DEV Community

Peter Benjamin (they/them)
Peter Benjamin (they/them)

Posted on • Edited on

A Minimal Chromebook Setup for Development & Hacking

Table of Contents

The TLDR Version

  • If you buy a Chromebook, stay within the confines and stick with ChromeOS; it’s not worth hacking to enable dual-booting, side-loading, or wiping of ChromeOS for a Linux distro.
    • If you insist on a Linux distro, just buy a used Lenovo; it will be more capable, versatile, and compatible with your Linux distro out-of-the-box.
    • Whatever you do, DO NOT enable "Dev Mode".
  • Best-in-class Chromebook hardware ≤ $500 (in order): Samsung Chromebook Pro (approx. $500), Asus Chromebook Flip C302 (approx. $450), Acer Chromebook for Work (approx. $400).
    • Otherwise, aim for an Intel-based chip (e.g. Celeron) and a minimum of 4 GB RAM.
  • Secure Shell: the Chrome extension for SSH. Multi-Factor Authentication (MFA) highly recommended.
  • Termux: a full-featured terminal-emulator Android-app with lots of developer-friendly plugins, like access to clipboard, notifications, external storage, and more.
  • GUI-based editors are also available as Chrome Apps, like Caret, Zed, & Text.
    • Chrome Dev Editor was a really nice IDE that almost matched modern desktop-based editors on features (e.g. Atom & VS Code), but it is not longer in active development, unfortunately.

Introduction

I decided to share my recommended Chromebook development setup because I am
tired of seeing the same misinformed and misguided recommendations that lead to:

  • A painful development experience
  • A cheap Linux machine with terrible driver support
  • Wildly insecure and highly risky machines

So, how will my recommendation be different than those previously listed?

I have my own SOLID set of guiding principles that I will discuss in detail.

Note: Keep in mind that there is no setup without its own set of drawbacks.

The SOLID Principles

Security

ChromeOS comes with a set of really — and I mean REALLY — strong security
controls built-in. So much so that CoreOS, a specialized server operating system
for containers, is based on ChromeOS.

So, it is justifiably cringe-worthy that the first recommendation would be
“disable all those secure features and turn on Dev Mode”.

Why is Dev Mode insecure?

  • Disables Verified Boot.
    • Verified Boot ensures that ChromeOS is booting using known-good firmware, kernel, init, modules, fs metadata, policies, …etc.
    • By disabling Verified Boot, you’re essentially allowing persistent compromises.
  • Enables VT2 (Linux terminal).
  • Activates passwordless root shell access. Yes, you read that right.
  • Access to unencrypted content of your Chrome profile.

On top of that, adding Crouton to side-load Linux distributions adds another huge vector. You’re essentially running un-vetted code as root on your Chromebook. Not only that, but nothing is stopping code running as root in a chrooted environment from escaping the chroot and infecting the rest of ChromeOS.

Essentially, dev mode by default is less physically secure than a standard laptop running Linux -  David Schneider (creator of Crouton)

If you insist on a Linux distribution, you are better served by finding an old, used, cheap Lenovo Thinkpad and installing your favorite Linux distribution on it. You’ll have a more secure environment than a Chromebook in Dev Mode and a better overall experience than a Chromebook running a Linux distribution.

Ownership Cost

  • Avoid any recommendations that would unnecessarily raise the cost of ownership (e.g. buying additional hardware/software to perform needed tasks).
  • Keep costs as low as possible.

Leverage Native Capabilities

  • Leverage the native capabilities of the platform (e.g. web apps > android apps > containers).
  • Avoid unnecessary hacks that impact performance.

Inherent Restrictions

  • The Chromebook stack (hardware & software) is optimized for ChromeOS.
    • Thus, you should accept and embrace the inherent restrictions that come with the decision of using a Chromebook. They ultimately force you treat your machine as cattle, not pets.
    • Your profile, preferences, settings, files are stored in the cloud. If you lose your Chromebook, you can just replace it and keep going with little disruption and inconvenience.
  • Attempts at bypassing or mitigating these restrictions will result in compromises that will impact one or more aspects of the stack (incompatible drivers, slow/weak performance, poor battery life, lack of security …etc).

Developer Experience

  • Strive for the smoothest developer experience possible.
  • I define Developer experience as, but not limited to:
    • battery life
    • performance
    • productivity
    • tooling
    • flexibility/versatility of working offline

The Details

I have been using a Chromebook as my primary personal machine for a few years now. So, I have experimented with a variety of different hardware and software combinations. I am also very familiar with the initial pains of getting acclimated to this new setup. But, once I’ve adapted to it, I noticed that I have applied the same philosophy to my work setup.

I also consider myself a pro user with often conflicting needs:

On the one hand, as a Software Engineer, I prefer to work on my personal and work-related projects on remote development environments (I would also like to be able to do local/offline development when absolutely needed).
On the other hand, as an Information Security Engineer, SSH'ing into a remote server is not an option and I certainly need to be able to — erm, do some things 😏 — directly from my local machine.

Here is where I have landed…

Hardware

  • Prefer Intel-based chips over ARM ones.
    • Most developer programs & tools are built for and supported on Intel chips first.
  • Prefer larger RAM.
    • A minimum of 4GB RAM.
    • I found that 2GB is barely usable, especially with the recently added support for Android apps.
  • Prefer larger storage.
    • 64GB storage is nice, but 32GB will work too.
    • You need to take into account how much local development versus remote development you are comfortable with.

Based on these loose hardware recommendations, the following are the top 3:

  • Asus Chromebook Flip C302 (~$450)
    • Intel m3
    • 4GB RAM
    • 64GB storage.
  • Samsung Chromebook Pro (~$500)
    • Intel m3
    • 4GB RAM
    • 32GB storage
    • Stylus included
  • Acer Chromebook for Work (~$400)
    • Intel 6th-gen i3
    • 4GB RAM
    • 32GB storage.

Alternatively, these are significantly more affordable and could be sufficient for your use-case:

  • Samsung Chromebook 3 (approx. $200)
  • 2017 Samsung Chromebook 11.6inch (approx. $250)
  • ASUS C300 (approx. $200)

Software

I will be straight-forward with you here: get comfortable living in the terminal.

GUI-based IDEs/editors for local software development on Chromebooks are not there yet, but they are getting better.

There are some lightweight GUI editors, but they lack many critical features needed for software development (e.g. git integration, search-and-replace, auto-completion …etc). These lightweight GUI editors are good for light editing/note-taking at best.

This is a good thing and I'll tell you why:

The Kubernetes and Docker container movement has ushered in an era of DevOps that can be summarized as "Pets versus Cattle":

In the old way of doing things, we treat our servers like pets, for example Bob the mail server. If Bob goes down, it’s all hands on deck. The CEO can’t get his email and it’s the end of the world. In the new way, servers are numbered, like cattle in a herd. For example, www001 to www100. When one server goes down, it’s taken out back, shot, and replaced on the line. - Randy Bias

Here is the baseline software stack I use for development (all of which are installed on the server):

  • Secure Shell: a Chrome extension, set to “open as window”, is my go-to SSH client to remote into remote development environments (public cloud for work, private home servers for personal projects)
    • Public Service Announcement: since installing client-side certificates on Chromebooks are excruciatingly difficult, I resort to password-based SSH authentication for my servers. But if you do this, please do yourself a favor and enable Multi-Factor Authentication (MFA) for SSH (DUO is great!)
  • Tmux: terminal window and pane management
  • Vim: editor
  • Docker: further compartmentalized dev environments (e.g. docker-compose up and I've got a local NGINX server, Ruby app server, & postgresql server up and running)

Here is the baseline software stack I use for hacking:

  • Same as above, plus
  • Termux: android-based terminal emulator for performing local testing when needed.

And that's it. I have reached a point where all I need is a phone, a portable monitor, and a keyboard to be productive.

And that's what this journey has been really all about: bringing technology back to its most basic set of needs for me to be effective and productive, where I am no longer physically or emotionally dependent on premium brushed aluminum computers with 16GB RAM just to run slack, chrome, and atom or vscode.

Parting Thoughts

I don't claim that this setup is for everyone. Admittedly, this setup falls apart when you have a hard requirement on a piece of software that is not available as a web app or if it is financially prohibitive as a web app.

I am really excited about what the future of development might look like.

Perhaps, in the not-so-distant-future, all you might need is the multi-core processing power already in your pocket, a Virtual Reality (VR) or Augmented Reality (AR) headset, with virtual workspaces (because, why be prohibitively limited by physical, costly monitors when you can just create unlimited number virtual monitors?)

But, I'm curious about your thoughts, opinions, or concerns about this setup or if you would like to share your setup.

Thank you for your time.

