Selium.

the_cloud { reimagined }the_cloud { reimagined }

A software-defined WebAssembly hypervisor for building scalable, connected applications.

Designed for developers

A composable, clusterable, extensible hypervisor

Selium is a first-principles rethink of cloud infrastructure, designed explicitly for software developers. Own your whole stack with zero DevOps.

The hypervisor

A single pane of glass

Selium is a single runtime and network abstraction for your underlying infrastructure, whether physical or virtual. Our client library and/or CLI are all you need to deploy, run and scale your applications across the largest data centres, while remaining light enough to run quietly on your dev machine.

Applications

Build monolithically. Scale granularly.

Every application can elect one or more runnable services, like entry points or `main` functions. These services share a common binary, so have access to the same dependencies, data types, functions, and whatever else your application code contains. Thus you have the luxury of coding monolithically, yet scaling granularly. Services only require a single annotation to define, and can even define arbitrary function signatures to receive runtime data from the CLI or client library at launch.

Network

Messages, not packets

Selium's network stack is based on composable messaging principles. Whether you're blasting out byte streams, deploying RPC servers, fanning out workloads, discovering services, isolating private segments, or just plain-old pub/sub, you're always using our dev-friendly I/O library. And when you need to talk to the outside world, we provide ergonomic TCP and UDP-based protocol bindings (e.g. QUIC, HTTP/S etc.) that seamlessly integrate with our core I/O.

Robust security

Capability-based environments

Every application instance has its own bespoke environment based on capabilities you compose in at runtime. Think of it like a custom kernel for each service: if the capability is there, the ABI is there. If not, it doesn't exist. And with capabilities being scoped and granular, you can express capabilities that are prohibitively complex with traditional infrastructure. For example, a publisher service with no network or disk access, that can only publish valid `MySchema` messages to sel://example-org/pub/some-stream.

Use cases

The code speaks for itself

Here's a taste of what Selium can do. Note that today we only support Rust, but further language support is coming very soon.

Selium Studio

Active tab

Data pipelines

Process large data streams with backpressure and strict payload typing.

Highlights

Native `Stream` + `Sink`
Network plumbing is simple and predictable
Backpressure is implicit

View on GitHub

examples/data-pipeline/src/lib.rsRust

1const INGRESS: &str = "sel://example.org/data-pipelines/ingress";

2const EVEN: &str = "sel://example.org/data-pipelines/even";

4/// Generates data to be transformed by the pipeline

5#[entrypoint]

6async fn generator(ctx: Context) -> Result<()> {

7 let switchboard: Switchboard = ctx.require().await;

8 let atlas: Atlas = ctx.require().await;

10 let mut publisher = Publisher::<i32>::create(&switchboard).await?;

11 atlas

12 .insert(Uri::parse(INGRESS).unwrap(), publisher.endpoint_id() as u64)

13 .await?;

15 // Emit a value every 0.5 seconds.

16 let mut state: i32 = -1;

17 loop {

18 state = state.wrapping_mul(1_103_515_245).wrapping_add(12_345);

19 publisher.send(state as i32).await?;

20 time::sleep(Duration::from_millis(500)).await?;

21 }

22}

24/// Doubles the input value

25#[entrypoint]

26async fn double(ctx: Context) -> Result<()> {

27 let switchboard: Switchboard = ctx.require().await;

28 let atlas: Atlas = ctx.require().await;

30 let ingress = Subscriber::<i32>::create(&switchboard).await?;

31 SubscriberAtlasExt::connect(&ingress, &atlas, &switchboard, INGRESS).await?;

33 let egress = Publisher::<i32>::create(&switchboard).await?;

34 PublisherAtlasExt::matching(&egress, &atlas, &switchboard, EVEN).await?;

36 ingress.map_ok(|item| item * 2).forward(egress).await?;

38 Ok(())

39}

41/// Adds 5u32 to the input value

42#[entrypoint]

43async fn add_five(ctx: Context) -> Result<()> {

44 let switchboard: Switchboard = ctx.require().await;

45 let atlas: Atlas = ctx.require().await;

47 let ingress = Subscriber::<i32>::create(&switchboard).await?;

48 SubscriberAtlasExt::connect(&ingress, &atlas, &switchboard, INGRESS).await?;

50 let egress = Publisher::<i32>::create(&switchboard).await?;

51 PublisherAtlasExt::matching(&egress, &atlas, &switchboard, EVEN).await?;

53 ingress.map_ok(|item| item + 5).forward(egress).await?;

55 Ok(())

56}

58/// Filters by even numbers

59#[entrypoint]

60async fn even(ctx: Context) -> Result<()> {

61 let switchboard: Switchboard = ctx.require().await;

62 let atlas: Atlas = ctx.require().await;

64 let ingress = Subscriber::<i32>::create(&switchboard).await?;

65 atlas

66 .insert(Uri::parse(EVEN).unwrap(), ingress.endpoint_id() as u64)

67 .await?;

69 ingress

70 .filter_map(|item| ready(item.ok()))

71 .filter(|item| ready(item % 2 == 0))

72 .for_each(|item| {

73 info!("Found even number: {item}");

74 ready(())

75 })

76 .await;

78 Ok(())

79}

Active tab

Log analysis

Run out-of-band analysis on your log traffic in realtime.

