Description
I don't know if there is already an issue for it, but it would be good to run submissions in a Docker container. That would allow limiting the amount of resources (CPU, memory) a submission can use and applying other restrictions (e.g. removing network access).
Step 1 of this could be to add another worker setup that would run the same conda worker but inside Docker. One could mount relevant folders with miniconda and data. Very roughly something like,
docker run --rm -v /home/user/ramp_deployment:/ramp_deployment -v /home/user/miniconda3/:/miniconda3 ubuntu /miniconda3/bin/python start_worker_script.py
I think by mounting the right folders, one might even use default docker images.
This would help with resource limits, but not with access to hidden test data. Since it will be present on the filesystem, users can access it (and this is what is happening in the current teaching event we are doing with @massich and @mathurinm).
Step 2 would be to mount only the features of the hidden test set (i.e. without the target column) inside Docker, compute predictions, then score final predictions in a separate Docker environment, so that the target column cannot, in principle, be accessed by users.
@glemaitre please comment if I forgot something (I have not looked in detail into how workers are implemented).
cc @maikia
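A sketch of steps 1 and 2 as described above, added here as an example; it is not part of the original issue and not RAMP's own code. The limit values, the `target` column name, the container paths and the `predict.py` / `score.py` scripts are assumptions chosen for illustration.

```python
import csv
from pathlib import Path

# Limits and isolation applied to every container (values are assumptions).
HARDENING = ["--rm", "--network", "none", "--cpus", "2", "--memory", "4g",
             "--pids-limit", "256", "--read-only", "--tmpfs", "/tmp",
             "--cap-drop", "ALL", "--security-opt", "no-new-privileges"]

def split_hidden_test(test_csv, out_dir, target_col="target"):
    """Write features and target to separate directories so that each
    can be bind-mounted on its own."""
    with open(test_csv, newline="") as f:
        reader = csv.DictReader(f)
        rows, cols = list(reader), reader.fieldnames or []
    if target_col not in cols:
        raise ValueError(f"no {target_col!r} column in {test_csv}")
    parts = {"features": [c for c in cols if c != target_col],
             "target": [target_col]}
    dirs = {}
    for name, fields in parts.items():
        dirs[name] = Path(out_dir) / name
        dirs[name].mkdir(parents=True, exist_ok=True)
        with open(dirs[name] / f"{name}.csv", "w", newline="") as f:
            w = csv.DictWriter(f, fieldnames=fields, extrasaction="ignore")
            w.writeheader()
            w.writerows(rows)
    return dirs["features"], dirs["target"]

def _run(mounts, script, image):
    # Build the argv list; nothing is executed here.
    vols = [arg for m in mounts for arg in ("-v", m)]
    return ["docker", "run", *HARDENING, *vols, image,
            "/miniconda3/bin/python", script]

def predict_argv(conda, submission, features_dir, pred_dir, image="ubuntu"):
    """Untrusted phase: submission code sees the features only."""
    return _run([f"{conda}:/miniconda3:ro", f"{submission}:/submission:ro",
                 f"{features_dir}:/data:ro", f"{pred_dir}:/predictions"],
                "/submission/predict.py", image)  # hypothetical entry point

def score_argv(conda, scorer, target_dir, pred_dir, image="ubuntu"):
    """Trusted phase: organiser's scorer only, no submission code mounted."""
    return _run([f"{conda}:/miniconda3:ro", f"{scorer}:/scorer:ro",
                 f"{target_dir}:/truth:ro", f"{pred_dir}:/predictions:ro"],
                "/scorer/score.py", image)  # hypothetical scorer script
```

Each returned list can be passed to `subprocess.run(argv, check=True, timeout=...)` by the worker; the predictions directory is the only writable path shared between the two phases.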