Daemon capability survey.
Probes the runtime environment of the zlayer daemon (root vs. non-root,
host vs. nested in a container, cgroup v2 path, CAP_NET_ADMIN, presence
of /dev/net/tun, and writability of the cgroup root) and derives a coarse
DaemonMode from those signals.
All probes are intentionally cheap and non-destructive — a handful of syscalls, no allocations of kernel resources (no TUN interfaces, no cgroup writes). The struct is safe to construct multiple times.
Non-Linux targets report a fixed degraded survey since the kernel features these probes target are Linux-only.
Structs§
- DaemonCapabilities - Snapshot of the daemon’s effective capabilities and execution environment.
Enums§
- DaemonMode - Coarse classification of the daemon’s effective execution environment.
Functions§
- can_rootless_overlay - Decide whether the daemon can run the overlay in fully rootless mode: the overlay daemon wraps itself in its own user+network namespace (holding `CAP_NET_ADMIN` over its OWN netns only) and uses pasta for egress, instead of requiring host root or a setcap’d binary.
- capability_overlay_fallback - Decide whether capability state forces a fallback from overlay to host networking. Pure and side-effect-free so it can be unit-tested without the host’s real capability state.
- current_cgroup_v2_path - Returns the current process’s cgroup-v2 path, if any.
- ensure_daemon_leaf_and_container_parent - Migrate the current daemon process into a `<scope>/init` sub-cgroup and return the sibling `<scope>/containers` path as the parent for future container cgroups. Idempotent — safe to call multiple times.
- ensure_host_container_parent - Ensure the top-level host container hierarchy exists and has controllers delegated, returning the container parent path (`/zlayer/containers`, relative to the cgroup-v2 mount) for libcontainer’s `cgroupsPath`.
- fusermount_binary - The fusermount helper to use for unmounting a `fuse-overlayfs` mount, preferring the FUSE3 `fusermount3` and falling back to `fusermount`. Returns the resolved binary path, or `None` if neither is on `PATH`. Linux-only.
- remove_host_container_cgroup - Best-effort removal of the host-mode container cgroup at `/sys/fs/cgroup/zlayer/containers/<container_id>`.
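The module description above explains the survey as a set of cheap, read-only probes (effective uid, nesting, cgroup-v2 path, CAP_NET_ADMIN, /dev/net/tun) that feed a coarse mode decision, and `current_cgroup_v2_path` is one of those probes. The following is an added example of that design written for this page; it is not zlayer’s own code. The `Mode` variants, the `Survey` field names, the nesting heuristic (presence of `/.dockerenv` or `/run/.containerenv`) and the mode-derivation rule are all assumptions made here. The parsing is split out from the file reads so the decision logic can be tested on constructed `/proc` text without touching the real host, the same property the page ascribes to `capability_overlay_fallback`.

```rust
// Added example: a non-destructive daemon capability survey in the spirit of
// the zlayer module docs. Not the crate's code; Mode variants, Survey fields,
// the container-nesting heuristic and derive_mode's rule are assumptions.
use std::path::Path;

/// CAP_NET_ADMIN is capability number 12 in <linux/capability.h>.
pub const CAP_NET_ADMIN: u32 = 12;

/// Coarse execution environment (assumed variants, not zlayer's DaemonMode).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Mode {
    HostRoot,     // euid 0 with CAP_NET_ADMIN on the host: full overlay possible
    HostRootless, // unprivileged on the host: rootless overlay or host fallback
    Nested,       // running inside another container: treat as degraded
}

/// Raw probe results; every field comes from a read or stat(), never a write.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Survey {
    pub euid: u32,
    pub nested: bool,
    pub cgroup_v2_path: Option<String>,
    pub has_net_admin: bool,
    pub has_tun: bool,
}

/// Extract the cgroup-v2 entry ("0::/path") from /proc/self/cgroup text.
/// v1 entries ("N:controllers:/path") are skipped.
pub fn parse_cgroup_v2_path(contents: &str) -> Option<String> {
    contents.lines().find_map(|line| {
        let mut parts = line.splitn(3, ':');
        match (parts.next(), parts.next(), parts.next()) {
            (Some("0"), Some(""), Some(path)) => Some(path.to_string()),
            _ => None,
        }
    })
}

/// Parse the effective capability mask from the "CapEff:" line of /proc/self/status.
pub fn parse_cap_eff(status: &str) -> Option<u64> {
    status.lines().find_map(|line| {
        let hex = line.strip_prefix("CapEff:")?.trim();
        u64::from_str_radix(hex, 16).ok()
    })
}

/// Parse the effective uid: the "Uid:" line lists real, effective, saved, fs.
pub fn parse_euid(status: &str) -> Option<u32> {
    status.lines().find_map(|line| {
        let rest = line.strip_prefix("Uid:")?;
        rest.split_whitespace().nth(1)?.parse::<u32>().ok()
    })
}

/// Test one capability bit in a CapEff mask.
pub fn has_cap(mask: u64, cap: u32) -> bool {
    mask & (1u64 << cap) != 0
}

/// Assumed rule: nesting dominates, because euid 0 inside a container still
/// cannot create host-level resources; otherwise root plus CAP_NET_ADMIN is
/// the only combination treated as fully privileged.
pub fn derive_mode(s: &Survey) -> Mode {
    if s.nested {
        Mode::Nested
    } else if s.euid == 0 && s.has_net_admin {
        Mode::HostRoot
    } else {
        Mode::HostRootless
    }
}

/// Read the live signals on Linux. Missing files simply degrade the result;
/// nothing is allocated, created or written.
pub fn survey() -> Survey {
    let status = std::fs::read_to_string("/proc/self/status").unwrap_or_default();
    let cgroup = std::fs::read_to_string("/proc/self/cgroup").unwrap_or_default();
    let caps = parse_cap_eff(&status).unwrap_or(0);
    Survey {
        euid: parse_euid(&status).unwrap_or(u32::MAX),
        // Heuristic (assumption): Docker and Podman marker files.
        nested: Path::new("/.dockerenv").exists() || Path::new("/run/.containerenv").exists(),
        cgroup_v2_path: parse_cgroup_v2_path(&cgroup),
        has_net_admin: has_cap(caps, CAP_NET_ADMIN),
        has_tun: Path::new("/dev/net/tun").exists(),
    }
}

fn main() {
    let s = survey();
    println!("{s:#?}\nmode = {:?}", derive_mode(&s));
}
```

Running the binary prints the survey and derived mode for the current process. Because the parsers take text rather than paths, the mode decision can be exercised with constructed `/proc` contents on any platform, which is the same reason the page gives for keeping `capability_overlay_fallback` pure.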