The future of Chrome OS? Containers as Extensions!

I recently ran across this article (https://chromeunboxed.com/news/containers-and-chromebooks-the-future-of-chrome-os/). In it, the author discusses a new option for crosh (the Chrome OS Shell) that suggests running arbitrary commands in containers. The author mused on the implications but didn't get into detail on what the OS will do and support, and how. This article will walk through the theoretical possibility of running a custom "HelloName" container but will not attempt to run one, primarily due to my lack of time to learn to create and manage an OCI image.

Let's assume we are trying to run a container named "HelloName". Presumably, the syntax would look like this: "crosh c HelloName FirstName". This container would echo "Hello FirstName" to stdout.

Here is the new command when running "advanced_options":

c <container name> [args]  
  Run a program inside a container

Exciting eh? Let's dig into the source and see what's going on.

Crosh: Mounting the image

The first thing crosh does is mount the image. It recursively scans the ~/Extensions/* directories, reading each manifest.json and looking for one whose name matches the container name provided in our command (HelloName). It also takes the version of the extension into account and will rerun a container using the new version.

Once a container with a matching name is found, the contents of the extension directory are copied to a temp directory and the Chrome OS Image Loader service is told to mount the image via a dbus command. This is a good idea, as it allows a container to continue running without hitting race conditions caused by partial file changes in the extensions directory.
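A sketch of the lookup and copy steps described above, added here as an example; it is not crosh's code. The directory layout, function names and the "payload" file are assumptions, and the dbus mount request to the Image Loader service is not reproduced.

```python
import json, os, shutil, tempfile

def version_key(v):
    # "1.10.0" -> (1, 10, 0): compare numerically, so 1.10.0 is newer than 1.9.0
    return tuple(int(p) for p in v.split("."))

def find_container(root, name):
    """Return (version, directory) of the newest manifest named `name`, or None."""
    best = None
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as f:
                m = json.load(f)
            if not isinstance(m, dict) or m.get("name") != name:
                continue
            cand = (version_key(m["version"]), dirpath)
        except (OSError, ValueError, KeyError, AttributeError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        if best is None or cand[0] > best[0]:
            best = cand
    return best

def snapshot(src):
    """Copy the extension directory into a private temp dir (mode 0700)."""
    dst = os.path.join(tempfile.mkdtemp(prefix="container-"), "image")
    # symlinks=True copies links as links instead of following them (my choice)
    shutil.copytree(src, dst, symlinks=True)
    return dst

def demo():
    root = tempfile.mkdtemp(prefix="Extensions-")  # constructed sample tree
    for ext, ver, name in [("extA", "1.9.0", "HelloName"),
                           ("extA", "1.10.0", "HelloName"),
                           ("extB", "3.0", "Other")]:
        d = os.path.join(root, ext, ver)  # hypothetical layout: <id>/<version>/
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump({"name": name, "version": ver}, f)
        with open(os.path.join(d, "payload"), "w") as f:
            f.write("v" + ver)
    version, src = find_container(root, "HelloName")
    image = snapshot(src)
    with open(os.path.join(src, "payload"), "w") as f:
        f.write("changed")  # the source directory changes after the copy
    with open(os.path.join(image, "payload")) as f:
        return version, f.read()  # the snapshot still holds the original file

if __name__ == "__main__":
    print(demo())
```

The snapshot keeps its original contents after the source directory changes, which is the property the temp-directory copy gives a running container.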

Crosh: Running the command

The next step involves creating/recreating the container and running the command.

The code does exactly what Docker would do to start and run a container. The container ID is also the name of the container, in our case "HelloName".

Conclusion

  1. Chrome OS is looking in the ~/Extensions directory for containers. This directory also contains extensions you've installed in the browser. Presumably, this means containers will be distributed as Chrome extensions.
  2. Because ~/Extensions is searched recursively for manifest.json files, a normal Chrome extension could also provide its own container in addition to its extension configuration.
  3. Extended Open Container Initiative (OCI) images are what are supported. This is good foresight on Google's part. OCI was created and ratified by many of the large players in the container community.
  4. Mounting and management of containers is performed by sending dbus commands to a management service. Presumably, this service is performing some signature checks to ensure the container is blessed by the mother ship.

I'd really like to see somebody run a generic OCI image on their Chromebook. Let me know if you see it working, I'd love to test it.
