Structs
- ContextPopulator - Context populator - copies files from source to destination
- LazyContextPopulator - Lazy context populator that supports both copy and bind mount modes
- TmpfsMount - tmpfs mount manager
Enums
- ContextMode - Context population mode
- FilesystemState - Filesystem lifecycle state machine matching Nucleus_Filesystem_FilesystemLifecycle.tla
Constants
- PROC_NULL_MASKED - Paths to mask with /dev/null (files) – matches OCI runtime spec masked paths. Exposed for testing; the canonical list of sensitive /proc entries that must be hidden from container processes.
- PROC_READONLY_PATHS - Paths to remount read-only – matches OCI runtime spec readonlyPaths.
- PROC_TMPFS_MASKED - Paths to mask with empty tmpfs (directories).
- ROOTFS_ATTESTATION_FILE
Functions
- audit_mounts - Audit all mounts in the container’s mount namespace.
- bind_mount_host_paths - Bind mount essential host directories into container
- bind_mount_rootfs - Bind mount a pre-built rootfs (e.g. a Nix store closure) into the container.
- create_dev_nodes - Create essential device nodes in /dev
- create_minimal_fs - Create minimal filesystem structure in the new root
- mask_proc_paths - Mask sensitive /proc paths by bind-mounting /dev/null or tmpfs over them
- mount_procfs - Mount procfs at the given path
- mount_secrets - Mount secret files into the container root.
- mount_secrets_inmemory - Mount secrets onto a dedicated in-memory tmpfs instead of bind-mounting host paths.
- mount_volumes - Mount persistent bind volumes and ephemeral tmpfs volumes into the container root.
- normalize_container_destination - Normalize an absolute container destination path and reject traversal.
- normalize_volume_destination - Normalize and validate a user-supplied volume destination inside the container.
- resolve_container_destination - Resolve a validated container destination under a host-side root directory.
- resolve_volume_destination - Resolve a validated user-supplied volume destination under a host-side root directory.
- snapshot_context_dir
- switch_root - Switch to new root filesystem using pivot_root or chroot
- validate_bind_mount_source - Validate that a bind mount source exists and is not a sensitive host path or subtree.
- validate_bind_mount_source_policy - Validate bind-mount source policy without requiring the source to exist.
- validate_production_rootfs_path - Validate a production rootfs path and return the canonical path to use.
- verify_context_integrity
- verify_context_manifest
- verify_rootfs_attestation