Box

Box — OCI Container Runtime

*rea:*infra/net/
*ath:*infra/net/box
*lug:*koder-box (alias kbox)
*ind:*OCI-compatible container runtime + image manager (Go)
*ersion:*v1.1.0 (CHANGELOG: infra/net/box/CHANGELOG.kmd)
*elf~~hosted pair:*row 13 of [`registries/self~~hosted~~pairs.md`](..registriesself~~hosted~~pairs.md) — replaces DockerPodmancontainerdbuildahnerdctl. Status: *table*for single~~node runtimebuildregistrycomposeCRIU; experimental for clusterCDIWASMCVEICP-Brasil signing.

Role in the stack

Box is the Koder OCI container runtime — the layer that actually runs containerized applications on top of infra/linux/distro. Every Koder service or product packaged as an OCI image (whether deployed via infra/net/cloud or a manual server provision) ultimately runs inside Box.

It is the substrate for multitenant compute: namespace isolation, cgroup resource limits, lifecycle management, image pulling, layer storage, volume mounts. v1.1.0 added live checkpointrestore (CRIU), distributed build farm, and modern rootless networking (pasta, macvlanipvlan, netavark/aardvarkdns).

Surfaces

Surface	Form	Notes
`kbox` CLI	Go binary	Linux amd64 + arm64; commands cover container, image, network, volume, compose, system, farm, checkpoint, restore, migrate
REST API	HTTP over Unix socket (`/run/koder-box.sock`) + TCP port 9380	Docker-compatible subset on `/v1.{N}/…`; native namespace on `/api/v1/…`
Docker-compat socket	`/run/docker.sock` mode 0660	Lets Portainer, ctop, lazydocker, `docker-compose` connect unmodified
`/metrics`	Prometheus exposition	Optional dedicated listener (config: `metrics.listen`)
Tracing	Line-delimited JSON spans	Opt~~in via `KODER_BOX_TRACE_OUTPUT=stderr\|stdout\|file:/…`; OTLP exporter follow~~up tracked in `infra/net/box/backlog/pending/109` (the package surface is OTel-shaped to keep the swap mechanical)

Configuration

/etc/koder-box/default.toml (TOML) → KODER_BOX_* env overrides → CLI flags. The TOML loader landed in #104 (Go 1.24+, BurntSushi/toml); the schema mirrors the JSON-tagged internal/config.Config. Missing file is silent (defaults kept); malformed file is a startup error.

Multi-tenancy

Every container carries a KoderUserID field and an OCI label dev.koder.tenant.user_id (mirrors). The REST API resolves the tenant from the X-Koder-User-ID request header (until OAuth Koder ID daemon auth lands — ticket #110); listinspect handlers filter by tenant, and cross-tenant lookups return 404 (not 403) per `specsmulti-tenancy/contract.kmd. Legacy containers without the field resolve to the special tenant unknown` so they remain visible to administrators during the migration window. Landed in #108.

Primary couplings

Consumer	Relationship	Status
`infra/linux/distro`	Ships Box pre~~installed in the Koder Linux ISO; container_native gate already passed (row 12 of self~~hosted-pairs)	live
`infra/net/jet`	Reverse-proxies inbound traffic to containers running in Box	live
`infra/net/cloud`	PaaS deploys app workloads to Box	live
`services/foundation/secrets`	Future: inject secrets into containers (currently Box has its own `internal/secret/`)	aspirational
`services/foundation/billing`	Future: per-tenant container hour metering	aspirational
`services/crypto/signer`	Image signing alignment with ICP-Brasil (ticket #114)	pending
`infra/data/kdb`	Cluster~~mode daemon state backend (ticket #115); blocked on `infra/data/kdb#414` (kdb~~kv stable)	blocked
`infra/observe