
[OSPP] Implement a mcp server to run any scripts or commands securely #3547


Draft
wants to merge 19 commits into
base: master

yexuanyang

What's changed?

Hello, everyone! Currently, we are looking at monitoring data or alarm data on the hertzbeat platform, but we can't take the next step, such as automatic recovery, automatic repair, etc., for alarm data or collected data. Now, with AI's capabilities, we can automate monitoring and alerting with the help of AI, which generates and decides on its own the repair scripts or tasks for abnormal services on the other end based on the alert information, monitoring information, etc., and then calls the mcp server deployed on the other end to execute them. So I wrote an mcp server and put it under the mcp-servers folder; other mcp servers can be put into this same directory, so that it is easy to add new mcp servers to hertzbeat.

This mcp server currently accomplishes the following:

  • Execute scripts through the mcp server. Scripts are currently ASCII text executable files on unix-like OSes using the shebang #! in the header; the Windows bat format is not tested.
  • There are preset tools that combine a series of common commands to accomplish some information gathering tasks. For example, getting the current disk usage.
  • Record logs of command and script execution. There may be omissions in the logging of some operations, but this is only the first version.
  • Command blacklist and operator blacklist. Commands and operators in the blacklist cannot be executed; the blacklist is now configured in config.yaml.

Some things that need to be done in the future:

  • Command whitelisting. Some commands may contain dangerous operators and commands, but administrators still want to allow such commands to be executed. These commands are put into a whitelist, and the program first checks whether the command matches one of the whitelisted items; it executes the command directly if it matches, and only checks against the blacklist if it doesn't.
  • Documentation. The documentation is incomplete in the current code and needs to be filled in later.

Sorry, this PR might be a bit big; I'll try to work with the reviewer to ease the pain of review.

Checklist

  • I have read the Contributing Guide
  • I have written the necessary doc or comment.
  • I have added the necessary unit tests and all cases have passed.
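
The check order described in the post above (whitelist first, blacklists only when no whitelist entry matches), as an added example that is not code from this pull request. The policy keys, the sample values and the `check_command` name are assumptions, since the config.yaml schema is not shown on the page.

```python
import shlex

# Constructed sample policy (assumed layout, not the PR's config.yaml schema).
POLICY = {
    # Exact command lines an administrator has approved despite their operators.
    "whitelist": ["df -h | sort -k5"],
    "command_blacklist": ["rm", "mkfs", "shutdown"],
    "operator_blacklist": ["|", ";", "&&", ">", "`", "$("],
}


def check_command(line, policy=POLICY):
    """Return (allowed, reason) for one command line."""
    candidate = line.strip()

    # 1. Whitelist: whole-line equality only. A prefix or substring match would
    #    let an approved command carry extra, unapproved text along with it.
    if candidate in policy["whitelist"]:
        return True, "whitelist"

    # 2. Operator blacklist: checked on the raw text, so an operator inside
    #    quotes is rejected too (conservative on purpose).
    for op in policy["operator_blacklist"]:
        if op in candidate:
            return False, f"operator {op!r}"

    # 3. Command blacklist: compare the program's base name, so "/bin/rm" and
    #    "rm" are treated alike. Only the first token needs checking because
    #    chaining operators were already rejected in step 2.
    try:
        tokens = shlex.split(candidate)
    except ValueError:
        return False, "unparseable"  # e.g. unbalanced quotes: fail closed
    if not tokens:
        return False, "empty"
    name = tokens[0].rsplit("/", 1)[-1]
    if name in policy["command_blacklist"]:
        return False, f"command {name!r}"

    return True, "not blacklisted"


if __name__ == "__main__":
    for sample in ["df -h | sort -k5", "df -h | sort -k5 | tee /tmp/x",
                   "/bin/rm -rf /tmp/x", "df -h", 'echo "unterminated']:
        print(f"{sample!r:40} -> {check_command(sample)}")
```

The returned reason string is what an execution log entry would record alongside the command, so rejected requests stay auditable.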

@github-actions github-actions bot added the doc Improvements or additions to documentation label Jul 4, 2025
@tomsun28 tomsun28 added the OSPP label Jul 4, 2025
@tomsun28 tomsun28 changed the title [feature] Implement a mcp server to run any scripts or commands securely [OSPP] Implement a mcp server to run any scripts or commands securely Jul 4, 2025
@tomsun28 tomsun28 requested a review from Aias00 July 5, 2025 09:00