Outcall

Architecture

Anatomy of the daemon

outcalld is one binary made of seven Tokio tasks. The bridge is the chokepoint; everything else exists to decide what may pass through it.

How it fits together

One bridge. One source of truth.

The daemon is the only thing on the host that can change policy. Operators talk to the host socket. Containers talk to the agent socket. Neither side reaches the other.

[Diagram: Operator (outcall CLI · UI), Agent container (outcall-agent shim), host.sock, agent.sock, outcalld (rule engine, bridge, nftables, DNS filter, HTTP proxy, agent API, docker manager), outcall0 bridge, Internet (filtered)]