Also mount /var/lib/containerd on a volume for DinD buildkit

chapterjason · chapterjason · commit 81cecbb30d47 · 2026-05-15T14:55:31.000Z
Buildkit (embedded in dockerd) uses containerd's overlayfs snapshotter for
cache mounts. Its layer dirs live under /var/lib/containerd. If that path
sits on the workspace's overlay writable layer, the kernel refuses the
nested overlay mount (redirect_dir=off, EINVAL).

Add a second per-workspace docker volume (containerd_data) mounted at
/var/lib/containerd so the snapshotter has a non-overlay backing, same
fix pattern as /var/lib/docker.
diff --git a/main.tf b/main.tf
@@ -463,6 +463,29 @@ resource "docker_volume" "docker_data" {
   }
 }
 
+# /var/lib/containerd needs its own non-overlay backing for the same reason
+# as /var/lib/docker: buildkit (embedded in dockerd) uses containerd's
+# overlayfs snapshotter for cache mounts, and the kernel refuses nested
+# overlay with redirect_dir=off when the underlying dirs sit on an overlay.
+resource "docker_volume" "containerd_data" {
+  name = "coder-${data.coder_workspace.me.id}-containerd-data"
+  lifecycle {
+    ignore_changes = all
+  }
+  labels {
+    label = "coder.owner"
+    value = data.coder_workspace_owner.me.name
+  }
+  labels {
+    label = "coder.owner_id"
+    value = data.coder_workspace_owner.me.id
+  }
+  labels {
+    label = "coder.workspace_id"
+    value = data.coder_workspace.me.id
+  }
+}
+
 # Per-workspace projects volume. Cloned repos + work-in-progress live here
 # so they survive workspace restarts. $HOME itself is image-owned and resets
 # each start; per-owner state that must persist outside projects goes through
@@ -567,6 +590,12 @@ resource "docker_container" "workspace" {
     read_only      = false
   }
 
+  volumes {
+    container_path = "/var/lib/containerd"
+    volume_name    = docker_volume.containerd_data.name
+    read_only      = false
+  }
+
   # home_persist and shared are NOT terraform-managed — they're owned outside
   # this workspace's lifecycle (per-owner and deployment-wide respectively).
   # Referencing them by name means workspace destroy won't try to remove them
