One operating system. Every Calyraen machine.
It runs the data centre, the workstation on your desk, and the small box bolted to a wall. Same core, same rules, same way of working. You do not buy it on its own. It comes on the hardware.
Learn it once. It behaves the same in the rack, on the desk, and at the edge. Learn it once.
Three editions share one kernel, one security model, and one set of tools. What you know on a server carries straight over to a workstation or an embedded box.
What stays true across every edition
The headline ideas that hold whether the machine is a server, a workstation, or a sealed edge device.
One system everywhere
The same kernel and tools ship on every Calyraen machine, so habits and scripts move with you.
Secure by default
Boot is verified, the disk is encrypted, and programs run with the least access they need, out of the box.
Signed updates only
Updates are checked against a signature before they install, so a tampered package will not run.
Managed from one place
Set a policy once and apply it to a single box or a whole room of them from the same console.
The shared foundation
These pieces are the same on the Server, Workstation, and Embedded editions.
- Kernel
- Single shared kernel across all three editions
- Architectures
- 64-bit x86 and 64-bit Arm
- File system
- Copy-on-write with checksums and snapshots
- Init and services
- Unified service manager with dependency ordering
- Secure boot
- Firmware verifies the bootloader and kernel signatures
- Disk encryption
- Full-volume encryption tied to the hardware key store
- Least privilege
- Programs run confined to only what they declare
- Update signing
- Every package and image is signature-checked before install
- Policy
- One policy format applied to one machine or many
- Monitoring
- Health, logs, and metrics report to a shared view
- Rollback
- Failed updates revert to the last known-good image
- Remote control
- Encrypted, key-based access for setup and repair
Pick the edition that matches the work
The core is shared. What changes is the tuning. Open a tab below for the data centre, the desk, or the edge.
The edition that runs the data centre
Built to host websites and apps, hold databases, run virtual machines, and manage a fleet of boxes as if it were one. It ships on Calyraen server hardware.
Why it suits the rack
Four reasons it earns its place in a data centre.
Hosts the things people use
Run web and app servers, databases, and virtual machines side by side on one box.
Scales with the work
Its scheduler keeps busy machines responsive and packs idle ones tight to save power.
Runs a whole fleet as one
Set a policy once and push it to ten servers or ten thousand from a single console.
Heals from a bad update
If an update misbehaves, the server boots back into the last image that worked.
Servers are juicy targets, so the security model assumes someone is always trying. Here is what stands in their way.
Security on the Server edition
It starts before the OS does
Security does not begin when the login screen appears. It begins at the power button.
- The firmware checks the bootloader's signature before it runs it.
- The bootloader checks the kernel's signature before it loads it.
- The kernel checks each driver and core service it brings up.
This chain is called secure boot. If any link has been swapped or tampered with, the chain breaks and the server refuses to continue. An attacker cannot quietly slip a modified kernel underneath the system.
Everything on disk is encrypted
The full volume is encrypted, and the key lives in a hardware security chip on the board, not in a file someone can copy. If a drive is pulled out of the rack and walked away with, the data on it is unreadable. The key never leaves the chip in the clear.
Programs get only what they ask for
This is least privilege, and it is the most important idea here. By default a program can see almost nothing. It must declare what it needs: which folders, which network ports, which devices. The OS grants exactly that and blocks the rest.
- A web server that only needs to read its site files cannot also read the database password file.
- A process that never asked for network access cannot open a connection out.
- If one service is broken into, the attacker is trapped inside that service's tiny world. They cannot wander into the rest of the machine.
Identities, not shared passwords
Each person and each service has its own identity and its own key. Access is granted to identities, not to a shared account everyone logs into. When someone leaves, you revoke one identity and they are out everywhere. Every action is tied to a name in the logs, so you can see who did what.
Updates have to prove who they are
Every update is signed by Calyraen. Before the server installs anything, it checks that signature against a key it already trusts. A package that is unsigned, or signed by the wrong key, or altered after signing, simply will not install. This is how a poisoned update gets stopped at the door rather than after it has run.
