{"id":18674,"date":"2016-12-27T13:02:36","date_gmt":"2016-12-27T10:02:36","guid":{"rendered":"https:\/\/www.altoros.com\/blog\/?p=18674"},"modified":"2021-12-17T18:04:42","modified_gmt":"2021-12-17T15:04:42","slug":"cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf","status":"publish","type":"post","link":"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/","title":{"rendered":"Cloud Foundry\u2019s Garden: Back Ends, Container Security, and Debugging"},"content":{"rendered":"<h3><span class=\"ez-toc-section\" id=\"Containerization_in_Cloud_Foundry\"><\/span>Containerization in Cloud Foundry<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Providing isolation for applications, containers have always been a core component of Cloud Foundry\u2014each application deployed to the platform runs inside its own container.<\/p>\n<p>So far, two mechanisms have been developed for creating and managing Cloud Foundry containers: <a href=\"https:\/\/github.com\/cloudfoundry-attic\/warden\" target=\"_blank\" rel=\"noopener noreferrer\">Warden<\/a> and <a href=\"https:\/\/github.com\/cloudfoundry\/garden\" target=\"_blank\" rel=\"noopener noreferrer\">Garden<\/a>. The <a href=\"https:\/\/github.com\/cloudfoundry-attic\/dea_ng\" target=\"_blank\" rel=\"noopener noreferrer\">Droplet Execution Agent<\/a> (DEA), Cloud Foundry\u2019s first runtime architecture, relied on Warden to orchestrate application containers. After the DEA was rewritten, a newer <a href=\"https:\/\/github.com\/cloudfoundry\/diego-release\" target=\"_blank\" rel=\"noopener noreferrer\">Diego<\/a> runtime came along, together with Garden containers. 
(At the <a href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-cab-december-2016-open-service-broker-api-and-diego-1-0\/\" target=\"_blank\" rel=\"noopener noreferrer\">recent CAB call<\/a>, it was highlighted that Diego 1.0 is officially available and capable of managing 250,000 containers.)<\/p>\n<p>In this article, we provide a brief overview of how the Cloud Foundry containerization layer has changed over time. For more technical details, check out <a href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-containers-warden-docker-and-garden\/\" target=\"_blank\" rel=\"noopener noreferrer\">our previous post<\/a> on Garden internals.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_Garden_is_different\"><\/span>How Garden is different<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In Cloud Foundry versions that use Diego, Garden replaced Warden.<\/p>\n<p><strong>Warden<\/strong>\u2014the older container technology\u2014was mostly written in Ruby, with some C code. It leveraged several features of the Linux kernel\u2014such as <em>namespaces<\/em> and <em>control groups<\/em>\u2014to provide process isolation and resource management for containers.<\/p>\n<p><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/cloud-foundry-dea-warden-architecture.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/cloud-foundry-dea-warden-architecture.png\" alt=\"cloud-foundry-dea-warden-architecture\" width=\"640\" class=\"aligncenter size-full wp-image-18686\" \/><\/a><\/p>\n<p>Warden clients (DEAs) talk to Warden via a protocol that uses <em>Protocol Buffers<\/em>. The original container technology has a monolithic architecture: the Warden server and the container manager responsible for container life cycle routines are coupled into a single application. 
Such a design, however, makes it difficult to plug in an alternative container implementation.<\/p>\n<p>Unlike Warden, <strong>Garden<\/strong> was implemented in the Go programming language, and it has a modular architecture. To ensure flexibility of the system, the Garden server was decoupled from the container manager. The manager became a separate component: the back end.<\/p>\n<p><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/cloud-foundry-diego-garden-architecture.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/cloud-foundry-diego-garden-architecture.png\" alt=\"cloud-foundry-diego-garden-architecture\" width=\"640\" class=\"aligncenter size-full wp-image-18699\" \/><\/a><\/p>\n<p>While the server and client are platform independent, back ends enable support for specific platforms (Linux and Windows). Today, Garden containers are used in several products, including Cloud Foundry itself, <a href=\"https:\/\/concourse-ci.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Concourse CI<\/a>, and <a href=\"https:\/\/bosh.io\/docs\/\/bosh-lite.html\" target=\"_blank\" rel=\"noopener noreferrer\">BOSH Lite<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Garden_back_ends\"><\/span>Garden back ends<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>For creating and managing containers, <strong>Garden<\/strong> provides a platform-neutral Go API and multiple back ends, with each back end implementing the Garden API for a specific platform. 
