| ▲ | MCP Run Python(github.com) |
| 172 points by xrd 8 days ago | 65 comments |
| |
|
| ▲ | behnamoh 5 days ago | parent | next [-] |
| So their method of sandboxing Python code is to spin up a JS runtime (deno), run Pyodide on it, and then run the Python code in Pyodide. Seems a lot of work to me. Is this really the best way to create and run Python sandboxes? |
| |
| ▲ | simonw 5 days ago | parent | next [-] | | I've been trying to find a good option for this for ages. The Deno/Pyodide one is genuinely one of the top contenders: https://til.simonwillison.net/deno/pyodide-sandbox I'm hoping some day to find a recipe I really like for running Python code in a WASM container directly inside Python. Here's the closest I've got, using wasmtime: https://til.simonwillison.net/webassembly/python-in-a-wasm-s... | | |
| ▲ | abshkbh 5 days ago | parent | next [-] | | https://github.com/abshkbh/arrakis Will come with MacOS support very soon :)
Does work on Linux | | |
| ▲ | Tsarp 5 days ago | parent [-] | | I tried this path and found that MacOS has horrible support on firecracker and similar. | | |
| ▲ | abshkbh 4 days ago | parent [-] | | Crosvm (our original Google project) and its children projects Firecracker, Cloud-Hypervisor are all based on top of "/dev/kvm" i.e. the Linux Virtualization stack. Apple's equivalent is the Apple Virtualization Framework which exposes kvm like functionality at a higher level. |
|
| |
| ▲ | singularity2001 5 days ago | parent | prev | next [-] | | one wasmtime dependency and a self contained python file with 100 loc seems reasonable! much better than calling deno, at least if you have no pip dependencies... just had to update to new api: # store.add_fuel(fuel)
store.set_fuel(fuel)
fuel_consumed=fuel-store.get_fuel() and it works!! time to hello world:
hello_wasm_python311.py 0.20s user 0.03s system 97% cpu 0.234 total | | |
| ▲ | antonvs 5 days ago | parent | next [-] | | I was interested in how this compares in a kind of absolute sense. For comparison, an optimized C hello world program gave these results using `perf` on my Dell XPS 13 laptop: 0.000636230 seconds time elapsed
0.000759000 seconds user
0.000000000 seconds sys
That's 36,800% faster. Hand-written assembly was very slightly slower. Using the standard library for output instead of a syscall brought it down to 20,900% faster.(Yes I used percentages to underscore how big the difference is. It's 368x and 209x respectively. That's huge.) Begrudgingly, here are the standard Python numbers: real 0m0.019s
user 0m0.015s
sys 0m0.004s
About 1230% faster than the sandbox, i.e. 12.3x. About an order of magnitude, which is typical for these kinds of exercises. | | |
| ▲ | singularity2001 5 days ago | parent [-] | | haha, 99% is startup time for the sandbox, but yeah, python via wasm is probably still 10-400 times slower than c. |
| |
| ▲ | lopuhin 5 days ago | parent | prev | next [-] | | it's pretty difficult to package native python dependencies for wasmtime or other wasi runtimes, e.g. lxml | | | |
| ▲ | fzzzy 4 days ago | parent | prev [-] | | Great, thanks for your post! I got it working too. This is going to be incredibly handy. |
| |
| ▲ | 3abiton 5 days ago | parent | prev | next [-] | | > I'm hoping some day to find a recipe I really like for running Python code in a WASM container directly inside Python. But what would be the usecase for this? | | |
| ▲ | simonw 5 days ago | parent [-] | | Running Python code from untrusted sources, including code written by LLMs. | | |
| ▲ | 3abiton 4 days ago | parent [-] | | I see, the way I would approach is it by running a client on in a specific python env on an incus instance, with LLM hosted either on the host or another seperate an incus instance. Lately been addicted to sandboxing apps in incus, specifically for isolated vpn tunnels, and automating certain web access. |
|
| |
| ▲ | Tsarp 5 days ago | parent | prev [-] | | Atleast on macos cant the sandbox-exec be used similar to what codex is doing? | | |
| ▲ | simonw 5 days ago | parent [-] | | Yeah, I got excited about that option a while back but was put off by the fact that Apple's (minimal) documentation say sandbox-exec is deprecated. | | |
|
| |
