I recently had to give an introductory course on the UNIX shell, and we all know that the best way to learn is to practice.
Obviously, we all work from home, so no university infrastructure was available, and every student was on Windows 10 without WSL installed.
Luckily, I had an unused SBC that I plugged into my bathroom hair dryer socket, configured for Wi-Fi, port-forwarded, and had my students connect to with PuTTY (you can see the beast on this article's banner).
We will use an ubuntu image packed with some extra binaries.
FROM ubuntu
RUN apt update && apt install -y curl tree jq
Build this Dockerfile into an image:
docker build -t univ/sandbox .
As soon as the students arrive we shall start a temporary sandbox for them. To do so, we create this /usr/bin/sandbox script:
#!/bin/sh
[ $# -eq 0 ] && mode=it || mode=i # no argument = open a TTY
# bind-mount the student's host home directory onto the container's /root
/usr/bin/docker run -$mode -v "/home/$USER:/root" --rm univ/sandbox:latest "$@"
This will also mount the incoming /home/$USER directory into the container's /root/ directory. This way, their personal files are safe and I can grade every homework they have.
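A hardened variant of the wrapper above, as an added example that is not the author's script: it keeps the TTY switch and the /home/$USER bind mount, validates the account name before it reaches the -v argument, and caps memory and process count so one session cannot starve the board. The limit values and the function names valid_user and sandbox_flags are assumptions.

```shell
#!/bin/sh
# Added example: hardened variant of the /usr/bin/sandbox wrapper.
# The limits are assumed values; size them for your own board.
MEMORY_LIMIT=256m   # assumption: per-session RAM cap
PIDS_LIMIT=128      # assumption: per-session process cap (stops fork bombs)

# Accept only plain account names, so $USER can never add a second
# colon-separated field or an option to the -v bind-mount argument.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the docker run flags for one session.
# $1 = account name, $2 = number of arguments the wrapper received
# (0 means an interactive login, so a TTY is requested, as on the page).
sandbox_flags() {
    valid_user "$1" || return 1
    [ "$2" -eq 0 ] && mode=it || mode=i
    echo "-$mode --rm --memory $MEMORY_LIMIT --pids-limit $PIDS_LIMIT -v /home/$1:/root"
}

# Start the container only when this file is installed as the login
# shell (invoked as .../sandbox); under any other name it just defines
# the functions, which keeps them testable.
case "${0##*/}" in
    sandbox)
        flags=$(sandbox_flags "$USER" "$#") || {
            echo "sandbox: refusing account name '$USER'" >&2
            exit 1
        }
        # Unquoted on purpose: a validated name has no spaces or globs.
        exec /usr/bin/docker run $flags univ/sandbox:latest "$@"
        ;;
esac
```

If the board's kernel has the memory cgroup disabled, Docker discards --memory with a warning, so check the warnings printed by docker info before relying on it.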
I had to spawn a bunch of adduser --shell /usr/bin/sandbox commands in my tmux, and the students connected to my account to set their passwords, because once the account is created they won't be able to change it: passwd would change their volatile sandbox password, not their real account one.
- ssh bob@sbc env and scp file bob@sbc: both work
- root: every student can either apt install openarena or rm -rf /*
- reproducibility: just reconnect to get a fresh container back
- persistence: personal files are kept across sessions
- barebone: the ubuntu image may not come with the usual distro binaries like ping, ssh ... so be prepared to rebuild your sandbox image.
- /root/: every sandboxed student will find their home directory at /root/, which might be misleading for newcomers
- security: Docker is not isolation-proof, so if any student uses a 0-day to escape the sandbox, they will own my SBC (in which case I'll gladly offer it to them as a reward)
- ssh-copy-id won't work because of the permission mismatch between root writing and the user reading.