Coder logo

Docker

When using Coder, you may encounter the following error:

docker: Error response from daemon: OCI runtime create failed:
container_linux.go:370: starting container process caused:
process_linux.go:459: container init caused: join session keyring:
create session key: disk quota exceeded: unknown.

Why this happens

The kernel allocates a system key for each container created. When lots of developers are sharing the same instance, you may run into limits on the number and size of keys each user can have.

Resolution

To fix this error, you can increase maxkeys and maxbytes. These are global settings that apply to all users sharing the same system. You can modify this by adding the following to the sysctl configuration file:

sudo sysctl -w kernel.keys.maxkeys=20000
sudo sysctl -w kernel.keys.maxbytes=400000

Alternatively, you can use a DaemonSet with kubectl apply to make changes to sysctl:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: increase-limits
  namespace: kube-system
  labels:
    app: increase-limits
    k8s-app: increase-limits
spec:
  selector:
    matchLabels:
      k8s-app: increase-limits
  template:
    metadata:
      labels:
        name: increase-limits
        k8s-app: increase-limits
      annotations:
        seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
        apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      initContainers:
        - name: sysctl
          image: alpine:3
          command:
            - sysctl
            - -w
            - kernel.keys.maxkeys=20000
            - kernel.keys.maxbytes=400000
          resources:
            requests:
              cpu: 10m
              memory: 1Mi
            limits:
              cpu: 100m
              memory: 5Mi
          securityContext:
            # We need to run as root in a privileged container to modify
            # /proc/sys on the host (for sysctl)
            runAsUser: 0
            privileged: true
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      containers:
        - name: pause
          image: k8s.gcr.io/pause:3.5
          command:
            - /pause
          resources:
            requests:
              cpu: 10m
              memory: 1Mi
            limits:
              cpu: 100m
              memory: 5Mi
          securityContext:
            runAsNonRoot: true
            runAsUser: 65535
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      terminationGracePeriodSeconds: 5

At a later point, you can delete the DaemonSet by running:

$ kubectl delete --namespace=kube-system daemonset increase-limits
daemonset.apps "increase-limits" deleted

However, note that the setting will persist until the node restarts or another program sets the kernel.keys.maxkeys and kernel.keys.maxkeys settings.

If this doesn't resolve the issue, please contact us for further support.