| ▲ | kodablah 5 days ago | parent | prev | next [-] | | There just aren't good Python sandboxing approaches. There are subinterpreters but they can slow to start from scratch. There are higher-level sandboxing approaches like microvms, but they have setup overhead and are not easy to use from inside Python. At Temporal, we required a sandbox but didn't have any security requirement, so we wrote it from scratch with eval/exec and a custom importer [0]. It is not a foolproof sandbox, but it does a good job at isolating state, intercepting and preventing illegal calls we don't like, and allowing some imports to "pass through" the outside instead of being reloaded for performance reasons. 0 - https://github.com/temporalio/sdk-python?tab=readme-ov-file#... | | |
| ▲ | achierius 5 days ago | parent | next [-] | | Out of curiosity, why did you need a sandbox if you didn't have any security concerns? | | |
| ▲ | kodablah 4 days ago | parent | next [-] | | Sibling quoted the proper part. It's to help people keep code deterministic by helping prevent shared state and prevent non-deterministic standard library calls. | |
| ▲ | necovek 4 days ago | parent | prev [-] | | > but it does a good job at isolating state, intercepting and preventing illegal calls we don't like
Sounds like they put the reason just there. |
| |
| ▲ | fzzzy 4 days ago | parent | prev [-] | | At least we have subinterpreters now. Even if they are slow that is a really good thing. |
| |
| ▲ | anentropic 5 days ago | parent | prev | next [-] | | It's what ChatGPT does apparently... https://simonwillison.net/2024/Dec/10/chatgpt-canvas/ | | |
| ▲ | simonw 5 days ago | parent [-] | | Not exactly - ChatGPT has two ways it can run Python code. It can use Pyodide and run it directly in the user's browser (for Canvas), and it can also run Python code on one of their servers in a Jupyter environment in a locked-down Kubernetes container (their "Code Interpreter" tool). To my knowledge they don't yet have a run-Python-in-WASM-on-the-server implementation. | | |
| ▲ | jamestimmins 5 days ago | parent [-] | | What’s the purpose of Jupyter here? Isn’t that optimized for notebooks, which presumably wouldn’t be relevant on the server? | | |
| ▲ | simonw 5 days ago | parent [-] | | I think it's more about tapping into the Jupyter ecosystem of visualization libraries etc, plus the fact that there's lots of data analyst examples in the training data that come from notebooks. | | |
| ▲ | jamestimmins 5 days ago | parent | next [-] | | That's an interesting dynamic of the training data impacting the architecture. I wonder if this is a one-off or we see that in other areas as well. | | |
| ▲ | fzzzy 4 days ago | parent [-] | | I think this is inevitable. Whatever is most highly represented (correctly) will become even more dominant. |
| |
| ▲ | __mharrison__ 5 days ago | parent | prev [-] | | So that's why it writes such bad pandas code... |
|
|
|
| |
| ▲ | pseudosavant 5 days ago | parent | prev | next [-] | | If there is a WASM build of the project, that is going to be the easiest and safest way to run that with untrusted user content. And Deno happens to be really good at hosting WASM itself. So, these are the two easiest tools to do this with. I was looking into using WASM in Python yesterday for some image processing. It requires pulling in a full WASM runtime like wasmtime. Still better than calling out to native binaries like ImageMagick, but definitely more complicated than doing it in Deno. If I was writing it myself I'd do Deno, but LLMs are so good at writing Python. | | | |
| ▲ | redleader55 5 days ago | parent | prev | next [-] | | The author states: > The code is executed using Pyodide in Deno and is therefore isolated from the rest of the operating system. To me personally, the premise is a bit naive - it assumes that deno's WASM VM doesn't have exploits, that pyodide doesn't have bugs, etc. It might as well ask the LLM to produce javascript code and run it under deno and then it would be simpler. In the end, the problem is one of risk budget. If you're running this in a VM you control and it's only you running your own prompts on it, maybe it's "good enough". If on the other hand, you want to sell this service to others who will attack your infrastructure, then no - it's not even close to be enough. Your question is a bit vague because it doesn't explain what "best way" means for you. Cheap, secure, implementable by a person over a weekend? | | |
| ▲ | fragmede 5 days ago | parent | next [-] | | The answer, I think, is to push running the VM back onto the user, and build on top of Fabrice's JS Linux and run the sandbox on the user's machine. That way at the very worst they can escape and steal their own cookies from the browser process the VM is running on/in. | |