If something does go wrong
The system keeps the last known-good image. A bad update or a corrupted boot rolls the machine back to that image automatically, so a single failure does not take a server offline for hours.
One server is easy. A room full of them is where management earns its keep.
Managing a fleet from one place
One console, every machine
You do not log into servers one at a time. You describe how a server should be set up, and the management plane makes every server match that description. Add a new box to the rack and it pulls its configuration down and configures itself.
Policy is written down, not clicked in
A policy is a plain file that says what a machine should look like:
- which services run and which are off
- which firewall rules apply
- who is allowed to log in and at what level
- which update channel the machine follows
Because it is a file, you can review it, keep a history of changes, and roll it back. There is no mystery state that only lives inside one server's head. If you want twenty servers identical, you point all twenty at the same policy.
Groups and rollouts
Machines are sorted into groups: web servers here, database servers there, a test group off to the side. You can change a group's policy and watch it apply. Sensible practice is to roll a change to the test group first, confirm it is healthy, then let it flow to the rest.
Monitoring that comes to you
Every machine reports its health, its logs, and its metrics back to a shared view. Instead of opening each server to ask if it is fine, you watch one dashboard.
- CPU, memory, disk, and network on every box
- Service status and recent restarts
- Logs gathered centrally so you can search across the whole fleet at once
- Alerts when a number crosses a line you set
Repair without a trip to the rack
When a machine needs hands-on work, you reach it over an encrypted, key-based connection. Even a server that failed to boot properly can be reached through its management interface to be fixed or re-imaged, without anyone walking to the data centre floor.
Performance here is about doing more with the hardware you already paid for.
Performance and scaling on servers
The scheduler is the quiet hero
A server runs hundreds of tasks at once. The scheduler decides which task gets the processor next, for how long, and on which core. The Server edition tunes this for many tasks competing at the same time, which is exactly what a busy host faces.
- Work is spread across cores so no single core becomes a bottleneck.
- Tasks are kept near the memory and cores they were already using, which avoids slow cross-chip hops.
- A burst of traffic on one site does not starve the others.
Memory used well, not wasted
The system caches frequently read data in spare memory so it does not fetch it from disk twice. Identical memory pages across virtual machines are shared rather than duplicated. When memory gets tight, the least useful pages are released first.
Storage that keeps up
The file system batches writes, checksums everything so silent corruption is caught, and takes snapshots without copying the whole disk. Snapshots are near-instant because they only record what changed.
Virtual machines that feel native
Virtualization runs close to the metal. Guests talk to the processor's virtualization features directly rather than through slow emulation, so a virtual machine performs close to a bare machine. You can pack many guests on one host and move a running guest to another host with barely a pause.
Scaling out
When one server is not enough, you add more and the fleet shares the load. Because every server is built from the same policy, a new node joins and starts taking work without hand-holding. Idle machines are packed tightly and can be powered down to save energy, then brought back when demand returns.
Server edition specification
The detail for the data centre build.
- Processors
- Up to 8 sockets, hundreds of cores
- Memory
- Addresses many terabytes of RAM
- Storage pools
- Pooled drives with checksums and snapshots
- Network
- Bonded high-speed links with failover
- Guests
- Many virtual machines and containers per host
- Web and app
- Run multiple sites and services per host
- Databases
- Tuned storage and memory paths for query loads
- Virtualization
- Near-native guests with live migration
- File and cache
- Shared storage and in-memory caching roles
- Secure boot
- Signed bootloader, kernel, and core services
- Encryption
- Full-volume, key held in the hardware chip
- Least privilege
- Per-service confinement, deny by default
- Updates
- Signed images with automatic rollback
- Policy
- File-based config applied across the fleet
- Monitoring
- Central health, metrics, and log search
- Grouping
- Staged rollouts by machine group
- Remote access
- Encrypted key-based control and re-imaging
A few everyday commands
Plain management from the console. These are the kinds of commands an operator runs day to day.
