Max GLES[23] profile version: 3.2
OpenGL vendor string: Red Hat
OpenGL renderer string: virgl
OpenGL core profile version string: 4.3 (Core Profile) Mesa 19.1.4
OpenGL core profile shading language version string: 4.30
OpenGL core profile context flags: (none)
OpenGL core profile profile mask: core profile

OpenGL version string: 3.1 Mesa 19.1.4
OpenGL shading language version string: 1.40
OpenGL context flags: (none)

OpenGL ES profile version string: OpenGL ES 3.2 Mesa 19.1.4
OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.20

Unlock the keyring when starting the container

If you have problems with programs that use gnome-keyring-daemon, you need to write a user systemd daemon (see Systemd/User#Writing user units) that will run the keyring daemon when the container starts.

Create the following two files:

/etc/systemd/user/gnome-keyring.service
[Unit]
Description=Keyring

[Service]
ExecStart=/usr/local/bin/export-keys
KillUserProcesses=no

[Install]
WantedBy=default.target
Warning: Leaving the password in plain text is potentially dangerous. You can replace echo random-password with cat ~/.password by creating the appropriate file in your home folder.
/usr/local/bin/export-keys
#!/bin/bash
killall gnome-keyring-daemon
echo random-password | gnome-keyring-daemon --components=secrets,ssh,pkcs11 --unlock --foreground

Give the file launch rights:

# chmod a+x /usr/local/bin/export-keys

Then, start/enable the gnome-keyring.service user unit and run

$ echo -n login > ~/.local/share/keyrings/default

Fullscreen video, games and mouse capture

Currently Crostini has limited support for mouse capture starting with Chrome OS 79. You must enable the flag chrome://flags/#exo-pointer-lock to get mouse capture. The closed issue relating to mouse capture is https://bugs.chromium.org/p/chromium/issues/detail?id=927521.

See also