coder · khorne3 · Jun 15, 2021 · Jun 14, 2021 · Jun 15, 2021 · Jun 15, 2021
diff --git a/admin/organizations.md b/admin/organizations.md
@@ -42,7 +42,8 @@ organization. You can set the:
 
 Finally, you can set **Resource Quotas**. These are limits on the number of
 **CPUs** and **GPUs**, as well as the amount of **memory** and **disk space**,
-each developer can use across *all* of their workspaces in this organization.
+each developer can request concurrently for running workspaces in this
+organization.
 
 When you've set your parameters, click **Create** to proceed.
 

diff --git a/guides/deployments/postgres.md b/guides/deployments/postgres.md
@@ -35,7 +35,7 @@ or cluster.
    Kubernetes Secret containing the password:
 
    ```console
-   kubectl create secret generic <NAME> --from-file=test=/dev/stdin
+   kubectl create secret generic <NAME> --from-file=password=/dev/stdin
    ```
 
    We recommend using the syntax provided above, which reads credentials from

diff --git a/guides/troubleshooting/docker-problems.md b/guides/troubleshooting/docker-problems.md
@@ -0,0 +1,115 @@
+---
+title: Docker key storage issues
+description: Learn how to solve Docker key storage issues inside Coder workspaces.
+---
+
+When using Coder, you may encounter the following error:
+
+```console
+docker: Error response from daemon: OCI runtime create failed:
+container_linux.go:370: starting container process caused:
+process_linux.go:459: container init caused: join session keyring:
+create session key: disk quota exceeded: unknown.
+```
+
+## Why this happens
+
+The kernel allocates a system key for each container created. When lots of
+developers are sharing the same instance, you may run into limits on the number
+and size of keys each user can have.
+
+## Resolution
+
+To fix this error, you can increase `maxkeys` and `maxbytes`. These are global
+settings that apply to *all* users sharing the same system. You can modify this
+by adding the following to the `sysctl` configuration file:
+
+```console
+sudo sysctl -w kernel.keys.maxkeys=20000
+sudo sysctl -w kernel.keys.maxbytes=400000
+```
+
+Alternatively, you can use a DaemonSet with `kubectl apply` to make changes to
+`sysctl`:
+
+```yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: increase-limits
+  namespace: kube-system
+  labels:
+    app: increase-limits
+    k8s-app: increase-limits
+spec:
+  selector:
+    matchLabels:
+      k8s-app: increase-limits
+  template:
+    metadata:
+      labels:
+        name: increase-limits
+        k8s-app: increase-limits
+      annotations:
+        seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+        apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      initContainers:
+        - name: sysctl
+          image: alpine:3
+          command:
+            - sysctl
+            - -w
+            - kernel.keys.maxkeys=20000
+            - kernel.keys.maxbytes=400000
+          resources:
+            requests:
+              cpu: 10m
+              memory: 1Mi
+            limits:
+              cpu: 100m
+              memory: 5Mi
+          securityContext:
+            # We need to run as root in a privileged container to modify
+            # /proc/sys on the host (for sysctl)
+            runAsUser: 0
+            privileged: true
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+      containers:
+        - name: pause
+          image: k8s.gcr.io/pause:3.5
+          command:
+            - /pause
+          resources:
+            requests:
+              cpu: 10m
+              memory: 1Mi
+            limits:
+              cpu: 100m
+              memory: 5Mi
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65535
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+      terminationGracePeriodSeconds: 5
+```
+
+At a later point, you can delete the DaemonSet by running:
+
+```console
+$ kubectl delete --namespace=kube-system daemonset increase-limits
+daemonset.apps "increase-limits" deleted
+```
+
+However, note that the setting will persist until the node restarts or another
+program sets the `kernel.keys.maxkeys` and `kernel.keys.maxkeys` settings.
diff --git a/manifest.json b/manifest.json
@@ -354,6 +354,9 @@
           "children": [
             {
               "path": "./guides/troubleshooting/inotify-watch-limits.md"
+            },
+            {
+              "path": "./guides/troubleshooting/docker-problems.md"
             }
           ]
         }

diff --git a/package.json b/package.json
@@ -12,7 +12,7 @@
     "format:check": "prettier --check '**/*.{css,html,js,json,jsx,ts,tsx,yaml,yml}'",
     "format:write": "prettier --write '**/*.{css,html,js,json,jsx,ts,tsx,yaml,yml}'",
     "lint": "markdownlint --config .markdownlint.jsonc --rules .markdownlint-rules '**/*.md'",
-    "lint:fix": "markdownlint --fix '**/*.md'"
+    "lint:fix": "markdownlint --config .markdownlint.jsonc --rules .markdownlint-rules --fix '**/*.md'"
   },
   "devDependencies": {
     "@types/minimist": "^1.2.1",

diff --git a/setup/installation.md b/setup/installation.md
@@ -46,42 +46,40 @@ kubectl config set-context --current --namespace=coder
    `helm search repo coder -l`)
 