Cheers and happy coding! 🤗

Top comments (27)

Collapse
 
isr profile image
Imran Rafique • Edited

Peter,

With respect to the 4 points you brought up regarding dev-mode:

o you can re-enable verified boot, while still remaining in dev-mode. Its a single command.

o you can set a linux password for the user 'chronos'. Again, its a single command. This takes care of the open vt-2 (you need to give the chronos password) and the open sudo access to root (again, you have to now give the chronos password)

  • yes, you can see the contents of your home directory now, including all the chrome data. Just as you can when installing chrome on any other linux distribution (or OS). Basically, this just means "you now have a bash shell, with gnu coreutils, so you can peruse the filesystem". I'm not sure how this qualifies as a problem.

Hope the above doesn't come across as 'snarky' - thats not the intention.

Thing is, dev-mode chrome os can be close to a fully fledged linux distro - if that is your want. It even has a native pkg manager (chromebrew) to install the missing bits (gcc, tcl, ruby, python, tmux etc). The only thing that really gets in the way is the non standard display server (google's sommelier can help to partly overcome this - installable via chromebrew if you wish).

The only real warning against dev-mode ought to be - "if you're not especially comfortable on linux boxen, don't do it"

Not that its "insecure". It really isn't, once you set it up correctly (again, thats only 2 commands). The real insecurity comes down to what stuff you then go on to install and run on your machine.

And thats true of any system, once you have control over it.

Collapse
 
pbnj profile image
Peter Benjamin (they/them)

Hi Imran,

Thank you for the feedback.

I was aware that you can set a password for chronos user, but I was not aware that you can re-enable Verified Boot. Do you have a link to this you can share? Did a quick search for "enable verified boot in dev mode", but didn't find any relevant articles.

Collapse
 
isr profile image
Imran Rafique • Edited

crossystem is your swiss army toolbox for interacting with the boot-time features of chrome os.

The specific knob to tweak here is:

crossystem dev-boot-signed-only=1
Enter fullscreen mode Exit fullscreen mode

With crossystem, you can also turn legacy boot (the open "legacy" bios bootloader, accesed by ctrl-l at boottime) off, and usb boot (ctrl-u, used to boot chrome or chromium os usb installs) off.

(of course, you only do that if you have no interest in dual booting. The user has the power to decide - as it should be)

Once you have that, your dev-mode chromebook can ONLY boot the google supplied chrome os kernel, and it will verify the checksum on the kernel partition, just to make sure.

See? Dev-mode AND security. In only 2 commands (including setting the password).

(I've never figured out how such an easy-to-lockdown system gets so many articles posted on it - all warning how insecure it is and "don't do it".)

Thread Thread
 
tohodo profile image
Tommy

FYI here's how to toggle USB and legacy boot:

chromium.org/chromium-os/developer...

Both should be already disabled by default.

Collapse
 
darthwalsh profile image
Carl Walsh

you can re-enable verified boot, while still remaining in dev-mode. Its a single command.

Can you share the command? All the top google results give steps for re-enabling verified boot by turning off dev mode (i.e. by pressing space at boot and wiping user data).

Collapse
 
pbnj profile image
Peter Benjamin (they/them) • Edited

Carl, it's provided in a reply here.

Having said that, I haven't been using ChromeOS devices for several years now, so do it at your own risk.

Also, there is more detailed information about this in the crouton project's wiki here and here.

TL;DR:

[crouton] re-enables verified boot when it can, although this is a bit of a false sense of security, as anything with the ability to escape the chroot and edit the rootfs also has the permissions necessary to disable verified boot again as well.

The command to do this is:

crossystem dev-boot-signed-only=1
Enter fullscreen mode Exit fullscreen mode
Collapse
 
jmfayard profile image
Jean-Michel 🕵🏻‍♂️ Fayard

Hello Peter,
I am just starting with Linux on the chromebook and found your post quite useful.

What is not really clear to me is how you install command-line apps.

I started with Google: Set up Linux (Beta) on the Chromebook

This part worked fine

sudo apt-get update && sudo apt-get dist-upgrade`
sudo apt-get install default-jdk 

But when I started to install other apps, I found that everything was outdated (gradle) or not available (fd-find, ripgrep, ...).

Any insights on this?

Collapse
 
angelarae63 profile image
Angela Whisnant

Thanks for this article. I have been looking at Chromebooks lately because I really love the simplicity of them. (I dislike Windows) I am fine with most of my work living in the cloud as long as it's secure. The only concern I have is the text-editors currently available. I am glad you agree that the Chrome OS shouldn't be hacked. I'd be afraid to do that. Saw one at Walmart today, a lovely Acer Chromebook 15.6 which someone had tried to put into Developer Mode. Sad. However, I did watch this Chrome Developer Demo by Google. They show running Linux in container on Chrome OS (no real hacking required)and actually run VS Code in a Linux container. Here's the link for that in case you are interested.

