docs(compute): document the External runtime row and supervisor cell

st-gr · st-gr · commit f0d5b2776718 · 2026-06-09T00:45:46.000-07:00
Adds the External row to the runtime summary and supervisor delivery
tables: activated by --compute-driver-socket, GetCapabilities driver_name
logged for diagnostics, operator owns process and socket lifecycle, trust
boundary is the socket's filesystem permissions.

Also picks up rustfmt's normalization of the new imports and helper
signatures introduced in the previous two commits.

Signed-off-by: st-gr &lt;38470677+st-gr@users.noreply.github.com&gt;
diff --git a/architecture/compute-runtimes.md b/architecture/compute-runtimes.md
@@ -34,6 +34,7 @@ when a sandbox create request asks for GPU resources.
 | Podman | Rootless or single-machine deployments. | Container plus nested sandbox namespace. | Uses the Podman REST API, OCI image volumes, and CDI GPU devices when available. |
 | Kubernetes | Cluster deployment through Helm. | Pod plus nested sandbox namespace. | Uses Kubernetes API objects, service accounts, secrets, PVC-backed workspace storage, and GPU resources. |
 | VM | Experimental microVM isolation. | Per-sandbox libkrun VM. | Gateway spawns `openshell-driver-vm` as a subprocess over a private, state-local Unix socket. The VM driver boots a cached bootstrap `rootfs.ext4`, prepares requested OCI images inside a bootstrap VM with `umoci`, attaches the prepared image disk read-only, and gives each sandbox a writable `overlay.ext4` for merged-root changes and runtime material. The driver persists each accepted launch request beside the overlay and restarts those VMs on driver startup without recreating the overlay. |
+| External | Out-of-tree drivers operated alongside the gateway. | Whatever boundary the driver implements. | Activated by `--compute-driver-socket=<path>` (env `OPENSHELL_COMPUTE_DRIVER_SOCKET`). The gateway connects to a UDS the operator already provisioned, runs `GetCapabilities`, logs the advertised `driver_name`, and dispatches all sandbox lifecycle calls through the same `compute_driver.proto` surface as the in-tree drivers. The driver process and socket lifecycle are operator-owned; the gateway does not spawn, supervise, or remove the driver. The trust boundary is the socket's filesystem permissions — the operator must ensure only the gateway uid can read/write it. |
 
 Per-sandbox CPU and memory values currently enter the driver layer through
 template resource limits. Docker and Podman apply them as runtime limits.
@@ -68,6 +69,7 @@ The supervisor must be available inside each sandbox workload:
 | Podman | Read-only OCI image volume containing the supervisor binary. |
 | Kubernetes | Sandbox pod image or pod template configuration. |
 | VM | Embedded in the guest rootfs bundle. |
+| External | Defined by the out-of-tree driver. |
 
 Driver-controlled environment variables must override sandbox image or template
 values for sandbox ID, sandbox name, gateway endpoint, relay socket path, TLS
diff --git a/crates/openshell-server/src/cli.rs b/crates/openshell-server/src/cli.rs
@@ -1515,9 +1515,7 @@ ssh_session_ttl_secs = 1234
         let (args, _) = parse_with_args(&["openshell-gateway", "--db-url", "sqlite::memory:"]);
         assert_eq!(
             args.compute_driver_socket.as_deref(),
-            Some(std::path::Path::new(
-                "/var/run/openshell/external.sock"
-            ))
+            Some(std::path::Path::new("/var/run/openshell/external.sock"))
         );
     }
 
diff --git a/crates/openshell-server/src/compute/mod.rs b/crates/openshell-server/src/compute/mod.rs
@@ -15,6 +15,7 @@ use crate::sandbox_watch::SandboxWatchBus;
 use crate::supervisor_session::SupervisorSessionRegistry;
 use crate::tracing_bus::TracingLogBus;
 use futures::{Stream, StreamExt};
+use hyper_util::rt::TokioIo;
 use openshell_core::ComputeDriverKind;
 use openshell_core::proto::compute::v1::{
     CreateSandboxRequest, DeleteSandboxRequest, DriverCondition, DriverPlatformEvent,
@@ -35,17 +36,16 @@ use openshell_driver_kubernetes::{
 use openshell_driver_podman::{
     ComputeDriverService as PodmanDriverService, PodmanComputeConfig, PodmanComputeDriver,
 };
-use hyper_util::rt::TokioIo;
 use prost::Message;
 use std::fmt;
 use std::net::SocketAddr;
 use std::path::{Path, PathBuf};
 use std::pin::Pin;
 use std::sync::Arc;
 use std::time::Duration;
-use tokio::sync::Mutex;
 #[cfg(unix)]
 use tokio::net::UnixStream;
+use tokio::sync::Mutex;
 use tonic::transport::{Channel, Endpoint};
 use tonic::{Code, Request, Status};
 use tower::service_fn;
