[HN Gopher] MCP Run Python
___________________________________________________________________
MCP Run Python
Author : xrd
Score : 102 points
Date : 2025-04-15 11:09 UTC (2 days ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| turnsout wrote:
| Woof, use with care
| mountainriver wrote:
| Cool!
| evacchi wrote:
| cool!! you might also want to check out
| https://www.mcp.run/dylibso/eval-py
|
| It's open source too :) https://github.com/dylibso/mcp.run-
| servlets/tree/main/servle...
|
| We also use Wasm to sandbox all our servlets
| https://docs.mcp.run/blog/2025/04/07/mcp-run-security
|
| (I work at Dylibso)
| behnamoh wrote:
| So their method of sandboxing Python code is to spin up a JS
| runtime (deno), run Pyodide on it, and then run the Python code
| in Pyodide.
|
| Seems a lot of work to me. Is this really the best way to create
| and run Python sandboxes?
| kissgyorgy wrote:
| Not at all.
| jononor wrote:
| What is the best way? Or at least, a better way?
| babush wrote:
| I recall Shopify having a seccomp-based jail to run
| untrusted ruby code. But their use-case was very limited so
| they can get away with blocking almost every syscall.
|
| Other than that... VMs? The fact that people consider
| JS/WASM engines good security sandboxes is a bit scary tbf.
| simonw wrote:
| I trust a WASM sandbox a whole lot more than I trust a
| Docker container sandbox.
|
| WASM engines run in almost every browser on earth,
| billions of times a day. Security problems in those get
| spotted very quickly.
| babush wrote:
| It's a bit hard to do comparisons without going into
| threat models and all that _fun_ stuff :shrug:
|
| For example, JS runs in almost every browser on earth
| too, yet it took V8 devs 2 years to find out that
| `Math.expm1()` could return -0.0 (https://chromium.google
| source.com/v8/v8.git/+/56f7dda67fdc97...). This is a
| cherry-picked example, and JS is clearly more complex
| than WASM, but still.
|
| Just because stuff runs on a lot of devices doesn't mean
| it's more or less secure.
|
| Linux runs on quite a few devices too, yet we still find
| bugs, people still don't ship updates to said bugs, yadda
| yadda yadda.
|
| My point is just that lots of devs often skip the threat
| modeling and just think "I'll slap it in a WASM thingie
| an it'll be fine". Well good luck.
| kissgyorgy wrote:
| Landlock, cgroups on Linux
| ehsanu1 wrote:
| gVisor
| pansa2 wrote:
| It might be. CPython doesn't support sandboxing Python code, so
| the only option is to run the whole interpreter within a
| sandbox.
| anentropic wrote:
| It's what ChatGPT does apparently...
|
| https://simonwillison.net/2024/Dec/10/chatgpt-canvas/
| simonw wrote:
| Not exactly - ChatGPT has _two_ ways it can run Python code.
| It can use Pyodide and run it directly in the user 's browser
| (for Canvas), and it can also run Python code on one of their
| servers in a Jupyter environment in a locked-down Kubernetes
| container (their "Code Interpreter" tool).
|
| To my knowledge they don't yet have a run-Python-in-WASM-on-
| the-server implementation.
| jamestimmins wrote:
| What's the purpose of Jupyter here? Isn't that optimized
| for notebooks, which presumably wouldn't be relevant on the
| server?
| simonw wrote:
| I think it's more about tapping into the Jupyter
| ecosystem of visualization libraries etc, plus the fact
| that there's lots of data analyst examples in the
| training data that come from notebooks.
| jamestimmins wrote:
| That's an interesting dynamic of the training data
| impacting the architecture. I wonder if this is a one-off
| or we see that in other areas as well.
| __mharrison__ wrote:
| So that's why it writes such bad pandas code...
| pseudosavant wrote:
| If there is a WASM build of the project, that is going to be
| the easiest and safest way to run that with untrusted user
| content. And Deno happens to be really good at hosting WASM
| itself. So, these are the two easiest tools to do this with.
|
| I was looking into using WASM in Python yesterday for some
| image processing. It requires pulling in a full WASM runtime
| like wasmtime. Still better than calling out to native binaries
| like ImageMagick, but definitely more complicated than doing it
| in Deno. If I was writing it myself I'd do Deno, but LLMs are
| so good at writing Python.
| kmangutov wrote:
| Interesting to understand what is possible in this
| Deno/Pyodide environment. For example sklearn works despite
| being quite an involved dependency [1]. Another side to this
| is data input/output, which seems possible with a low level
| interface [2]. Very exciting that (a simple) end-to-end ML
| experience is now possible in the modern browser.
|
| [1] https://www.erp5.com/NXD-
| Blog.Scipy.and.Scikit.Learn.Compile... [2]
| https://donatstudios.com/Read-User-Files-With-Go-WASM
| ridruejo wrote:
| It's one of the best ways, at least on the sandboxing front.
| Hard to beat Wasm at that
| simonw wrote:
| I've been trying to find a good option for this for ages. The
| Deno/Pyodide one is genuinely one of the top contenders:
| https://til.simonwillison.net/deno/pyodide-sandbox
|
| I'm hoping some day to find a recipe I really like for running
| Python code in a WASM container directly inside Python. Here's
| the closest I've got, using wasmtime:
| https://til.simonwillison.net/webassembly/python-in-a-wasm-s...
