- I am not interested in running Claude or any of the agents as much as I am interested in running untrusted user code on the cloud inside a sandbox.
- Think CodeSandbox: how much time does it take for a VM here to boot?
- How safe do you think this solution would be to let users execute untrusted code inside while being able to pip install and npm install all sorts of libraries and
- How do you deploy this inside AWS Lambda/Fargate for the same use case?

> How safe do you think this solution would be to let users execute untrusted code inside while being able to pip install and npm install all sorts of libraries

It's designed to be fairly safe in exactly that situation, because it's sandboxed twice over: once in a container and once in a VM. You start to layer on risk when you punch holes in it (adding domains to the whitelist, port-forwarding, etc.).

> how do you deploy this inside AWS Lambda/Fargate for the same use case

These both seem like poor fits. I suspect Lambda is simply a non-starter. For Fargate, you'd be running k8s inside a VM inside a pod inside k8s. As an alternative, you could construct an AMI that runs the yolo-cage microk8s cluster without the VM, and then you could deploy it to EC2.