Mount /var/lib/docker on a docker volume for DinD

chapterjason · chapterjason · commit 45677aedf935 · 2026-05-15T14:49:51.000Z
Nested overlay-on-overlay fails when /var/lib/docker lives on the
workspace's writable layer (buildkit cache mount: redirect_dir=off,
invalid argument). The standard docker:dind image avoids this by
declaring VOLUME /var/lib/docker so the path lives on a real filesystem.

Resurrect the docker_data volume (per-workspace, named
coder-&lt;id&gt;-docker-data) and mount it at /var/lib/docker. Inner dockerd
now has a non-overlay filesystem underneath. docker-prune.service still
runs on shutdown to keep the volume from accumulating image cache.
diff --git a/main.tf b/main.tf
@@ -439,15 +439,27 @@ removed {
   }
 }
 
-# docker_data volume is no longer managed — the workspace runs Docker-in-
-# Docker with /var/lib/docker on the container writable layer (wiped on
-# every workspace stop by Coder; docker-prune.service additionally prunes
-# on shutdown). Volume is retained to avoid data loss for any workspace
-# that still has images/cache in it from the sysbox era.
-removed {
-  from = docker_volume.docker_data
+# Per-workspace /var/lib/docker volume. Required for Docker-in-Docker:
+# nested overlay-on-overlay fails when /var/lib/docker is on the
+# container writable layer, so the inner dockerd needs a real filesystem
+# beneath it. docker-prune.service runs `docker system prune -af --volumes`
+# on shutdown to keep the volume from accumulating image cache over time.
+resource "docker_volume" "docker_data" {
+  name = "coder-${data.coder_workspace.me.id}-docker-data"
   lifecycle {
-    destroy = false
+    ignore_changes = all
+  }
+  labels {
+    label = "coder.owner"
+    value = data.coder_workspace_owner.me.name
+  }
+  labels {
+    label = "coder.owner_id"
+    value = data.coder_workspace_owner.me.id
+  }
+  labels {
+    label = "coder.workspace_id"
+    value = data.coder_workspace.me.id
   }
 }
 
@@ -549,6 +561,12 @@ resource "docker_container" "workspace" {
     read_only      = false
   }
 
+  volumes {
+    container_path = "/var/lib/docker"
+    volume_name    = docker_volume.docker_data.name
+    read_only      = false
+  }
+
   # home_persist and shared are NOT terraform-managed — they're owned outside
   # this workspace's lifecycle (per-owner and deployment-wide respectively).
   # Referencing them by name means workspace destroy won't try to remove them
