Worker Nodes
Worker nodes are compute servers running the Spunto agent — your infrastructure, fully under your control.
A worker node is a compute server registered with an organization. The Spunto agent runs on it, connects outbound to the API via WebSocket, and executes Docker commands to spawn and manage worker containers.
This architecture — called BYOC (Bring Your Own Compute) — means:
- No inbound ports required — the agent connects outbound, so no firewall changes are needed
- Your infrastructure — use any server: cloud VM, on-premise machine, Raspberry Pi
- Full isolation — workers run as isolated Docker containers on the node's Docker engine
- Multi-node support — add multiple nodes; new workers are scheduled on the least-loaded available node
[Your server]
└── docker run ghcr.io/coderhammer/spunto-agent:latest
├── Connects to wss://your-api/api/agent/connect?token=...
├── Node status → online
└── Receives spawn/stop/remove commands over WebSocketThe agent never exposes any port. All communication is initiated by the agent — it polls the API over the persistent WebSocket connection and reacts to the commands it receives (spawn, stop, remove, exec, tunnel open/close).
| Status | Description |
|---|---|
online | Agent connected, ready to accept workers |
offline | Agent disconnected (network issue, stopped) |
draining | Accepting no new workers (existing workers continue) |
Workers never have ports published to the host. The agent connects itself to a container's network on demand and reaches it directly by its internal bridge IP — no host port mapping is needed.
- Per-worker network isolation — every newly created worker gets its own dedicated Docker bridge network. Workers on the same node, even within the same organization, cannot reach each other's containers directly: all access goes through the proxy, which is the only place ownership and session are checked.
- No ports published to the host — containers are fully isolated from the host network.
- Deployments are isolated the same way — each deployment's services share a private network scoped to that deployment only (
mp-dep-{deploymentId}), unreachable from workers or other deployments.
Ready to connect a server? See Adding a Node for the step-by-step setup.
