Page last updated:

This topic describes Garden, the component that Cloud Foundry uses to create and manage isolated environments called containers. Each instance of an app deployed to Cloud Foundry runs within a container. For more information about how containers work, see Container Mechanics in Container Security.

Back ends

Garden has plug-in back ends for different platforms and runtimes, and specifies a set of interfaces that each platform-specific back end must implement. These interfaces contain methods to perform the following actions:

  • Create and delete containers
  • Apply resource limits to containers
  • Open and attach network ports to containers
  • Copy files into and out of containers
  • Run processes within containers
  • Stream STDOUT and STDERR data out of containers
  • Annotate containers with arbitrary metadata
  • Snapshot containers for redeploys without downtime

For more information, see the Garden repository on GitHub.


Cloud Foundry currently uses the Garden-runC back end, a Linux-specific implementation of the Garden interface using the Open Container Interface (OCI) standard. Previous versions of Cloud Foundry used the Garden-Linux back end. For more information, see the Garden-Linux repository on GitHub.

Garden-runC has the following features:

  • Uses the same OCI low-level container execution code as Docker and Kubernetes, so container images run identically across all three platforms

  • AppArmor is configured and enforced by default for all unprivileged containers

  • Seccomp allowlisting restricts the set of system calls a container can access, reducing the risk of container breakout

  • Allows plug-in networking and rootfs management

For more information, see the Garden-runC repository on GitHub.

HealthChecker usage by monit

This component uses the Healthchecker-release to perform its monit health checks. It adds TCP and HTTP health checks to extend standard monit service checks. Because the version of monit included in BOSH does not support specific TCP or HTTP health checks, this utility performs health checking and restart processing when they become unreachable.

Healthchecker is added to a BOSH release as a monit process under the Job to be monitored. It is configured to perform a health check against the main process in the Job. If Healthchecker detects a failure, it exits. The Healthchecker supplementary script restarts the main monit process, allowing up to ten failures in a row. After ten consecutive failures, it stops restarting the Job because the process is either in a poor state, or the health checker is misconfigured and is causing process downtime.

This component typically requires no additional configuration by platform operators.

Garden RootFS (GrootFS)

Garden manages container file systems through a plug-in interface. Cloud Foundry uses the GrootFS plug-in for this task. GrootFS is a Linux-specific implementation of the Garden volume plug-in interface.

GrootFS performs the following actions:

  • Creates container file systems based on buildpacks and droplets
  • Creates container file systems based on remote docker images
  • Authenticates with remote registries when using remote images
  • Properly maps UID/GID for all files inside an image
  • Runs garbage collection to remove unused volumes
  • Applies per container disk quotas
  • Provides per container disk usage stats

For more information, see GrootFS Disk Usage and the GrootFS repository on GitHub.

Create a pull request or raise an issue on the source for this page in GitHub