Component: Garden

Page last updated:

This topic describes Garden, the component that Cloud Foundry uses to create and manage isolated environments called containers. Each instance of an application deployed to Cloud Foundry runs within a container. For more information about how containers work, see the Container Mechanics section of the Understanding Container Security topic.

Backends

Garden has pluggable backends for different platforms and runtimes, and specifies a set of interfaces that each platform-specific backend must implement. These interfaces contain methods to perform the following actions:

• Create and delete containers
• Apply resource limits to containers
• Open and attach network ports to containers
• Copy files into and out of containers
• Run processes within containers
• Stream STDOUT and STDERR data out of containers
• Annotate containers with arbitrary metadata
• Snapshot containers for redeploys without downtime

For more information, see the Garden repository on GitHub.

Garden-runC

Cloud Foundry currently uses the Garden-runC backend, a Linux-specific implementation of the Garden interface using the Open Container Interface (OCI) standard. Previous versions of Cloud Foundry used the Garden-Linux backend.

Garden-runC has the following features:

• Uses the same OCI low-level container execution code as Docker and Kubernetes, so container images run identically across all three platforms
• AppArmor is configured and enforced by default for all unprivileged containers
• Seccomp whitelisting restricts the set of system calls a container can access, reducing the risk of container breakout
• Allows pluggable networking and rootfs management

For more information, see the Garden-runC repository on GitHub.