Chrome OS Crostini
As you might or might not be aware, Chrome OS has the ability to run Linux apps. Since Chrome OS is built on top of Linux, the historical approach, Crouton, was based on chroot. It allows segregating a full file system and running from it using the Chrome OS kernel. This means no performance penalty, since there is direct access to the hardware, unlike virtualization. However, this native hardware access has always been a security weak spot for Chrome OS, where everything is normally sandboxed and locked down (including the file system). This is why Crouton can only be installed and run in developer mode, which disables OS boot verification and may void the warranty. Oh, and switching to developer mode is not a light operation: it wipes your device.
Nowadays, most developers rely on Unix-based tools. Not having a way to run Linux commands that complies with the Chrome OS security model was becoming more and more of an issue. That’s probably why Google started working on the Crostini project.
Crostini isolates the Linux environment in a Virtual Machine (VM). A custom VM monitor, crosvm, relies on KVM under the hood to run the VM. The image, named Termina, is a light Linux image, intended to boot very fast and start containers.
Because yes, the Termina VM is only a sandbox for containers: it doesn’t access the hardware directly, it only accesses the hardware exposed and sandboxed by crosvm.
Within this secure Termina VM, a container is spun up via the LXD runtime. By default, it is a Debian container named Penguin. This container is where the end user runs commands and apps.
It sounds like quite a complex setup, but the Chrome OS engineers have made the whole thing very easy to use. You don’t have to worry about all the internals, just launch the Terminal app: it automatically spins up Termina, followed by Penguin, and displays a prompt.
This way we’ve got our Linux environment running isolated from the rest of Chrome OS. There is however the ability to access the Linux filesystem, sitting within Termina, from Chrome OS. And vice versa: you can mount Chrome OS folders into Termina. All via the Files app.
I skipped a lot of architecture details for the sake of simplification, but if you’re interested I recommend the Crostini technical documentation; you can find a lot of exciting details there.
I also recommend having a look at the following keynote from Google I/O 2019. They go through some bits of the Crostini architecture, and even show how to play with the VM and containers at the end.