How to build a safe demo with admin access on Linux hosts?

Wouldn't it be nice to let people play with gdb and inapp from the internet?

Yeah, but wait a minute, people would take control of the host computer and use its network connectivity of other and unintended purposes. Especially since the demo gives you access to a working gdb session as root. It is pretty unavoidable that people will find a way to escape the docker container and run their private stuffs on it, eating all the network bandwidth available.

My idea to make it safe

Software cannot be trusted. Why not doing it on the hardware level?

Controlling a zombie computer is always nice for DDoS attacks, free coin mining or for running a proxy/Tor router node, but it gets so much less interesting when the network connection is too slow. Let's say the host computer is only connected via a serial line to the outside world. Even hacking the kernel won't get you an Ethernet cable connection. Serial data transfer at max 115kbps is only ~14 kilobytes per second. Just enough for a remote terminal session, but useless for anything else.

Imagine the board has only read-only local storage and RAM disk. A power switch cycles the board every hours or so. It is all nice but how do you update the local storage remotely? If any ethernet access is given what-so-ever, this can be hacked and used to bypass the serial line limitation...

On-the-go mass-storage for all!

For example, Raspberry Pi has support for booting from an USB drive. I made experiments with the Nano Pi NEO, and managed to convert its USB port into an OTG USB device which simulates an USB mass-storage device and serves a selectable image at runtime.

Now let's talk about hosting

Everything most certainly fits in a 1U rack space and takes less than 100W. 10Mbps internet connection is probably fine as well.

Seems possible to host a custom 1U in colocation for 50€/month (incl. VAT) in Munich.

A Raspberry with multiple USB-to-Serial adapter can be turned into a cheap terminal server.

Do everything with the Nano Pi NEO?