Outcall

Welcome

Outcall is a host-level firewall daemon for Docker agent containers. Read the guides if you're operating it; read the specs if you're contributing to it.

Outcall sits between agent containers and the outside world. It is one binary that runs the bridge, the rule engine, the DNS filter, the HTTP proxy, the container-side shim API, and the Docker network manager. It is opinionated in exactly two directions: default-deny and fail-closed.

If outcalld is unreachable, every layer answers block, SERVFAIL, or exit-5. There is no "best effort" mode.

Pick your path

Two kinds of documentation

  • Operator guides — installation, configuration, the CLI, rule authoring, troubleshooting.
  • Specifications — the formal source of truth for every Outcall subsystem.

On this page