Companion project · cluster orchestration

SwiftCube — the orchestrator for swift-os fleets.

A Swift-everywhere control plane that schedules applications onto swift-os nodes, keeps desired state reconciled, and programs your load balancers. A simplified-but-complete analogue of Kubernetes — except it does the one thing that makes it fast: it removes the container abstraction instead of optimizing it.

instance = Cell, not a container single-binary control plane Raft · linearizable built through SC9b · host-tested

A deployed instance is a Cell — not a container.

The headline idea. SwiftCube does not run containers; it schedules swift-os Cells, the kernel's own capability-based isolation domain.

A Cell already bundles everything an orchestrated workload needs — so there is nothing left to assemble at deploy time. No container runtime to start, no image to layer, no union filesystem to stack, no daemon to talk to. Because the substrate is the kernel itself, an instance doesn't boot — it's admitted, in milliseconds.

instance = Cell, not a container.

◆ Cell — one app instance starts in ms

base imageread-only · content-addressed · deduplicated

scratchprivate RAM (tmpfs) · vanishes on stop

capabilitiesexplicit kernel rights · no root

resource domainaccounted · cpu + memory limits

VFS namespaceprivate filesystem view

lifecyclecreated → running → stopping → dead

No container runtime · achieved by removal

container runtimeimage layeringunion filesystema daemon → millisecond start

How the control plane is wired.

sctld is a single binary — API, scheduler, reconcilers, LB programmer, and an embedded cubestore — running as a 3-node Raft quorum. Each node runs a slet.

sctlCLI

sctld ×3 single binary · API + scheduler + reconcilers + LB programmer embeds cubestore · Raft quorum

external LBs nginx · hetzner · aws

slet node agent · one per node

drives Cellsthe instances
node-proxyeast-west · virtual service IP
node-local PVon datafs

Request lifecycle · the reconciliation flow

1sctl apply writes a Deployment — forwarded to the Raft leader and committed.
2The scheduler loop expands it into N Assignments — spread across nodes, fit by cpu/mem.
3Each node's slet watches its assignments and makes local reality match — creating, supervising, or reaping Cells — then reports status back.
4The endpoints loop watches healthy Cells and programs the external load balancers.

Self-healing falls out for free — when a node's lease expires, its assignments are re-placed elsewhere.

One process, no extra hop. Because cubestore lives in-process with the reconcile loops, SwiftCube skips the apiserver↔etcd network hop Kubernetes pays. A 3-node Raft group gives linearizable writes; a minority partition goes read-only. v1 nodes are swift-os only.

Two things make it different.

Both fall out of building on the Cell substrate rather than on top of a container runtime.

01 · substrate

Cells instead of containers

An instance is a kernel isolation domain, not a packaged process tree. The read-only base is shared across every replica; only the RAM scratch is per-instance.

→ Millisecond start — no runtime to spin up
→ Shared read-only base, deduplicated on the node
→ Per-instance RAM scratch, gone on stop

02 · authority

Capabilities instead of root-in-container

A workload's identity is its capability set. You don't grant a uid and hope; you enumerate exactly the kernel rights it holds — nothing ambient, nothing implied.

net.listen:8080fs.read:/etc/approot

Declare it. SwiftCube reconciles it.

A flat, compose-like manifest — no apiVersion/kind/spec wrapper. Apply it; the control loops pull reality toward it.

edge-api.yaml

# SwiftCube manifest — flat, compose-like (SWIFTCUBE_DESIGN §10)
app: edge-api
image: registry.local/edge-api@sha256:9f2c…         # content-addressed, read-only
replicas: 3
command: [ /bin/edge-api, --serve ]
update: { strategy: canary, canarySteps: [25, 50, 100], progressDeadlineSeconds: 300 }
resources: { cpu: 500m, memory: 256Mi }              # request == limit in v1
ports:
  - name: http
    container: 8080
    expose: { via: lb, provider: nginx, listen: 443, protocol: https, tlsCertRef: edge-api-tls }
env: { LOG_LEVEL: info }
secrets: [ db-password ]                             # from cubestore, mounted in tmpfs
volumes:
  - { name: state, mount: /var/lib/edge-api, persistent: true, size: 1Gi }   # node-local, fenced
capabilities: [ net.listen:8080, fs.read:/etc/edge-api ]   # identity IS the capability set
health:
  readiness: { http: /health, port: 8080, period: 1s, failureThreshold: 3 }
  liveness:  { http: /livez,  port: 8080, period: 5s }
placement: { spread: node, nodeSelector: { zone: eu-central } }

apply it · single node

sctl — apply

$ sctl --local ./state apply -f edge-api.yaml
deployment/edge-api created (revision 1, replicas 3)

read state

sctl — read state

$ sctl --local ./state get deployments
NAME      REPLICAS  REVISION  STRATEGY-REQ
edge-api  3         1         cpu=500m/mem=256Mi

$ sctl --local ./state rollout status edge-api
rollout edge-api:
  strategy:  canary
  revision:  2
  replicas:  3
  phase:     Progressing
  revisions: r1=1 r2=2
  traffic:   r1:50% r2:50%
  ready:     3
  history:   r1 r2

Apply just commits intent. Cell admission, traffic shifting, and LB programming happen asynchronously in sctld's reconcile loops — watch them land with rollout status.

Four pieces. Everything Swift.

If you know Kubernetes, you already know the shape — SwiftCube just collapses it into far less moving machinery.

Component	What it is	Kubernetes analogue
sctl	The command-line client. Runs on Mac, Linux, and Windows. apply manifests · inspect state · drive rollouts	kubectl
sctld	The control plane, as a single binary. consensus + watch + reconcile loops in one process — zero-copy framing between them	apiserver + scheduler + controller-manager
cubestore	Embedded MVCC key-value store with watch. the source of truth — linearizable writes, streaming watches	etcd
slet	The node agent. Lives on every swift-os node and drives Cells. admits, starts, and reaps Cells · reports node truth back	kubelet

A 3-controller quorum gives you fault tolerance; cubestore living in-process with the reconcile loops is what removes the network hop Kubernetes pays between apiserver and etcd.

What it does for the fleet.

The orchestration surface you'd expect — built directly on the Cell substrate and one consistent store.

Reconciliation-driven

Declarative by default. Control loops pull reality toward desired state, so self-healing isn't a feature — it's the normal operating mode.

Strong consistency

One Raft group, linearizable writes, leader forwarding. A 3-controller quorum keeps the cluster's truth single and correct.

Automatic rollouts

Rolling, blue-green, and canary — every step gated on readiness, with automatic rollback the moment a gate fails.

Sticky volumes

Node-local persistent volumes with fencing for stateful workloads — the instance comes back to its data, never to a torn write.

Secure by construction

mTLS everywhere, RBAC on the API, and secrets envelope-encrypted then delivered via tmpfs — never written to disk on the node.

Built for the flagship profile

Fits swift-os's application & AI-hosting profile cleanly — long-running services and inference workloads, scheduled as Cells.

Where it actually stands.

In the swift-os tradition: we tell you what's real. SwiftCube is built through milestone SC9b, host-tested, and single-node sctl --local works today.

Real today, not yet a fleet product. The full SC0–SC9 ladder is implemented and host-tested; you can apply a manifest, watch a canary roll out, and read rollout state on a single node right now. Treat any speed language as a design target of the architecture, not a benchmark sheet.

The honest advantage. Not "faster than X." It's that consensus, watch, and the reconcile loops run in one process with zero-copy framing — and that the instance is a Cell, so there's no runtime to start.

v1 scope: swift-os nodes only. The whole speed thesis depends on the Cell substrate — so SwiftCube doesn't pretend to orchestrate anything else yet. Remaining seams: production mTLS accept-loop, image registry, RBAC/secrets delivery, full multi-node in QEMU.

Milestone ladder · SC0–SC9 · all complete

SC0cubestore — single-node MVCC KV + watch + WAL/snapshot
SC1Raft consensus — elections, replication, quorum of 3, leader forwarding
SC2node join — bootstrap token, mTLS, TTL leases
SC3slet — reconcile loop driving the C6 Cell supervisor
SC4scheduler — Deployment → Assignments (spread + fit)
SC5readiness/liveness probes → ready-only endpoints loop
SC6LB provider interface + nginx backend
SC7east-west — service registry + userspace node-proxy
SC8node-local sticky PVs on datafs + single-writer fencing
SC9sctl CLI + manifest parser + rollout state machine (rolling/blue-green/canary + rollback)

← Back to

Architecture & the Cell model

Check →

What works today