Ubicloud
Open source cloud infrastructure platform delivering AWS-like IaaS services on bare metal providers at a fraction of the cost.
Ubicloud is an open source infrastructure-as-a-service (IaaS) platform that replicates core AWS services on bare metal servers from providers like Hetzner, Leaseweb, and AWS Bare Metal. Its control plane, built with Ruby on Roda and Sequel, manages Linux data plane nodes via SSH, provisioning virtual machines through Cloud Hypervisor within Linux namespaces. The result is cloud convenience at 3x lower cost than AWS, with no vendor lock-in and full infrastructure ownership.
The platform provides elastic compute, block storage via SPDK, managed PostgreSQL with high availability and point-in-time restore, Kubernetes, AI inference endpoints, and a full networking stack using IPsec tunnels and nftables for firewalls and load balancers. An attribute-based access control (ABAC) system with recursive tag resolution enforces fine-grained permissions across all resources. GitHub Actions integration provides ephemeral CI runners that are significantly cheaper than hosted alternatives.
Ubicloud supports both a managed service at console.ubicloud.com and fully self-hosted deployments bootstrapped with Docker Compose. Teams that have been burned by AWS egress fees, cloud vendor dependencies, or compliance restrictions on data residency have a concrete path to run the same workloads on dedicated hardware in any datacenter they choose.
What You Get
- Elastic Compute with Cloud Hypervisor - Provision isolated virtual machines on bare metal using Cloud Hypervisor as the VMM, with each VM contained within Linux namespaces for security isolation and IPv4/IPv6 dual-stack networking support.
- High-Performance Block Storage - Virtualized block devices powered by the Storage Performance Development Toolkit (SPDK), with encryption at rest, data encryption key protection, and extensibility for future snapshot and replication features.
- Managed PostgreSQL with HA - Fully managed PostgreSQL instances with automatic backups, point-in-time restore (PITR), high availability failover, and performance matching or exceeding AWS RDS at approximately 3x lower cost.
- Attribute-Based Access Control (ABAC) - Fine-grained user permissions using recursive tag-based policy resolution via SQL CTEs, enabling dynamic role and attribute enforcement across projects and resources without application-level recursion overhead.
- Virtual Networking with IPsec and nftables - Private and public networking with dual-stack IPv4/IPv6, IPsec tunneling for encrypted inter-VM communication, per-customer network namespaces, and flexible firewall rules and load balancers built on Linux nftables.
- GitHub Actions CI Runners - Managed ephemeral CI runners replacing GitHub-hosted or self-hosted options, with isolated VMs per job, Arm support, and costs roughly 10x lower than equivalent cloud runner options.
- Kubernetes Cluster Management - Managed Kubernetes clusters with node provisioning, etcd backups, and automated node upgrades through dedicated prog-based lifecycle management across control and worker node pools.
- AI Inference Endpoints - Managed inference infrastructure for deploying and routing LLM and AI model requests, with replica management, router targets, and scaling built directly into the Ubicloud control plane.
Common Use Cases
- CI/CD with GitHub Actions cost reduction - Engineering teams replace expensive GitHub-hosted runners with Ubicloud ephemeral VMs, gaining isolated environments per job, faster CPUs on bare metal, and roughly 10x lower costs for compute-intensive test suites.
- Migrating PostgreSQL workloads off AWS RDS - Data teams move production databases to Ubicloud managed PostgreSQL for 3x cost savings while retaining PITR, high availability, automated backups, and performance parity with RDS.
- Building a private cloud on leased bare metal - Infrastructure teams at companies with data residency or compliance requirements deploy Ubicloud on Hetzner or Leaseweb hardware, maintaining full control over encryption keys and infrastructure without sacrificing cloud-style resource management.
- Running AI inference endpoints on dedicated hardware - ML teams deploy inference endpoints on Ubicloud for predictable GPU or CPU allocation without shared-tenant latency variance and at significantly lower per-token infrastructure cost than managed cloud AI APIs.
- Multi-tenant SaaS infrastructure provisioning - Platform engineering teams use Ubicloud as an internal cloud control plane to provision isolated VMs, private subnets, and managed databases for tenant environments with ABAC-enforced access boundaries.
- Portability-focused application deployment - Development teams using Kamal or similar deployment tools run their application dependencies on Ubicloud to gain portable, open infrastructure instead of being tied to cloud-specific managed services.
Under The Hood
Architecture
Ubicloud follows a clear control-plane/data-plane separation where a Ruby application (codenamed Clover) coordinates SSH-connected Linux bare metal nodes that run the actual cloud workloads. The control plane uses Roda’s hash-branch routing with a hierarchical plugin system to handle API endpoints, a web console, and CLI in a single application. Execution logic lives in a rich prog/ layer where each cloud service has a Nexus prog that drives resource lifecycle through semaphore-based state transitions stored in a PostgreSQL-backed strand stack. This strand model decouples long-running infrastructure operations from HTTP request cycles. Scheduling and monitoring run as separate Respirate processes with thread-pooled MonitorRunner instances that use PostgreSQL LISTEN/NOTIFY for distributed coordination across horizontally scaled control plane nodes. The authorization system uses recursive CTEs to resolve tag-based ABAC policies without application-level loops, and a dedicated Overrider system allows test and development environments to substitute implementations at runtime without code changes.
