Rémy F.

How I sandboxed 10 students in my bathroom using Docker

I recently had to give an introductory course on the UNIX shell, and we all know that the best way to learn is to practice.
Obviously, we all work from home, so no university infrastructure was available, and every student was on Windows 10 without WSL installed.
Luckily, I had an unused SBC that I plugged into my bathroom hair dryer socket, configured for Wi-Fi, port-forwarded, and had my students connect to using PuTTY (you can see the beast on this article's banner).

How to sandbox your students

Build the sandbox

We will use an Ubuntu image packed with some extra binaries.

    FROM ubuntu:latest
    RUN apt update && apt install -y curl tree jq
    WORKDIR /root
    ENTRYPOINT ["/bin/bash"]

Build this Dockerfile into a univ/sandbox image:

    docker build -t univ/sandbox .

Start the sandbox

As soon as the students arrive, we start a temporary sandbox for them. To do so, we create this /usr/bin/sandbox wrapper:

    #!/usr/bin/sh
    [ $# -eq 0 ] && mode=it || mode=i; # no argument = open a TTY
    /usr/bin/docker run -$mode -v /home/$USER:/root --rm univ/sandbox:latest "$@"

This will also mount the incoming /home/$USER directory into the container's /root/ directory. This way, their personal files are safe and I can grade every homework they have.

Create student accounts (spoiler: it's boring)

I had to spawn a bunch of adduser --shell /usr/bin/sandbox commands in my tmux, and students connected to my account to enter their password.
This is because, once the account is created, they won't be able to change it: passwd would change their volatile sandbox password, not their real account one.

Conclusion

Pros:

  • ssh bob@sbc, ssh bob@sbc env and scp file bob@sbc: all work
  • root: every student can either apt install openarena or rm -rf /*
  • reproducibility: just reconnect to get a fresh container back
  • persistence: personal files are kept across sessions

Cons:

  • bare-bones: the Ubuntu image may not come with the usual distro binaries like ping, ssh ..., so be prepared to rebuild your sandbox image.
  • /root/: every sandboxed student will find their /home/ in /root/, which might be misleading for newcomers
  • security: Docker isolation is not escape-proof, so if any student uses a 0-day to escape the sandbox, they will own my SBC (in which case I'll gladly offer it to them as a reward)
  • ssh-copy-id won't work because of the permission mismatch between root writing the file and the user reading it.
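
A hardened variant of the /usr/bin/sandbox wrapper that limits the damage one container can do to the board, keeping the root-in-container and home-mount behaviour described above. This is an added example, not the author's code: the function names are hypothetical and the limit values are assumptions to size for your own hardware.

```shell
#!/bin/sh
# Hardened variant of the /usr/bin/sandbox login-shell wrapper (added example).
# Limit values are assumptions; size them for your own board.
IMAGE=univ/sandbox:latest

# The account name is interpolated into the bind-mount source, so accept
# only conservative names (no '/', ':', whitespace or leading '-').
valid_user() {
    case $1 in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the docker run options, one per line.
# $1 = account name, $2 = number of arguments the wrapper received.
sandbox_opts() {
    valid_user "$1" || return 1
    if [ "$2" -eq 0 ]; then
        printf '%s\n' -it            # no argument = open a TTY
    else
        printf '%s\n' -i
    fi
    # Process, memory and CPU ceilings; no privilege gain via setuid binaries.
    printf '%s\n' \
        --rm \
        --pids-limit=128 \
        --memory=256m \
        --cpus=0.5 \
        --security-opt=no-new-privileges \
        "--volume=/home/$1:/root" \
        "$IMAGE"
}

run_sandbox() {
    opts=$(sandbox_opts "$USER" "$#") || {
        echo "sandbox: refusing account name" >&2
        exit 1
    }
    # Safe to split: every option is whitespace-free once the name is validated.
    # shellcheck disable=SC2086
    exec /usr/bin/docker run $opts "$@"
}

# Start a container only when running as the installed login shell.
case $0 in
    */sandbox) run_sandbox "$@" ;;
esac
```

On boards whose kernel has the memory cgroup disabled, Docker prints a warning and discards the --memory limit, so check the first container's startup output.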
