From 84b6f7ce87372a50b084bf7055ef3963380f2784 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Apr 2026 18:00:34 +0000 Subject: [PATCH 1/2] Initial plan From 7b6da04843c941eaa1fb92e6ac8603c8c2baef03 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Apr 2026 18:02:54 +0000 Subject: [PATCH 2/2] docs: add kernel keyring sysctl configuration guide for admins Agent-Logs-Url: https://github.com/mieweb/opensource-server/sessions/aa2ca390-e572-4a49-a6b1-c81d0c38e951 Co-authored-by: runleveldev <44057501+runleveldev@users.noreply.github.com> --- mie-opensource-landing/docs/admins/index.md | 1 + .../docs/admins/kernel-keyring.md | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 mie-opensource-landing/docs/admins/kernel-keyring.md diff --git a/mie-opensource-landing/docs/admins/index.md b/mie-opensource-landing/docs/admins/index.md index 785fd6c1..7561087b 100644 --- a/mie-opensource-landing/docs/admins/index.md +++ b/mie-opensource-landing/docs/admins/index.md @@ -8,3 +8,4 @@ sidebar_position: 1 - **[Core Concepts →](core-concepts)** — Cluster organization, user roles, container lifecycle - **[Deploying LDAP Servers →](ldap-servers)** — Set up ldap1/ldap2 for container authentication - **[Deploying Agents →](deploying-agents)** — Set up agent containers on remote Proxmox nodes +- **[Kernel Keyring Configuration →](kernel-keyring)** — Fix "disk quota exceeded" errors under nested Docker/LXC virtualization diff --git a/mie-opensource-landing/docs/admins/kernel-keyring.md b/mie-opensource-landing/docs/admins/kernel-keyring.md new file mode 100644 index 00000000..1e5c3395 --- /dev/null +++ b/mie-opensource-landing/docs/admins/kernel-keyring.md 
@@ -0,0 +1,37 @@ +--- +sidebar_position: 8 +--- + +# Kernel Keyring Configuration + +Configure kernel keyring quotas on Proxmox hosts so the unprivileged UID mapped to `root` inside containers has the same key limits as the real host root, preventing quota exhaustion under nested Docker/LXC virtualization. + +## Apply the Settings + +Run the following on every Proxmox host node: + +```bash +# Increase max number of keys allowed per UID +sysctl -w kernel.keys.maxkeys=200000 + +# Increase max bytes of kernel memory for keys per UID +sysctl -w kernel.keys.maxbytes=2000000 +``` + +To persist across reboots, add the values to `/etc/sysctl.d/99-kernel-keys.conf`: + +```bash +cat >> /etc/sysctl.d/99-kernel-keys.conf << 'EOF' +# Allow unprivileged container root the same keyring limits as host root. +# Prevents "unable to create session key: disk quota exceeded" under nested +# virtualization (e.g. Docker inside LXC). +kernel.keys.maxkeys=200000 +kernel.keys.maxbytes=2000000 +EOF + +sysctl --system +``` + +:::important +These settings must be applied on every Proxmox node where nested Docker builds or Docker-in-LXC workloads run. +:::
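Review bot: In `kernel-keyring.md`, the intro says the change gives the UID mapped to container `root` "the same key limits as the real host root", but the commands set fixed values for `kernel.keys.maxkeys` and `kernel.keys.maxbytes`. Those sysctls are the per-UID quotas for every non-root UID on the host, and nothing in the guide reads the host root limits (`kernel.keys.root_maxkeys`, `kernel.keys.root_maxbytes`) to show that the numbers match. Suggest rewording the intro to say the quotas are raised host-wide for all unprivileged UIDs, and stating the trade-off that any local unprivileged user can then hold that much more kernel memory in keys. A verification step after applying, such as `sysctl kernel.keys.maxkeys kernel.keys.maxbytes`, would also help. Separately, the persistence step uses `cat >> /etc/sysctl.d/99-kernel-keys.conf`, which appends a duplicate block every time the guide is rerun on a node; `cat >` would keep the file idempotent.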