| ▲ | achierius 5 days ago | parent | prev [-] | | > premise is a bit naive - it assumes that deno's WASM VM doesn't have exploits, that pyodide doesn't have bugs, Eh, I wouldn't call this naive. Two points: 1. Pyodide bugs should not be a huge concern here. As long as your python code is executing on top of a JS runtime, the runtime is what matters first and foremost from a security pov. 2. Yes, it's possible for Deno to have bugs. But frankly: it's much less likely to than most any other method for doing this sort of sandboxing. Deno sits on v8, which is the engine used by Chrome, and there are very few applications in the world which have a closer eye and larger dedicated security budget than Chrome. V8 can have bugs, sure, but I would expect they (along with JSC and maybe SpiderMonkey) will have far fewer than any other runtime for a serious dynamic language on the market today. Yes, a VM would be better (and frankly, when you're talking about running Python on top of a JS runtime, might not even be less performance), but the reason why is not that they "have fewer bugs". |
| |
| ▲ | jjuliano 5 days ago | parent | prev | next [-] | | I am nowhere near as big or as popular as Pydantic, but this is my solution - https://kdeps.com/getting-started/resources/python.html | |
| ▲ | samuel 5 days ago | parent | prev | next [-] | | I spin up a docker container using the docker API. I haven't used gvisor because I don't expect the model to try kernel level exploits. If it were the case, we're already doomed. | |
| ▲ | jacob019 5 days ago | parent | prev | next [-] | | Indeed. What ever happened to user mode linux? | |
| ▲ | pansa2 5 days ago | parent | prev | next [-] | | It might be. CPython doesn't support sandboxing Python code, so the only option is to run the whole interpreter within a sandbox. | |
| ▲ | ridruejo 5 days ago | parent | prev | next [-] | | It’s one of the best ways, at least on the sandboxing front. Hard to beat Wasm at that | |
| ▲ | kissgyorgy 5 days ago | parent | prev [-] | | Not at all. | | |
| ▲ | jononor 5 days ago | parent [-] | | What is the best way? Or at least, a better way? | | |
| ▲ | babush 5 days ago | parent | next [-] | | I recall Shopify having a seccomp-based jail to run untrusted ruby code. But their use-case was very limited so they can get away with blocking almost every syscall. Other than that... VMs? The fact that people consider JS/WASM engines good security sandboxes is a bit scary tbf. | | |
| ▲ | simonw 5 days ago | parent [-] | | I trust a WASM sandbox a whole lot more than I trust a Docker container sandbox. WASM engines run in almost every browser on earth, billions of times a day. Security problems in those get spotted very quickly. | | |
| ▲ | babush 5 days ago | parent [-] | | It's a bit hard to do comparisons without going into threat models and all that _fun_ stuff :shrug: For example, JS runs in almost every browser on earth too, yet it took V8 devs 2 years to find out that `Math.expm1()` could return -0.0 (https://chromium.googlesource.com/v8/v8.git/+/56f7dda67fdc97...). This is a cherry-picked example, and JS is clearly more complex than WASM, but still. Just because stuff runs on a lot of devices doesn't mean it's more or less secure. Linux runs on quite a few devices too, yet we still find bugs, people still don't ship updates to said bugs, yadda yadda yadda. My point is just that lots of devs often skip the threat modeling and just think "I'll slap it in a WASM thingie an it'll be fine". Well good luck. |
|
| |
| ▲ | kissgyorgy 5 days ago | parent | prev | next [-] | | Landlock, cgroups on Linux | |
| ▲ | ehsanu1 5 days ago | parent | prev [-] | | gVisor |
|
|
|
|
| ▲ | simonw 5 days ago | parent | prev | next [-] |
| I hacked around with this a bit and figured out a way to get it to spit out logging of the prompts and responses to the server: https://gist.github.com/simonw/54fc42ef9a7fb8f777162bbbfbba4... Short-ish version: ANTHROPIC_API_KEY="$(llm keys get anthropic)" \
uv run --with devtools --with pydantic-ai python -c '
import asyncio
from devtools import pprint
from pydantic_ai import Agent, capture_run_messages
from pydantic_ai.mcp import MCPServerStdio
server = MCPServerStdio(
"deno",
args=[
"run",
"-N",
"-R=node_modules",
"-W=node_modules",
"--node-modules-dir=auto",
"jsr:@pydantic/mcp-run-python",
"stdio",
],
)
agent = Agent("claude-3-5-haiku-latest", mcp_servers=[server])
async def main():
with capture_run_messages() as messages:
async with agent.run_mcp_servers():
result = await agent.run("How many days between 2000-01-01 and 2025-03-18?")
