Open Source Container Orchestration

Lightweight Container
Orchestration

Run containers natively on Linux (libcontainer), macOS (Apple Containerization), and Windows (Hyper-V HCS plus a WSL2 delegate). Encrypted overlay networking, a built-in image builder, and a Raft-backed scheduler — in a single binary, no daemon.

Get Started Try It Now

Install

One binary. No daemon. Pick your platform.

Linux / macOS

Linux / macOS
curl -fsSL https://zlayer.dev/install | sh

Windows (PowerShell)

Windows (PowerShell)
irm https://zlayer.dev/install | iex

Python

Python
curl -fsSL https://zlayer.dev/install.py | python3

From source (Cargo)

From source (Cargo)
cargo install --git https://forge.blackleafdigital.com/BlackLeafDigital/ZLayer zlayer

After install, run zlayer --version to verify. Need a specific build? Hit /latest-linux-amd64, /latest-linux-arm64, /latest-macos-silicon, /latest-macos-intel, or /latest-windows — each 302s to the matching asset on the newest GitHub release.

Why ZLayer?

Purpose-built for simplicity, security, and performance. Everything you need, nothing you don't.

Cross-Platform Native

First-class support for Linux, macOS, and Windows. youki on Linux, Seatbelt on macOS, HCS native plus WSL2 delegate on Windows. No Docker Desktop required.

Daemonless on Linux

On Linux, each container runs as a direct child process via libcontainer. Complete control, full visibility, no daemon to keep alive.

Built-in Image Builder

Build OCI images directly from Dockerfile or ZImagefile YAML. buildah on Linux and macOS, native HCS-backed builder on Windows. No external tools required.

Encrypted Overlay Networks

Mesh networking via boringtun userspace WireGuard. IP allocation, DNS service discovery, and health checking. Wintun adapter on Windows.

Security First

Rootless containers, seccomp profiles, and namespace isolation. OpenID Connect SSO, RBAC with users, groups, and permissions, plus an audit log of every change.

GitOps & Multi-Tenancy

Project-scoped deployments with git polling, webhook receivers, environments, secrets, and credentials. Workflows compose tasks, builds, and deploys into DAGs.

Simple Configuration

This is the actual spec format the zlayer deploy CLI consumes — not a Kubernetes-style approximation.

my-app.zlayer.yml
version: v1
deployment: my-app

services:
  web:
    rtype: service
    image:
      name: ghcr.io/myorg/web:latest
      pull_policy: if_not_present

    resources:
      cpu: 1.0
      memory: 512Mi

    env:
      DATABASE_URL: "postgres://db:5432/app"
      RUST_LOG: "info"

    endpoints:
      - name: http
        protocol: http
        port: 3000
        host: app.example.com
        expose: public

    scale:
      mode: adaptive
      min_replicas: 2
      max_replicas: 10
      target_cpu_percent: 70

    health:
      start_grace: 15s
      interval: 10s
      timeout: 5s
      retries: 3
      check:
        type: tcp
        port: 3000

Validate a deployment

Paste a ZLayer deployment spec. We run the actual zlayer-spec parser on the server and tell you exactly what's wrong — same code path as zlayer deploy. Includes a WebAssembly runtime — see the Playground for that.

Container Spec (YAML)

Validation

Click Validate to check the spec

Open Full Playground

Ready to Get Started?

Deploy your first container in minutes. Check out our documentation or try the interactive playground.

Read the Docs View on GitHub

Lightweight ContainerOrchestration