$ cal status --group web # health of every web server at a glance
$ cal policy apply web-tier.cfg # push one config to the whole web group
$ cal update stage --group test # roll the new image to the test group first
$ cal vm migrate db-02 host-07 # move a running database guest, no downtime
$ cal logs search "timeout" 1h # search the last hour of logs across the fleet
$ cal rollback db-02 # send one node back to its last good image
Built for the rack, not bolted on
The Server edition ships on Calyraen server hardware. The depth above lives in the popups when you want it, and stays out of the way when you do not.
The edition for serious desk work
For engineering, 3D, heavy analysis, and creative work. Same core as the server, tuned to feel fast under your hands and to get out of the way. It ships on Calyraen workstations.
Why it suits a pro desk
Four reasons it belongs in front of someone doing real work.
Made for heavy tools
Engineering, 3D, simulation, and analysis apps get the cores and memory they ask for.
Stays fast under load
A long render in the background does not turn your mouse and typing into a slideshow.
Keeps apps apart
Each app runs in its own confined space, so one crashing tool does not drag the rest down.
Quiet about your data
Your files are encrypted and apps cannot reach into folders you never granted them.
A workstation holds work that matters and connects to networks you do not control. Here is how it protects both.
Security on the Workstation edition
Your disk is locked when the machine is off
The whole drive is encrypted, and the key lives in a hardware chip on the board. If the laptop is lost or the desktop is stolen, the work on it cannot be read. Powering it off or locking it puts the data out of reach. The key never sits in a plain file someone could copy.
Every app lives in its own box
This is app isolation, and it is the part you feel most. Each application runs inside its own confined space. It can see its own files and the documents you explicitly open with it. It cannot quietly rummage through the rest of your home folder.
- A PDF viewer cannot read your private keys.
- A creative tool cannot reach into your engineering project unless you open that project with it.
- If one app is exploited by a bad file, the damage is fenced inside that app's box.
Apps ask before they reach further
When an app wants your camera, your microphone, your location, or a folder it has not touched before, you get asked. You grant or deny, and you can change your mind later. Nothing helps itself in the background.
The boot chain is verified
Like the server, the workstation checks signatures from firmware to bootloader to kernel before anything runs. A tampered system stops at boot rather than starting up compromised. You begin every session on a system that has proven it is the genuine one.
Updates are signed
Updates are checked against Calyraen's signature before they install. An altered or unsigned update will not run, so the update path is not a way in.
Privacy is the default, not a setting you hunt for
There is no quiet telemetry shovelling your activity off the machine. What leaves the workstation is what you send. The starting position is closed, and you open things deliberately.
The whole point of a workstation is that it stays responsive while the heavy job runs. Here is how it manages that.
Performance on the Workstation edition
The thing in front of you wins
A workstation scheduler has a different job from a server one. On a server, fairness across many tasks matters most. On a workstation, the app you are actively using matters most. The Workstation edition leans toward interactivity.
- Your typing, your cursor, and the window you are working in get priority.
- Heavy background jobs, a render or a compile or a simulation, take the cores that are spare.
- When you switch to a tool, it wakes up sharp instead of crawling out of the background.
The result is that a four-hour render can run while you keep modelling, and the model still moves smoothly.
Low overhead means more for your work
The system keeps its own footprint small so the machine's power goes to your tools, not to housekeeping. There is no heavy layer of background services fighting your application for the processor.
Memory tuned for big files
Professional work means big files: large datasets, dense scenes, deep project histories. The system caches what you touch often so reopening is instant, shares identical memory where it can, and lets a hungry application take a large slice of RAM when it genuinely needs it.
The hardware accelerators are available
Graphics and compute accelerators are exposed directly to the apps that can use them, so 3D, rendering, and analysis tools run on the silicon built for them rather than falling back to the slow path.
Fast storage, safely
The file system batches writes for speed and checksums data so a silent disk error does not quietly rot a project. Snapshots let you grab a point in time before a risky change, in an instant, without copying the whole disk.
A good pro OS is one you stop noticing. Here is what it does to disappear.
Staying out of the way
No surprise reboots
Updates download quietly and wait. They install when you choose, not in the middle of a deadline. The system will tell you an update is ready and then leave the timing to you.
