Component: Garden

Page last updated:

This topic describes Garden, the component that Cloud Foundry uses to create and manage isolated environments called containers. Each instance of an application deployed to Cloud Foundry runs within a container. For more information about how containers work, see the Container Mechanics section of the Understanding Container Security topic.


Garden has pluggable backends for different platforms and runtimes, and specifies a set of interfaces that each platform-specific backend must implement. These interfaces contain methods to perform the following actions:

  • Create and delete containers
  • Apply resource limits to containers
  • Open and attach network ports to containers
  • Copy files into and out of containers
  • Run processes within containers
  • Stream STDOUT and STDERR data out of containers
  • Annotate containers with arbitrary metadata
  • Snapshot containers for redeploys without downtime

For more information, see the Garden repository on GitHub.


Cloud Foundry currently uses the Garden-runC backend, a Linux-specific implementation of the Garden interface using the Open Container Interface (OCI) standard. Previous versions of Cloud Foundry used the Garden-Linux backend.

Note: Elastic Runtime versions v1.8.8 and above use Garden-runC instead of Garden-Linux.

Garden-runC has the following features:

  • Uses the same OCI low-level container execution code as Docker and Kubernetes, so container images run identically across all three platforms
  • AppArmor is configured and enforced by default for all unprivileged containers
  • Seccomp whitelisting restricts the set of system calls a container can access, reducing the risk of container breakout
  • Allows pluggable networking and rootfs management

For more information, see the Garden-runC repository on GitHub.

Create a pull request or raise an issue on the source for this page in GitHub