pprint(messages)
print(result.output)
asyncio.run(main())'
Output here: https://gist.github.com/simonw/54fc42ef9a7fb8f777162bbbfbba4...I got it running against Mistral Small 3.1 running locally too - notes on that here: https://simonwillison.net/2025/Apr/18/mcp-run-python/ |
|
| ▲ | evacchi 5 days ago | parent | prev | next [-] |
| cool!! you might also want to check out https://www.mcp.run/dylibso/eval-py It's open source too :) https://github.com/dylibso/mcp.run-servlets/tree/main/servle... We also use Wasm to sandbox all our servlets https://docs.mcp.run/blog/2025/04/07/mcp-run-security (I work at Dylibso) |
|
| ▲ | _pdp_ 5 days ago | parent | prev | next [-] |
| Bookmarked it. We took another approach which provides more flexibility but at the cost of slower spin up. Basically we use firecracker vm. We mount the attachments and everything else into the vm so that the agent can run tools on them (anything on the os) and we destroy the machine at the very end. It works! It is also as secure as firecracker goes. But I like using WASM especially in a hosted environment like Deno. It feels like a more scaleable solution and probably less maintenance too with the downside that that we wont be able to run just any cmd. I am happy to provide more details and point to the tool is anyone is interested. It is not open-source but you can play with it for free. |
| |
|
| ▲ | yahoozoo 5 days ago | parent | prev | next [-] |
| All of these Agent frameworks are already overwhelming. Insert joke about parallels to the JavaScript ecosystem. What agent framework is truly the top dog? Is it just working with the big model providers native frameworks, such as OpenAI’s Agents SDK? |
|
| ▲ | m3047 5 days ago | parent | prev | next [-] |
| Having watched the repeated immolation of blissful innocence since smart email clients would run whatever smart (OLE? Smart? I'm kidding.) document was delivered, this is going to be so much fun in a trainwreck kind of way. |
|
| ▲ | bigbuppo 5 days ago | parent | prev | next [-] |
| I keep seeing this MCP thing and I'm really happy that people are getting into Burroughs mainframes rather than that stupid AI crap. |
| |
| ▲ | snoman 5 days ago | parent [-] | | That’s a pretty obscure/dated reference to the Master Control Program that ran on Burroughs mainframes. I suspect the downvotes are for “… stupid AI crap.” | | |
| ▲ | bigbuppo 4 days ago | parent [-] | | ...and that still runs on Unisys Libra systems, doing the sort of boring but important work that keeps the world running, such as processing unemployment benefits for the people that are going to be laid off of the AI companies once everyone realizes AGI isn't going to happen and GenAI is the new leaded gasoline. |
|
|
|
| ▲ | someguy101010 5 days ago | parent | prev | next [-] |
| Nice! I'm working on a way to do this for javascript using v8 https://github.com/r33drichards/mcp-js. Right now this works but there is some significant jank. |
|
| ▲ | Cluelessidoit 5 days ago | parent | prev | next [-] |
| Hi, I don’t really know anything honestly, but I do remember an ai I running on my laptop using xpip or xpython as a contained environment I think it’s a single instance, would that work or is that close??? |
|
| ▲ | jamesralph8555 5 days ago | parent | prev | next [-] |
| How secure is this? I tried building something similar, but it was taking too long to setup a fully virtualized solution like kata container or firecracker. |
|
| ▲ | singularity2001 5 days ago | parent | prev | next [-] |
| Why not Pyodide directly in python? |
| |
| ▲ | simonw 5 days ago | parent [-] | | I haven't found a supported, documented way to do that yet. I'd love to find one. |
|
|
| ▲ | turnsout 5 days ago | parent | prev | next [-] |
| Woof, use with care |
|
| ▲ | neuroelectron 4 days ago | parent | prev | next [-] |
| Crap but it's mcp so being good isn't the point anyway |
|
| ▲ | mountainriver 5 days ago | parent | prev [-] |
| Cool! |