| singularity2001 wrote:
| one wasmtime dependency and a self contained python file with
| 100 loc seems reasonable!
|
| much better than calling deno, at least if you have no pip
| dependencies...
|
| just had to update to new api:
|
| # store.add_fuel(fuel) store.set_fuel(fuel)
| fuel_consumed=fuel-store.get_fuel()
|
| and it works!!
|
| time to hello world: hello_wasm_python311.py 0.20s user 0.03s
| system 97% cpu 0.234 total
| lopuhin wrote:
| it's pretty difficult to package native python dependencies
| for wasmtime or other wasi runtimes, e.g. lxml
| antonvs wrote:
| I was interested in how this compares in a kind of absolute
| sense. For comparison, an optimized C hello world program
| gave these results using `perf` on my Dell XPS 13 laptop:
| 0.000636230 seconds time elapsed 0.000759000
| seconds user 0.000000000 seconds sys
|
| That's 36,800% faster. Hand-written assembly was very
| slightly slower. Using the standard library for output
| instead of a syscall brought it down to 20,900% faster.
|
| (Yes I used percentages to underscore how big the
| difference is. It's 368x and 209x respectively. That's
| huge.)
|
| Begrudgingly, here are the standard Python numbers:
| real 0m0.019s user 0m0.015s sys
| 0m0.004s
|
| About 1230% faster than the sandbox, i.e. 12.3x. About an
| order of magnitude, which is typical for these kinds of
| exercises.
| abshkbh wrote:
| https://github.com/abshkbh/arrakis
|
| Will come with MacOS support very soon :) Does work on Linux
| jjuliano wrote:
| I am nowhere near as big or as popular as Pydantic, but this is
| my solution - https://kdeps.com/getting-
| started/resources/python.html
| redleader55 wrote:
| The author states:
|
| > The code is executed using Pyodide in Deno and is therefore
| isolated from the rest of the operating system.
|
| To me personally, the premise is a bit naive - it assumes that
| deno's WASM VM doesn't have exploits, that pyodide doesn't have
| bugs, etc. It might as well ask the LLM to produce javascript
| code and run it under deno and then it would be simpler.
|
| In the end, the problem is one of risk budget. If you're
| running this in a VM you control and it's only you running your
| own prompts on it, maybe it's "good enough". If on the other
| hand, you want to sell this service to others who will attack
| your infrastructure, then no - it's not even close to be
| enough.
|
| Your question is a bit vague because it doesn't explain what
| "best way" means for you. Cheap, secure, implementable by a
| person over a weekend?
| fragmede wrote:
| The answer, I think, is to push running the VM back onto the
| user, and build on top of Fabrice's JS Linux and run the
| sandbox on the user's machine. That way at the very worst
| they can escape and steal their own cookies from the browser
| process the VM is running on/in.
| kodablah wrote:
| There just aren't good Python sandboxing approaches. There are
| subinterpreters but they can slow to start from scratch. There
| are higher-level sandboxing approaches like microvms, but they
| have setup overhead and are not easy to use from inside Python.
|
| At Temporal, we required a sandbox but didn't have any security
| requirement, so we wrote it from scratch with eval/exec and a
| custom importer [0]. It is not a foolproof sandbox, but it does
| a good job at isolating state, intercepting and preventing
| illegal calls we don't like, and allowing some imports to "pass
| through" the outside instead of being reloaded for performance
| reasons.
|
| 0 - https://github.com/temporalio/sdk-python?tab=readme-ov-
| file#...
| m3047 wrote:
| Having watched the repeated immolation of blissful innocence
| since smart email clients would run whatever smart (OLE? Smart?
| I'm kidding.) document was delivered, this is going to be so much
| fun in a trainwreck kind of way.
| bigbuppo wrote:
| I keep seeing this MCP thing and I'm really happy that people are
| getting into Burroughs mainframes rather than that stupid AI
| crap.
| snoman wrote:
| That's a pretty obscure/dated reference to the Master Control
| Program that ran on Burroughs mainframes.
|
| I suspect the downvotes are for "... stupid AI crap."
| someguy101010 wrote:
| Nice! I'm working on a way to do this for javascript using v8
| https://github.com/r33drichards/mcp-js. Right now this works but
| there is some significant jank.
| _pdp_ wrote:
| Bookmarked it. We took another approach which provides more
| flexibility but at the cost of slower spin up. Basically we use
| firecracker vm. We mount the attachments and everything else into
| the vm so that the agent can run tools on them (anything on the
| os) and we destroy the machine at the very end. It works! It is
| also as secure as firecracker goes.
|
| But I like using WASM especially in a hosted environment like
| Deno. It feels like a more scaleable solution and probably less
| maintenance too with the downside that that we wont be able to
| run just any cmd.
|
| I am happy to provide more details and point to the tool is
| anyone is interested. It is not open-source but you can play with
| it for free.
| retinaros wrote:
| its like u using lambda
| singularity2001 wrote:
| Why not Pyodide directly in python?
| simonw wrote:
| I haven't found a supported, documented way to do that yet. I'd
| love to find one.
| Cluelessidoit wrote:
| Hi, I don't really know anything honestly, but I do remember an
| ai I running on my laptop using xpip or xpython as a contained
| environment I think it's a single instance, would that work or is
| that close???
___________________________________________________________________
(page generated 2025-04-17 23:00 UTC)