Differences

This shows you the differences between two versions of the page.

--- projects:cluster [2025/07/14 15:26] – created samp20
+++ projects:cluster [2026/04/24 14:25] (current) – samp20
@@ Line 6: / Line 6: @@
   * Be simpler to setup and use than Kubernetes.
   * Work across networks. For example between a cloud provider and self-hosted.
-  * Not require a separate management service.
 ===== Parts list =====
@@ Line 13: / Line 12: @@
   * Python based core.
-  * JSON for cluster configuration.
+  * PostgreSQL database for cluster configuration.
-    * Will eventually be signed (possibly JWT).
   * runc (or other OCI compliant runtime) for container management.
-  * Wireguard for the node mesh network.
   * NFTables for firewall configuration.
-  * Python Flask for config distribution.
+  * Python Flask for web UI/API.
+  * Caddy for HTTPS ingress proxy.
 ===== General architecture =====
-The core of the system will be a python service that will receive the configuration (probably via UNIX socket), validate it and update the various components through python plugins using ''importlib.metadata.entry_points''.
+{{drawio>projects:cluster-architecture.png}}
-The configuration will consist of objects representing different parts of the system that need to be configured. An example is below:
+===== RunC integration =====
+RunC containers are created with a ''config.json'' and a ''rootfs''. RunC can generate a base configuration. While we could technically include that in the cluster config directly, it probably makes more sense to use the RunC generated config and merge the cluster config into it. A Docker config (Docker uses RunC under the hood) is even more restricted, specifying what syscalls are allowed for example. We may want to add this in the future, but not initially.
+==== Pulling the root filesystem ====
+There exists a few tools that can help with this. [[https://github.com/containers/skopeo|Skopeo]] and [[https://umo.ci/|Umoci]]. An example is below:
+  - ''%%skopeo copy docker://busybox:latest oci:busybox:latest%%''. Will create a ''busybox'' folder.
+  - ''%%umoci unpack --image busybox:latest bundle%%''. Unpacks the OCI image into an OCI runtime bundle in the ''bundle'' folder. This bundle also has a ''config.json''. It'll be interesting to compare that with the RunC generated one.
+It may be preferred to follow the [[https://github.com/opencontainers/image-spec/blob/main/conversion.md|OCI conversion spec]] directly instead of relying on a 3rd party tool such as Umoci.
+===== Network and Wireguard =====
+This will use the [[https://docs.pyroute2.org/index.html|pyroute2]] python module. This has support for [[https://docs.pyroute2.org/wireguard.html|Wireguard]] and [[https://docs.pyroute2.org/netns.html|Network Namespaces]] (their example is with a veth pair).
+===== NFTables =====
+NFTables comes with its own python interface that wraps around ''libnftables''. There's a good tutorial to get started here https://ral-arturo.org/2020/11/22/python-nftables-tutorial.html.
+The scope of this will initially be to configure the forward chains to forward from the container's virtual ethernet to the wireguard tunnel. In the future this can be extended to implement firewall policies between containers.
+===== Caddy =====
+Caddy can be configured directly through JSON.
-<code>
-{
-    "hosts": {
-        "cloud01": {
-            "wg_network": {
-                "type": "wireguard_network",
-                "link_name": "wg_cluster",
-                "address": "10.69.0.1/16"
-            },
-            "peer_local01": {
-                "type": "wireguard_peer",
-                "network": "wg_network",
-                "allowed_ips": ["10.69.1.0/24"]
-            }
-        }
-    }
-}
-</code>