This topic describes Garden, the component that Pivotal Application Service (PAS) uses to create and manage isolated environments called containers. Each instance of an app deployed to PAS runs within a container. For more information about how containers work, see Container Mechanics in Container Security.

Back Ends

Garden has pluggable back ends for different platforms and runtimes, and specifies a set of interfaces that each platform-specific back end must implement. These interfaces contain methods to perform the following actions:

  • Create and delete containers
  • Apply resource limits to containers
  • Open and attach network ports to containers
  • Copy files into and out of containers
  • Run processes within containers
  • Stream STDOUT and STDERR data out of containers
  • Annotate containers with arbitrary metadata
  • Snapshot containers for redeploys without downtime

For more information, see the Garden repository on GitHub.


PAS currently uses the Garden-runC back end, a Linux-specific implementation of the Garden interface built on runC and the Open Container Initiative (OCI) runtime specification. Previous versions of PAS used the Garden-Linux back end. For more information, see the Garden-Linux repository on GitHub.

Note: PAS v1.8.8 and later use Garden-runC instead of Garden-Linux.

Garden-runC has the following features:

  • Uses runC, the same OCI low-level container runtime that Docker and Kubernetes use to execute containers, so an OCI image runs consistently across all three platforms

  • AppArmor is configured and enforced by default for all unprivileged containers

  • Seccomp allowlisting denies by default: a container can only make the system calls on its allowlist, and every other syscall is refused by the kernel, which shrinks the kernel attack surface available for a container breakout

  • Supports pluggable network and rootfs (root filesystem) plugins

For more information, see the Garden-runC repository on GitHub.
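The seccomp allowlisting described above is easy to see in miniature with a plain seccomp-BPF filter. The following is an added example and is not Garden-runC's code or its actual syscall profile. It forks a child, installs a default-deny filter in the child whose allowlist holds only getpid, write, exit and exit_group, and has the child attempt one syscall: an allowlisted one (getpid), a harmless one that is simply not on the list (getuid), and ptrace, a classic breakout primitive. Everything not allowlisted fails with EPERM, which is the mechanism a Garden-runC container runs under, just with a far longer list. The function names, result codes and the four-entry allowlist are this example's own choices, not anything from the Garden project.

```c
/* Added example (not Garden-runC's code or its real syscall profile):
 * a default-deny seccomp-BPF allowlist, installed in a forked child so
 * the parent stays unfiltered and can report what the filter did. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Syscall numbers differ per architecture, so the filter pins the arch it was built for. */
#if defined(__x86_64__)
#define PROBE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define PROBE_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define PROBE_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS /* older kernel headers: fall back to thread kill */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

enum probe_result {
    PROBE_ALLOWED = 0,      /* the syscall reached the kernel */
    PROBE_DENIED_EPERM = 1, /* the filter answered SECCOMP_RET_ERRNO(EPERM) */
    PROBE_SETUP_FAILED = 2, /* fork or prctl failed: no seccomp-filter support here */
    PROBE_KILLED = 3,       /* child died by signal (the arch check fired) */
};

/* Install the allowlist in the calling process. Returns 0 on success. */
static int install_allowlist(void)
{
    struct sock_filter filter[] = {
        /* 0-2: kill the process if the arch is not the one we compiled for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PROBE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3: load the syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 4-7: the allowlist; each match jumps to the ALLOW at index 9 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getpid,     4, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write,      3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit,       1, 0),
        /* 8: default action, everything else fails with EPERM */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 9: allowed */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* An unprivileged process may only install a filter after promising
     * never to gain privileges again (no setuid escalation past the filter). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, filter the child, let it attempt syscall `nr` with zeroed arguments,
 * and return an enum probe_result describing what the filter did. */
int run_probe(long nr)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_SETUP_FAILED;
    if (pid == 0) {
        if (install_allowlist() != 0)
            _exit(PROBE_SETUP_FAILED);
        errno = 0;
        long rc = syscall(nr, 0L, 0L, 0L, 0L, 0L, 0L);
        if (rc == -1 && errno == EPERM)
            _exit(PROBE_DENIED_EPERM); /* _exit uses exit_group, which is allowlisted */
        _exit(PROBE_ALLOWED);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return PROBE_SETUP_FAILED;
    if (WIFSIGNALED(status))
        return PROBE_KILLED;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("getpid : %d (expect %d, allowlisted)\n", run_probe(SYS_getpid), PROBE_ALLOWED);
    printf("getuid : %d (expect %d, harmless but not allowlisted)\n", run_probe(SYS_getuid), PROBE_DENIED_EPERM);
    printf("ptrace : %d (expect %d, breakout primitive, not allowlisted)\n", run_probe(SYS_ptrace), PROBE_DENIED_EPERM);
    return 0;
}
```

Two details matter in practice. The filter checks the architecture before it looks at the syscall number, because numbers differ between ABIs and a filter that skips this check can be bypassed on x86_64 by issuing 32-bit syscalls; a mismatch kills the process rather than returning an error. The default action here is ERRNO(EPERM) rather than KILL so the probe can report what happened; a production profile chooses per syscall between returning an error, which keeps applications that merely probe for a feature working, and killing the process, which stops an attacker from retrying.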

Garden RootFS (GrootFS)

Garden manages container filesystems through a plugin interface. PAS uses the GrootFS plugin for this task. GrootFS is a Linux-specific implementation of the Garden volume plugin interface.

GrootFS performs the following actions:

  • Creates container filesystems based on buildpacks and droplets
  • Creates container filesystems based on remote docker images
  • Authenticates with remote registries when using remote images
  • Maps the UID/GID of every file inside an image according to the container's user namespace mappings, so file ownership inside an unprivileged container does not collide with host accounts
  • Executes garbage collection to remove unused volumes
  • Applies per-container disk quotas
  • Provides per-container disk usage stats

For more information, see GrootFS Disk Usage and the GrootFS repository on GitHub.