Compose: Docker Run Error

Created on 14 Mar 2020 · 6 comments · Source: docker/compose

Hi, when I try to run Docker images I get these errors:

hello-world:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"join session keyring: create session key: disk quota exceeded\"": unknown. ERRO[0000] error waiting for container: context canceled

jenrik/get5-web:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"join session keyring: create session key: disk quota exceeded\"": unknown. ERRO[0005] error waiting for container: context canceled

hsfactory/ebot:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"join session keyring: create session key: disk quota exceeded\"": unknown. ERRO[0023] error waiting for container: context canceled

About my VServer system:

5 Cores
16 GB Ram
250 GB Disk

I also looked at the max keys:
maxkeys: 1048576


All 6 comments

same thing happened to me

Me too. I'm getting this in an Ubuntu 16.04.6 LTS LXD container running on an Ubuntu 16.04.6 LTS host.

I have it on an Ubuntu 18.04 LTS host with LXD containers also using Ubuntu 18.04 LTS.
(Remark: the containers run with security.nesting=true)

I have it too.
Ubuntu 18.04 LTS inside LXD container with security.nesting: "true", security.privileged: "true"

Try this; it is working for me on an Ubuntu 20.04 host with Ubuntu 20.04 containers:

$ lxc profile show docker 
config:
  linux.kernel_modules: overlay, nf_nat
  security.nesting: "true"
description: ""
devices:
  aadisable:
    path: /sys/module/apparmor/parameters/enabled
    source: /dev/null
    type: disk
  fuse:
    path: /dev/fuse
    type: unix-char
name: docker

Someone could bisect which one is the key.

The solution for me - running Docker in LXD container - was to ensure that all of the following keys had really high values:

kernel.keys.maxbytes
kernel.keys.maxkeys
kernel.keys.root_maxbytes
kernel.keys.root_maxkeys

Once you hit high enough values, the problem goes away. I haven't researched what these keys do, nor what values are appropriate here; how high these values need to be really seems to depend on how many containers there are and how busy the system is.

Edit: More information on these values here:

https://www.kernel.org/doc/html/v4.13/security/keys/core.html

By running cat /proc/key-users I could see that my LXD container userid (used for mapping) was using the limit of kernel.keys.maxbytes, which is quite low by default. I upped it to the same value as for root (25000000), which seems reasonable.
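The check the last comment describes, written out as an added example (this is not code from the issue thread or from docker/compose). It parses the /proc/key-users format documented at the kernel.org link above (uid: usage nkeys/nikeys qnkeys/maxkeys qnbytes/maxbytes), flags any uid at or above a chosen percentage of its key or byte quota, and emits the sysctl fragment that raises the per-user limits to the root defaults. The input is a constructed sample standing in for a real /proc/key-users on a host where the LXD idmap root (uid 1000000) has exhausted the default 20000-byte quota; the function names and the 90% threshold are this example's own choices. Note that kernel.keys.* are global sysctls, not namespaced, so the fix has to be applied on the host, and every container whose root maps to the same host uid shares that one uid's quota.

```shell
#!/bin/sh
# Added example: find which uid is out of keyring quota and emit the fix.
# Not from the issue thread; names and sample data are this example's own.

# Constructed sample of /proc/key-users. Columns:
#   <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>
# uid 0 is governed by root_maxkeys/root_maxbytes (1000000 / 25000000 by
# default); every other uid by maxkeys/maxbytes (200 / 20000 by default).
# uid 1000000 is the host uid an unprivileged LXD container's root maps to.
SAMPLE_KEY_USERS='    0:     5 5/5 5/1000000 120/25000000
 1000:     2 2/2 2/200 40/20000
1000000:   150 150/150 150/200 20000/20000'

# Read /proc/key-users text on stdin and print, per uid:
#   uid qnkeys maxkeys qnbytes maxbytes keys_pct bytes_pct
key_user_usage() {
    awk '
    NF >= 5 {
        uid = $1; sub(/:$/, "", uid)
        split($4, k, "/"); split($5, b, "/")
        kpct = (k[2] + 0 > 0) ? int(100 * k[1] / k[2]) : 0
        bpct = (b[2] + 0 > 0) ? int(100 * b[1] / b[2]) : 0
        printf "%s %s %s %s %s %d %d\n", uid, k[1], k[2], b[1], b[2], kpct, bpct
    }'
}

# Print the uids whose key count or byte usage is at or above $1 percent
# of their quota. A uid at 100% is the one getting "disk quota exceeded"
# from "join session keyring" when a new container is started.
# Usage: <key-users text> | key_users_over <threshold_percent>
key_users_over() {
    key_user_usage | awk -v t="$1" '$6 >= t || $7 >= t { print $1 }'
}

# Emit a sysctl.d fragment that raises the per-user quota to the root
# defaults, which is what the last commenter did for maxbytes.
# Usage: keys_quota_sysctl_conf [maxkeys] [maxbytes]
keys_quota_sysctl_conf() {
    printf 'kernel.keys.maxkeys = %s\nkernel.keys.maxbytes = %s\n' \
        "${1:-1000000}" "${2:-25000000}"
}

# Run against the sample; on a real host replace the printf with
#   cat /proc/key-users | key_users_over 90
# and install the fragment with
#   keys_quota_sysctl_conf > /etc/sysctl.d/90-keys.conf && sysctl --system
printf '%s\n' "$SAMPLE_KEY_USERS" | key_user_usage
echo "uids at or above 90% of quota:"
printf '%s\n' "$SAMPLE_KEY_USERS" | key_users_over 90
echo "suggested /etc/sysctl.d/90-keys.conf:"
keys_quota_sysctl_conf
```

Run it on the host, not inside the LXD container: /proc/sys/kernel/keys is read-only from an unprivileged container, and the quota being exhausted belongs to the host-side mapped uid. After raising the limits, re-run the check; if a single mapped uid keeps climbing toward the new ceiling, that is the number of nested Docker containers sharing one idmap rather than a leak.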