Collapse
 
pbnj profile image
Peter Benjamin (they/them)

Yeah, ChromeOS support for Linux apps has been a great feature for developers.

I don't think all Chromebooks get access to this feature, so I would check and be sure that this feature is available on that Chromebook before you commit to it.

Collapse
 
angelarae63 profile image
Angela Whisnant

I am looking into that. Lists, lists everywhere...which ones can I trust? Is there a way to check with Google?

Thread Thread
 
pbnj profile image
Peter Benjamin (they/them)

There is no official list that I am aware of, but I'm not sure if you have come across this or not: xda-developers.com/chromebooks-lin...

Collapse
 
k4ml profile image
Kamal Mustafa

Not having password-less ssh really a bummer. I'm considering chromebook as I've been doing remote dev on EC2 instances for many years already, and the workflow you described here is no alien to me. My current macbook air just a gateway to real development machine where I just need browser and iterm most of the time.

Searching around however I found this where it possible to use ssh key with Secure Shell, where the key has to be generated on other machine.

jonmccune.wordpress.com/2017/07/09...

Collapse
 
surajkr profile image
surajkr • Edited

How does VNC over http fare on Chromebook?
I am on the fence to buy a Chromebook. While SSH to remote server seems doable to do some scripting and administration tasks.

I am wondering if vnc is functional as a last resort GUI access to remote development station.

Collapse
 
bradtaniguchi profile image
Brad

I gotta point out you can always use a cloud IDE (Code anywhere, Cloud9, codesandbox, stackblitz) to get things going without installing anything. I used Cloud9 for an entire project and the entire experience was great. Being able to jump directly from my under-powered chromebook (200$ model) to a full fledged desktop without skipping a beat was pretty cool, and beats working in a shell.

Unfortunately Cloud9 no longer has a free tier since getting bought out by Amazon. The IDE wasn't that powerful though, it was probably on par with Sublime with a lot of syntax highlighting, but any advanced refactoring was out of the picture. Plus, the free tier was comparable to a raspberrypi in horsepower. (my project was a very minimal web app)

I've heard good things about codeanywhere and codesandbox, but limited experience with both, but same idea applies.

These sorts of IDE options are probably the most minimal (0 installation), but are probably the most limited in scope. For the right people, its probably enough, especially for even the lower end chromebooks. :D

Collapse
 
darthwalsh profile image
Carl Walsh

For anybody reading this in 2021, Termux has deprecated the Play Store version of the app, and now they say to install from the F-Droid app store. Unfortunately, on ChromeOS in order to sideload F-Droid you need to enable dev mode, defeating the benefit of Termux.

You can keep using the old version of Termux from the Play Store, but it won't get updates; you'll get messages about the pkg download mirrors being offline (which is easy to workaround). But who knows what breaks next?

Collapse
 
grahamlyons profile image
Graham Lyons

This is great. I'm really interested in how much can be done locally on a Chromebook. Do you find that the reliance on a remote server can be difficult, particularly if your Internet connection isn't good/available?

Collapse
 
pbnj profile image
Peter Benjamin (they/them)

Personally, I have not found reliance on remote servers to be too difficult.

When I run into slow/flaky wireless connections, I tether to my mobile/cellular network and I’m good to go.

I haven’t encountered a scenario when I was unexpectedly completely offline.
When I know I will be completely offline (eg plane), I pull my projects down locally and I’m good to go.

The only complaint I have about local development work is that Termux (android terminal emulator) has a few quirks, like no /etc/shells, or that root Linux directory is $PREFIX, or that #!/usr/bin/env ... doesn’t work, or that to paste you have to ctrl alt v ...etc

Collapse
 
jmfayard profile image
Jean-Michel 🕵🏻‍♂️ Fayard

Has anyone tried using Android Studio 3.5 (which is supposed to be officially supported) or IntelliJ IDEA community edition on the chromebook?

Would you recommend it?
I'm about to give programming workshop for beginners and it would be great if chromebook were really usable

aboutchromebooks.com/news/android-...

medium.com/@budding.technologist/u...

Collapse
 
joe_dougherty profile image
Joe Dougherty 🐴 • Edited

Came on this article while researching future dev tools with Chromebooks. Bought my wife (pretty non-techie) a very sweet Asus Flip C304 for Christmas and now I'm jealous. I'm eventually replacing a Lenovo laptop (and my company-provided Mac Air) for my dev work with something portable, so I needed some experienced analysis from someone who has done this. This post has been more than helpful.

Cheers.

Some comments have been hidden by the post's author - find out more