How to Fix 'OCI runtime create failed' Docker Error
This tutorial explains how to fix the 'OCI runtime create failed' Docker error. It covers key concepts, practical examples, and best practices.
The Problem
You run docker run and get:
OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:...: executing child process: clone: no such device
This error indicates that the container runtime (runc) failed to start the container, often due to cgroup version mismatches, seccomp policy issues, or missing kernel modules. The error message varies depending on the root cause, but it always points to a problem at the operating system level rather than the application level.
Quick Fix
1. Check if Docker is running properly
docker info
Look for warnings about cgroups, security options, or kernel support. Pay special attention to lines like:
WARNING: No blkio throttle support
WARNING: No oom kill detection support
Cgroup Driver: cgroupfs # vs systemd
2. Restart the Docker daemon
sudo systemctl restart docker
After restart, run docker run hello-world to test. If it works, a transient state issue was the cause.
3. Fix cgroup driver mismatch
If Docker uses cgroupfs but your init system uses systemd, edit /etc/docker/daemon.json:
{
"exec-opts": ["native.cgroupdriver=systemd"]
}
Restart Docker:
sudo systemctl restart docker
4. Disable cgroup v2 (fallback for older Docker versions)
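# Edit kernel cmdline (appends to any parameters already set on the line)
sudo sed -i 's/^GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="\1 systemd.unified_cgroup_hierarchy=0"/' /etc/default/grub
# update-grub is the Debian/Ubuntu wrapper; RHEL-family hosts use grub2-mkconfig instead
sudo update-grub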
sudo reboot
This forces cgroup v1, which has broader compatibility with older Docker versions.
5. Check seccomp profile (if the error mentions seccomp)
# Run without seccomp to test
docker run --security-opt seccomp=unconfined hello-world
# Or use a custom profile
docker run --security-opt seccomp=/path/to/profile.json hello-world
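If the container starts with seccomp=unconfined, the seccomp filter was blocking a syscall it needs. Treat unconfined as a test only, since it removes syscall filtering for the container, and create a custom seccomp profile that allows the blocked syscall.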
6. Verify kernel modules are loaded
lsmod | grep -E "overlay|br_netfilter|nf_nat|xt_conntrack"
If missing, load them and make permanent:
sudo modprobe overlay
sudo modprobe br_netfilter
echo "overlay" | sudo tee /etc/modules-load.d/docker-overlay.conf
echo "br_netfilter" | sudo tee /etc/modules-load.d/docker-br-netfilter.conf
Common Causes
| Cause | Error Pattern | Fix |
|---|---|---|
| Missing kernel modules | clone: no such device | sudo modprobe -a overlay br_netfilter |
| Cgroup v2 incompatibility | failed to write "0" to cgroup.procs | Disable cgroup v2 in kernel params |
| Seccomp policy too strict | seccomp: operation not permitted | Use --security-opt seccomp=unconfined to test |
| Old Docker on new kernel | Various OCI errors | Upgrade Docker to latest |
Inspect Container Configuration
docker inspect <container-id> --format '{{json .Config}}' | python3 -m json.tool
# {
# "Hostname": "abc123",
# "Env": ["PATH=/usr/local/bin:..."],
# "Cmd": ["node", "app.js"]
# }
Use docker inspect to examine the full configuration of a container. This reveals misconfigurations in environment variables, command arguments, and network settings that may not appear in logs.
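The same docker inspect data shows whether a container was left running with the seccomp=unconfined test setting from step 5. The script below is an added example, not part of the original tutorial; the function names, the format string variable, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): find containers left without seccomp.

# Go template for `docker inspect`: name, privileged flag, security options as JSON.
INSPECT_FMT='{{.Name}} {{.HostConfig.Privileged}} {{json .HostConfig.SecurityOpt}}'

# Reads INSPECT_FMT lines on stdin; prints "<name> <reason>" for every
# container that runs with no seccomp filter.
audit_seccomp() (
    while read -r name privileged opts; do
        [ -n "$name" ] || continue
        name=${name#/}                  # docker inspect prefixes names with "/"
        if [ "$privileged" = "true" ]; then
            echo "$name privileged"     # --privileged also turns seccomp off
            continue
        fi
        case $opts in
            # "=" is the current syntax, ":" the older one
            *'"seccomp=unconfined"'* | *'"seccomp:unconfined"'*)
                echo "$name seccomp=unconfined" ;;
        esac
    done
)

# Live use on a Docker host: audit every running container.
audit_running() (
    ids=$(docker ps -q)
    [ -n "$ids" ] || exit 0
    # $ids is left unquoted on purpose so each ID becomes its own argument
    docker inspect --format "$INSPECT_FMT" $ids | audit_seccomp
)

# Constructed sample of the inspect output (not captured from a real host).
SAMPLE_INSPECT='/web false null
/debug-test false ["seccomp=unconfined"]
/builder true null
/api false ["no-new-privileges","seccomp={\"defaultAction\":\"SCMP_ACT_ERRNO\"}"]'
```

Call audit_running on the Docker host after troubleshooting; a container with a custom profile, like /api in the sample, is not flagged because its SecurityOpt entry carries the profile contents rather than the word unconfined.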
Prevention
- Keep Docker and the host kernel updated
- Use a Docker-supported Linux distribution (Ubuntu 20.04+, Debian 11+, RHEL 8+)
- Check docker info for warnings after every kernel upgrade
- Run docker run --rm hello-world after Docker installation to verify the runtime works