By now, three Garden back ends have been created: <\/p>\n<ul>\n<li>Garden-Linux (phased out)<\/li>\n<li>Garden-runC (Guardian)<\/li>\n<li>Garden-Windows (Greenhouse)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/containers-in-cloud-foundry-garden.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/containers-in-cloud-foundry-garden.png\" alt=\"containers-in-cloud-foundry-garden\" width=\"640\" class=\"aligncenter size-full wp-image-18688\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Garden-Linux<\/strong><\/p>\n<p>The retired <a href=\"https:\/\/github.com\/cloudfoundry-attic\/garden-linux\" target=\"_blank\" rel=\"noopener noreferrer\">Garden-Linux<\/a> back end was the successor of the Warden container implementation with similar features for providing process isolation, including the mentioned Linux namespaces, control groups, and a layered file system.<\/p>\n<p>In addition to the default buildpack life cycle, Garden-Linux introduced support for Docker containers in Cloud Foundry.<\/p>\n<p><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/docker-images-with-garden-in-cloud-foundry.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/docker-images-with-garden-in-cloud-foundry.png\" alt=\"docker-images-with-garden-in-cloud-foundry\" width=\"640\" class=\"aligncenter size-full wp-image-18689\" \/><\/a> <\/p>\n<p>The project, however, is no longer actively developed and has been moved to <a href=\"https:\/\/github.com\/cloudfoundry-attic\" target=\"_blank\" rel=\"noopener noreferrer\">Cloud Foundry Attic<\/a>. 
The reasons behind switching to Garden-runC are explained in <a href=\"https:\/\/www.cloudfoundry.org\/blog\/garden-and-runc\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a> from the Garden team.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Garden-runC<\/strong><\/p>\n<p><a href=\"https:\/\/github.com\/cloudfoundry\/garden-runc-release\" target=\"_blank\" rel=\"noopener noreferrer\">Garden-runC (Guardian)<\/a> is a Linux back end for Garden that uses <a href=\"https:\/\/github.com\/opencontainers\/runc\" target=\"_blank\" rel=\"noopener noreferrer\">runC<\/a> to spawn and run containers according to the <a href=\"https:\/\/opencontainers.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Open Container Initiative<\/a> (OCI) specification. In Cloud Foundry, Guardian replaced Garden-Linux and now serves as the default back end for Garden containers.<\/p>\n<blockquote><p><em>\u201cIn 2015, Open Container Initiative appeared to create industry standards around containers to build an open, portable, platform-, cloud-, and hardware-independent container and runtime format.\u201d \u2014Maksim Zhylinski<\/em><\/p><\/blockquote>\n<p>Concerned with developing open industry standards around the container image format and runtime, OCI currently provides two specifications:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/opencontainers\/image-spec\/blob\/main\/spec.md\" target=\"_blank\" rel=\"noopener noreferrer\">Image specification<\/a> defines how container images should be created and prepared to run.<\/li>\n<li><a href=\"https:\/\/github.com\/opencontainers\/runtime-spec\/blob\/main\/spec.md\" target=\"_blank\" rel=\"noopener noreferrer\">Runtime specification<\/a> defines how to run the container images.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>Garden-Windows<\/strong><\/p>\n<p><a href=\"https:\/\/github.com\/cloudfoundry-attic\/garden-windows\" target=\"_blank\" rel=\"noopener noreferrer\">Garden-Windows (Greenhouse)<\/a> is a Windows back end for Garden. 
Since Windows does not support containers in the same way as Linux does, a <a href=\"https:\/\/tanzu.vmware.com\/content\/pivotal-engineering-journal\" target=\"_blank\" rel=\"noopener noreferrer\">different approach<\/a> was needed for developing this back end.<\/p>\n<p>To provide support for Windows containers, the following features are used:<\/p>\n<ul>\n<li><strong>File system isolation:<\/strong> creating a unique user per container<\/li>\n<li><strong>Disk usage limiting:<\/strong> setting NTFS quotas<\/li>\n<li><strong>CPU and memory usage limiting:<\/strong> employing Windows job objects<\/li>\n<li><strong>Network isolation:<\/strong> binding applications directly to the external IP of the cell<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Security_considerations_for_Garden\"><\/span>Security considerations for Garden<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>Garden<\/strong> uses the core features of the Linux kernel to ensure the security of Linux-based containers in Cloud Foundry. <em>Namespaces<\/em> and <em>cgroups<\/em> have been around for years and have become the cornerstone of many popular projects.<\/p>\n<p>In the case of the <strong>Greenhouse<\/strong> back end, it is important to understand that a completely isolated file system cannot be created for Windows containers. Parts of the host file system are still visible to the temporary user who owns the container. Avoid storing sensitive information in locations that containers can access, such as <em>C:\\Program Files<\/em>.<\/p>\n<p>At the same time, some principles of the Garden architecture that promote container security might put certain constraints on the types of operations you can perform.<\/p>\n<p>For instance, every container in Garden uses its own subnet with interfaces, and a firewall is created for the container. 
