Coder template that provisions Docker images with limits for:

- Balanced CPU usage (1024 CPU shares)

- RAM (2 GB max)

- Disk (10GB max for overlayfs, for 10GB max for home volume)

- Sysbox container runtime

- Secondary XFS block storage device mounted on `/var/lib/docker`

- Linux Kernel 5.19+

This template assumes you have the [sysbox container runtime](https://coder.com/docs/v2/latest/templates/docker-in-docker#sysbox-container-runtime) installed.

- Follow this documentation to [install Sysbox as a system package](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/install-package.md)

This template will not work unless Docker is configured to work with overlay2/XFs, as Docker's default storage driver is not capable of disk quotas per-container. Keep reading to learn how to use Docker with overlay2/XFS.

1. Attach an secondary block disk to your VM, dedicated to Docker volumes.

1. Format the secondary as an XFS filesystem

```sh

sudo mkfs.xfs /dev/sdb

```

1. Modify `/etc/fstab` to mount the disk with support for quotas:

```sh

1. You may also need to enable uquota,pquota in your GRUB config:

```sh

1. Stop all containers. If you have existing Docker volumes, back up `/var/lib/docker`

```sh

docker stop $(docker ps -a -q)

sudo cp -r /var/lib/docker /var/lib/docker.bk

```

1. Empty the `/var/lib/docker` folder, for mounting

```sh

1. Install a newer version of the Linux kernel (5.19+)

```sh

> This uses [ubuntu-mainline-kernel](https://github.com/pimlie/ubuntu-mainline-kernel.sh) to safely update.

1. Restart your machine

```sh

1. Ensure Docker is using overlay2/xfs:

```sh

1. Check your Kernel version

```sh

1. Import this template into Coder and create a workspace. Confirm the quota works:

```sh

> This may be slightly different depending on system. Adjust your quota in the template to compensate

1. Measure all quotas on the host with the following command.

```sh

FROM ubuntu

RUN apt-get update \

&& apt-get install -y \

curl \

git \

golang \

sudo \

vim \

wget \

&& rm -rf /var/lib/apt/lists/*

ARG USER=coder

RUN useradd --groups sudo --no-create-home --shell /bin/bash ${USER} \

&& echo "${USER} ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/${USER} \

&& chmod 0440 /etc/sudoers.d/${USER}

USER ${USER}

WORKDIR /home/${USER}

terraform {

required_providers {

coder = {

source = "coder/coder"

version = "~> 0.6.12"

}

docker = {

source = "kreuzwerker/docker"

version = "~> 2.22"

}

}

}

locals {

username = data.coder_workspace.me.owner

}

data "coder_provisioner" "me" {

}

provider "docker" {

}

data "coder_workspace" "me" {

}

resource "coder_agent" "main" {

arch = data.coder_provisioner.me.arch

os = "linux"

login_before_ready = false

startup_script_timeout = 180

startup_script = <<-EOT

# These environment variables allow you to make Git commits right away after creating a

# workspace. Note that they take precedence over configuration defined in ~/.gitconfig!

# You can remove this block if you'd prefer to configure Git manually or using

# dotfiles. (see docs/dotfiles.md)

env = {

GIT_AUTHOR_NAME = "${data.coder_workspace.me.owner}"

GIT_COMMITTER_NAME = "${data.coder_workspace.me.owner}"

GIT_AUTHOR_EMAIL = "${data.coder_workspace.me.owner_email}"

GIT_COMMITTER_EMAIL = "${data.coder_workspace.me.owner_email}"

}

}

resource "coder_app" "code-server" {

agent_id = coder_agent.main.id

slug = "code-server"

display_name = "code-server"

url = "http://localhost:13337/?folder=/home/${local.username}"

icon = "/icon/code.svg"

subdomain = false

share = "owner"

healthcheck {

url = "http://localhost:13337/healthz"

interval = 5

threshold = 6

}

}

resource "docker_volume" "home_volume" {

name = "coder-${data.coder_workspace.me.id}-home"

# Protect the volume from being deleted due to changes in attributes.

driver_opts = {

size = "10G"

}

lifecycle {

ignore_changes = all

}

# Add labels in Docker to keep track of orphan resources.

labels {

label = "coder.owner"

value = data.coder_workspace.me.owner

}

labels {

label = "coder.owner_id"

value = data.coder_workspace.me.owner_id

}

labels {

label = "coder.workspace_id"

value = data.coder_workspace.me.id

}

# This field becomes outdated if the workspace is renamed but can

# be useful for debugging or cleaning out dangling volumes.

labels {

label = "coder.workspace_name_at_creation"

value = data.coder_workspace.me.name

}

}

resource "docker_image" "main" {

name = "coder-${data.coder_workspace.me.id}"

build {

path = "./build"

build_args = {

USER = local.username

}

}

triggers = {

dir_sha1 = sha1(join("", [for f in fileset(path.module, "build/*") : filesha1(f)]))

}

}

resource "docker_container" "workspace" {

count = data.coder_workspace.me.start_count

image = docker_image.main.name

# Uses lower() to avoid Docker restriction on container names.

name = "coder-${data.coder_workspace.me.owner}-${lower(data.coder_workspace.me.name)}"

# Hostname makes the shell more user friendly: coder@my-workspace:~$

hostname = data.coder_workspace.me.name

# Use the docker gateway if the access URL is 127.0.0.1

entrypoint = ["sh", "-c", replace(coder_agent.main.init_script, "/localhost|127\\.0\\.0\\.1/", "host.docker.internal")]

env = ["CODER_AGENT_TOKEN=${coder_agent.main.token}"]

# Use sysbox container runtime

runtime = "sysbox-runc"

# Balanced CPU usage

cpu_shares = 1024

# 4 GB memory

memory = 4096

# 10 GB for overlayfs (root filesystem)

storage_opts = {

size = "10G"

}

host {

host = "host.docker.internal"

ip = "host-gateway"

}

volumes {

container_path = "/home/${local.username}"

volume_name = docker_volume.home_volume.name

read_only = false

}

# Add labels in Docker to keep track of orphan resources.

labels {

label = "coder.owner"

value = data.coder_workspace.me.owner

}

labels {

label = "coder.owner_id"

value = data.coder_workspace.me.owner_id

}

labels {

label = "coder.workspace_id"

value = data.coder_workspace.me.id

}

labels {

label = "coder.workspace_name"

value = data.coder_workspace.me.name

}

}