This topic describes Garden, the component that Cloud Foundry uses to create and manage isolated environments called containers. Each instance of an application deployed to Cloud Foundry runs within a container. For more information about how containers work, see the Container Mechanics section of the Container Security topic.
Garden has pluggable backends for different platforms and runtimes, and specifies a set of interfaces that each platform-specific backend must implement. These interfaces contain methods to perform the following actions:
- Create and delete containers
- Apply resource limits to containers
- Open and attach network ports to containers
- Copy files into and out of containers
- Run processes within containers
STDERRdata out of containers
- Annotate containers with arbitrary metadata
- Snapshot containers for redeploys without downtime
For more information, see the Garden repository on GitHub.
Cloud Foundry currently uses the Garden-runC backend, a Linux-specific implementation of the Garden interface using the Open Container Interface (OCI) standard. Previous versions of Cloud Foundry used the Garden-Linux backend.
Garden-runC has the following features:
- Uses the same OCI low-level container execution code as Docker and Kubernetes, so container images run identically across all three platforms
- AppArmor is configured and enforced by default for all unprivileged containers
- Seccomp whitelisting restricts the set of system calls a container can access, reducing the risk of container breakout
- Allows pluggable networking and rootfs management
For more information, see the Garden-runC repository on GitHub.
Garden manages container filesystems through a plugin interface. Cloud Foundry uses the GrootFS plugin for this task. GrootFS is a Linux-specific implementation of the Garden volume plugin interface.
GrootFS performs the following actions:
- Creates container filesystems based on buildpacks and droplets
- Creates container filesystems based on remote docker images
- Authenticates with remote registries when using remote images
- Properly maps UID/GID for all files inside an image
- Executes garbage collection to remove unused volumes
- Applies per container disk quotas
- Provides per container disk usage stats