The broker runs on the manager and dispatches short-lived evaluation work to worker nodes. Challenge services stay on the manager; the broker is the only path that places jobs onto the worker pool. Source: docs/architecture.md:44-46; src/platform_network/config/settings.py:100-104.

The Docker broker service, the Swarm backend, and the GPU placement contract.

Job dispatch

The broker dispatches CPU and GPU jobs as Swarm replicated-jobs with --restart-condition none, so an evaluation can never auto-restart:
  • CPU jobs are constrained to node.labels.platform.workload==cpu.
  • GPU jobs (broker gpu_count > 0) are constrained to node.labels.platform.workload==gpu and request --generic-resource NVIDIA-GPU=<N>.
Source: docs/architecture.md:46-49; src/platform_network/config/settings.py:103-104.

The broker listens on its own port and is addressed internally by service name. Source: src/platform_network/config/settings.py:63-65.

| Setting | Default | Source |
|---|---|---|
| docker.broker_port | 8082 | src/platform_network/config/settings.py:64 |
| docker.broker_url | http://platform-docker-broker:8082 | src/platform_network/config/settings.py:65 |
| docker.broker_node_role | manager | src/platform_network/config/settings.py:72 |
| docker.challenge_placement_constraint | node.role==manager | src/platform_network/config/settings.py:102 |

The broker enforces an image allowlist scoped to a single trusted registry namespace. Source: src/platform_network/config/settings.py:67-69.

The GPU contract

Broker clients request GPUs with limits.gpu_count. gpu_count=None or an omitted field means CPU-only and emits no GPU resource. A positive integer requests that many GPUs and is expressed as the Swarm generic resource --generic-resource NVIDIA-GPU=<N>. The resource name NVIDIA-GPU is case-sensitive and must match the node-generic-resources advertisement in the worker daemon.json. Source: docs/architecture.md:73-75.

GPU placement is node labels plus generic resources only. A GPU job is constrained to node.labels.platform.workload==gpu and acquires a capacity lease before the service is created; the lease is released on cleanup or failure. There is no remote GPU HTTP agent and no device-ID scheduling. Source: docs/architecture.md:77.

Internal broker endpoints

The broker exposes an internal Docker control surface, used between the master and the broker — not part of the public API:

| Endpoint | Source |
|---|---|
| POST /v1/docker/run | src/platform_network/master/docker_broker.py:669-690 |
| POST /v1/docker/cleanup | src/platform_network/master/docker_broker.py:692-701 |
| POST /v1/docker/list | src/platform_network/master/docker_broker.py:703-712 |

Broker calls require a Bearer token plus the X-Platform-Challenge-Slug header. Source: src/platform_network/master/docker_broker.py:717-730.

Archive validation

Broker archive uploads are treated as untrusted input. The Swarm broker path rejects absolute paths, parent traversal, links, and device members before extraction, and malformed broker images are rejected before any service is created. Source: docs/security.md:41-43.
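
One way to implement the pre-extraction checks described above, as an added example that is not the project's own code. It assumes the upload is a tar archive; member_violation, validate_archive and build_sample are hypothetical names, and the sample archive is constructed in memory.

```python
from __future__ import annotations
import io
import tarfile

def member_violation(member: tarfile.TarInfo) -> str | None:
    """Return why a member is unsafe, or None if it may be extracted."""
    name = member.name.replace("\\", "/")
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent traversal"
    if member.issym() or member.islnk():
        return "link"
    if member.ischr() or member.isblk() or member.isfifo():
        return "device"
    if not (member.isfile() or member.isdir()):
        return "unsupported member type"
    return None

def validate_archive(data: bytes) -> list[tuple[str, str]]:
    """Scan every member before extraction; any finding rejects the upload."""
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar:
                reason = member_violation(member)
                if reason:
                    findings.append((member.name, reason))
    except tarfile.TarError:
        findings.append(("<archive>", "unreadable archive"))
    return findings

def build_sample() -> bytes:
    """Constructed upload: one benign file plus one member of each rejected kind."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ok = tarfile.TarInfo("job/run.py")
        ok.size = 4
        tar.addfile(ok, io.BytesIO(b"pass"))
        for name, kind, target in [
            ("/abs/x", tarfile.REGTYPE, ""),
            ("job/../../x", tarfile.REGTYPE, ""),
            ("job/sym", tarfile.SYMTYPE, "/outside"),
            ("job/hard", tarfile.LNKTYPE, "job/run.py"),
            ("job/dev", tarfile.CHRTYPE, ""),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, target
            tar.addfile(info)
    return buf.getvalue()
```

The scan runs over the whole archive before any member is written, so a single finding can reject the upload without leaving a partial extraction behind.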

Cleanup

Job cleanup is two-layered. The broker /v1/docker/cleanup path removes the Swarm service and releases the workload and GPU ledger entries on success and failure. The manager-only supervisor timeout-reaper independently reaps jobs that exceed their timeout, so a crashed or unreachable challenge cannot leak long-running services. Source: docs/security.md:45.
Broker-created challenge jobs must not receive the host Docker socket; the default socket-grant allowlist is empty. The privileged Docker-in-Docker escape hatch is covered on the Security model page.

Sources

Citations reference the base repository pinned at SHA e33109bfa4f5054928c3b4d429be9cf35d36b166 (see SOURCES.md). Paths prefixed with src/platform_network/ are the internal Python package.