JACO
Just Another Container Orchestrator · v0.1.2

JACO

A small, opinionated container orchestrator.
Two binaries. Raft, WireGuard, nftables.

Get startedRead the architectureGitHub ↗

§ 01What is JACO

01 / 05

JACO is a multi-node container orchestrator built on hashicorp/raft, embedded Caddy, WireGuard, and per-(deployment, network) bridges with nftables-enforced isolation. It ships as two binaries: jacod, the long-running daemon managed by systemd, and jaco, the operator CLI that talks to a local daemon over a unix socket and to peer daemons over TLS gRPC for cross-host control.

No control-plane cluster to babysit, no YAML dialect to learn beyond a small overlay on the docker-compose.yml you already have. Install on your hosts, jaco cluster init, join the rest, jaco apply.

§ 02Quickstart

02 / 05
1init the first node
sudo jaco cluster init
# cluster_id:     <uuid>
# operator_token: <64 hex chars>
2join the followers
jaco node issue-join-token
sudo jaco node join \
  --peer node-1:7000 \
  --token <single-use>
3ship a deployment
export JACO_TOKEN=<token>
jaco apply --server node-1:7000 \
  ./hello/jaco.yaml
# Applied revision: 1

Full walkthrough in getting started.

§ 03The shape of it

03 / 05
01

Control plane

Raft-replicated state machine with a gRPC API for cluster, tokens, audit, deploy, and watch. On-disk snapshots survive restarts; the leader runs the reconcile loop.

Architecture
02

Discovery

Per-(deployment, network) docker bridges, deterministic /24 IPAM, a WireGuard mesh, and nftables east-west isolation with per-bridge DNS — kernel-gated, degrading gracefully.

Networking
03

Ingress

Embedded Caddy v2 reverse proxy with per-route ACME via raft-backed CertMagic storage. HTTP-01 challenge coordination runs through raft so any node can answer.

Ingress

§ 04Architecture

04 / 05
wg mesh◆ node-1 · LEADERcontrol-planeschedulerruntimediscoveryingressnode-2 · followerfsm replicaruntime · discoveryingress (standby)node-3 · followerfsm replicaruntime · discoveryingress (standby)raft apply →:80 / :443 — embedded Caddy + ACME

Every node runs the same verticals in one jacod process; the leader runs the reconcile loop. See architecture.

§ 05Status

05 / 05
Project status — live from docs
Tagged releases through `v0.2.1`, functional for single-host and multi-host clusters via the two-binary path described above. The earlier open gaps are now implemented:

Known remaining item: the raft transport (:7001) is still plaintext TCP — run it over a private network or overlay you control.