Skip to content


You can find the source of this version on GitHub at cloudfoundry-incubator/guardian-release. It was created based on the commit 2b3dedc5.

Release Notes

Hi garden fans! Today we have a bumper release with lots of nice little fixes and improvements:

API Changes and Deprecations: - Docker Auth Support: The client.Create call now supports an Image.URI field which deprecates the existing RootfsPath field. It acts in exactly the same way as the existing field, however it is now possible to specify Image.Username and Image.Password which will be passed to the image_plugin if configured. This allows an image_plugin (such as grootfs) to support authenticated Docker images. - Create-Time NetIn/Out: NetIn and NetOut are now able to be specified on the client.Create call, and we recommend all clients switch to this as the dynamic methods are now deprecated. If specified, they are passed to the network_plugin on create, which allows better integration with CNI up/down hooks. The existing methods will continue to be supported in the built-in kawasaki networker until the next major version bump. - Image Plugin API: Experimental image_plugin API continues to evolve, now does not needlessly swap uid before running the plugin in unprivileged mode (this is up to the plugin to do if it wishes). - Grace Time: grace_time now defaults to 0 (i.e. infinity). Most clients were explicitly overriding our default here anyway, and without this default it is impossible to later ask for a container not to have a grace time (since 0 in client.Create means “use the default”). Clients must now explicitly set the grace_time bosh property if they wish containers to have a grace time by default.

General Improvements - RunC was bumped to the latest version - Inspector-garden is no longer needed! You can now interact with containers without any extra steps. (Yay!) - Fixed handling of the bosh release shutdown script to avoid a case where a non-zero exit was returned to bosh even though the server had been killed - The bosh release now increases pid limits to avoid running out of pids in large deployments (to avoid pid exhaustion from containers we recommend configuring ContainerSpec.Pids.Max in the client.Create call). - It is possible to opt-out of apparmor (for environments which cannot support it), by specifying an empty string for the apparmor_profile property. It is also possible to request a different apparmor profile than the garden-default be used, so long as this is installed on the host (for example as a bosh pre-start job in an add-on). - iptables rules now add a descriptive comment containing the container guid for easier debuggability - Work continues on the experimental rootless mode, there is now a separate setup command which can be run as root, allowing the main guardian server to start up without needing root.


You can reference this release in your deployment manifest from the releases section:

- name: "garden-runc"
  version: "1.2.0"
  url: ""
  sha1: "8c63afa62decbabfa809d017c15e4d0ce3c74ff3"

Or upload it to your director with the upload-release command:

bosh upload-release --sha1 8c63afa62decbabfa809d017c15e4d0ce3c74ff3 \