Rémy F.
How I sandboxed 10 students in my bathroom using Docker

I recently had to teach an introductory course on the UNIX shell, and we all know that the best way to learn is to practice.
Obviously, we all work from home, so no university infrastructure was available, and every student was on Windows 10 without WSL installed.
Luckily, I had an unused SBC that I plugged into my bathroom hair dryer socket, configured for Wi-Fi, port-forwarded, and had my students connect to using PuTTY (you can see the beast on this article's banner).

How to sandbox your students

Build the sandbox

We will use an Ubuntu image packed with some extra binaries.

FROM ubuntu:latest
RUN apt update && apt install -y curl tree jq
WORKDIR /root
ENTRYPOINT ["/bin/bash"]

Build this Dockerfile into a univ/sandbox image:

docker build -t univ/sandbox .

Start the sandbox

As soon as the students arrive we shall start a temporary sandbox for them. To do so, we create this /usr/bin/sandbox wrapper:

#!/usr/bin/sh
[ $# -eq 0 ] && mode=it || mode=i; # no argument = open a TTY
/usr/bin/docker run -$mode -v /home/$USER:/root --rm univ/sandbox:latest "$@"

This will also mount the incoming /home/$USER directory into the container's /root/ directory. This way, their personal files are safe and I can grade every homework they have.
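
A hardened variant of the wrapper above, as an added example (not the author's script): it takes the account name from the process uid instead of $USER, requests a TTY only when one is attached, and caps memory, processes and CPU per student. The `sandbox_run` helper, the name check and the limit values are assumptions to adapt to your board.

```sh
#!/bin/sh
# Added example: hardened variant of the /usr/bin/sandbox wrapper.
# Not the author's script; limits and name check are assumed values.
IMAGE="univ/sandbox:latest"

# sandbox_run DOCKER USER [ARGS...]
# Starts the per-student container through the DOCKER binary.
# Returns 1 without starting anything if USER is not a plain account name.
sandbox_run() {
    docker=$1
    user=$2
    shift 2
    # USER ends up inside the -v option, so refuse anything that could
    # change the mount source: '/', ':', '.', or a leading '-'.
    case $user in
        '' | -* | *[!a-z0-9_-]*)
            echo "sandbox: refusing user name '$user'" >&2
            return 1
            ;;
    esac
    # Ask for a TTY only for an interactive login on a real terminal.
    # "ssh bob@sbc env" and scp pass arguments and must stay on plain -i.
    if [ $# -eq 0 ] && [ -t 0 ]; then
        mode=-it
    else
        mode=-i
    fi
    # Per-student caps so one runaway loop cannot starve the whole board.
    "$docker" run "$mode" --rm \
        --memory 256m --pids-limit 128 --cpus 0.5 \
        --security-opt no-new-privileges \
        -v "/home/$user:/root" \
        "$IMAGE" "$@"
}

# Act as the login shell only when installed under the name "sandbox".
if [ "${0##*/}" = sandbox ]; then
    # Resolve the account from the process uid rather than trusting $USER.
    user=$(id -un) || exit 1
    sandbox_run /usr/bin/docker "$user" "$@"
fi
```

On boards whose kernel has no memory cgroup enabled, `docker info` prints a warning and the `--memory` cap is not enforced.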

Create student accounts (spoiler: it's boring)

I had to run a bunch of adduser --shell /usr/bin/sandbox commands in my tmux, and each student connected to my account to type in their password.
They had to do it then, because once the account is created they won't be able to change it: passwd would change their volatile sandbox password, not their real account one.

Conclusion

Pros:

  • ssh bob@sbc, ssh bob@sbc env and scp file bob@sbc: all work
  • root: every student can either apt install openarena or rm -rf /*
  • reproducibility: just reconnect to get a fresh container back
  • persistence: personal files are kept across sessions

Cons:

  • bare-bones: the ubuntu image may not come with the usual distro binaries like ping, ssh, ... so be prepared to rebuild your sandbox image.
  • /root/: every sandboxed student will find their /home/ in /root/, which might be misleading for newcomers
  • security: Docker is not isolation-proof, so if any student uses a 0-day to escape the sandbox, they will own my SBC (in which case I'll gladly offer it to them as a reward)
  • ssh-copy-id won't work because of the permission mismatch between root writing the file and the user reading it.
