| ▲ | simonw 6 days ago |
| I've been trying to find a good option for this for ages. The Deno/Pyodide one is genuinely one of the top contenders: https://til.simonwillison.net/deno/pyodide-sandbox I'm hoping some day to find a recipe I really like for running Python code in a WASM container directly inside Python. Here's the closest I've got, using wasmtime: https://til.simonwillison.net/webassembly/python-in-a-wasm-s... |
|
| ▲ | abshkbh 5 days ago | parent | next [-] |
| https://github.com/abshkbh/arrakis Will come with MacOS support very soon :)
Does work on Linux |
| |
| ▲ | Tsarp 5 days ago | parent [-] | | I tried this path and found that MacOS has horrible support on firecracker and similar. | | |
| ▲ | abshkbh 5 days ago | parent [-] | | Crosvm (our original Google project) and its children projects Firecracker, Cloud-Hypervisor are all based on top of "/dev/kvm" i.e. the Linux Virtualization stack. Apple's equivalent is the Apple Virtualization Framework which exposes kvm like functionality at a higher level. |
|
|
|
| ▲ | singularity2001 5 days ago | parent | prev | next [-] |
| one wasmtime dependency and a self contained python file with 100 loc seems reasonable! much better than calling deno, at least if you have no pip dependencies... just had to update to new api: # store.add_fuel(fuel)
store.set_fuel(fuel)
fuel_consumed=fuel-store.get_fuel() and it works!! time to hello world:
hello_wasm_python311.py 0.20s user 0.03s system 97% cpu 0.234 total |
| |
| ▲ | antonvs 5 days ago | parent | next [-] | | I was interested in how this compares in a kind of absolute sense. For comparison, an optimized C hello world program gave these results using `perf` on my Dell XPS 13 laptop: 0.000636230 seconds time elapsed
0.000759000 seconds user
0.000000000 seconds sys
That's 36,800% faster. Hand-written assembly was very slightly slower. Using the standard library for output instead of a syscall brought it down to 20,900% faster.(Yes I used percentages to underscore how big the difference is. It's 368x and 209x respectively. That's huge.) Begrudgingly, here are the standard Python numbers: real 0m0.019s
user 0m0.015s
sys 0m0.004s
About 1230% faster than the sandbox, i.e. 12.3x. About an order of magnitude, which is typical for these kinds of exercises. | | |
| ▲ | singularity2001 5 days ago | parent [-] | | haha, 99% is startup time for the sandbox, but yeah, python via wasm is probably still 10-400 times slower than c. |
| |
| ▲ | lopuhin 5 days ago | parent | prev | next [-] | | it's pretty difficult to package native python dependencies for wasmtime or other wasi runtimes, e.g. lxml | | | |
| ▲ | fzzzy 5 days ago | parent | prev [-] | | Great, thanks for your post! I got it working too. This is going to be incredibly handy. |
|
|
| ▲ | 3abiton 5 days ago | parent | prev | next [-] |
| > I'm hoping some day to find a recipe I really like for running Python code in a WASM container directly inside Python. But what would be the usecase for this? |
| |
| ▲ | simonw 5 days ago | parent [-] | | Running Python code from untrusted sources, including code written by LLMs. | | |
| ▲ | 3abiton 4 days ago | parent [-] | | I see, the way I would approach is it by running a client on in a specific python env on an incus instance, with LLM hosted either on the host or another seperate an incus instance. Lately been addicted to sandboxing apps in incus, specifically for isolated vpn tunnels, and automating certain web access. |
|
|
|
| ▲ | Tsarp 5 days ago | parent | prev [-] |
| Atleast on macos cant the sandbox-exec be used similar to what codex is doing? |
| |
| ▲ | simonw 5 days ago | parent [-] | | Yeah, I got excited about that option a while back but was put off by the fact that Apple's (minimal) documentation say sandbox-exec is deprecated. | | |
|
