How I sandboxed 10 students in my bathroom using Docker

I recently had to give an introduction course to UNIX shell and we all know that the best way to learn is to practice.
Obviously, we all work from home so no university infrastructure available, and every student were on Windows10 without WSL installed.
Hopefully I had an unused SBC that a plugged into my bathroom hair dryer socket, wifi-configured, port-forwarded, and made my students connect to it using putty (you can see the beast on this article banner).

How to sandbox your student

Build the sandbox

We will use an ubuntu image packed with some extra binaries.

FROM ubuntu:latest
RUN apt update && apt install -y curl tree jq
WORKDIR /root
ENTRYPOINT ["/bin/bash"]

Build this Dockerfile into an univ/sandbox image:

docker build -t univ/sandbox .

Start the sandbox

As soon as the students arrive we shall start a temporary sandbox for them. To do so, we create this /usr/bin/sandbox wrapper:

#!/usr/bin/sh
[ $# -eq 0 ] && mode=it || mode=i; # no argument = open a TTY
/usr/bin/docker run -$mode -v /home/$USER:/root --rm univ/sandbox:latest "$@"

This will also mount the incoming /home/$USER directory into the container /root/ directory. This way, they personal files are safe and I can grade every homework they have.

Create students accounts (spoiler: it's boring)

I had to spawn a bunch of adduser --shell /usr/bin/sandbox commands in my tmux, and student connected to my account to put their password.
Because once created they won't be able to change it, as passwd would have changed they volatile sandbox password, not they real account one.

Conclusion

Pros:

• both ssh bob@sbc, ssh bob@sbc env and scp file bob@sbc: works
• root: every student can either apt install openarena or rm -rf /*
• reproducibility: just reconnect to get a fresh container back
• persistence: personal files are kept across sessions

Cons:

• barebone: the ubuntu image may not come with the usual distro binaries like ping, ssh ... so be prepared to rebuild your sandbox image.
• /root/: every sandboxed student will find they /home/ in /root/ which might be misleading for newcomers
• security: Docker is not isolation-proof, so if any student use a 0 day to escape the sandbox, they will own my SBC (in which case I'll gladly offer them as a reward)
• ssh-copy-id won't work for because of permission mismatch between the root writing, and the user reading.