Chromebook Investigation
Using G Suite for signing in was the easiest and most straightforward way of setting up user accounts. You can enforce 2FA and use a YubiKey as your auth method, allowing easy and secure access to devices. G Suite can easily be set up as an identity provider in Keycloak, so you can use the same account you use for logging in to your Chromebook to seamlessly access ACP services.
Firstly, you need a G Suite domain set up. You can then turn on Device Management. This lets you control a variety of settings and pre-install a number of Chrome and Android applications.
- Go to the Google Admin Console
- Go to Device Management -> Chrome Management -> User settings
- Go to Apps and Extensions
- Click Manage Force-installed Apps
I recommend Cog-System Info, Caret, Zed Code Editor and uBlock Origin as a baseline.
Firstly you need to check if the device supports Android applications for ChromeOS here. If your device is on the stable channel instead of beta you can skip the next step.
Installing on beta channel:
- Follow this guide to create an organisational unit for Chrome devices.
- Go to Device Management -> Chrome devices
- Move the devices into the organisational unit
- Go to Device Management -> Chrome Management -> Device settings and select the organisational unit you created on the left
- Go to Release Channel and change this to Move to Beta channel
- Restart the affected Chromebooks
Assuming that your device now has access to the correct release channel:
- Go to Device Management -> Chrome Management -> User settings
- Go to Android Applications and set 'Android applications on Chrome Devices' to Allow
ChromeOS splits the network between Android applications and Chrome applications. The native Chrome VPN doesn't work with authd, so you will need to install the OpenVPN client for Android.
To do this you need to authorise the app through the admin console, and then you can force install it on devices in your organisation.
Authd in the UK has been adapted to support the Android version of OpenVPN but this has not been rolled out to Ireland. This is due to the fact that the Android client can't support inline certs.
When downloading a profile you will be provided with a zip file containing the profile, ca, cert and key. Unzip it by double-clicking it; this creates a new mount point, from which you copy and paste the contents to a folder in your documents. You can then use the VPN client to load the profile and connect. Note that due to the network segregation you have to use the Google Chrome Android app, NOT the native Chrome. This can be downloaded and installed via the Play Store in the same way as OpenVPN.
Termux is an Android app available from the Play Store. This can be used as your terminal. Some commands to get up and running follow:
```bash
apt update
apt upgrade
apt install coreutils
pkg upgrade
pkg install termux-tools proot util-linux net-tools
pkg install openssh tracepath tree git curl gnupg tar
```
To get kubectl you will have to curl the binary into your path:
```bash
# Fetch the current stable kubectl (linux/amd64 build) and put it on Termux's PATH
curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \
chmod a+x kubectl && \
mv kubectl /data/data/com.termux/files/usr/bin/
```
ChromeOS can't run a Docker dæmon, so you will have to install just the CLI and then connect to a remote Docker host.
```bash
# Fetch the static Docker bundle and install only the client binary
curl -LO https://download.docker.com/linux/static/stable/x86_64/docker-17.06.0-ce.tgz && \
tar -xzvf docker-17.06.0-ce.tgz && \
mv docker/docker /data/data/com.termux/files/usr/bin/
```
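Both downloads above move a freshly fetched binary straight onto the PATH without checking it. The helper below is an added example, not part of the original page: it installs a file only if its SHA-256 matches a digest you supply. The name `install_verified` and its arguments are assumptions; `sha256sum` comes from the coreutils package installed earlier.

```bash
# Added example: install a downloaded binary only when its SHA-256 digest
# matches the value published for that release. install_verified is a
# hypothetical helper name, not part of Termux, kubectl or Docker.
#
# Usage:   install_verified <file> <expected-sha256-hex> <dest-dir>
# Returns: 0 installed, 1 bad arguments, 2 digest mismatch (file deleted).
install_verified() {
    local file="$1" expected="$2" dest="$3" actual

    if [ ! -f "$file" ] || [ ! -d "$dest" ]; then
        echo "usage: install_verified FILE SHA256 DEST_DIR" >&2
        return 1
    fi

    # Normalise case, then reject anything that is not exactly 64 hex digits
    # (for example an HTML error page saved in place of the checksum).
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 1 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest must be 64 hex characters" >&2
        return 1
    fi

    # Hash from stdin so the file name never appears in sha256sum's output.
    actual=$(sha256sum < "$file" | cut -d ' ' -f 1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        rm -f -- "$file"    # do not leave an unverified binary behind
        return 2
    fi

    chmod a+x "$file" && mv -- "$file" "$dest/"
}

# Call shape on the Chromebook; the digest is a placeholder for the value
# published with the exact release you downloaded:
#   install_verified kubectl "<published-sha256>" /data/data/com.termux/files/usr/bin
```

A digest fetched from the same server as the binary only catches corruption in transit; take it from a separate, trusted channel where you can.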
I did try to have docker-machine provision you a host on the Chromebook. Unfortunately Android does IPv6 local DNS by default and this can't be overridden in Termux, which prevents interaction with the AWS or Google Cloud API.
Google Cloud offers a shell that can be used as a remote workspace; it comes pre-installed with Docker, kubectl, gpg, git etc. It has a unique shell per IAM user and persists your home directory, and files can be downloaded and uploaded easily from your Chromebook. So I think this is a good alternative to a lot of the Termux stuff unless you need VPN, and is probably the easiest way to quickly get a usable Docker client.