# actiond Developer Reference Wiki > actiond is a local Remote Execution API (REAPI) worker and cache for running Bazel actions in a hermetic Linux sandbox, supporting both direct Linux host execution via chroot/namespaces and macOS-hosted Linux VM execution via Apple's Virtualization.framework. This is a Grok-Wiki source-grounded repository wiki. Use the complete Markdown link when an agent needs the full repo context. ## Context Links - [Complete Markdown wiki](https://grok-wiki.com/public/wiki/hermeticbuild-actiond-796c0ee40e63/llms-full.txt) - [Complete Markdown alias](https://grok-wiki.com/public/wiki/hermeticbuild-actiond-796c0ee40e63.md) - [Human interactive wiki](https://grok-wiki.com/public/wiki/hermeticbuild-actiond-796c0ee40e63) - [GitHub repository](https://github.com/hermeticbuild/actiond) ## Repository - Repository: hermeticbuild/actiond - Generated: 2026-05-25T17:47:35.912Z - Updated: 2026-05-25T18:16:09.115Z - Runtime: Pi · Claude Code · claude-sonnet-4-6 - Format: Technical - Pages: 6 ## Pages - [Technical Orientation](https://grok-wiki.com/public/wiki/hermeticbuild-actiond-796c0ee40e63/pages/01-technical-orientation.md): What actiond is, its two execution modes (linux-actiond and darwin-actiond serve-vm), the top-level binary layout, the REAPI subset it implements, and how the rest of this reference is organized. - [REAPI Server, CAS & Data Flow](https://grok-wiki.com/public/wiki/hermeticbuild-actiond-796c0ee40e63/pages/02-reapi-server-cas-data-flow.md): The HTTP/2 gRPC server that implements the REAPI surface (Execution, CAS, ByteStream, ActionCache, Capabilities), how blobs are stored and addressed in the content-addressable store, and the end-to-end data flow from Bazel client through to action output collection. - [Linux Host Execution — Chroot, Namespaces & Cgroups](https://grok-wiki.com/public/wiki/hermeticbuild-actiond-796c0ee40e63/pages/03-linux-host-execution-chroot-namespaces-cgroups.md): How linux-actiond runs actions directly on a Linux host: execroot construction, read-only bind mounts for CAS inputs, private mount and network namespace setup, loopback-only networking, uid/gid drop, PR_SET_NO_NEW_PRIVS, and best-effort cgroup v2 resource limits. - [macOS VM Execution — darwin-actiond, vsock & Guest Worker](https://grok-wiki.com/public/wiki/hermeticbuild-actiond-796c0ee40e63/pages/04-macos-vm-execution-darwin-actiond-vsock-guest-worker.md): How darwin-actiond serve-vm boots a minimal arm64 Linux VM via Virtualization.framework, proxies REAPI traffic over virtio-vsock to linux-actiond-guest, manages the guest-owned ext4 CAS on a virtio block device, and handles standalone binary payload extraction at startup. - [actiondfs — Lazy CAS-Backed Input Filesystem](https://grok-wiki.com/public/wiki/hermeticbuild-actiond-796c0ee40e63/pages/05-actiondfs-lazy-cas-backed-input-filesystem.md): The custom Linux kernel filesystem module that exposes REAPI input trees to VM actions without per-file copies: lazy Directory proto resolution from the guest CAS, VM-lifetime parsed Directory cache keyed by digest, backing-file delegation for read/splice/mmap, strict vs. overlayfs compatibility paths for input-mutating actions, and the /proc/actiondfs_stats counter interface. - [Build System, Runtime Images & Testing](https://grok-wiki.com/public/wiki/hermeticbuild-actiond-796c0ee40e63/pages/06-build-system-runtime-images-testing.md): How the full repo is built with Bazel and rules_zig, how glibc runtime SquashFS images are packaged and selected via the libc platform property, how standalone binaries embed compressed kernel and initramfs payloads, and the layered testing strategy: unit tests, Docker Linux e2e, VM e2e, and the LLVM tblgen smoke benchmark. ## Source Files - `ARCHITECTURE.md` - `BUILD.bazel` - `cmd/darwin_actiond/` - `cmd/linux_actiond_guest/` - `cmd/linux_actiond/` - `e2e/llvm_tblgen_smoke.sh` - `e2e/run_llvm_vm_smoke.sh` - `kernel/actiondfs/actiondfs.c` - `kernel/actiondfs/BUILD.bazel` - `kernel/actiondfs/Kconfig` - `kernel/actiondfs/Makefile` - `MODULE.bazel` - `README.md` - `runtimes/BUILD.bazel` - `runtimes/glibc_runtime_repo.bzl` - `src/action_cache_service.zig` - `src/action_executor.zig` - `src/action_runner.zig` - `src/body_sink.zig` - `src/bytestream_service.zig` - `src/cache_service.zig` - `src/capabilities_service.zig` - `src/cas.zig` - `src/control_protocol.zig` - `src/darwin_vm_host.zig` - `src/darwin_vm.zig` - `src/embedded_payload.zig` - `src/execroot.zig` - `src/execution_service.zig` - `src/grpc_http2_server.zig` - `src/grpc_vsock_bridge.zig` - `src/guest_init.zig` - `src/guest_worker.zig` - `src/reapi_dispatch.zig` - `src/reapi.zig` - `src/root.zig` - `src/runtime_mount.zig` - `src/staged_cas_index.zig` - `src/vsock.zig` - `tools/e2e.sh` - `vm/BUILD.bazel`