Containers without the baggage.
The Layers Scale is Tophan’s application packaging and deployment system. It uses immutable overlayfs layers to compose applications — no daemon, no socket, no runtime to secure, no container escape to worry about.
Traditional container platforms run a privileged daemon that manages everything. That daemon has root access, listens on a network socket, and is a high-value target for attackers. Container escapes are a well-documented attack class, and the entire security model depends on a single daemon not having bugs.
Tophan’s Layers Scale takes a different approach: applications are composed from immutable filesystem layers using the kernel’s own overlayfs. There’s no daemon to compromise because there’s no daemon at all.
| Feature | Description | Status |
|---|---|---|
| Immutable Base Layers | Application base images are read-only. Always. No runtime modification possible. | Stable |
| Application Layers | Each application is a thin layer on top of a shared base. Only the differences are stored. | Beta |
| Layer Composition | Stack layers in any order. Base OS + runtime + application + configuration = running workload. | Beta |
| Deduplication | Identical layers across applications are stored once. 50 apps sharing the same base = 1 copy on disk. | Beta |
| Image Management | Build, sign, verify, and distribute layer images. Private registries with content-addressable storage. | Beta |
| Security Scanning | Every layer is scannable against known vulnerability databases. Scan at build time, at deploy time, and continuously. | Planned |
| Namespace Isolation | Applications run in separate Linux namespaces. Process, network, mount, and user isolation. | Stable |
| Resource Limits | cgroups v2 resource control. CPU, memory, I/O, and PID limits per application. | Stable |
```
┌─────────────────────────┐
│ Application Config      │  Environment, ports, mounts
├─────────────────────────┤
│ Application Layer       │  App binaries + libraries
├─────────────────────────┤
│ Runtime Layer           │  Language runtime (if needed)
├─────────────────────────┤
│ Base OS Layer           │  Minimal root filesystem
└─────────────────────────┘
         overlayfs
```
At runtime, overlayfs merges these layers into a single coherent filesystem. The application sees a normal Linux root. Changes during execution go to an ephemeral upper layer that is discarded when the application stops.
No daemon assembles this. The kernel does it natively. tophand manages lifecycle (start, stop, health checks), but the isolation is a kernel primitive, not a userspace construct.
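The composition described above can be reproduced with plain `mount`. This is an added illustration, not Tophan's code: the function names and all paths are hypothetical, and it assumes each layer is an unpacked directory. It shows the two details that matter in practice: overlayfs takes `lowerdir` top-most first, and the writable upper layer lives on a tmpfs so it disappears on unmount.

```shell
#!/bin/sh
# Added illustration; not Tophan code. Names and paths are hypothetical.

# Build overlayfs mount options. Layers are passed bottom-first
# (base OS, runtime, application); overlayfs wants lowerdir top-most
# first, so the list is reversed. UPPER and WORK must share a filesystem.
overlay_opts() {
    if [ "$#" -lt 3 ]; then
        echo "usage: overlay_opts UPPER WORK LAYER..." >&2
        return 2
    fi
    for layer in "$@"; do
        case $layer in
            # ':' separates lowerdir entries and ',' separates mount
            # options, so either one in a path would alter the stack.
            *[,:]*|'') echo "unsafe path: $layer" >&2; return 1 ;;
            /*) ;;
            *) echo "path must be absolute: $layer" >&2; return 1 ;;
        esac
    done
    upper=$1; work=$2; shift 2
    lower=
    for layer in "$@"; do
        lower="$layer${lower:+:$lower}"
    done
    printf 'lowerdir=%s,upperdir=%s,workdir=%s\n' "$lower" "$upper" "$work"
}

# Mount the stack at MERGED with an ephemeral upper layer (needs root).
# Unmounting MERGED and then SCRATCH discards every runtime write;
# the lower layers are never modified.
compose_rootfs() {
    scratch=$1; merged=$2; shift 2
    mount -t tmpfs -o mode=0700 tmpfs "$scratch" &&
    mkdir "$scratch/upper" "$scratch/work" &&
    opts=$(overlay_opts "$scratch/upper" "$scratch/work" "$@") &&
    mount -t overlay overlay -o "$opts" "$merged"
}
```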
| Aspect | Traditional Containers | Tophan Layers |
|---|---|---|
| Runtime daemon | Yes (privileged) | None |
| Network socket | Yes (attack surface) | None |
| Escape attacks | Well-documented class | No daemon to escape to |
| Image format | Proprietary | Standard overlayfs |
| Deduplication | Per-host only | Cluster-wide |
| Immutability | Optional | Mandatory |