
How to Fix 'OCI runtime create failed' Docker Error

DodaTech 2 min read

In this tutorial, you'll learn how to fix the 'OCI runtime create failed' Docker error. We cover the key concepts, practical examples, and best practices.

The Problem

You run docker run and get an error like OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:...: executing child process: clone: no such device. It means the OCI runtime (runc) failed to start the container process, most often because of a cgroup driver or version mismatch, a seccomp policy that blocks a syscall the container needs, or a missing kernel module. The exact wording varies with the root cause, but it always points at a problem on the host operating system rather than in the application inside the image.

Quick Fix

1. Check if Docker is running properly

docker info

Look for warnings about cgroups, security options, or kernel support. Pay special attention to lines like:

WARNING: No blkio throttle support
WARNING: No oom kill detection support
Cgroup Driver: cgroupfs  # vs systemd

2. Restart the Docker daemon

sudo systemctl restart docker

After restart, run docker run hello-world to test. If it works, a transient state issue was the cause.

3. Fix cgroup driver mismatch

If Docker uses cgroupfs but your init system uses systemd, edit /etc/docker/daemon.json:

{
  "exec-opts": ["native.cgroupdriver=systemd"]
}

Restart Docker:

sudo systemctl restart docker

4. Disable cgroup v2 (fallback for older Docker versions)

# Edit the kernel cmdline. This sed only matches an empty GRUB_CMDLINE_LINUX="";
# if the line already carries parameters, append systemd.unified_cgroup_hierarchy=0
# to them by hand instead.
sudo sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"/' /etc/default/grub
# update-grub is the Debian/Ubuntu helper; on RHEL-family hosts regenerate with
# sudo grub2-mkconfig -o /boot/grub2/grub.cfg
sudo update-grub
sudo reboot

This forces cgroup v1, which has broader compatibility with older Docker versions.

5. Check seccomp profile (if the error mentions seccomp)

# Run without seccomp to test
docker run --security-opt seccomp=unconfined hello-world

# Or use a custom profile
docker run --security-opt seccomp=/path/to/profile.json hello-world

If the unconfined run succeeds, the default profile is blocking a syscall the image needs. Rather than leaving the container unconfined, copy Docker's default seccomp profile, add that syscall to its allow list, and pass the resulting file with --security-opt seccomp=/path/to/profile.json.
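Building that custom profile is the part the steps above leave to you. The following is an added example, not code from the original article or from Docker: it works on a constructed, deliberately small profile in Docker's seccomp JSON format, reports whether a given syscall is allowed, conditionally allowed, or blocked by the default action, and appends a narrow allow rule for one blocked syscall (perf_event_open here is a hypothetical case). The field names and the clone rule's mask value are assumptions about the format, not copied from Docker's real default.json.

```python
import copy
import json

# Constructed, deliberately small profile in the format Docker expects for
# --security-opt seccomp=<file>. Docker's real default.json lists hundreds of
# syscalls; this sample has just enough entries to exercise the logic.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "futex"], "action": "SCMP_ACT_ALLOW"},
        # Conditional rule: clone is allowed only when the masked flag bits are zero.
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2114060288, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}]},
    ],
}


def classify(profile, syscall):
    """Return 'allowed', 'conditional' or 'blocked' for one syscall under the profile."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []) and rule.get("action") == "SCMP_ACT_ALLOW":
            return "conditional" if rule.get("args") else "allowed"
    # No rule matched, so defaultAction applies; SCMP_ACT_ERRNO is what surfaces
    # as "seccomp: operation not permitted" inside the container.
    return "allowed" if profile.get("defaultAction") == "SCMP_ACT_ALLOW" else "blocked"


def allow_syscall(profile, syscall):
    """Return a copy of the profile with an unconditional allow rule for `syscall`."""
    state = classify(profile, syscall)
    if state == "allowed":
        return profile  # nothing to do; avoid duplicate rules
    if state == "conditional":
        # Widening an argument-filtered rule silently would undo a deliberate
        # restriction, so leave that decision to the person editing the profile.
        raise ValueError(f"{syscall} has an argument-filtered rule; edit it by hand")
    patched = copy.deepcopy(profile)  # keep the original default profile intact
    patched.setdefault("syscalls", []).append({"names": [syscall], "action": "SCMP_ACT_ALLOW"})
    return patched


def save_profile(profile, path):
    """Write the profile as JSON for --security-opt seccomp=<path>."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)
        fh.write("\n")


if __name__ == "__main__":
    fixed = allow_syscall(SAMPLE_PROFILE, "perf_event_open")  # hypothetical blocked syscall
    save_profile(fixed, "custom-seccomp.json")
```

Point the script at a copy of the real default profile instead of SAMPLE_PROFILE to produce a file that allows exactly one extra syscall.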

6. Verify kernel modules are loaded

lsmod | grep -E "overlay|br_netfilter|nf_nat|xt_conntrack"

If any are missing, load them now and make them load at boot:

sudo modprobe overlay
sudo modprobe br_netfilter
echo "overlay" | sudo tee /etc/modules-load.d/docker-overlay.conf
echo "br_netfilter" | sudo tee /etc/modules-load.d/docker-br-netfilter.conf

Common Causes

| Cause | Error pattern | Fix |
|---|---|---|
| Missing kernel modules | clone: no such device | sudo modprobe -a overlay br_netfilter |
| Cgroup v2 incompatibility | failed to write "0" to cgroup.procs | Disable cgroup v2 in kernel params |
| Seccomp policy too strict | seccomp: operation not permitted | Use --security-opt seccomp=unconfined to test |
| Old Docker on new kernel | Various OCI errors | Upgrade Docker to latest |

Inspect Container Configuration

docker inspect <container-id> --format '{{json .Config}}' | python3 -m json.tool
# {
#   "Hostname": "abc123",
#   "Env": ["PATH=/usr/local/bin:..."],
#   "Cmd": ["node", "app.js"]
# }

Use docker inspect to examine the full configuration of a container. This reveals misconfigurations in environment variables, command arguments, and network settings that may not appear in logs.

Prevention

  • Keep Docker and the host kernel updated
  • Use a Docker-supported Linux distribution (Ubuntu 20.04+, Debian 11+, RHEL 8+)
  • Check docker info for warnings after every kernel upgrade
  • Run docker run --rm hello-world after Docker installation to verify the runtime works
