We are currently doing a mini-internet run and one group has touched the `br0` interface of OVS on their L2-switches with `ip`. By configuring VLAN tags with `ip` directly on the `br0` interface, they created a fun collection of weird issues, which we ultimately could only solve with a full restart and restoring from backups (hopefully).

Now while it's certainly not the correct way to set up VLAN tags in case of the mini-internet, students will always somehow find this kind of stuff and try it out. That's part of the learning curve after all.

In this case, we might want to limit their access though, as breaking the whole mini-internet is not acceptable.

Possible solutions:

- Disable execution of `ip` on switches

  Our band-aid solution is to run a script after the setup that removes the X bit from the `ip` binary in the switch containers. This probably has side effects for teardown scripts.

- Have a non-root user in the switch containers

  By having another user in the switch containers you could control the tools the students have access to more precisely via sudo. You could even still allow `ip [..] show` commands.
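Both options above sketched as POSIX shell, as an added example that is not part of the mini-internet project or of the issue author's setup. The user name `student`, the binary path `/sbin/ip`, the alias name `IP_SHOW` and the set of read-only subcommands are assumptions; the `is_allowed_ip_cmd` helper only mirrors the sudoers allowlist locally so the rule can be checked without a real sudo, the actual enforcement is sudo reading the generated fragment from `/etc/sudoers.d/`.

```shell
#!/bin/sh
# Added example (not project code): two ways to keep students from running
# state-changing `ip` commands inside the switch containers.
# Assumed values: user "student", binary /sbin/ip, alias IP_SHOW.

STUDENT_USER="${STUDENT_USER:-student}"
IP_BIN="${IP_BIN:-/sbin/ip}"

# --- Option 1: band-aid, strip the execute bits from the ip binary ----------
# Run after setup; nobody (not even root) can exec the file until restored.
disable_ip_exec() {
    chmod a-x "$1"
}

# Restore the bits before running teardown scripts that still depend on ip,
# which is the side effect the issue mentions.
enable_ip_exec() {
    chmod a+x "$1"
}

# Returns 0 when no execute bit remains on the file, 1 otherwise.
is_exec_disabled() {
    [ ! -x "$1" ]
}

# --- Option 2: non-root user plus a sudo allowlist of "show" subcommands ----
# Prints a sudoers fragment for /etc/sudoers.d/<name>. The object/verb prefix
# ("link show", "addr show", ...) is fixed, so "link set", "link add" and the
# option-first forms such as "-batch file" never match. Each subcommand is
# listed twice because a trailing " *" in sudoers does not match zero args.
sudoers_fragment() {
    user="$1"
    bin="$2"
    cat <<EOF
# Read-only ip subcommands for $user (generated; assumed allowlist)
Cmnd_Alias IP_SHOW = $bin link show, $bin link show *, \\
                     $bin addr show, $bin addr show *, \\
                     $bin route show, $bin route show *, \\
                     $bin neigh show, $bin neigh show *
$user ALL=(root) NOPASSWD: IP_SHOW
EOF
}

# Local mirror of the allowlist above, for testing the policy without sudo.
# Argument: everything after "ip ", e.g. "addr show dev br0".
is_allowed_ip_cmd() {
    case "$1" in
        "link show"|"link show "*|"addr show"|"addr show "*|\
        "route show"|"route show "*|"neigh show"|"neigh show "*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Usage when run as a script (both steps need root inside the container):
#   sudoers_fragment "$STUDENT_USER" "$IP_BIN" > /etc/sudoers.d/ip-show
#   chmod 0440 /etc/sudoers.d/ip-show && visudo -cf /etc/sudoers.d/ip-show
#   disable_ip_exec "$IP_BIN"     # or skip this if the sudo route is used
```

One caveat for the sudo route: sudoers wildcards match across spaces, so a pattern like `ip * show` would be far wider than intended; keeping the object and verb literal, as above, is what makes the allowlist meaningful. Validate the fragment with `visudo -cf` before installing it, since a syntax error in `/etc/sudoers.d/` locks everyone out of sudo in that container.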