Coppice is single-host today. That is a deliberate substrate choice, not a claim that cluster scheduling is unimportant. This appendix is the tracking page for the remaining CubeMaster-shaped row: prove that a sandbox on host A can reach a sandbox on host B over an operator-owned overlay without giving up the local ZFS and bhyve/jail control plane.
Target shape
The FreeBSD-native version is:
- Each host keeps its local sandbox bridge and allocator.
- A host-to-host overlay interface carries a second, cluster-scoped subnet.
- Per-sandbox policy still lands in local pf anchors.
- Template movement uses ZFS send/recv or an explicit registry, not a hidden hosted object store.
The likely first rig is VXLAN:
ifconfig vxlan0 create vxlanid 77 vxlanlocal <host-a-lan-ip> vxlanremote <host-b-lan-ip>
ifconfig bridge0 addm vxlan0
VXLAN itself provides no encryption or authentication for the frames it carries between hosts. WireGuard is the fallback if we want encrypted transport, or routing instead of a stretched L2 segment.
Receipt Needed
The row closes when a two-host lab can prove all of this:
- host A and host B each launch one sandbox
- sandbox A reaches sandbox B over the overlay address
- local egress policy and air-gap still work on both hosts
- teardown removes overlay membership without leaving stale interfaces
- the receipt lands under benchmarks/results/cluster-overlay/
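
One way to check the teardown item in the list above, as an added example that is not Coppice's own code: it scans `ifconfig -a` output for a leftover `vxlan0` or a bridge that still lists it as a member. The function names are hypothetical and the sample `ifconfig` output is constructed.

```shell
#!/bin/sh
# Added example, not Coppice code. Assumes the rig above: vxlan0 joined to bridge0.
OVERLAY_IF="vxlan0"

# Read `ifconfig -a` text on stdin; print one finding per leftover, nothing if clean.
overlay_leftovers() {
    awk -v ov="$OVERLAY_IF" '
        /^[^ \t]/ {                       # header line, e.g. "bridge0: flags=..."
            cur = $1; sub(/:$/, "", cur)
            if (cur == ov) print "stale-interface " ov
            next
        }
        # indented bridge detail line: "member: vxlan0 flags=..."
        $1 == "member:" && $2 == ov { print "stale-member " cur " " ov }
    '
}

# Exit status 0 only when no overlay interface or bridge membership remains.
teardown_clean() {
    findings=$(overlay_leftovers)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Constructed sample: state while the overlay is up (addresses are documentation IPs).
sample_before_teardown() {
    cat <<'EOF'
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: vxlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
vxlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1450
        vxlan vni 77 local 192.0.2.10:4789 remote 192.0.2.20:4789
EOF
}

# Constructed sample: expected state after teardown (vxlan0 gone, no bridge member).
sample_after_teardown() {
    cat <<'EOF'
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
EOF
}

# On a lab host: ifconfig -a | teardown_clean
sample_after_teardown | teardown_clean && echo "teardown clean (constructed sample)"
```

Run on both hosts after teardown; a non-zero exit with findings on stderr means the receipt should not be recorded as passing.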
Until then, this page is a sketch and the feature-audit row stays open.