Interesting to see Chrome OS adopt process compartmentalization techniques such as this, specifically adopting `cgroups`. Afaik, cgroups isn't enabled by default and requires customizing the kernel before you can enable it. At the very least, container tools such as Docker require symlinks too to invoke chroot-like filesystem isolation and this is also not available.
It'll be interesting to see where they'll go with this, specifically since Google also works on Kubernetes and that new OS, Fuchsia.
Speaking of which, it is now possible to run full Linux and Android apps on Chromebooks which support containers (and VMs?) in a tab with the new official Google Crostini project. Makes the Pixelbook more attractive.
> Afaik, cgroups isn't enabled by default and requires customizing the kernel before you can enable it.
cgroups are supported on every distribution's kernel I've ever touched in the past 5 years. Not to mention that they were originally developed (in part) by Google, though they had a different purpose back then. They're also a requirement for systemd to work properly, so any distribution that needs to run systemd will have them enabled in their kernels.
> At the very least, container tools such as Docker require symlinks too to invoke chroot-like filesystem isolation and this is also not available.
Docker (or rather runc) uses pivot_root and mount namespaces to implement filesystem isolation -- not symlinks (though I'm not sure what you mean here to be frank). These features have been in Linux for more than 10 years.
No, cgroups is enabled on every major Linux distro (though I'm too lazy to check if every configurable is set such that it will run this particular Android container). It's well-established base Linux technology at this point, certainly nothing weird.
I think OP might be referring to the fact that Android kernels disable most functionality required to run most standard Linux container tech. AFAIK it's not possible to run Docker even on rooted devices if they are running a (close to) vanilla kernel, whereas you can run Docker just fine on Linux single board computers that run similar processors.
The host OS in this case is ChromeOS, though. But OK.
I took the point to be "cgroups is weird, nonstandard and by implication dangerous" when the truth is more "cgroups is standard equipment, sorta boring, and the obvious way to implement a container like this".
You can run LXC on Android, and have been able to for several years. So on Android enough of the kernel features are there (though to be honest you only really need pid+mnt namespaces and most people wouldn't tell the difference).
cgroups are a dependency of systemd, so they're extremely standard. (I'm not sure what you mean by "customizing"; there are no binary builds of the Linux kernel available from the kernel developers, so everyone builds their own kernel.)
Not sure what you mean by symlinks either - the right primitives for secure filesystem isolation (pivot_root, etc.) are also very common. pivot_root is the normal way to switch from an initramfs to the real root filesystem, so it's also extremely prevalent.
I don't work on Chrome OS, but my understanding is that one of the things that makes this possible is that Chrome OS requires device manufacturers to upstream kernel drivers for a device to be supported. This means that -- unlike Android -- it's always possible to rebuild a new kernel from source using the Chrome OS source tree.
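As an added example (not written by any commenter in this thread), this script checks the point argued above on a given machine: which cgroup controllers the kernel reports as enabled in `/proc/cgroups`, and whether pid and mnt namespaces are exposed. The sample table and the `WANTED` list are constructed assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/cgroups format (not captured from a real device).
sample_proc_cgroups() {
    cat <<'EOF'
#subsys_name hierarchy num_cgroups enabled
cpuset 0 12 1
cpu 0 12 1
memory 0 12 0
devices 0 12 1
pids 0 12 1
EOF
}

# Read /proc/cgroups-format text on stdin; print controllers whose
# "enabled" column (4th field) is 1, one per line.
enabled_controllers() {
    awk '!/^#/ && NF >= 4 && $4 == 1 { print $1 }'
}

# Read the same format on stdin; print every controller named in $1
# (space-separated) that is absent from the table or listed as disabled.
missing_controllers() {
    have=$(enabled_controllers)
    for c in $1; do
        printf '%s\n' "$have" | grep -qx "$c" || printf '%s\n' "$c"
    done
}

# Assumed wish list for illustration; adjust to what your runtime needs.
WANTED="cpu memory devices pids freezer"

# Live check, skipped on systems without /proc/cgroups.
if [ -r /proc/cgroups ]; then
    echo "enabled: $(enabled_controllers < /proc/cgroups | tr '\n' ' ')"
    echo "missing: $(missing_controllers "$WANTED" < /proc/cgroups | tr '\n' ' ')"
    # pid and mnt namespaces show up as entries under /proc/self/ns.
    for ns in pid mnt; do
        if [ -e "/proc/self/ns/$ns" ]; then
            echo "$ns namespace: present"
        else
            echo "$ns namespace: absent"
        fi
    done
fi
```

A controller can be compiled in and still appear with `enabled` set to 0, which is why the check reads the fourth column rather than only looking for the name.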