this post was submitted on 11 Oct 2025
24 points (100.0% liked)

technology

24272 readers
322 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

founded 5 years ago
MODERATORS
context@hexbear.net
SexUnderSocialism@hexbear.net
gaycomputeruser@hexbear.net
Wakmrow@hexbear.net
SwitchyandWitchy@hexbear.net
24
Breathing life into some disposed of ChromeBooks (hexbear.net)
submitted 4 months ago by invalidusernamelol@hexbear.net to c/technology@hexbear.net
14 comments fedilink hide all child comments
 

So I'm helping a local tech non-profit refurbish some old Chromebooks for distribution to halfway houses and immigrants that need computer access for legal stuff. The current need is basically a rock solid platform for getting to websites, reading email, and editing mostly shared Google docs.

Issue is that the hardware is no longer supported by Google.

We've gone ahead and got Coreboot flashed on all 40 devices and have settled on using Fedora-Onyx (Atomic distro with a Budgie UI).

We need to install some flatpaks on each machine and set up a base configuration. Easy enough with rpm-ostree and some manual configuration, but I was wondering if anyone here has had more experience with managing the atomic distros.

Basically I want to have it so the volunteers just need to plug in a USB installer stick and get a fully setup instance. Is there an easy way to take a tree and transfer it to another machine that isn't using something like clonezilla? I'm assuming we could just maintain an image and rebase to thatafter installing, but I'm not fully aware of the easiest way to accomplish that.

you are viewing a single comment's thread
view the rest of the comments
[–] hellinkilla@hexbear.net 7 points 4 months ago (1 children)

I don't know how to do that. If you don't get any good leads I suggest re-asking it with the question up front, which if I understand it, is something like "What's the easiest way to install the exact same custom Fedora system on multiple identical devices?"

The fact they are chromebooks or what they are for is probably irrelevant? The only thing I would really wonder about is if you are planning to encrypt them, which might not be a bad idea if the intended purpose is legal situations of marginalized people. That might make the nature of the device more relevant.

I did a quick websearch, and found they have something called Kickstart, would that help you? Otherwise I think what you are looking for could also be described as backing up and restoring the system to another machine. I assume fedora recommends or ships with some kind of system backup software; what about using that?

I also have in my bookmarks (but have never used) mkosi "A fancy wrapper around dnf --installroot, apt, pacman and zypper that generates customized disk images with a number of bells and whistles."

I have run linux on a few chromebooks, it is a great pairing if all the hardware is supported. Storage is an issue. You have to be very, very disciplined to keep your system tight. I don't know how fedora/atomic copes with upgrades but if it keeps a bunch of shit cached/backed-up after completion as other distros do, you run into problems pretty quick with your storage being 100% full which can be difficult to diagnose and get out of if you don't know your way around. And if you are going to have swap, which is handy and expected by many users to be able to close the lid and retain the state without power, you have even less storage to work with.

As long as you have realistic expectations about not being able to have a million firefox windows open at once, chromebooks are great and should serve you well.

[–] invalidusernamelol@hexbear.net 4 points 4 months ago (1 children)

The reason for using atomic is so updates are automatic, and a device can be wiped by nuking /var/ which is essentially exactly the same as factory resetting a Chromebook.

I did look into Kickstart, I might end up using it. Seems more designed for automating the installer process, and not post install system config. I'm probably gonna do some more research into saving and exporting ostree layers so I can manage the package layers and just manually copy over the /var/ from an already configured system.

End of the day there's only so much you can do with 16GB of emmc storage, and because most other distros we tried on these machines were no longer maintained or incredibly unstable. The layer cache can be limited and old versions can be pruned. Since these are meant to be incredibly minimal, the base system is only ~2GB after install and config. Which fits in the 2GB of Ram. Definitely not winning any speed races, but for 3-4 tabs and minor workloads it's usable.

I'll have to investigate encryption aspect, I think easily nukable might be enough. Especially if there's a performance cost to decrypting the drive on startup. Especially since most of the users of these devices are gonna be using G-Drive for file storage anyways.

[–] hellinkilla@hexbear.net 3 points 4 months ago (1 children)

My understanding is that it is difficult/impossible to properly erase solid state memory due to how the devices work. Better descriptions than I could manage:

Even to the extent you can it's very slow. Certainly slower than the 5s lost to decryption on boot.

