⚠️ VeridianOS Kernel Documentation - This is low-level kernel code. All functions are unsafe unless explicitly marked otherwise. no_std

Module containers

Enhanced container runtime with OCI specification support, cgroup controllers, overlay filesystem, veth networking, and seccomp BPF filtering.

This module implements 7 container enhancement sprints:

  1. OCI Runtime Specification (config.json parsing, lifecycle, hooks, pivot_root)
  2. Container Image Format (layers, overlay composition, manifest, SHA-256 IDs)
  3. Cgroup Memory Controller (limits, usage tracking, OOM, hierarchical accounting)
  4. Cgroup CPU Controller (shares, quota/period, throttling, burst, hierarchy)
  5. Overlay Filesystem (lower/upper layers, copy-up, whiteout, directory merge)
  6. Veth Networking (virtual pairs, bridge, NAT masquerade, ARP proxy, MTU)
  7. Seccomp BPF (filter instructions, syscall filtering, arg inspection, inheritance)
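The seccomp item above (filter instructions, syscall filtering, argument inspection) is easiest to understand with a filter in hand. The following is an added example, not VeridianOS code and not this module's API: a classic-BPF interpreter for the three opcodes a seccomp allowlist needs, the load-time validation the kernel performs before accepting a filter, and a filter that pins the audit arch, allowlists `read`/`exit_group`, and permits `write` only on fd 1 or 2 while checking both 32-bit halves of the 64-bit argument. The `Insn`, `SeccompData`, `validate`, `run_filter` and `decide` names are this example's own; the numeric constants (seccomp_data offsets, `AUDIT_ARCH_X86_64`, `SECCOMP_RET_*`, x86_64 syscall numbers) are Linux's. It is written for a hosted toolchain so it can be run directly; the module itself is `no_std`.

```rust
// Added example (not VeridianOS code). Hypothetical names; Linux constants.

// struct seccomp_data (x86_64, little-endian): nr @0, arch @4,
// instruction_pointer @8, args[i] @16+8*i; 64 bytes in total.
const SECCOMP_DATA_SIZE: u32 = 64;
const OFF_NR: u32 = 0;
const OFF_ARCH: u32 = 4;
const fn off_arg_lo(i: u32) -> u32 { 16 + 8 * i }
const fn off_arg_hi(i: u32) -> u32 { 20 + 8 * i }

const AUDIT_ARCH_X86_64: u32 = 0xC000_003E;
const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
const SECCOMP_RET_ERRNO: u32 = 0x0005_0000; // low 16 bits carry the errno
const SECCOMP_RET_ALLOW: u32 = 0x7FFF_0000;
const EPERM: u32 = 1;
const SYS_READ: u32 = 0;
const SYS_WRITE: u32 = 1;
const SYS_EXIT_GROUP: u32 = 231;

// The cBPF subset used here.
const BPF_LD_W_ABS: u16 = 0x20; // A = *(u32 *)(data + k)
const BPF_JEQ_K: u16 = 0x15;    // pc += 1 + (A == k ? jt : jf)
const BPF_RET_K: u16 = 0x06;    // return k

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Insn { pub code: u16, pub jt: u8, pub jf: u8, pub k: u32 }

const fn ld(k: u32) -> Insn { Insn { code: BPF_LD_W_ABS, jt: 0, jf: 0, k } }
const fn jeq(k: u32, jt: u8, jf: u8) -> Insn { Insn { code: BPF_JEQ_K, jt, jf, k } }
const fn ret(k: u32) -> Insn { Insn { code: BPF_RET_K, jt: 0, jf: 0, k } }

pub struct SeccompData { pub nr: i32, pub arch: u32, pub instruction_pointer: u64, pub args: [u64; 6] }

impl SeccompData {
    // Lay the struct out exactly as the filter will address it.
    fn to_bytes(&self) -> [u8; 64] {
        let mut b = [0u8; 64];
        b[0..4].copy_from_slice(&self.nr.to_le_bytes());
        b[4..8].copy_from_slice(&self.arch.to_le_bytes());
        b[8..16].copy_from_slice(&self.instruction_pointer.to_le_bytes());
        for (i, a) in self.args.iter().enumerate() {
            b[16 + 8 * i..24 + 8 * i].copy_from_slice(&a.to_le_bytes());
        }
        b
    }
}

/// Load-time checks in the spirit of the kernel's filter verifier: known opcodes only,
/// forward jumps stay inside the program, loads are aligned and inside seccomp_data,
/// and execution cannot run off the end (last instruction must be a ret).
pub fn validate(prog: &[Insn]) -> Result<(), &'static str> {
    if prog.is_empty() { return Err("empty program"); }
    for (pc, insn) in prog.iter().enumerate() {
        match insn.code {
            BPF_LD_W_ABS if insn.k % 4 != 0 || insn.k + 4 > SECCOMP_DATA_SIZE => {
                return Err("load outside seccomp_data");
            }
            BPF_LD_W_ABS | BPF_RET_K => {}
            BPF_JEQ_K if pc + 1 + insn.jt as usize >= prog.len()
                || pc + 1 + insn.jf as usize >= prog.len() => return Err("jump out of range"),
            BPF_JEQ_K => {}
            _ => return Err("unsupported opcode"),
        }
    }
    if prog[prog.len() - 1].code != BPF_RET_K { return Err("last instruction must be ret"); }
    Ok(())
}

/// Run a validated program against one syscall's seccomp_data and return the action.
pub fn run_filter(prog: &[Insn], data: &SeccompData) -> u32 {
    let bytes = data.to_bytes();
    let (mut acc, mut pc) = (0u32, 0usize);
    loop {
        let insn = prog[pc];
        match insn.code {
            BPF_LD_W_ABS => {
                let o = insn.k as usize;
                acc = u32::from_le_bytes([bytes[o], bytes[o + 1], bytes[o + 2], bytes[o + 3]]);
                pc += 1;
            }
            BPF_JEQ_K => pc += 1 + if acc == insn.k { insn.jt as usize } else { insn.jf as usize },
            _ => return insn.k, // BPF_RET_K; validate() rejected everything else
        }
    }
}

/// Arch pin, then allowlist. write() gets its first argument inspected: the high half
/// must be zero (a filter that checks only the low 32 bits can be bypassed) and the
/// low half must be 1 or 2. Wrong arch is killed, unknown syscalls fail with EPERM.
pub const EXAMPLE_FILTER: [Insn; 14] = [
    ld(OFF_ARCH),                   //  0
    jeq(AUDIT_ARCH_X86_64, 1, 0),   //  1: match -> 3, else -> 2
    ret(SECCOMP_RET_KILL_PROCESS),  //  2
    ld(OFF_NR),                     //  3
    jeq(SYS_READ, 8, 0),            //  4: -> 13 (allow)
    jeq(SYS_EXIT_GROUP, 7, 0),      //  5: -> 13 (allow)
    jeq(SYS_WRITE, 0, 5),           //  6: -> 7 (inspect fd), else -> 12 (errno)
    ld(off_arg_hi(0)),              //  7
    jeq(0, 0, 3),                   //  8: high half zero -> 9, else -> 12
    ld(off_arg_lo(0)),              //  9
    jeq(1, 2, 0),                   // 10: stdout -> 13
    jeq(2, 1, 0),                   // 11: stderr -> 13, else -> 12
    ret(SECCOMP_RET_ERRNO | EPERM), // 12
    ret(SECCOMP_RET_ALLOW),         // 13
];

pub fn decide(arch: u32, nr: i32, args: [u64; 6]) -> u32 {
    run_filter(&EXAMPLE_FILTER, &SeccompData { nr, arch, instruction_pointer: 0, args })
}

fn main() {
    validate(&EXAMPLE_FILTER).expect("filter rejected at load time");
    println!("write(fd=3) -> {:#x}", decide(AUDIT_ARCH_X86_64, SYS_WRITE as i32, [3, 0, 0, 0, 0, 0]));
}
```

Two points the table of opcodes alone does not convey: the arch check has to come first, because syscall numbers differ between x86_64 and the 32-bit ABIs and a filter keyed on `nr` alone is trivially sidestepped; and argument checks must cover the full 64-bit value, which in classic BPF means two 32-bit loads.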

Modules

audit_arch
Audit architecture values.
seccomp_offsets
Seccomp data offsets (for x86_64 struct seccomp_data layout).

Structs

ArpProxyEntry
ARP proxy entry for container IPs.
BpfInstruction
A single BPF instruction.
CachedLayer
CgroupCpuController
Cgroup CPU controller with shares and bandwidth limiting.
CgroupMemoryController
Cgroup memory controller.
ContainerImage
Container image: manifest + layers + config.
CpuBandwidthStats
CPU bandwidth statistics.
ImageLayer
A single layer in a container image.
ImageManifest
Container image manifest.
LayerCache
Layer cache: stores extracted layers by their digest.
LayerDigest
Image layer digest (SHA-256).
MemoryStat
Memory statistics counters.
NatPortMapping
NAT port mapping entry.
NatTable
NAT masquerade table for outbound SNAT and inbound port forwarding.
OciConfig
Parsed OCI runtime configuration (config.json equivalent).
OciContainer
An OCI-compliant container runtime instance.
OciHook
Lifecycle hook specification.
OciHooks
OCI hooks at different lifecycle points.
OciLinuxConfig
Linux-specific configuration.
OciMount
A single mount specification from the OCI config.
OciNamespace
A namespace entry in the OCI linux config.
OciProcess
Process specification from config.json.
OciRoot
Root filesystem specification.
OomEvent
OOM event information.
OverlayEntry
A single entry in an overlay layer.
OverlayFs
Overlay filesystem combining multiple layers.
OverlayLayer
A single layer in the overlay filesystem.
SeccompData
Seccomp data structure matching the kernel’s struct seccomp_data.
SeccompFilter
A seccomp BPF filter program.
SeccompState
Per-process seccomp state.
VethBridge
Bridge configuration for container networking.
VethEndpoint
Virtual Ethernet interface state.
VethPair
A virtual Ethernet pair.

Enums

BpfOpcode
BPF instruction opcodes for seccomp filters.
OciLifecycleState
OCI container lifecycle states per the runtime-spec.
OciNamespaceKind
Linux namespace configuration from the OCI config.
OverlayEntryKind
Entry type in the overlay filesystem.
SeccompAction
Seccomp return action values.
SeccompMode
Seccomp operating modes.

Functions

create_veth_pair
Create a veth pair with generated MACs.
generate_veth_mac
Generate a deterministic MAC address from a veth pair ID.
is_gzip
Gzip detection: check for gzip magic bytes (0x1f, 0x8b).
parse_tar_filename
Extract the NUL-terminated filename from the first 100 bytes of a TAR header (the octal size field occupies bytes 124..135).
parse_tar_size
Parse octal size from TAR header bytes 124..135.
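The three helpers above describe the two TAR header fields and the gzip magic a layer extractor looks at. The following is an added example, not VeridianOS code: a parser for a 512-byte POSIX tar header that reads those fields and also applies the checks an extractor of untrusted image layers needs, namely header checksum verification, rejection of the GNU base-256 size encoding instead of mis-sizing the payload, and rejection of absolute or `..`-bearing names before they reach the overlay. `parse_tar_header`, `make_header`, `finalize_checksum`, `TarEntry` and `TarError` are this example's own names (`is_gzip` mirrors the listing's name but the body is mine); the sample headers are constructed in the code. It uses `std` (`String`, `format!`) so it runs directly; the module itself is `no_std`.

```rust
// Added example (not VeridianOS code). Hypothetical names; POSIX ustar layout.

const TAR_HEADER_LEN: usize = 512;
const NAME: core::ops::Range<usize> = 0..100;     // NUL-terminated filename
const SIZE: core::ops::Range<usize> = 124..136;   // 11 octal digits + NUL/space
const CHKSUM: core::ops::Range<usize> = 148..156; // 6 octal digits + NUL + space
const TYPEFLAG: usize = 156;
const GZIP_MAGIC: [u8; 2] = [0x1f, 0x8b];

/// Gzip detection on the first two bytes of a layer blob.
pub fn is_gzip(data: &[u8]) -> bool {
    data.len() >= 2 && data[..2] == GZIP_MAGIC
}

#[derive(Debug, PartialEq, Eq)]
pub enum TarError { Short, BadChecksum, BadSize, UnsafePath }

#[derive(Debug, PartialEq, Eq)]
pub struct TarEntry { pub name: String, pub size: u64, pub typeflag: u8 }

/// Octal field: optional leading spaces, digits, then only NUL/space padding.
fn parse_octal(field: &[u8]) -> Option<u64> {
    let mut i = 0;
    while i < field.len() && field[i] == b' ' { i += 1; }
    let (mut v, mut digits) = (0u64, 0);
    while i < field.len() && (b'0'..=b'7').contains(&field[i]) {
        v = v.checked_mul(8)?.checked_add((field[i] - b'0') as u64)?;
        i += 1;
        digits += 1;
    }
    if digits == 0 || field[i..].iter().any(|&b| b != 0 && b != b' ') { return None; }
    Some(v)
}

/// Reject names that would escape the extraction root when joined onto it.
fn is_safe_path(name: &str) -> bool {
    !name.is_empty() && !name.starts_with('/') && name.split('/').all(|c| c != "..")
}

/// Ok(None) for the all-zero end-of-archive block, Ok(Some(entry)) otherwise.
pub fn parse_tar_header(h: &[u8]) -> Result<Option<TarEntry>, TarError> {
    if h.len() < TAR_HEADER_LEN { return Err(TarError::Short); }
    let h = &h[..TAR_HEADER_LEN];
    if h.iter().all(|&b| b == 0) { return Ok(None); }
    // Checksum: byte sum of the header with the checksum field itself read as spaces.
    let sum: u32 = h.iter().enumerate()
        .map(|(i, &b)| if CHKSUM.contains(&i) { 0x20 } else { b as u32 }).sum();
    let stored = parse_octal(&h[CHKSUM]).ok_or(TarError::BadChecksum)?;
    if stored != sum as u64 { return Err(TarError::BadChecksum); }
    // High bit set in the first size byte means GNU base-256 encoding; not handled here.
    if h[SIZE.start] & 0x80 != 0 { return Err(TarError::BadSize); }
    let size = parse_octal(&h[SIZE]).ok_or(TarError::BadSize)?;
    let raw = &h[NAME];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(raw.len());
    let name = core::str::from_utf8(&raw[..end]).map_err(|_| TarError::UnsafePath)?;
    if !is_safe_path(name) { return Err(TarError::UnsafePath); }
    Ok(Some(TarEntry { name: name.to_string(), size, typeflag: h[TYPEFLAG] }))
}

/// Recompute and store the checksum field (used by make_header and by tests
/// that deliberately alter other fields).
pub fn finalize_checksum(h: &mut [u8; TAR_HEADER_LEN]) {
    h[CHKSUM].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[CHKSUM].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
}

/// Build a constructed ustar header for a regular-file-style entry (sizes < 8 GiB).
pub fn make_header(name: &str, size: u64, typeflag: u8) -> [u8; TAR_HEADER_LEN] {
    let mut h = [0u8; TAR_HEADER_LEN];
    let n = name.as_bytes();
    let len = n.len().min(NAME.end);
    h[..len].copy_from_slice(&n[..len]);
    h[SIZE].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[TYPEFLAG] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    finalize_checksum(&mut h);
    h
}

fn main() {
    let h = make_header("layer/bin/sh", 0o1234567, b'0');
    println!("{:?}", parse_tar_header(&h));
    println!("gzip? {}", is_gzip(&[0x1f, 0x8b, 0x08]));
}
```

The order of checks matters: the checksum is verified before any field is trusted, so a corrupted or forged size cannot desynchronise the stream, and the name is validated before the entry is handed to whatever writes into the layer's upper directory.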