It does not nag
There is no stream of pop-ups asking you to try features or rate things. Notifications are for things that actually need you. The default is quiet.
Sane defaults, deep settings
Most people never open the deep settings, and that is the point. The defaults are chosen to be sensible for pro work. The depth is there when you go looking, and hidden when you are not.
Predictable, every time
Because it shares the same core as the server and embedded editions, the workstation behaves consistently. A script you wrote works the same tomorrow. An update does not quietly move things around. The machine you sat down at last week is the machine you sit down at today.
Recover fast
If an app misbehaves, its own confined box keeps the rest of the system standing. If an update ever does go wrong, the workstation can boot back into the last image that worked, so a bad day does not cost you the machine.
It respects focus
A focus mode silences the non-urgent and dims the rest so the work in front of you is the only thing asking for attention. The OS treats your concentration as something worth protecting.
Workstation edition specification
The detail for the desk build.
- Processors
- Up to 2 sockets, high core counts
- Memory
- Large RAM for datasets and dense scenes
- Accelerators
- Direct access to graphics and compute hardware
- Displays
- Multiple high-resolution outputs
- Storage
- Fast local drives with snapshots
- Engineering
- CAD, EDA, and simulation workloads
- 3D and render
- Modelling and long background renders
- Analysis
- Large datasets held and crunched locally
- Creative
- Editing, audio, and design tooling
- Scheduler
- Favours the active app and your input
- Overhead
- Small system footprint, more left for tools
- Memory cache
- Hot files kept ready, big slices on demand
- Focus mode
- Silences non-urgent interruptions
- Encryption
- Full-disk, key held in the hardware chip
- App isolation
- Each app confined to its own space
- Permissions
- Camera, mic, location, and folders asked first
- Privacy default
- No background telemetry, closed by default
Fast where it counts, quiet everywhere else
The Workstation edition ships on Calyraen workstations. The deep detail is one tap away in the popups and stays folded until you want it.
Lean and locked down for the edge
For kiosks, signage, drones, sensors, and the small boxes that run unattended for years. Stripped to the essentials, sealed shut, and updated only by signed images. It ships on Calyraen edge hardware.
Why it suits the edge
Four reasons it belongs in a sealed box on a wall, a pole, or a drone.
Tiny footprint
Only what the device needs is on it, so it fits on modest hardware and boots fast.
Locked by design
The configuration is fixed and read-only, so nobody changes it by poking at the box.
Runs unattended
It is built to run for months without a person nearby, and to recover on its own if it stumbles.
Updated from afar
Signed images are pushed over the network, so a field of devices updates without a site visit.
An edge device sits in public, sometimes for years, with no one watching it. The security model assumes that.
Security on the Embedded edition
Secure boot, with no detours
The device verifies every stage at power-on: firmware checks the bootloader, the bootloader checks the kernel, the kernel checks the one application image it is allowed to run. If anything has been swapped, it refuses to start. On an embedded box there is no operator standing by to notice tampering, so the device has to refuse on its own.
The system is read-only
The operating system and the app run from a read-only image. Nothing can write changes into them while the device is running. This matters for two reasons:
- Malware has nowhere to install itself, because the system files cannot be modified.
- A power cut in the middle of operation cannot corrupt the system, because the system is never being written to.
The only writable area is a small data partition for the things the device legitimately needs to save, and even that is fenced off from the system.
Configuration is locked
The device's settings are baked into the signed image. There is no admin menu to fiddle with on the unit itself, no default password to leave unchanged, no console to break into. To change how a device behaves, you build a new signed image and push it. Someone with physical access to a kiosk cannot reconfigure it by tapping the screen in the right corners.
Only signed images install
Every update is a complete image signed by Calyraen. The device checks the signature against a key burned in at the factory before it accepts anything. An unsigned image, or one signed with the wrong key, or one altered in transit, is rejected. This is the single most important defence for a device you can never physically guard.
Locked down to the minimum
The device exposes only the network ports it actually uses and runs only the services the app needs. Everything else is simply not present. A smaller system has fewer doors, and fewer doors means fewer ways in.
