Architecture
How Volt unifies containers and virtual machines under one platform.
Overview
Volt is a unified workload platform. Unlike Docker (containers only) or traditional hypervisors (VMs only), Volt manages both — with the same CLI, the same storage backend, and the same security model.
┌─────────────────────────────────────────────┐
│                  Volt CLI                   │
├──────────────────────┬──────────────────────┤
│      Containers      │   Virtual Machines   │
│   (systemd-nspawn)   │  (Neutron Stardust)  │
├──────────────────────┴──────────────────────┤
│               Stellarium CAS                │
│         (Content-Addressed Storage)         │
├─────────────────────────────────────────────┤
│           Landlock LSM + seccomp            │
├─────────────────────────────────────────────┤
│             Linux Kernel (KVM)              │
└─────────────────────────────────────────────┘
Components
Volt CLI
The single entry point for all workload operations. No daemon process — Volt is a direct-execution CLI that creates systemd units for containers and KVM instances for VMs.
Container Runtime
Built on systemd-nspawn — the container engine built into systemd. Each container is a native systemd unit with full lifecycle management, resource controls via cgroups, and namespace isolation.
Neutron Stardust (microVMM)
A KVM-based micro virtual machine monitor built from scratch. Sub-millisecond cold boot, under 32MB memory footprint per VM. Provides full kernel isolation when container-level isolation isn't sufficient.
Stellarium (Content-Addressed Storage)
Block-level content-addressed storage shared by both containers and VMs. Unlike Docker's layer-based overlay2, Stellarium deduplicates at the block level across your entire fleet.
No Daemon
Volt has no long-running daemon process. Docker requires dockerd — a root daemon that manages all containers. If it crashes, every container is orphaned. Volt creates native systemd units directly. The init system is the process manager.
Security Architecture
Security is enforced at every layer:
- Landlock LSM — Filesystem access control (restricts what paths a workload can see)
- Seccomp — Syscall filtering (restricts what kernel APIs a workload can call)
- Capabilities — Dropped by default (no CAP_SYS_ADMIN, no CAP_NET_RAW unless explicitly granted)
- User namespaces — Root inside the container maps to an unprivileged user outside
- KVM isolation — For VMs, a completely separate kernel eliminates shared-kernel attacks
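Three of the controls listed above (capabilities, seccomp and the user-namespace mapping) can be checked from outside a workload by reading standard Linux /proc files for its process. The script below is an added example, not part of Volt; the sample status and uid_map text is constructed, and Landlock is not covered because /proc/<pid>/status does not report it.

```python
"""Check a process against the capability, seccomp and user-namespace claims."""
import sys

CAP_NET_RAW, CAP_SYS_ADMIN = 13, 21  # bit numbers from linux/capability.h

# Constructed samples of /proc/<pid>/status and /proc/<pid>/uid_map content.
HARDENED_STATUS = "CapEff:\t00000000a80405fb\nCapBnd:\t00000000a80405fb\nSeccomp:\t2\n"
HARDENED_UID_MAP = "         0     100000      65536\n"
HOST_ROOT_STATUS = "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nSeccomp:\t0\n"
HOST_ROOT_UID_MAP = "         0          0 4294967295\n"


def parse_status(text):
    """Turn /proc/<pid>/status text into a {field: value} dict."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {key.strip(): value.strip() for key, value in pairs}


def root_maps_to_unprivileged(uid_map_text):
    """True if UID 0 inside the namespace maps to a non-zero UID outside."""
    for line in uid_map_text.splitlines():
        parts = line.split()  # columns: inside-start, outside-start, length
        if len(parts) == 3 and parts[0] == "0":
            return parts[1] != "0"
    return False  # UID 0 unmapped or map empty: fail closed


def audit(status_text, uid_map_text):
    """Return a list of findings; an empty list means every check passed."""
    st = parse_status(status_text)
    findings = []
    # Fail closed: a missing field is treated as "all capabilities held".
    full = "ffffffffffffffff"
    caps = int(st.get("CapEff", full), 16) | int(st.get("CapBnd", full), 16)
    for name, bit in (("CAP_SYS_ADMIN", CAP_SYS_ADMIN), ("CAP_NET_RAW", CAP_NET_RAW)):
        if (caps >> bit) & 1:
            findings.append(f"{name} is still in the effective or bounding set")
    # Seccomp field: 0 = disabled, 1 = strict, 2 = filter
    if st.get("Seccomp", "0") == "0":
        findings.append("no seccomp filter installed")
    if not root_maps_to_unprivileged(uid_map_text):
        findings.append("UID 0 is not remapped to an unprivileged host UID")
    return findings


if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as s, open(f"/proc/{pid}/uid_map") as u:
        for finding in audit(s.read(), u.read()):
            print("FAIL:", finding)
```

Capability sets in /proc/<pid>/status are relative to the process's own user namespace, so read the capability findings together with the uid_map result rather than in isolation.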