Tech Stack The backend is Ruby 4.0 on Roda for HTTP routing, Sequel for database access, Rodauth for authentication including WebAuthn, and net-ssh for SSH communication with data plane nodes. PostgreSQL is both the application database and the distributed coordination mechanism via LISTEN/NOTIFY. The frontend is a server-side Roda-rendered web console styled with Tailwind CSS and jQuery for interactivity. Infrastructure components on data plane nodes are written in Ruby (rhizome) and Shell, with a small Go CLI binary and a Ruby SDK. The project has deep AWS SDK integrations for EC2, IAM, S3, and KMS for cloud-agnostic backend support alongside Google Cloud APIs. CI uses GitHub Actions, production deployment uses Puma behind Foreman, and code quality is enforced by StandardRB and RuboCop with domain-specific plugins.
Code Quality
With over 500 RSpec files spanning unit, integration, and end-to-end tests using Capybara, WebMock, and golden-file validation, the test coverage is extensive and covers both the HTTP layer and the prog lifecycle logic. Error handling uses a custom exception hierarchy (CloverError subclasses) for typed, structured error responses rather than uncaught exceptions. The codebase enforces naming conventions through RuboCop, uses UUIDs and database-level constraints for data integrity, and isolates test behavior through an Overrider mechanism that avoids monkey-patching. Comment density in core files is moderate—sufficient for orientation without being noisy—and OpenAPI 3.0 specification is maintained alongside the implementation in openapi/. Brakeman security scanning runs in CI. The development experience is documented thoroughly in DEVELOPERS.md with mise-based toolchain management.
What Makes It Unique Ubicloud’s recursive tag-based ABAC system uses SQL CTEs with cycle detection to resolve permission hierarchies across subjects, actions, and objects without application-level recursion—a genuinely novel approach to policy evaluation in a multi-tenant cloud context. The strand/semaphore execution model for infrastructure programs provides durable, restartable state machines for long-running operations like VM provisioning or Kubernetes node upgrades, persisted in PostgreSQL rather than a dedicated workflow engine. PostgreSQL LISTEN/NOTIFY is used as the coordination bus for distributed monitoring and scheduling, avoiding external message queue dependencies. The rhizome data plane agents handle cloud tasks like VM lifecycle, network namespace configuration, and SPDK block device management directly on bare metal nodes via SSH, keeping the control plane stateless with respect to host-side execution. The platform also ships an integrated AI inference routing layer with replica and router management, positioning it uniquely among open source cloud platforms.
Self-Hosting
Ubicloud is released under the GNU Affero General Public License v3.0 (AGPL-3.0). This means the source code is freely available to view, modify, and self-host, but any modifications to the software made available as a network service must be released under the same license. For most teams running Ubicloud as internal infrastructure, the AGPL imposes no practical restrictions—you are not distributing the software, so the copyleft clause does not apply. If you plan to build a commercial cloud product on top of Ubicloud and expose it to external customers, you would need to release your modifications or obtain a commercial license from Ubicloud.
Running Ubicloud yourself means taking on the full operational burden of a cloud control plane. The control plane requires a PostgreSQL instance, Ruby 4.0, and access to bare metal servers from supported providers like Hetzner or Leaseweb. You are responsible for bootstrapping nodes with the rhizome agent, managing control plane availability, rotating secrets, applying software updates, and monitoring for stuck strands or failed progs. The infrastructure is complex: bare metal servers need to be provisioned with Ubuntu 24.04 via rescue mode before cloudifying, and any networking issues, SPDK failures, or SSH connectivity problems require direct operator intervention. There is no self-healing control plane—you own the reliability of the system.
Ubicloud offers a managed service at console.ubicloud.com that eliminates this operational overhead. The managed tier handles control plane availability, node provisioning, security patching, and support. Self-hosters give up managed SLAs, 24/7 support, automatic upgrades, and the integrated billing and customer management layer. The managed service also has first access to new services like AI inference endpoints and Kubernetes as they reach GA. For teams whose core competency is not cloud infrastructure operations, the managed Ubicloud tier is likely a better value proposition even at higher cost than self-hosting on cheap bare metal.
Related Apps
Netdata
Monitoring · Devops
Real-time per-second metrics, ML-powered anomaly detection, and zero-config observability for any infrastructure.
Netdata
GPL 3.0Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Docker (Moby)
Devops · Developer Tools
The open-source container engine at the heart of Docker — a modular toolkit of runtime, build, and networking components for assembling container-based systems.