Although this is good from a security perspective, these rules make it difficult to connect containers with each other.<\/p>\n<blockquote><p><em>\u201cIt doesn\u2019t really fit into the PaaS ideology. For example, in Docker, you have a single subnet for your containers, and you can create links between them. In Garden, you can\u2019t.\u201d \u2014Maksim Zhylinski<\/em><\/p><\/blockquote>\n<p><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/security-considerations-for-cloud-foundry-containers.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/security-considerations-for-cloud-foundry-containers-1013x1024.png\" alt=\"security-considerations-for-cloud-foundry-containers\" width=\"400\" class=\"aligncenter size-large wp-image-18690\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Debugging_in_Garden\"><\/span>Debugging in Garden<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>An application running in a Garden container may one day fail to work as expected. 
Logs are not always sufficient to identify the reason, so you might want to get inside the container and check what is happening there.<\/p>\n<p>Diego and Garden simplify application debugging by providing a CLI command\u2014<code style=\"color: #222222; background-color: #e6e6e6; padding: 1px 2px;\">cf ssh APP_NAME<\/code>\u2014that brings you directly inside the container (image below).<\/p>\n<p><a href=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/dubugging-containers-in-cloud-foundry.png\"><img decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/dubugging-containers-in-cloud-foundry.png\" alt=\"dubugging-containers-in-cloud-foundry\" width=\"640\" class=\"aligncenter size-full wp-image-18691\" \/><\/a><\/p>\n<p>Before this command was released, getting into an application container had been way more complicated and included multiple steps. The user also needed to have access to BOSH.<\/p>\n<p>If you are interested in debugging the container manager itself, there is a tool, <em><a href=\"https:\/\/github.com\/contraband\/gaol\" target=\"_blank\" rel=\"noopener noreferrer\">gaol<\/a><\/em>, which is a CLI for Garden. You can create containers, delete them, open a shell inside a new container, and do many more things with it.<\/p>\n<p>To sum up, the newest Cloud Foundry container technology\u2014Garden\u2014provides a platform-independent API for creating and managing containers. 
Pluggable back ends, which are the platform-specific implementations of the Garden interfaces, ensure that users can securely run applications in both Linux and Windows-based containers.<\/p>\n<p>When reading this, keep in mind that Diego and Garden are being actively developed, so things are changing pretty fast.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Related_reading\"><\/span>Related reading<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/a-new-cloud-foundry-container-engine-for-linux-garden-runc-v1-0-is-out\/\">A New Cloud Foundry Container Engine for Linux, Garden-runC v1.0, Is Out!<\/a><\/li>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-containers-warden-docker-and-garden\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cloud Foundry Containers: The Difference Between Warden, Docker, and Garden<\/a><\/li>\n<li><a href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-security-do-containers-contain\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cloud Foundry Security: Do Containers Contain?<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Want_details_Watch_the_video\"><\/span>Want details? Watch the video!<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td class=\"video-details-td\">\n<div style=\"float:right; width:50%; padding-left:15px; font-size:14px;\">\n<strong>Table of contents<\/strong><\/p>\n<ol>\n<li style=\"margin-bottom: 12px;\">What are containers? (0:25)<\/li>\n<li style=\"margin-bottom: 12px;\">What are Warden containers? (1:52)<\/li>\n<li style=\"margin-bottom: 12px;\">What are Garden containers? (3:18)<\/li>\n<li style=\"margin-bottom: 12px;\">What are the Garden back ends for Linux and Windows? (5:22)<\/li>\n<li style=\"margin-bottom: 12px;\">How was the Garden-Linux project implemented? (5:42)<\/li>\n<li style=\"margin-bottom: 12px;\">What is the Greenhouse project? 
(10:59)<\/li>\n<li style=\"margin-bottom: 12px;\">What are the Guardian project and OCI? (12:56)<\/li>\n<li style=\"margin-bottom: 12px;\">How does debugging work in Garden? (15:57)<\/li>\n<li style=\"margin-bottom: 12px;\">What about the security of Garden containers? (22:43)<\/li>\n<\/ol>\n<\/div>\n<div class=\"video-container\"><iframe loading=\"lazy\" title=\"Who Lives in Our Garden: Understanding Cloud Foundry\u2019s Container Manager\" width=\"1200\" height=\"675\" src=\"https:\/\/www.youtube.com\/embed\/SR5FrZtBZ4I?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Related_slides\"><\/span>Related slides<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><center><iframe loading=\"lazy\" src=\"\/\/www.slideshare.net\/slideshow\/embed_code\/key\/JBsh23ClMScdgp\" width=\"595\" height=\"485\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" style=\"border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;\" allowfullscreen><\/iframe><\/center><\/p>\n<hr\/>\n<h3><span class=\"ez-toc-section\" id=\"About_the_speaker\"><\/span>About the speaker<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<div>\n<div style=\"float: right;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/zhylinski-maksim.png\" alt=\"zhylinski-maksim\" width=\"150\" height=\"150\" class=\"aligncenter size-full wp-image-18712\" \/><\/div>\n<div style=\"width: 600px;\"><small><a href=\"https:\/\/by.linkedin.com\/in\/maksimzhylinski\" target=\"_blank\" rel=\"noopener noreferrer\">Maksim Zhylinski<\/a> is a Cloud Foundry Engineer at Altoros. 
