Component: Garden

Page last updated:

This topic describes Garden, the component that Cloud Foundry uses to create and manage isolated environments called containers. Each instance of an application deployed to Cloud Foundry runs within a container. For more information about how containers work, see the Container Mechanics section of the Understanding Container Security topic.

Backends

Garden has pluggable backends for different platforms and runtimes, and specifies a set of interfaces that each platform-specific backend must implement. These interfaces contain methods to perform the following actions:

  • Create and delete containers
  • Apply resource limits to containers
  • Open and attach network ports to containers
  • Copy files into and out of containers
  • Run processes within containers
  • Stream STDOUT and STDERR data out of containers
  • Annotate containers with arbitrary metadata
  • Snapshot containers for redeploys without downtime

For more information, see the Garden repository on GitHub.

Garden-runC

Cloud Foundry currently uses the Garden-runC backend, a Linux-specific implementation of the Garden interface using the Open Container Interface (OCI) standard. Previous versions of Cloud Foundry used the Garden-Linux backend.

Garden-runC has the following features:

  • Uses the same OCI low-level container execution code as Docker and Kubernetes, so container images run identically across all three platforms
  • AppArmor is configured and enforced by default for all unprivileged containers
  • Seccomp whitelisting restricts the set of system calls a container can access, reducing the risk of container breakout
  • Allows pluggable networking and rootfs management

For more information, see the Garden-runC repository on GitHub.

Was this helpful?
What can we do to improve?
View the source for this page in GitHub