Automation and Bridging Container (Penguin) and Host


Jan Drake

Feb 24, 2023, 7:16:30 PM
to ChromiumOS Development
Greetings,

We are exploring using Chromebooks instead of PCs across our organization. In testing so far, it works great; however, we have a chicken-and-egg problem.

We want to make this super easy for a developer to rehydrate their environment without using a third party service, just google bits.   Context is enterprise-enrolled chromebook.

The ideal use case is when they login we seamlessly launch a process in the user's context which configures the local machine for them, such as:

- Turn on linux
- Create a chromebook file system folder
- Share that folder with linux
- Download something to share with linux
- launch a linux terminal that automatically runs a script from the shared directory
- Wait a bit
- Enjoy accolades of happy developer whose entire environment is now restored.

We have tried to do this multiple ways which is complicated because chromebook won't allow security keys to be used by containers/vms/etc (not even in Parallels app that google partners with) and we require all signons to be done with hardware keys.

Any thoughts on how to do this?  Happy to write an app as needed or whatever.  Login apps kinda seemed like the right place to be embedding this functionality but can't find how to write one.

Regardless, thank you in advance for helpful ideas, pointers, etc.

Best,

JanMan


Dmitry Torokhov

Feb 24, 2023, 7:26:44 PM
to Jan Drake, ChromiumOS Development
We support using Ansible playbooks to configure the linux container. Please see https://chromeenterprise.google/policies/#CrostiniAnsiblePlaybook

--
--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
https://groups.google.com/a/chromium.org/group/chromium-os-dev

Jan Drake

Feb 27, 2023, 2:30:55 PM
to Dmitry Torokhov, ChromiumOS Development
Thank you.  Does the request for the ansible script come from the chromebook security context or from the container context?

In other words can I know the ansible request is coming from an authenticated user and know their identity to customize the script for them?


Jan

Jan Drake

Feb 27, 2023, 2:35:55 PM
to Jan Drake, ChromiumOS Development
Dmitry was kind enough to answer one part of the puzzle below.  

Are there answers for the other parts?

Ultimately we need to remotely configure an enterprise enrolled chromebook at the chromeos layer after a powerwash and upon enrollment without using a third party.  

And then we need to config crostini as well which ansible support may provide.


Jan


Dmitry Torokhov

Feb 27, 2023, 3:10:41 PM
to Jan Drake, ChromiumOS Development
The request comes from the host (chromeos) rather than the container, however as far as I understand the playbook should be stored in a universally accessible location, meaning that no client authentication is required in order to download it. ChromeOS will validate the playbook using the hash specified in the policy.

The policy is per-user, so it should be possible to tailor it to individual users.

Jan Drake

Feb 28, 2023, 12:03:11 AM
to Dmitry Torokhov, ChromiumOS Development
So it seems our ansible script would have to be on a public url and there would be no reliable indication to the server providing that script that the request came from a trusted chromebook?  Thus, anything we host about configuration would be public knowledge and a bad actor (MITM for instance) or a compromise of the gsuite admin interface could result in injecting harmful content into crostini?

The above sounds problematic, is it a correct description of the scenario for using the ansible policy with chromebooks?

Jan

Jan Drake

Feb 28, 2023, 12:15:57 AM
to Christen Vaden, Dmitry Torokhov, ChromiumOS Development
:) We share this perspective.  Let us find out together.

On Mon, Feb 27, 2023 at 9:04 PM Christen Vaden <nichole...@gmail.com> wrote:
Idk 

From: 'Jan Drake' via ChromiumOS Development <chromiu...@chromium.org>
Sent: Monday, February 27, 2023 11:02:52 PM
To: Dmitry Torokhov <dt...@chromium.org>
Cc: ChromiumOS Development <chromiu...@chromium.org>
Subject: Re: [cros-dev] Automation and Bridging Container (Penguin) and Host
 

Dmitry Torokhov

Feb 28, 2023, 1:34:22 AM
to Jan Drake, Olya Kalitova, ChromiumOS Development
The content of the ansible playbook is validated by comparing the hash delivered via a Chrome policy with the hash of the downloaded data, so intercepting/substituting the data should not be an issue. Compromising the admin console - yes, but I think in this case an attacker can wreak greater havoc than delivering harmful content into VMs.

+Olya Kalitova could you please confirm if policy data has to be publicly visible or we can reuse primary user's auth?
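The hash-pinning check described above, written out as an added example that is not part of the thread and not ChromeOS's own implementation. The {"url", "hash"} policy shape, the example.invalid URL and the sample playbook are constructed assumptions; the point shown is that pinning catches a substituted download (and also any byte-level rewrite such as changed line endings) while doing nothing to authenticate who fetched the file.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample playbook an admin intends to hand to every developer's
# Crostini container (not a real deployment's file).
PLAYBOOK = b"""---
- hosts: localhost
  tasks:
    - name: install developer tooling
      apt:
        name: [git, build-essential]
        state: present
"""

# What an on-path attacker or a compromised mirror might serve instead.
TAMPERED = PLAYBOOK.replace(b"state: present", b"state: absent")

# Same content, but line endings rewritten in transit or by an editor;
# the pin covers exact bytes, so this is rejected too (an operational caveat).
CRLF_COPY = PLAYBOOK.replace(b"\n", b"\r\n")


def make_policy(url: str, data: bytes) -> str:
    """Admin side: publish the SHA-256 of the exact bytes next to the URL.

    The {"url": ..., "hash": ...} JSON shape is an assumption for this example.
    """
    return json.dumps({"url": url, "hash": hashlib.sha256(data).hexdigest()})


def verify_download(policy_json: str, downloaded: bytes) -> bool:
    """Client side: accept the download only if it matches the pinned hash.

    Pinning makes the download's origin irrelevant: the file may sit on a
    public URL because substitution is caught here. It does not authenticate
    the downloader, so the playbook itself must hold no secrets.
    """
    expected = json.loads(policy_json)["hash"].strip().lower()
    actual = hashlib.sha256(downloaded).hexdigest()
    return hmac.compare_digest(expected, actual)


def fetch_and_verify(policy_json: str, served: bytes) -> Optional[bytes]:
    """Simulated fetch: return the playbook if genuine, None otherwise."""
    return served if verify_download(policy_json, served) else None


POLICY = make_policy("https://example.invalid/dev-playbook.yml", PLAYBOOK)
```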