He is an expert in cloud computing, networking, and Cloud Foundry, having worked on multiple BOSH CPIs, releases, and service brokers. Maksim has 6+ years of experience in Ruby, JavaScript, and Go, as well as extensive skills in server and client-side web app development. He is an active member of the Ruby and Go communities and a frequent contributor to various open-source projects.<\/small><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Containerization in Cloud Foundry<\/p>\n<p>Providing isolation for applications, containers have always been a core component of Cloud Foundry\u2014each application deployed to the platform runs inside its own container.<\/p>\n<p>So far, two mechanisms have been developed for creating and managing Cloud Foundry containers: Warden and Garden. The Droplet Execution Agent (DEA), the first [&#8230;]<\/p>\n","protected":false},"author":24,"featured_media":18846,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[7],"tags":[873,570,206],"class_list":["post-18674","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-opinion","tag-cloud-native","tag-containers","tag-oss-cloud-foundry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cloud Foundry\u2019s Garden: Back Ends, Container Security, and Debugging | Altoros<\/title>\n<meta name=\"description\" content=\"To help you better understand Cloud Foundry containers, Maksim Zhylinski outlines the history of their 5-year evolution. 
Debugging tips for Garden, the new container system, and security considerations are also in the spotlight.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cloud Foundry\u2019s Garden: Back Ends, Container Security, and Debugging | Altoros\" \/>\n<meta property=\"og:description\" content=\"Containerization in Cloud Foundry Providing isolation for applications, containers have always been a core component of Cloud Foundry\u2014each application deployed to the platform runs inside its own container. So far, two mechanisms have been developed for creating and managing Cloud Foundry containers: Warden and Garden. The Droplet Execution Agent (DEA), the first [...]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/\" \/>\n<meta property=\"og:site_name\" content=\"Altoros\" \/>\n<meta property=\"article:published_time\" content=\"2016-12-27T10:02:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-12-17T15:04:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/cloud-foundry-containers-garden-warden-and-docker.gif\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"358\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/gif\" \/>\n<meta name=\"author\" content=\"Victoria Fedzkovich\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Victoria Fedzkovich\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/\",\"url\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/\",\"name\":\"Cloud Foundry\u2019s Garden: Back Ends, Container Security, and Debugging | Altoros\",\"isPartOf\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/cloud-foundry-containers-garden-warden-and-docker.gif\",\"datePublished\":\"2016-12-27T10:02:36+00:00\",\"dateModified\":\"2021-12-17T15:04:42+00:00\",\"author\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/c7b416b09612e334a4e0184568906c36\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/#primaryimage\",\"url\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12\/cloud-foundry-containers-garden-warden-and-docker.gif\",\"contentUrl\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/12
\/cloud-foundry-containers-garden-warden-and-docker.gif\",\"width\":640,\"height\":358},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.altoros.com\/blog\/cloud-foundry-garden-back-ends-container-security-and-debugging-oss-cf\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.altoros.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cloud Foundry\u2019s Garden: Back Ends, Container Security, and Debugging\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#website\",\"url\":\"https:\/\/www.altoros.com\/blog\/\",\"name\":\"Altoros\",\"description\":\"Insight\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.altoros.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/c7b416b09612e334a4e0184568906c36\",\"name\":\"Victoria Fedzkovich\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.altoros.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/03\/author-v-f-150x150.jpg\",\"contentUrl\":\"https:\/\/www.altoros.com\/blog\/wp-content\/uploads\/2016\/03\/author-v-f-150x150.jpg\",\"caption\":\"Victoria Fedzkovich\"},\"description\":\"Victoria Fedzkovich strives for effective technical communication at Altoros. As a professional with 7+ years of experience in technical and scientific writing, she creates content for user guides, manuals, white papers, and technical overviews. Victoria is currently focused on the Cloud Foundry ecosystem and IoT solutions.\",\"url\":\"https:\/\/www.altoros.com\/blog\/author\/viktoryia-fedzkovich\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts\/18674","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/comments?post=18674"}],"version-history":[{"count":47,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts\/18674\/revisions"}],"predecessor-version":[{"id":65756,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/posts\/18674\/revisions\/65756"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/media\/18846"}],"wp:attachment":[{"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/media?parent=18674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/categories?post=18674"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.altoros.com\/blog\/wp-json\/wp\/v2\/tags?post=18674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}