mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-17 17:02:01 -05:00
[GH-ISSUE #22225] feat: Hardware-isolated code execution backend via exec-sandbox (QEMU microVMs) #19669
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @clemlesne on GitHub (Mar 4, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/22225
TL;DR
exec-sandbox runs untrusted code inside ephemeral QEMU microVMs with hardware virtualization (KVM/HVF). It supports Python 3.14, JS/TS (Bun), and Shell, with 1-2ms warm-pool latency, streaming I/O, and 9 layers of isolation -- no privileged containers needed. It can be installed today as a zero-core-change Workspace Tool (
pip install exec-sandbox), or later wired in as a nativeCODE_EXECUTION_ENGINEbackend.Disclosure: I am the author/maintainer of exec-sandbox.
Check Existing Issues
Verify Feature Scope
Problem Description
Open WebUI's code execution today offers three backends, each with meaningful trade-offs for multi-user and self-hosted deployments:
The gap: There is no built-in backend that simultaneously provides (a) strong security isolation suitable for multi-tenant deployments, (b) server-side execution with full language support (Python, JS, shell), and (c) zero shared state between users/executions.
The community has recognized this. Discussion #19050 requests sandbox functionality as a core built-in, extending beyond the current Pyodide/Jupyter capabilities. Issue #9614 tracks code interpreter enhancements and has "external sandboxing" checked off on its roadmap (likely referencing the safe-code-execution plugin); exec-sandbox offers an alternative approach with hardware VM isolation instead of userspace kernel sandboxing. Issue #18224 highlighted the inadequacy of documentation around the RCE surface when workspace tools run via
exec()on the server -- reinforcing why sandboxed execution matters.The community safe-code-execution plugin by EtiennePerot addresses this with gVisor, but it requires Linux-only gVisor, relaxed seccomp profiles (
seccomp=unconfined), AppArmor disabled, and writable cgroupfs -- constraints that can be difficult to meet in production container orchestration environments and are unavailable on macOS for local development.Desired Solution you'd like
Add exec-sandbox (PyPI) as an additional code execution backend option, alongside the existing Pyodide, Jupyter, and Open Terminal backends.
What exec-sandbox provides:
pip install exec-sandbox-- single dependency, assets auto-download on first useHow this compares to existing options:
Integration as an Open WebUI Workspace Tool:
The most natural integration point is as a Workspace Tool, matching the pattern established by EtiennePerot's safe-code-execution plugin. This requires zero changes to Open WebUI core. Here is a working implementation sketch:
This follows the exact same pattern as the existing safe-code-execution tool -- same class structure, same Valves configuration, same event emitter usage -- so users already familiar with that plugin will find this immediately recognizable.
Alternatively, as a native backend integration:
For deeper integration, exec-sandbox could be registered as a new
CODE_EXECUTION_ENGINEoption (alongside the existing"pyodide"and"jupyter"options), backing the built-inexecute_codesystem tool. Note: Open Terminal uses a separate Docker-based shell API rather than theCODE_EXECUTION_ENGINEconfig path. This would require a modest patch tobackend/open_webui/utils/code_interpreter.pyto dispatch to the exec-sandbox Scheduler whenconfig.code.engine == "exec-sandbox". This approach would benefit from the existing UI affordances (run buttons on code blocks, automatic matplotlib capture, etc.) without any user-facing plugin installation.Alternatives Considered
1. EtiennePerot's safe-code-execution (gVisor)
Excellent community plugin that currently fills this gap. However, gVisor is Linux-only, requires relaxed container security policies (
seccomp=unconfined, AppArmor disabled, writable cgroupfs), and provides userspace kernel isolation rather than hardware VM isolation. exec-sandbox is a complementary alternative for deployments where macOS support, stricter container policies, or hardware-level isolation are requirements.2. Jupyter backend
Works for single-user setups but the shared kernel model makes it explicitly unsuitable for multi-user environments. No isolation between users.
3. Open Terminal (Docker-based)
Provides container-level isolation and full shell access, but containers share the host kernel. The isolation boundary is the Linux namespace layer, not a hardware hypervisor.
4. Cloud sandbox APIs (E2B, Modal, Runloop, Daytona)
Require sending code and data to external servers. Not viable for air-gapped, privacy-sensitive, or self-hosted deployments. Several are proprietary.
Additional Context
Resource requirements:
brew install qemuon macOS,apt install qemu-systemon Linux)/dev/kvm), HVF on macOS (kern.hv_support)/dev/kvmon the host (e.g.,--device /dev/kvm). Most cloud VMs and bare-metal hosts expose KVM, but nested virtualization must be enabled if running inside a VMWhat this does NOT propose:
Links:
@Classic298 commented on GitHub (Mar 4, 2026):
Probably not going to happen.
Also this feature request violates this requirement: "I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions."
Should have been opened in the discussions
The good news: What you are asking for is already being built.
https://github.com/open-webui/terminals
A scalable multi-user solution with isolated individual sandboxes - one sandbox per user - auto startup and orchestration.
and some of the other things you mentioned which open terminal does not yet have might be added in the future, who knows
But adding another backend must be most carefully considered, in the context of open terminal already covering 99% of that and the multi-user orchestration coming soon, i see little reason to add exec-sandbox