More relevant barriers would be the added complexity of initial set up, and the friction of having to know and enter an extra password on boot.

though work is to be done in the cloud, obviously there has to be some local cache. Even on an unencrypted device that might be non trivial to access (I don't know how). An attacker would have to be specifically motivated and knowledgeable. On the other hand, the data could be very very sensitive, desirable, and not available by easier means. So if there was a raid search arrests, if devices were stolen sold or given away, the information could end up somewhere bad. It could be the government or it could be someone's ex husband.

I think it's totally a question of risk model. Not one answer for all situations.

I think it's worthwhile, if it makes sense with your situation, to at least nuke users files. people will always accidentally or purposefully download stuff to their computers, and a much more realistic threat than a forensic deconstruction is that the next person who hops on the device sees someone else's birthday pics, browser history, bank statements or whatever. I wonder if there might even be some tools or scripts available to help run a public computer like that; shouldn't have to make from scratch.

[–] invalidusernamelol@hexbear.net 3 points 4 months ago (1 children)

These will be going to single users as far as I know. They're priced to the org at ~$30 and that money comes from their grant.

These are some of the lowest end Chromebooks I've worked with tbh. The emmc is so incredibly slow that the network speeds are bottlenecked by it lol. The A B updates that ostree does take around 15 minutes to build and use ~80% of the CPU in the background (luckily that's only done once a day at midnight or if they specifically request updates).

LUKS encryption would be easy to enable, but someone would inevitably forget their password and we'd have to break the news that the resume they were working on is lost forever. I'll probably include instructions on how to encrypt specific folders so they can have secure locations that they set up.

If we set up LUKS with a shop password and share it, that also just kinda defeats the purpose. Now they're all using the same password. Could use the device code as a salt, but that's still easy to guess and hard to remember.

Running an rm -rf on the var partition should be moderately quick, and since it's a btrfs filesystem, we could also just totally overwrite the logical volume and reassign it. On non spinning disk storage, overwriting the block headers is more than enough to scuttle access to the data.

[–] hellinkilla@hexbear.net 4 points 4 months ago (1 children)

Yeah that totally makes sense. I've had a hell of a time trying to get encryption working properly and smoothly. In theory it should be OK but once you introduce any kind of complexity there are problems. One complexity being using really shitty hardware, which I'm well acquainted with. And it probably isn't a good idea to implement something that has a lot of new-to-you techniques because you do not want to realize there is a problem that needs to be fixed on every machine after a month.

BTW you should count on the devices failing in mysterious and unrepairable ways. Eventually they all fail and you can't do much about it. Sometimes slowly and sometimes suddenly stop out of nowhere.

I was thinking about the shared password issue and I think it still protects against stuff being found if stolen or lost. I don't think you'd want individual decryption passwords. Impossible to manage.

I wonder if your users will want to use thumb drives or other external storage. On the one hand it would be good to encourage using gnome disks or something to encrypt them, but that is terribly incompatible outside linux. So if you make it difficult to store stuff, people will end up putting all their stuff on a FAT32 doohicky that floats around in their purse or pocket, where it could find its way virtually anywhere. So I think moderation is very sensible to avoid incentivizing workarounds that are way worse.

[–] invalidusernamelol@hexbear.net 2 points 4 months ago (1 children)

Totally agree with you there. The atomic stuff is new to me as well, but after seeing the weird compatibility and stability issues that these things had with a regular install, I figured it was worth the plunge to have the A/B update system. Also means installing a bunch of stuff is harder for the end user unless they know the 3 commands you need to bypass the ostree lol.

I wish people would just natural have a better time understanding technology, but reality is that 90% of the people we distribute computers to barely know how to use a keyboard and many don't speak English. These machines are single purpose devices, and any additional security we add will just make them toss it in the trash.

We do have education sessions where we teach people how to use a browser, how to open Gmail, how to identify a scam, etc. I've been wanting to expand those classes to have some basic Intro to Linux, intro to Python, intro to Bash, etc. type classes that teach people the bare minimum so they can start learning. But that's only gonna work with the kids. Any older person that gets one of these devices needs to have it work as frictionless as possible with a minimal amount of interaction.

[–] hellinkilla@hexbear.net 2 points 4 months ago

I wonder of it would be worthwhile to have a few machines designated by interface language to support non English users. The localization takes up massive space if you get all of it. But maybe like a few Spanish-enabled machines or whatever is most relevant.

I like to share my computer hobby with people too but its a tough sell. it requires a massive investment of time and attention to get comfortable with the basics. Out of reach for most adults. I feel like its a victory if I just get people to look at what's on the screen, like peruse the menus and see what the system is offering to you. Most just click the icon they know they need ignore the rest. I think anything that encourages simple exploration of the available tools is empowering. Once you see what the computer can already do, then you start to think about what it could do.