Skip to content
Latchkey

Docker "oci runtime error: container_linux mkdir /proc" in CI

During container setup runc creates and mounts pseudo-filesystems like /proc. When it cannot - because the container lacks the privilege to mount procfs, or it is running nested without the needed capabilities - startup fails with an OCI runtime mkdir/mount error on /proc.

What this error means

A container fails to start with oci runtime error: container_linux.go: ...: mkdir /proc: operation not permitted or a related procfs mount failure.

docker
Error response from daemon: oci runtime error: container_linux.go:235: starting container process caused "process_linux.go:258: applying cgroup configuration for process caused \"mkdir /proc/sys/...: operation not permitted\""

Common causes

Insufficient privileges to mount procfs

A heavily restricted runtime or dropped capabilities prevent runc from mounting /proc.

Nested containers without required capabilities

Running Docker-in-Docker or under a restricted sandbox can deny the procfs mount.

An incompatible or restricted seccomp/AppArmor profile

A profile that blocks the mount syscall trips this during setup.

How to fix it

Grant the privileges the runtime needs

  1. For dind-style workloads, run the daemon container privileged so it can mount procfs.
service config
services:
  docker:
    image: docker:27-dind
    privileged: true

Relax the restricting security profile

  1. If a custom seccomp/AppArmor profile blocks the mount, use the default profile for the affected container.
Terminal
docker run --security-opt seccomp=unconfined myorg/app:ci

How to prevent it

  • Run dind daemons with the privileges they require to mount procfs.
  • Avoid over-restrictive seccomp/AppArmor profiles that block container setup.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →