This topic describes Garden, the component that Cloud Foundry Application Runtime uses to create and manage isolated environments called containers. Each instance of an application deployed to Cloud Foundry runs within a container. For more information about how containers work, see the Container Mechanics section of the Container Security topic.
Garden has pluggable backends for different platforms and runtimes, and specifies a set of interfaces that each platform-specific backend must implement. These interfaces contain methods to perform the following actions:
- Create and delete containers
- Apply resource limits to containers
- Open and attach network ports to containers
- Copy files into and out of containers
- Run processes within containers
STDERRdata out of containers
- Annotate containers with arbitrary metadata
- Snapshot containers for redeploys without downtime
For more information, see the Garden repository on GitHub.
Cloud Foundry currently uses the Garden-runC backend, a Linux-specific implementation of the Garden interface using the Open Container Interface (OCI) standard. Previous versions of Cloud Foundry used the Garden-Linux backend.
Garden-runC has the following features:
- Uses the same OCI low-level container execution code as Docker and Kubernetes, so container images run identically across all three platforms
- AppArmor is configured and enforced by default for all unprivileged containers
- Seccomp whitelisting restricts the set of system calls a container can access, reducing the risk of container breakout
- Allows pluggable networking and rootfs management
For more information, see the Garden-runC repository on GitHub.
Garden manages container filesystems through a plugin interface. Cloud Foundry uses the GrootFS plugin for this task. GrootFS is a Linux-specific implementation of the Garden volume plugin interface.
GrootFS performs the following actions:
- Creates container filesystems based on buildpacks and droplets
- Creates container filesystems based on remote docker images
- Authenticates with remote registries when using remote images
- Properly maps UID/GID for all files inside an image
- Executes garbage collection to remove unused volumes
- Applies per container disk quotas
- Provides per container disk usage stats