Skip to content

docs(rfc): add RFC 0013 native Windows support via MXC#2071

Open
shailendra-nv wants to merge 1 commit into
NVIDIA:mainfrom
shailendra-nv:rfc-0013-native-windows-mxc
Open

docs(rfc): add RFC 0013 native Windows support via MXC#2071
shailendra-nv wants to merge 1 commit into
NVIDIA:mainfrom
shailendra-nv:rfc-0013-native-windows-mxc

Conversation

@shailendra-nv

@shailendra-nv shailendra-nv commented Jun 30, 2026

Copy link
Copy Markdown

Summary

Adds RFC 0013, which proposes running OpenShell natively on Windows 11 (x64 and ARM64) without a Linux VM, Docker Desktop, or WSL. The proposal introduces a new openshell-driver-mxc compute driver built on Microsoft Execution Containers (MXC / wxc-exec) and relocates OpenShell's value layers (egress policy, L7 inspection, inference and privacy routing) to a host-side CONNECT proxy, avoiding any in-sandbox supervisor on Windows.

Related Issue

Refs #2050

Changes

  • Add rfc/0013-native-windows-mxc/README.md (RFC 0013, state: review).
  • Proposes the in-process, supervisor-free openshell-driver-mxc compute driver backed by wxc-exec.
  • Documents the four-layer Windows architecture: gateway as a Windows Service, in-process MXC driver, host CONNECT proxy, and the unmodified wxc-exec binary.
  • Specifies OpenShell-policy to MXC config translation with a fail-safe (always block, never silently broaden) mapper, plus design decisions D1-D4, risks, and alternatives.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable) - N/A (RFC proposal; no code or architecture-doc changes yet)

Propose native Windows 11 support through a build-only MSVC lane and a new
in-process, supervisor-free MXC compute driver, with host-side governed egress
and an OpenShell to MXC policy-translation seam.

Refs: NVIDIA#2050
Signed-off-by: Shailendra Singh <shailendras@nvidia.com>
@copy-pr-bot

copy-pr-bot Bot commented Jun 30, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

Copy link
Copy Markdown

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:


I have read the DCO document and I hereby sign the DCO.


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.


This RFC proposes extending OpenShell to run natively on Windows 11 (x64 and
ARM64) without a Linux VM, Docker Desktop, or WSL. It will produce a new
compute driver, `openshell-driver-mxc`, that will use Microsoft

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we consider this for an out-of-tree driver impl? cc @elezar and @drew

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I think that would be preferred if possible.

Thinking out loud here: If we used an out-of-tree remote driver and were able to use the containerized gateway, our only windows build target would be the CLI.

@shailendra-nv

Copy link
Copy Markdown
Author

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:

I have read the DCO document and I hereby sign the DCO.

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

I have read the DCO document and I hereby sign the DCO.

@shailendra-nv

Copy link
Copy Markdown
Author

recheck

Comment on lines +109 to +111
The defining property is that the OpenShell value layers — egress policy, L7
inspection, inference routing, and the privacy router — live on the host inside
the gateway process, not inside the sandbox. A native Windows agent therefore

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this defining property still be valid if the supervisor was run only in networking mode? This essentially deploys the supervisor exclusively as the proxy.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The proxy also assumes it's serving exactly one sandbox. Does this design imply that there will be a many:1 ratio of sandboxes-to-proxy?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this defining property still be valid if the supervisor was run only in networking mode? This essentially deploys the supervisor exclusively as the proxy.

Yes. The defining property is about the location of enforcement which would be host rather than sandbox itself due to lack of fine grained network enforcement in MXC. The idea here is that we extend the network enforcement with host side proxy.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The proxy also assumes it's serving exactly one sandbox. Does this design imply that there will be a many:1 ratio of sandboxes-to-proxy?

Correct that's the design intent. As we have a host side proxy rather than supervisor per sandbox, it was kept Many:1 with sandbox attribution to reduce the host side overhead. We can look into 1:1 implementation with shared pieces reused with host side proxy. In a client system, I am worried about the resource cost for such implementation.

Comment on lines +64 to +66
- Porting `openshell-sandbox` (the Linux supervisor) to Windows, or shipping any
in-sandbox OpenShell binary. Defense-in-depth via an in-sandbox enforcer
is explicitly deferred.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it deferred, or rejected? If it's deferred when do we see us picking it up? The current proposal is a large architecture change w.r.t the supervisor, so I don't want to unwind this change down the road if we want to eventually port the sandbox.

Comment on lines +67 to +68
- Making Windows a Docker, Podman, Kubernetes, or VM runtime host. Those drivers
remain compile-only configuration stubs that return an unsupported error.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not include Docker which does work on Windows?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docker on Windows uses Docker Desktop -- which uses a WSL2-backed VM to actually run the containers. This runs LINUX containers.

Comment on lines +158 to +161
The `mxc.rs` invoker is the boundary to MXC. Invocation is always
`wxc-exec.exe --config-base64 <base64(JSON)> --experimental [--debug]`;
`configurationId` defaults to `composable` (never `small` — a known OS bug). The
invoker must branch on phase for I/O semantics:

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Today, sandboxes are represented as a container and can be built from Dockerfiles. Eg I can run openshell sandbox create --from my.Dockerfile.

How are we handling this from the MXC driver? If starting sandboxes from container images aren't supported, how is software made available to the sandbox? Is everything shared w/ the host?

#### State model and lifecycle

MXC has no remote inventory API, so the in-memory registry is the single source
of truth.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reconciliation loop? Eg if I directly delete an OpenShell managed appcontainer, will that get reflected in OpenShell?

Comment on lines +227 to +229
The driving constraint is that MXC network filtering is host/IP/CIDR-level only:
it cannot encode ports, protocols, per-binary scope, or L7 rules. The mapper
therefore emits the coarsest safe approximation and a structured loss report.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the coarsest approximation? Does this mean you are mapping OpenShell network policies to MXC network policies?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants