We are currently doing a mini-internet run and one group has touched the br0 interface of OVS on their L2-switches with ip. By configuring VLAN tags with ip directly on the br0 interface, they created a fun collection of weird issues, which we ultimately could only solve with a full restart and restoring from backups (hopefully).
Now while it's certainly not the correct way to set up VLAN tags in case of the mini-internet, students will always somehow find this kind of stuff and try it out. That's part of the learning curve after all.
In this case, we might want to limit their access though, as breaking the whole mini-internet is not acceptable.
Possible solutions:
- Disable execution of `ip` on switches
  Our band-aid solution is to run a script after the setup that removes the X bit from the `ip` binary in the switch containers. This probably has side effects for teardown scripts.
- Have a non-root user in the switch containers
  By having another user in the switch containers you could control the tools the students have access to more precisely via sudo. You could even still allow `ip [..] show` commands.
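
One way to implement the sudo-restricted `ip [..] show` idea from the second option, as an added example that is not part of the original issue or the mini-internet code: a wrapper that validates the arguments itself, since wildcards in sudoers argument lists match across word boundaries. The wrapper name `ip-ro`, its install path, the `/sbin/ip` location and the `student` user are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mini-internet project.
# Assumptions (hypothetical): installed as /usr/local/bin/ip-ro, real binary at
# /sbin/ip, and one sudoers entry for a non-root user named "student":
#   student ALL=(root) NOPASSWD: /usr/local/bin/ip-ro
IP_BIN=/sbin/ip   # assumed path of the real ip binary

# Return 0 only for: ip [display options] OBJECT [show|list [filters...]]
ip_ro_allowed() {
    # Leading options: allow display/family flags only. Everything else
    # (for example -batch or -netns) is denied.
    while [ $# -gt 0 ]; do
        case "$1" in
            -4|-6|-s|-d|-br|-j|-p|-o) shift ;;
            -*) return 1 ;;
            *)  break ;;
        esac
    done
    # Object must be one of a short list students need to inspect.
    case "${1:-}" in
        link|addr|address|route|neigh) shift ;;
        *) return 1 ;;
    esac
    # A bare "ip link" defaults to show, so no further arguments is fine.
    if [ $# -eq 0 ]; then return 0; fi
    # ip resolves abbreviated commands by prefix, so accept only the exact
    # spellings; "s", "se" and similar are rejected rather than guessed.
    case "$1" in
        show|list) shift ;;
        *) return 1 ;;
    esac
    # Remaining words are filters (dev br0, up, ...); none may be an option.
    for arg in "$@"; do
        case "$arg" in -*) return 1 ;; esac
    done
    return 0
}

ip_ro() {
    if ip_ro_allowed "$@"; then
        exec "$IP_BIN" "$@"
    fi
    echo "ip-ro: denied: ip $*" >&2
    return 1
}

# Run as a command only when installed under the assumed wrapper name.
if [ "${0##*/}" = "ip-ro" ]; then ip_ro "$@"; fi
```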