    ```console
-   helm install coder coder/coder --namespace coder
+   helm install coder coder/coder --namespace coder --version=<VERSION>
    ```
 
    **Steps 3-5 are optional for non-production deployments.**
 
-1. Get a copy of your Helm chart so that you can modify it; you'll need to
-   modify the Helm chart to update your PostgreSQL databases (step 4) and enable
-   dev URLs (step 5):
+1. Get a copy of your Helm config values so that you can modify it; you'll need
+   to modify these values to update your PostgreSQL databases (step 4) and
+   enable dev URLs (step 5):
 
-   a. Get a copy of your existing Helm chart and save it as `current-values.yaml`:
-   `helm show values coder/coder > current-values.yaml`
+   a. Create an empty file called `values.yaml` which will contain your
+   deployment configuration options.
 
-   b. Edit the `current-values.yaml` file as needed. Be sure to remove the lines
-   that you are _not_ modifying, otherwise the contents of `current-values.yaml`
-   will override those in the default chart.
+   b. Edit the `values.yaml` file as needed.
 
    > View the
    > [configuration options available in the `values.yaml` file.](https://github.com/cdr/enterprise-helm#values)
 
    c. Upgrade/install your Coder deployment with the updated Helm chart (be sure
-   to replace the placeholder value with your Coder version). **This must be done
-   whenever you update the Helm chart:**
+   to replace the placeholder value with your Coder version). **This must be
+   done whenever you update the Helm chart:**
 
    ```console
-   helm upgrade coder coder/coder -n coder --version=<VERSION> --values current-values.yaml
+   helm upgrade coder coder/coder --namespace coder --version=<VERSION> --values values.yaml
    ```
 
    > If you omit `--version`, you'll upgrade to the latest version, excluding
    > release candidates (RCs). To include RCs, provide the `--devel` flag.
    >
    > We do not provide documentation for RCs, and you should not use them unless
-   you've been instructed to do so by Coder. You can identify RCs by the
-   presence of `-rc` in the version number (e.g., `1.16.0-rc.1`).
+   > you've been instructed to do so by Coder. You can identify RCs by the
+   > presence of `-rc` in the version number (e.g., `1.16.0-rc.1`).
 
 1. Ensure that you have superuser privileges to your PostgreSQL database. Add
-   the following to your Helm chart so that Coder uses your external PostgreSQL
+   the following to your Helm values so that Coder uses your external PostgreSQL
    databases:
 
    ```yaml
@@ -96,14 +94,22 @@ kubectl config set-context --current --namespace=coder
    ```
 
    To create the `passwordSecret`, run
-   `kubectl create secret generic <NAME> --from-file=test=/dev/stdin`
+   `kubectl create secret generic <NAME> --from-literal="password=UserDefinedPassword"`
    (be sure to replace `UserDefinedPassword` with your actual password).
 
+   > Put a space before the command to prevent it from being saved in your shell
+   > history.
+   >
+   > Running this command could potentially expose your database password to
+   > other users on your system through `/proc`. If this is a concern, you can
+   > use `--from-file=password=/dev/stdin` instead of `--from-literal=...` to
+   > enter your password and press `Ctrl+D` when you're done to submit it.
+
    You can find/define these values in your
    [PostgreSQL server configuration file](https://www.postgresql.org/docs/current/config-setting.html).
 
    > For more information, [see our guide](../guides/deployments/postgres.md) on
-   setting up a PostgreSQL instance.
+   > setting up a PostgreSQL instance.
 
 1. [Enable dev URL usage](../admin/devurls.md). Dev URLs allow users to access
    the web servers running in your workspace. To enable, provide a wildcard

diff --git a/workspaces/variables.md b/workspaces/variables.md
@@ -57,4 +57,8 @@ env | grep CODER_
         <td><code>CODER_WP_NAME</code></td>
         <td>The name of the workspace provider hosting the environment</td>
     </tr>
+    <tr>
+        <td><code>CODER_RUNTIME</code></td>
+        <td>Whether the workspace is a CVM or not</td>
+    </tr>
 </table>
-Original file line number
+Diff line change
@@ Expand Up / @@ -354,6 +354,9 @@ @@
               "children": [
                 {
                   "path": "./guides/troubleshooting/inotify-watch-limits.md"
+                },
+                {
+                  "path": "./guides/troubleshooting/docker-problems.md"
                 }
               ]
             }
@@ Expand Down @@