Highlights

Discover channels using Atlas patterns
Aggregate multiple data streams
Evaluate streams using a sliding window

View on GitHub

examples/log-analyser/src/lib.rsRust

1#[schema(

2 path = "schemas/log.fbs",

3 ty = "examples.log_analyser.Warning",

4 binding = "crate::fbs::examples::log_analyser::Warning"

5)]

6struct Warning {

7 message: String,

10const ERR_THRESHOLD: usize = 10;

11const WARN_THRESHOLD: usize = 50;

13/// Aggregates log traffic matching source pattern

14#[entrypoint]

15async fn analyser(

16 ctx: selium_userland::Context,

17 pattern: &str,

18 alert_uri: &str,

19 window_time: u32,

20) -> Result<()> {

21 let switchboard: Switchboard = ctx.require().await;

22 let atlas: Atlas = ctx.require().await;

24 let subscriber = Subscriber::<LogRecord>::create(&switchboard).await?;

26 // Connect subscriber to log publishers

27 try_join_all(atlas.lookup(pattern).await?.into_iter().map(|id| {

28 let chan = unsafe { SharedChannel::from_raw(id) };

29 switchboard

30 .adopt_output_channel::<LogRecord>(chan, Backpressure::Drop, AdoptMode::Tap)

31 .and_then(|id| subscriber.connect(&switchboard, id))

32 }))

33 .await?;

35 let alerts = Publisher::create_with_backpressure(&switchboard, Backpressure::Drop).await?;

36 let alert_uri = Uri::parse(alert_uri).context("Alert URI is invalid")?;

37 atlas.insert(alert_uri, alerts.endpoint_id() as u64).await?;

39 if window_time == 0 {

40 return Err(anyhow::anyhow!("Window time must be at least 1 second"));

41 }

43 subscriber

44 .filter_map(|res| ready(res.ok()))

45 .window(Duration::from_secs(u64::from(window_time)))

46 .filter_map(|window| ready(analyse_window(window)))

47 .map(Ok)

48 .forward(alerts)

49 .await?;

51 Ok(())

52}

54fn analyse_window(window: Vec<LogRecord>) -> Option<Warning> {

55 let mut errors = 0;

56 let mut warnings = 0;

57 for record in window {

58 match record.level {

59 LogLevel::Error => errors += 1,

60 LogLevel::Warn => warnings += 1,

61 _ => (),

62 }

63 }

65 if errors > ERR_THRESHOLD {

66 info!("{errors} errors observed in window");

67 Some(Warning::new(format!("{errors} errors observed in window")))

68 } else if warnings > WARN_THRESHOLD {

69 info!("{warnings} warnings observed in window");

70 Some(Warning::new(format!(

71 "{warnings} warnings observed in window"

72 )))

73 } else {

74 None

75 }

76}

Secure by design

Safe, predictable, and built to last

Selium is engineered for safety, predictability, and reliability. Isolation by default with opt-in connectivity and strong typing throughout to eliminate foot-guns.

Defence in depth.: Capability-driven deny-by-default with zero ambient authority. Full service isolation, even within one app.
Scalability built in.: From first service to thousands, no re-architecture required.
Predictable by default.: Selium does what you ask it to, every time. No side effects and no magic.
Observable from day one.: Logs, metrics, and traces are first-class, not afterthoughts.
Team and growth friendly.: A single model from solo projects to large organisations.
Fast onboarding.: Your application is self-describing. It is just code, so it is learnable.

Get started

Run Selium locally in minutes

These commands get you a local runtime, and CLI, so you can start building in minutes.

Quickstart (local runtime)

1. Install Selium using the helper script

curl --proto '=https' --tlsv1.2 -sSfL https://selium.com/install.sh | sh

2. Or, install Selium from source

# See README.md for instructions: https://github.com/seliumlabs/selium

3. Start the Selium runtime

selium-runtime \
    --module 'path=selium_remote_client_server.wasm;capabilities=ChannelLifecycle,ChannelReader,ChannelWriter,ProcessLifecycle,NetQuicBind,NetQuicAccept,NetQuicRead,NetQuicWrite;args=utf8:localhost,u16:7000' \
    --module 'path=selium_switchboard_server.wasm;capabilities=ChannelLifecycle,ChannelReader,ChannelWriter,SingletonRegistry' \
    --module 'path=selium_atlas_server.wasm;capabilities=ChannelLifecycle,ChannelReader,ChannelWriter,SingletonRegistry' &

5. Test that everything works

selium ps