This guide is for developers automating DRO Cloud or building on top of the container compute API. It explains the security model and the contracts you can rely on.

Tenancy & security

  • Identity comes from your token. The tenant is derived server-side from your authenticated session — never from the request body. A tenant_id in the payload is ignored.
  • Strict isolation. Reads are tenant-scoped; a lookup for a resource you do not own returns not_found, never the row.
  • Mass-assignment safe. Only an allowlisted set of fields is settable on create; privileged fields (volumes, networks, capabilities, system flags) are platform-controlled and silently dropped.

Desired-state model

Create, start, and stop are eventually consistent. The API writes your desired state (a container row) inside a quota-locked transaction, then enqueues a worker that materialises it on the host via Brood (docker run / docker stop). A periodic reconciler is the backstop, so a transient worker outage cannot leave your declaration unfulfilled. Expect a brief delay between a 201 and the workload being live.

Quotas

  • Count quota caps how many containers your tenant may run.
  • Resource quota caps total reserved vCPU and memory — the sum of explicit cpu_limit/mem_limit across your containers.
  • Caps are evaluated against the most restrictive of your region-specific and tenant-wide (*) allocations. Neither silently overrides the other.
  • An over-quota create is refused with 403 and a detail object naming the dimension, the request, and the cap.
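
The quota rules above, worked through in Python as an added example (not DRO Cloud's own code). The dimension names, the detail keys, the allocation layout, the zero cap when no allocation exists, and the b/k/m/g suffix parsing for mem_limit are assumptions made for illustration; the sample allocations and containers are constructed.

```python
import re

UNITS = {"b": 1, "k": 1024, "m": 1024**2, "g": 1024**3}
GIB = 1024**3

def parse_mem(value):
    """Docker-style memory value such as '512m' or '2g' -> bytes."""
    m = re.fullmatch(r"(\d+)([bkmg]?)", value.strip().lower())
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"invalid mem_limit: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "b"]

def effective_cap(allocations, region, dimension):
    """Lowest cap among the region-specific and tenant-wide ('*') allocations."""
    caps = [allocations[k][dimension] for k in (region, "*") if k in allocations]
    return min(caps) if caps else 0  # assumption: no allocation means nothing may run

def check_create(allocations, region, existing, request):
    """Return (201, None), or (403, detail) naming dimension, request and cap."""
    rows = existing + [request]
    # Only explicit limits count towards the reserved totals.
    mem = lambda r: parse_mem(r["mem_limit"]) if "mem_limit" in r else 0
    usage = {  # dimension -> (total if admitted, amount this request adds)
        "containers": (len(rows), 1),
        "vcpu": (sum(r.get("cpu_limit", 0) for r in rows), request.get("cpu_limit", 0)),
        "memory": (sum(mem(r) for r in rows), mem(request)),
    }
    for dimension, (total, requested) in usage.items():
        cap = effective_cap(allocations, region, dimension)
        if total > cap:
            return 403, {"dimension": dimension, "requested": requested, "cap": cap}
    return 201, None

# Constructed sample data: region "eu-1" is tighter on count and memory,
# the tenant-wide "*" allocation is tighter on vCPU.
ALLOCATIONS = {
    "*": {"containers": 10, "vcpu": 16, "memory": 32 * GIB},
    "eu-1": {"containers": 5, "vcpu": 32, "memory": 8 * GIB},
}
EXISTING = [{"cpu_limit": 4, "mem_limit": "2g"}, {"cpu_limit": 8, "mem_limit": "4g"}]

if __name__ == "__main__":
    for req in ({"cpu_limit": 2, "mem_limit": "1g"},
                {"cpu_limit": 6, "mem_limit": "512m"},
                {"cpu_limit": 1, "mem_limit": "4g"}):
        print(req, "->", check_create(ALLOCATIONS, "eu-1", EXISTING, req))
```

The second request is refused by the tenant-wide vCPU cap and the third by the region memory cap, so neither allocation overrides the other. A check like this is only sound when it runs inside the same lock as the write of the desired-state row, which is what the quota-locked transaction provides.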

Placement

host_key must name a real fleet host that is in a region allocated to your tenant. Once your tenant holds any concrete region allocation, it is confined to those regions.

Contracts & limits

  • Naming. You supply a short name; the platform namespaces it per-tenant so it is unique on the host. The name is format-validated.
  • Ports. You may not pin host ports/IPs — the platform manages the edge. Declare container ports only.
  • Bounds. env is capped at 200 keys, ports at 50; cpu_limit must be a positive vCPU count (≤ 256) and mem_limit a Docker memory value (e.g. 512m, 2g).
  • Logs. Recent captured docker logs are available per container via the logs endpoint.
© 2026 DRO Platform