Modules
Tank — an opinionated, declarative container orchestrator built on Linx.
A container's desired state inside a pod.
The host-config seam: how Tank reads the host's network facts without owning them — the uplink a macvlan attaches to, and the DNS servers a container inherits.
The default Tank.Host: uplink + DNS read straight from application config.
Runs anywhere, with no host-network integration.
Pulls an OCI / Docker image and assembles it into a root filesystem a container can run from.
Minimal OCI Distribution (registry HTTP API v2) client.
Extracts an OCI image layer -- a gzipped tar -- into a directory.
Resolves an image's User spec to a numeric {uid, gid}.
A Tank.Volume mounted into a container at an absolute in-rootfs path.
One network interface inside a pod's network namespace.
Interprets a pulled OCI image config against a Tank.Container spec to derive
the workload's run parameters, per the OCI rules
A pod's desired state: one or more containers sharing a single network
namespace, the pod-level network and volumes, and a restart policy. The pod
name is the unique key (the Khepri path leaf under [:tank, :pods, name]).
A pod's network namespace: a set of interfaces plus pod-level DNS (one
/etc/resolv.conf per netns). Loopback is always raised by the runtime.
The level-triggered control loop that converges running pods to the desired
state in Tank.Store. This is what closes the declarative loop: you
Tank.apply/1 a pod and the reconciler starts it — you never start a
container imperatively.
Brings one pod to running reality and supervises it.
Configures a pod's network namespace at the Linx.Process :ready
checkpoint. A pod's :network is one of
Host-side container rootfs bring-up, run during the Linx.Process :ready
checkpoint. Builds the container's filesystem inside its mount namespace and
pivots into it, leaving the workload ready to execve.
The desired-state store seam: Tank's view of the [:tank, :pods, …] subtree
of a Khepri store.
A pod-level storage volume, mounted into containers via Tank.Mount.