bytedance/deer-flow

docker sandbox模式的MCP服务偶尔会出现:Access denied - path outside allowed directories

Open

#2904 opened on May 12, 2026

View on GitHub
 (6 comments) (0 reactions) (0 assignees)Python (67,767 stars) (9,005 forks)batch import
help wanted

Description

环境:linux+deerflow(bedbf22) sandbox:docker MCP-filesystem: "type": "stdio", "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-filesystem", "/home/ubuntu/deerflow/EdgeHarness/backend/.deer-flow/threads/" ],

启动之后是可以正常访问沙箱docker里的/mnt/user-data/workspace/,但使用一段时间之后会出现工具调用错误“Access denied - path outside allowed directories”。具体错误日志见后。我理解这是将docker里的虚拟路径映射到host主机路径上了。偶发现象,但出现之后就一致不能访问该路径,需要重启才能恢复使用。

错误日志片段: Secure MCP Filesystem Server running on stdio Client does not support MCP Roots, using allowed directories set from server args: [ '/home/ubuntu/deerflow/EdgeHarness/backend/.deer-flow/threads' ] 2026-05-12 15:38:25 - deerflow.agents.middlewares.tool_error_handling_middleware - ERROR - Tool execution failed (async): name=filesystem_read_text_file id=call_00_dhivpeLYWtlf5QJkgTtp0422 Traceback (most recent call last): File "/home/ubuntu/deerflow/EdgeHarness/backend/packages/harness/deerflow/agents/middlewares/tool_error_handling_middleware.py", line 61, in awrap_tool_call return await handler(request) ^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langchain/agents/factory.py", line 669, in call_inner return await inner(req, execute) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/packages/harness/deerflow/agents/middlewares/clarification_middleware.py", line 198, in awrap_tool_call return await handler(request) ^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langgraph/prebuilt/tool_node.py", line 1196, in execute return await self._execute_tool_async(req, input_type, config) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langgraph/prebuilt/tool_node.py", line 1151, in _execute_tool_async content = _handle_tool_error(e, flag=self._handle_tool_errors) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langgraph/prebuilt/tool_node.py", line 432, in _handle_tool_error content = flag(e) # type: ignore [assignment, call-arg] ^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langgraph/prebuilt/tool_node.py", line 389, in _default_handle_tool_errors raise e File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langgraph/prebuilt/tool_node.py", line 1103, in _execute_tool_async response = await tool.ainvoke(call_args, config) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langchain_core/tools/structured.py", line 70, in ainvoke return await super().ainvoke(input, config, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langchain_core/tools/base.py", line 652, in ainvoke return await self.arun(tool_input, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langchain_core/tools/base.py", line 1131, in arun raise error_to_raise File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langchain_core/tools/base.py", line 1097, in arun response = await coro_with_context(coro, context) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langchain_core/tools/structured.py", line 124, in _arun return await self.coroutine(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langchain_mcp_adapters/tools.py", line 414, in call_tool return _convert_call_tool_result(call_tool_result) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/ubuntu/deerflow/EdgeHarness/backend/.venv/lib/python3.12/site-packages/langchain_mcp_adapters/tools.py", line 189, in _convert_call_tool_result raise ToolException(error_msg) langchain_core.tools.base.ToolException: Access denied - path outside allowed directories: /mnt/user-data/workspace/agent-mail-relay/src/comm/factory.rs not in /home/ubuntu/deerflow/EdgeHarness/backend/.deer-flow/threads

Contributor guide

Tech stack
dockerpythonnodejs
Domain
backenddevops
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
DockerMCP protocolPythonLangChain
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
25
Research direction
Investigate why the MCP filesystem server's allowed directories become incorrect after runtime. Check if Docker volume mounts change or if the npx command restarts without the proper arguments. Look at the MCP client initialization in the agent code to see how the allowed directories are set and if there's a race condition between tool calls and server reinitialization.