Module capability


Daemon capability survey.

Probes the runtime environment of the zlayer daemon (root vs. non-root, host vs. nested in a container, cgroup v2 path, CAP_NET_ADMIN, presence of /dev/net/tun, and writability of the cgroup root) and derives a coarse DaemonMode from those signals.

All probes are intentionally cheap and non-destructive — a handful of syscalls, no allocations of kernel resources (no TUN interfaces, no cgroup writes). The struct is safe to construct multiple times.

Non-Linux targets report a fixed degraded survey since the kernel features these probes target are Linux-only.
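The sketch below is an added example, not zlayer's own code. It shows how read-only probes of this kind can be derived from procfs text, and why root and CAP_NET_ADMIN have to be checked separately. All function names, the sample inputs, and the choice of `/proc/self/status` and `/proc/self/cgroup` as sources are assumptions.

```rust
// Added illustration; all names here are hypothetical, not the zlayer API.
use std::fs;
use std::path::Path;

const CAP_NET_ADMIN: u32 = 12; // bit index, from linux/capability.h

// Constructed sample: euid 0 inside a container with a reduced capability set.
const SAMPLE_STATUS: &str = "Name:\tdaemon\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n";
// Constructed sample: hybrid host with a v1 controller line and the v2 entry.
const SAMPLE_CGROUP: &str = "1:name=systemd:/init.scope\n0::/system.slice/daemon.service\n";

/// Effective UID: second field of the "Uid:" line (real, effective, saved, fs).
fn parse_euid(status: &str) -> Option<u32> {
    status.lines().find_map(|l| l.strip_prefix("Uid:")?.split_whitespace().nth(1)?.parse().ok())
}

/// Effective capability mask from the hex "CapEff:" line.
fn parse_cap_eff(status: &str) -> Option<u64> {
    status.lines().find_map(|l| u64::from_str_radix(l.strip_prefix("CapEff:")?.trim(), 16).ok())
}

fn has_cap(mask: u64, cap: u32) -> bool {
    mask & (1u64 << cap) != 0
}

/// cgroup-v2 path: the single "0::<path>" entry; v1-only hosts have none.
fn parse_cgroup_v2_path(cgroup: &str) -> Option<&str> {
    cgroup.lines().find_map(|l| l.strip_prefix("0::")).filter(|p| p.starts_with('/'))
}

/// (is_root, has_net_admin, cgroup_v2_path) from the two procfs texts.
fn survey<'a>(status: &str, cgroup: &'a str) -> (bool, bool, Option<&'a str>) {
    let root = parse_euid(status) == Some(0);
    let net_admin = parse_cap_eff(status).map_or(false, |m| has_cap(m, CAP_NET_ADMIN));
    (root, net_admin, parse_cgroup_v2_path(cgroup))
}

fn main() {
    // Root alone is not enough: the sample is uid 0 yet lacks CAP_NET_ADMIN.
    println!("sample: {:?}", survey(SAMPLE_STATUS, SAMPLE_CGROUP));
    // Live probe is read-only; unreadable files (non-Linux) degrade to defaults.
    let status = fs::read_to_string("/proc/self/status").unwrap_or_default();
    let cgroup = fs::read_to_string("/proc/self/cgroup").unwrap_or_default();
    let tun = Path::new("/dev/net/tun").exists();
    println!("live: {:?} tun_present={}", survey(&status, &cgroup), tun);
}
```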

Structs

DaemonCapabilities
Snapshot of the daemon’s effective capabilities and execution environment.

Enums

DaemonMode
Coarse classification of the daemon’s effective execution environment.

Functions

can_rootless_overlay
Decide whether the daemon can run the overlay in fully rootless mode: the overlay daemon wraps itself in its own user+network namespace (holding CAP_NET_ADMIN over its OWN netns only) and uses pasta for egress, instead of requiring host root or a setcap’d binary.
capability_overlay_fallback
Decide whether capability state forces a fallback from overlay to host networking. Pure and side-effect-free so it can be unit-tested without the host’s real capability state.
current_cgroup_v2_path
Returns the current process’s cgroup-v2 path, if any.
ensure_daemon_leaf_and_container_parent
Migrate the current daemon process into a <scope>/init sub-cgroup and return the sibling <scope>/containers path as the parent for future container cgroups. Idempotent — safe to call multiple times.
ensure_host_container_parent
Ensure the top-level host container hierarchy exists and has controllers delegated, returning the container parent path (/zlayer/containers, relative to the cgroup-v2 mount) for libcontainer’s cgroupsPath.
fusermount_binary
The fusermount helper to use for unmounting a fuse-overlayfs mount, preferring the FUSE3 fusermount3 and falling back to fusermount. Returns the resolved binary path, or None if neither is on PATH. Linux-only.
remove_host_container_cgroup
Best-effort removal of the host-mode container cgroup at /sys/fs/cgroup/zlayer/containers/<container_id>.