Encrypted where it counts
The writable data partition is encrypted with a key held in the device's hardware chip, so a unit that is pried open does not surrender the data it was holding.
These devices have to keep going with nobody around. Reliability is the whole job.
Reliability on the Embedded edition
Two system slots, never a brick
The device keeps two copies of the system: the one running now, and a spare. When an update arrives, it is written to the spare slot while the current slot keeps the device working. The device then reboots into the new slot.
- If the new slot boots and proves healthy, it becomes the running one.
- If it fails to boot or fails its self-check, the device falls straight back to the old slot.
This is why a bad update in the field does not turn a device into a brick. The worst case is that it keeps running the version it had before, and you try again.
It restarts itself
A watchdog keeps an eye on the device. If the app stops responding or the system hangs, the watchdog restarts it without anyone driving out to power-cycle the box. For a device on a pole or inside a wall, this is the difference between a blip and a truck roll.
Power loss is expected, not feared
Because the system runs read-only and writes go to a small protected data area, pulling the plug at the wrong moment does not corrupt the device. It simply boots back up where it was. Kiosks lose power. Signage gets switched off at night. The OS treats that as normal.
Built to run for years
There are no surprise background tasks chewing storage or memory over time. The footprint is fixed and known, so a device behaves the same on day one and on day eight hundred. Memory and storage use do not creep.
Managed in fleets, from afar
A thousand kiosks are managed the way a server fleet is: grouped, monitored, and updated centrally. You can see which devices are online, which are on which image version, and push a new signed image to a group on a schedule. A device that drops off the network and comes back picks up where the fleet expects it to be.
Small hardware, long runtimes, no fan to spare. Performance here means doing the job on very little.
Performance on the Embedded edition
Only what the device needs
The image is built down to exactly the parts this device uses and nothing else. No spare drivers, no unused services, no general-purpose clutter. A smaller system boots faster, uses less memory, and leaves more of the modest hardware for the actual job.
Boots fast, every time
Because there is so little to bring up, the device is ready quickly after power-on. A signage screen comes back to its content in seconds after a power cut rather than sitting on a logo while a heavy system loads.
Light on memory and storage
The system holds a small, fixed amount of memory and storage for itself. That headroom goes to the app: the display pipeline for signage, the flight loop for a drone, the sensor reads for a monitor. There is no slow bloat over time because there is nothing extra installed to grow.
Predictable timing
For devices that have to react on time, a drone holding position, a controller reading a sensor, the scheduler keeps timing steady so the important loop is not left waiting behind housekeeping. The device does the same thing in the same time, run after run.
Runs cool and quiet
A lean system asks less of the processor, which means less heat. That suits fanless boxes sealed against dust and weather, where there is no cooling to rely on and no easy way to service the unit.
Same tools as the big editions
Despite being the smallest edition, it shares the core, the security model, and the management tools of the server and workstation. What you learned managing servers applies to managing a field of edge devices.
Embedded edition specification
The detail for the edge build.
- Image size
- Stripped to the device's needs, very small
- Memory
- Runs comfortably on modest RAM
- Storage
- Read-only system, small protected data area
- Boot time
- Fast cold boot after power loss
- Architectures
- 64-bit Arm and 64-bit x86
- Kiosks
- Self-service screens in public spaces
- Signage
- Always-on displays that recover after power cuts
- Drones and robots
- Steady timing for control loops
- Sensors and gateways
- Unattended monitoring at the edge
- Secure boot
- Verified from firmware to single app image
- Read-only system
- System cannot be written to at runtime
- Locked config
- Settings baked into the signed image
- Data encryption
- Writable area encrypted with hardware key
- Updates
- Full images, signed, key burned in at factory
- Dual slots
- Spare system slot with automatic fallback
- Watchdog
- Restarts a hung device on its own
- Power loss
- Safe shutdown and clean boot expected
- Fleet control
- Grouped, monitored, updated remotely
Set it, seal it, leave it
The Embedded edition ships on Calyraen edge hardware. The deep workings sit in the popups for the day you need them, and the device just runs the rest of the time.