Page last updated:

This topic describes Garden, the component that Cloud Foundry uses to create and manage isolated environments called containers. Each instance of an application deployed to Cloud Foundry runs within a container. For more information about how containers work, see the Container Mechanics section of the Container Security topic.


Garden has pluggable backends for different platforms and runtimes, and specifies a set of interfaces that each platform-specific backend must implement. These interfaces contain methods to perform the following actions:

  • Create and delete containers
  • Apply resource limits to containers
  • Open and attach network ports to containers
  • Copy files into and out of containers
  • Run processes within containers
  • Stream STDOUT and STDERR data out of containers
  • Annotate containers with arbitrary metadata
  • Snapshot containers for redeploys without downtime

For more information, see the Garden repository on GitHub.


Cloud Foundry currently uses the Garden-runC backend, a Linux-specific implementation of the Garden interface using the Open Container Interface (OCI) standard. Previous versions of Cloud Foundry used the Garden-Linux backend.

Note: PAS versions v1.8.8 and above use Garden-runC instead of Garden-Linux.

Garden-runC has the following features:

  • Uses the same OCI low-level container execution code as Docker and Kubernetes, so container images run identically across all three platforms
  • AppArmor is configured and enforced by default for all unprivileged containers
  • Seccomp whitelisting restricts the set of system calls a container can access, reducing the risk of container breakout
  • Allows pluggable networking and rootfs management

For more information, see the Garden-runC repository on GitHub.

Garden RootFS (GrootFS)

Garden manages container filesystems through a plugin interface. Cloud Foundry uses the GrootFS plugin for this task. GrootFS is a Linux-specific implementation of the Garden volume plugin interface.

GrootFS performs the following actions:

  • Creates container filesystems based on buildpacks and droplets
  • Creates container filesystems based on remote docker images
  • Authenticates with remote registries when using remote images
  • Properly maps UID/GID for all files inside an image
  • Executes garbage collection to remove unused volumes
  • Applies per container disk quotas
  • Provides per container disk usage stats

For more information, see GrootFS Disk Usage and the GrootFS repository on GitHub.