Satellite Node

openstrate-satellite is the high-performance execution engine of the OpenStrate network. It is designed to run on a wide variety of hardware while maintaining strict isolation.

Security Architecture

The core of the Satellite's security is the Rootless Jail.

  • Bubblewrap: Uses bwrap to create unprivileged namespaces for execution.
  • Cgroups: Limits CPU and memory consumption to prevent DoS attacks from "noisy neighbors".
  • Filesystem Isolation: Missions only have access to a temporary, sandboxed filesystem. They cannot see the host's files unless explicitly mounted.
  • Network Isolation: Satellites can be configured to have restricted or no network access during mission execution.
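
The following added example is not taken from the openstrate-satellite code base; it shows one way the four properties above can map onto a bwrap command line, wrapped in a transient systemd user scope for the cgroup limits. The function names, the /mission working directory, the /usr-only runtime and the use of systemd-run are assumptions made for illustration.

```python
import os
import shlex

def build_jail_argv(command, ro_mounts=(), allow_network=False):
    """Build a bwrap command line for one mission (flag choice is an assumption)."""
    if not command or command[0].startswith("-"):
        # Without this check a crafted "program" would be parsed as a bwrap option.
        raise ValueError("command must start with a program, not an option")
    argv = [
        "bwrap",
        "--unshare-all",            # new user/pid/net/ipc/uts (and cgroup) namespaces
        "--die-with-parent",        # kill the mission if the supervisor exits
        "--new-session",            # setsid(): no access to the caller's terminal
        "--clearenv", "--setenv", "PATH", "/usr/bin",
        "--ro-bind", "/usr", "/usr",         # read-only runtime, nothing else from the host
        "--symlink", "usr/bin", "/bin",
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--tmpfs", "/mission",      # temporary, sandboxed working directory
        "--chdir", "/mission",
    ]
    if allow_network:
        argv.append("--share-net")  # must follow --unshare-all to override it
    for src in ro_mounts:           # host paths appear only when explicitly listed
        real = os.path.realpath(src)  # resolve symlinks and ".." before checking
        if not os.path.isabs(src) or real == "/":
            raise ValueError(f"refusing to mount {src!r}")
        argv += ["--ro-bind", real, real]
    return argv + list(command)

def with_cgroup_limits(argv, memory_max="512M", cpu_quota="100%"):
    """Wrap argv in a transient systemd user scope that enforces cgroup limits."""
    return ["systemd-run", "--user", "--scope", "--quiet",
            "-p", f"MemoryMax={memory_max}", "-p", f"CPUQuota={cpu_quota}",
            "--", *argv]

if __name__ == "__main__":
    jail = build_jail_argv(["python3", "-c", "print('hello')"])
    print(shlex.join(with_cgroup_limits(jail)))
```

The network namespace is unshared by default, so a mission only gets connectivity when allow_network is set explicitly.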

Beaconing & Discovery

The satellite uses an integrated AsyncZeroconf engine to broadcast its presence.

  • mDNS Presence: Automatically discoverable by the CLI and Aperture.
  • Vitals Reporting: Real-time telemetry (CPU, MEM) reported every 0.5s, with values rounded to 2 decimal places.
  • Hardware Tags: Automatically detects and reports capabilities like CUDA, AVX-512, or ARM64 to the constellation.

Communication

  • ZMQ PUB/SUB (Port 5556): Used for ultra-low latency telemetry and log streaming.
  • ZMQ REP/REQ (Port 5555): Used for secure command-and-control (Deploy, Stop, Reset).

Deployment

Local Optimization

When running on the same host as the Constellation, the satellite uses --network host (on Linux) for seamless mDNS discovery.

Remote & Windows Nodes

For nodes running on separate machines or under Windows/WSL:

  1. Firewall: Ports 5555 and 5556 must be open for inbound traffic.
  2. Port Mapping: Since Docker Desktop for Windows doesn't support host networking, use the launch_satellite.sh script to automatically apply explicit port mapping (-p 5555:5555).
