Garden is the component that VMware Tanzu Application Service for VMs (TAS for VMs) uses to create and manage isolated environments called containers. Each instance of an app deployed to TAS for VMs runs within a container.
For more information about how containers work, see Container Mechanics in Container Security.
Garden has plug-in back ends for different platforms and runtimes. It specifies a set of interfaces that each platform-specific back end must implement.
These interfaces contain methods to perform the following actions:
STDERR data out of containers.
For more information, see the Garden repository on GitHub.
TAS for VMs currently uses the Garden-runC back end, a Linux-specific implementation of the Garden interface using the Open Container Interface (OCI) standard. Previous versions of TAS for VMs used the Garden-Linux back end. For more information, see the Garden-Linux repository on GitHub.
Note: PAS v1.8.8 and later use Garden-runC instead of Garden-Linux.
Garden-runC has the following features:
Uses the same OCI low-level container execution code as Docker and Kubernetes, so container images run identically across all three platforms
AppArmor is configured and enforced by default for all unprivileged containers
Seccomp allowlisting restricts the set of system calls a container can access, reducing the risk of container breakout
Allows pluggable networking and rootfs management
For more information, see the Garden-runC repository on GitHub.
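The seccomp allowlisting listed above works by attaching a BPF program to each container process so that any syscall not on the list never reaches the kernel. The following added example, which is not code from Garden-runC or TAS for VMs, builds such an allowlist, installs it in a forked child and shows a non-allowlisted syscall failing with EPERM; the function names and the deliberately tiny exit-only allowlist are this example's own choices.

```c
// Added example, not Garden-runC's own code: a minimal seccomp-BPF allowlist of the
// kind Garden-runC attaches to unprivileged containers; everything else gets EPERM.
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#endif
// Arch check, then one JEQ per allowed nr jumping to ALLOW; anything else returns EPERM.
// Returns the instruction count, or 0 if `cap` cannot hold n + 6 instructions.
size_t build_allowlist(struct sock_filter *out, size_t cap, const int *nrs, size_t n) {
    size_t i = 0; if (cap < n + 6 || n > 250) return 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);  // foreign ABI: kill
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)  // jt = distance to the ALLOW instruction at the end
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[k], (unsigned char)(n - k), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}
// NO_NEW_PRIVS lets an unprivileged process install the filter, which is the container case.
int install_allowlist(struct sock_filter *prog, size_t len) {
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
// A child allowed only exit/exit_group tries getpid(); returns the errno it saw
// (EPERM when the filter works), 200 if the install failed, -1 on fork/wait error.
int probe_blocked_syscall(void) {
    struct sock_filter prog[16];
    const int allowed[] = { SYS_exit_group, SYS_exit };
    size_t len = build_allowlist(prog, 16, allowed, 2);
    pid_t pid = fork();
    if (pid == 0) {
        if (len == 0 || install_allowlist(prog, len) != 0) _exit(200);
        long r = syscall(SYS_getpid);  // not allowlisted: returns -1 with errno EPERM
        _exit(r == -1 ? (errno & 0xff) : 0);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```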
Garden manages container file systems through a plug-in interface. TAS for VMs uses the Garden RootFS (GrootFS) plug-in for this task. GrootFS is a Linux-specific implementation of the Garden volume plug-in interface.
GrootFS performs the following actions: