Architecture
This page explains how nyxd is structured so new contributors can quickly map commands, APIs, and runtime behavior to source code.
System context
At runtime, the system has these actors:
- User runs
nyxcommands. nyxtalks tonyxdover a Unix socket HTTP API.nyxdorchestrates images, rootfs, networking, and lifecycle.crunexecutes OCI containers.- OCI registries provide image manifests and layer blobs.
- Linux kernel features provide namespaces, cgroups, overlayfs, nftables, and veth.
The design goal is a minimal stack: no Docker, no Podman, no containerd.
High-level architecture
1) Daemon entrypoint
cmd/nyxd/main.go- Parses flags, initializes subsystems, starts the control API, and runs shutdown logic.
2) CLI client
cmd/nyx/main.go- A thin client that dispatches commands to daemon endpoints.
3) Control API
internal/control/server.go- Exposes
/v1/*routes for run, pull, exec, logs, compose, image and container operations.
4) Supervisor (core orchestrator)
internal/supervisor/supervisor.go- Owns container start/stop/remove, restart policy behavior, health integration, and lifecycle supervision.
5) Compose translation
internal/compose/parse.gointernal/compose/specs.go- Parses compose YAML, validates dependencies, resolves images, and builds ordered
ContainerSpecvalues.
6) Image subsystem
internal/image/puller.go- Pulls and verifies OCI manifests/blobs and persists image metadata.
7) Rootfs subsystem
internal/overlay/overlay.go- Extracts layers and mounts overlayfs merged rootfs per container.
8) OCI bundle generation
internal/bundle/bundle.go- Produces OCI
config.jsonincluding namespaces, mounts, capabilities, seccomp, resources, and env/args.
9) Runtime adapter
internal/runtime/crun.go- Wraps
crunCLI for run/create/start/exec/state/kill/delete/list.
10) Network subsystem
- Interface:
internal/network/backend.go - Native default:
internal/network/native/manager.go - Optional CNI path:
internal/network/cni.go
11) DNS policy
internal/netdns/backend.go- Selects resolver backend based on daemon flags and driver mode.
12) Health and logs
- Health checks:
internal/health/health.go - Log collector:
internal/logs/logger.go
13) Persistence and recovery
internal/supervisor/persist.go- Persists supervisor metadata and supports re-adoption of running workloads after unclean daemon restarts.
Request-to-runtime flow
nyx run
- User runs
nyx run. nyxposts toPOST /v1/containers/run.- Control handler validates request and resolves container ID.
- If image is absent, daemon pulls image from registry.
- Supervisor prepares overlay rootfs and network namespace.
- Bundle module writes OCI
config.json. - Runtime module invokes
crun. - Supervisor starts log streaming and health monitoring.
- API returns container info or stream status to client.
nyx compose up
nyxsends compose file reference toPOST /v1/compose/up.- Compose module parses YAML, interpolates env, validates graph.
- Compose builder resolves/pulls required images and creates ordered specs.
- Supervisor reconciles desired state:
- unchanged services stay running
- changed services are stopped and recreated
- missing services are started
- API returns service container IDs.
Filesystem data model
Under the daemon base directory (default /var/lib/nyxd):
images/: pulled manifests/configs and blob cacheoverlay/: extracted layers and merged rootfs treesbundles/<id>/: OCI bundle files and run metadatasupervisor/containers/: persisted per-container supervisor recordsrun/crun/: runtime state rootlogs/<id>.log: JSONL container logs
This keeps state simple and inspectable without introducing a separate database.
Design properties
- Small and explicit component boundaries.
- Linux-first implementation.
- Runtime backend abstraction for networking modes.
- Control plane remains local-first (Unix socket).
- Supervisor-centric lifecycle and recovery semantics.