Remote Client module

Remote Client is Selium's external control plane. The server component exposes a TLS-secured QUIC endpoint that lets you start and stop processes, and interact with channels from outside the runtime. It also provides a client library and CLI, which we've already referred to several times in these docs.

To start the server module, use the below command. Pay special attention to the args= section, which tells the Remote Client server what address and port to bind to.

selium-runtime --module 'path=modules/selium_remote_client_server.wasm;capabilities=ChannelLifecycle,ChannelReader,ChannelWriter,ProcessLifecycle,NetQuicBind,NetQuicAccept,NetQuicRead,NetQuicWrite;args=utf8:localhost,u16:7000'

Security Notice: the Remote Client will soon employ mTLS to authenticate clients, however today it DOES NOT. It is highly recommended to only expose the Remote Client to secure local networks (or just localhost).

CLI basics

The CLI binary is named selium:

# Start a process
selium start hello.wasm some_entrypoint --capabilities ChannelLifecycle,ChannelReader,ChannelWriter
 
# Start a process and stream its logs to stdout
# Note that terminating this command *does not* stop the process
selium start hello.wasm ... --attach
 
# Stop a process
selium stop <id>
 
# Specify a non-default certs path (defaults to "./certs")
selium --cert-dir selium-work/certs <command>

Environment variables:

• SELIUM_DOMAIN and SELIUM_PORT pick the control-plane endpoint
• SELIUM_CERT_DIR points to the TLS cert directory
• SELIUM_LOG_FORMAT switches between text and JSON

Capabilities

The remote client will only request the capabilities you pass in. For example, ProcessLifecycle is required to spawn processes, and NetHttp* is required for HTTP I/O inside those processes. Treat this list as your "permission boundary". We strongly recommend you only grant the specific permissions your process needs.