I recently had to give an introduction course to UNIX shell and we all know that the best way to learn is to practice.
Obviously, we all work from home so no university infrastructure available, and every student were on Windows10 without WSL installed.
Hopefully I had an unused SBC that a plugged into my bathroom hair dryer socket, wifi-configured, port-forwarded, and made my students connect to it using putty (you can see the beast on this article banner).
How to sandbox your student
Build the sandbox
We will use an ubuntu image packed with some extra binaries.
FROM ubuntu:latest
RUN apt update && apt install -y curl tree jq
WORKDIR /root
ENTRYPOINT ["/bin/bash"]
Build this Dockerfile
into an univ/sandbox
image:
docker build -t univ/sandbox .
Start the sandbox
As soon as the students arrive we shall start a temporary sandbox for them. To do so, we create this /usr/bin/sandbox
wrapper:
#!/usr/bin/sh
[ $# -eq 0 ] && mode=it || mode=i; # no argument = open a TTY
/usr/bin/docker run -$mode -v /home/$USER:/root --rm univ/sandbox:latest "$@"
This will also mount the incoming /home/$USER
directory into the container /root/
directory. This way, they personal files are safe and I can grade every homework they have.
Create students accounts (spoiler: it's boring)
I had to spawn a bunch of adduser --shell /usr/bin/sandbox
commands in my tmux, and student connected to my account to put their password.
Because once created they won't be able to change it, as passwd
would have changed they volatile sandbox password, not they real account one.
Conclusion
Pros:
- both
ssh bob@sbc
,ssh bob@sbc env
andscp file bob@sbc:
works - root: every student can either
apt install openarena
orrm -rf /*
- reproducibility: just reconnect to get a fresh container back
- persistence: personal files are kept across sessions
Cons:
- barebone: the ubuntu image may not come with the usual distro binaries like ping, ssh ... so be prepared to rebuild your sandbox image.
-
/root/
: every sandboxed student will find they/home/
in/root/
which might be misleading for newcomers - security: Docker is not isolation-proof, so if any student use a 0 day to escape the sandbox, they will own my SBC (in which case I'll gladly offer them as a reward)
-
ssh-copy-id
won't work for because of permission mismatch between the root writing, and the user reading.
Top comments (0)