Welcome
Outcall is a host-level firewall daemon for Docker agent containers. Read the guides if you're operating it; read the specs if you're contributing to it.
Outcall sits between agent containers and the outside world. It is one binary that runs the bridge, the rule engine, the DNS filter, the HTTP proxy, the container-side shim API, and the Docker network manager. It is opinionated in exactly two directions: default-deny and fail-closed.
If outcalld is unreachable, every layer answers block, SERVFAIL, or
exit-5. There is no "best effort" mode.
Pick your path
Quickstart
Run an agent that can reach exactly one host in five minutes.
Installation
Capabilities, mounts, and release images.
Writing rules
The YAML format, CEL conditions, and per-rule egress modes.
Specifications
Every functional requirement, interface, and edge case — versioned and stable.
Two kinds of documentation
- Operator guides — installation, configuration, the CLI, rule authoring, troubleshooting.
- Specifications — the formal source of truth for every Outcall subsystem.