Docker Run Error #7295

Closed
EinfachFabsTV opened this issue Mar 14, 2020 · 8 comments

@EinfachFabsTV

Hi, when I try to run Docker images I get these errors:

hello-world:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"join session keyring: create session key: disk quota exceeded\"": unknown.
ERRO[0000] error waiting for container: context canceled

jenrik/get5-web:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"join session keyring: create session key: disk quota exceeded\"": unknown.
ERRO[0005] error waiting for container: context canceled

hsfactory/ebot:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"join session keyring: create session key: disk quota exceeded\"": unknown.
ERRO[0023] error waiting for container: context canceled

About My VServer System:

5 Cores
16 GB Ram
250 GB Disk

I also looked for the max keys:
maxkeys: 1048576

@maikelmclauflin

Same thing happened to me.

@MarkOnDuty

Me too. I'm getting this in an Ubuntu 16.04.6 LTS LXD container running on an Ubuntu 16.04.6 LTS host.

@jonasarts

jonasarts commented Apr 1, 2020

I have it on an Ubuntu 18.04 LTS host with LXD containers also using Ubuntu 18.04 LTS.
(Remark: the containers run with security.nesting=true)

@atomlab

atomlab commented May 13, 2020

I have it too.
Ubuntu 18.04 LTS inside LXD container with security.nesting: "true", security.privileged: "true"

@johanehnberg

johanehnberg commented May 23, 2020

Try this, it is working for me on an Ubuntu 20.04 host with Ubuntu 20.04 containers:

$ lxc profile show docker 
config:
  linux.kernel_modules: overlay, nf_nat
  security.nesting: "true"
description: ""
devices:
  aadisable:
    path: /sys/module/apparmor/parameters/enabled
    source: /dev/null
    type: disk
  fuse:
    path: /dev/fuse
    type: unix-char
name: docker

Someone could bisect which one is the key.

@Kramerican

Kramerican commented Jul 13, 2020

The solution for me - running Docker in LXD container - was to ensure that all of the following keys had really high values:

kernel.keys.maxbytes
kernel.keys.maxkeys
kernel.keys.root_maxbytes
kernel.keys.root_maxkeys

Once you hit high enough values, the problem goes away. I haven't researched what these keys do, nor what values are appropriate here - it really seems to depend on how many containers / busy the system is how high these values need to be.

Edit: More information on these values here:

https://www.kernel.org/doc/html/v4.13/security/keys/core.html

By cat'ing /proc/key-users I could see that my LXD container userid (used for mapping) was using the limit of kernel.keys.maxbytes, which is quite low by default. I upped it to the same value as for root (25000000), which seems reasonable.
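
Added example (not part of any comment in this thread, and not the project's own code): a check for the /proc/key-users inspection described above, reporting which UIDs are close to their kernel keyring quota. The function names, the 80% default threshold and the sample data are assumptions constructed for illustration.

```bash
#!/bin/sh
# Each /proc/key-users line has the form:
#   <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>
# The last two fields are the quota counters: keys and bytes charged to that
# UID versus the limit that applies to it (kernel.keys.maxkeys/maxbytes, or
# the root_* variants for UID 0).

# Constructed sample, shaped like /proc/key-users on a host where the UID
# that an unprivileged container is mapped to (1000000 here) is nearly
# out of quota.
sample_key_users() {
    cat <<'EOF'
    0:    60 59/59 12/1000000 240/25000000
 1000:     4 4/4 4/200 76/20000
1000000:   210 210/210 198/200 19984/20000
EOF
}

# key_quota_report [file] [threshold_percent]
# Prints one line per UID whose key count or byte usage is at or above the
# threshold; prints nothing when no UID is near its quota.
key_quota_report() {
    kq_file="${1:-/proc/key-users}"
    kq_threshold="${2:-80}"
    awk -v th="$kq_threshold" '
        NF >= 5 {
            uid = $1; sub(/:$/, "", uid)
            split($4, k, "/")   # qnkeys/maxkeys
            split($5, b, "/")   # qnbytes/maxbytes
            if (k[2] + 0 <= 0 || b[2] + 0 <= 0) next   # skip malformed lines
            kp = int(100 * k[1] / k[2])
            bp = int(100 * b[1] / b[2])
            if (kp >= th || bp >= th)
                printf "uid=%s keys=%d/%d (%d%%) bytes=%d/%d (%d%%)\n",
                       uid, k[1], k[2], kp, b[1], b[2], bp
        }' "$kq_file"
}

# On a live host: key_quota_report /proc/key-users 80
```

A UID reported here is the one to compare against the kernel.keys.* limits before raising them, so the new values can be sized to observed usage.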

@stale

stale bot commented Jan 9, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jan 9, 2021
@stale

stale bot commented Jan 16, 2021

This issue has been automatically closed because it had not recent activity during the stale period.

@stale stale bot closed this as completed Jan 16, 2021