# Nexters

*Status: Planned*
Nexters are heavyweight isolation containers that replace Docker for service deployment on Nexus OS.

## What Is a Nexter?
A Nexter provides full service isolation using namespace/jail/VM boundaries — stronger than NipCells, designed for multi-service deployments, CI/CD workloads, and untrusted code execution.

## NipCells vs Nexters

| Feature | NipCells | Nexters |
|---|---|---|
| Use case | Desktop applications | Services, CI/CD, untrusted code |
| Isolation level | Capability-based | Namespace/jail/VM |
| Startup time | Near-instant | Seconds (heavier init) |
| Resource overhead | Minimal | Moderate |
| Networking | Shared via Membrane | Isolated virtual network |
| Config format | Package manifest | KDL blueprint |

## KDL Blueprints

Nexters use KDL blueprints instead of Dockerfiles:

```kdl
nexter "postgres" {
  base "alpine-musl"
  packages {
    install "postgresql" version="16.2"
    install "pg_stat_statements"
  }
  network {
    expose 5432 protocol="tcp"
    isolate true
  }
  storage {
    volume "/Data/postgres" mount="/var/lib/postgresql"
    tmpfs "/tmp" size="256M"
  }
  pledge "STDIO" "RPATH" "WPATH" "INET"
  resources {
    memory "2G"
    cpu-shares 512
  }
}
```

## Why Not Docker?

Docker relies on:
- Linux namespaces and cgroups (Linux-specific)
- A container runtime daemon (dockerd, containerd)
- OCI image format (layer-based, not content-addressable)
- Bridge networking (complex, fragile)

Nexters use:
- Capability Algebra and pledge/unveil (platform-agnostic)
- No daemon — the kernel manages isolation directly
- CAS-based storage (NexFS content addressing)
- UTCP for inter-Nexter communication
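The blueprint above pairs a `pledge` line with `network` and `storage` declarations, so a blueprint can be checked for internal consistency before a Nexter is ever started. The following is an added example, not Nexus OS code: a parser for the line-oriented KDL subset the blueprint uses (one node per line, quoted strings, `key=value` properties, `{}` children) and a lint pass applying an assumed policy that an exposed port requires the `INET` promise and a persistent volume requires `RPATH` and `WPATH`; Nexus OS does not specify these rules, and the sample blueprint is constructed.

```python
import shlex
# Constructed sample in the blueprint syntax shown above (trimmed to what lint checks).
BLUEPRINT = '''
nexter "postgres" {
network {
expose 5432 protocol="tcp"
isolate true
}
storage {
volume "/Data/postgres" mount="/var/lib/postgresql"
}
pledge "STDIO" "RPATH" "WPATH" "INET"
}
'''
# Bare true/false and integers become Python values; anything else stays a str.
coerce = lambda t: t == "true" if t in ("true", "false") else int(t) if t.isdigit() else t

def parse_blueprint(text):
    """Parse one node per line into {name, args, props, children} dicts."""
    root = {"name": "<root>", "args": [], "props": {}, "children": []}
    stack = [root]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()                                    # end of the current block
            continue
        opens = line.endswith("{")
        parts = shlex.split(line[:-1] if opens else line)  # shlex strips the "..." quotes
        node = {"name": parts[0], "args": [], "props": {}, "children": []}
        for p in parts[1:]:
            key, eq, val = p.partition("=")                # key=value is a property
            if eq: node["props"][key] = coerce(val)
            else: node["args"].append(coerce(p))           # otherwise a positional argument
        stack[-1]["children"].append(node)
        if opens:
            stack.append(node)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in blueprint")
    return root

def lint(root):
    """Assumed policy (not specified by Nexus OS): declared resources need matching pledges."""
    blocks = {c["name"]: c for c in root["children"][0]["children"]}
    pledged = set(blocks["pledge"]["args"]) if "pledge" in blocks else set()
    names = lambda b: {c["name"] for c in blocks[b]["children"]} if b in blocks else set()
    findings = []
    if "expose" in names("network") and "INET" not in pledged:
        findings.append("network exposes a port but INET is not pledged")
    if "volume" in names("storage"):
        findings += [f"volume declared but {p} is not pledged" for p in ("RPATH", "WPATH") if p not in pledged]
    return findings
```

The parser only covers the subset shown on this page (it does not handle multi-line nodes, comments, or `=` inside unquoted arguments); `lint(parse_blueprint(BLUEPRINT))` returns an empty list for the sample and one finding if `"INET"` is removed from the pledge line.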

## Kubernetes Compatibility

For cloud deployments, Nexus systems can run containerd/podman alongside Nexters. The NexBox distribution includes standard container runtimes for Kubernetes integration. Nexters are the sovereign alternative for workloads that don't need Kubernetes compatibility.