Kubernetes Error Guide: 'CreateContainerError' Runtime Create Failure
Fix the CreateContainerError: resolve bad commands, missing host mounts, device conflicts, and runtime issues that stop the container runtime from creating the container.
- #kubernetes-helm
- #troubleshooting
- #errors
- #runtime
Exact Error Message
NAME READY STATUS RESTARTS AGE
worker-5f7c9d8b6c-r4n8t 0/1 CreateContainerError 0 34s
# kubectl describe pod worker-5f7c9d8b6c-r4n8t
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Failed 11s (x4 over 34s) kubelet
Error: container create failed:
time="..." level=error msg="runc create failed: unable to start container process:
exec: \"/app/start.sh\": stat /app/start.sh: no such file or directory"
What the Error Means
CreateContainerError is reported when the image pulled successfully but the container runtime (containerd/CRI-O via runc) failed at the create step — after the image is ready but before the container actually runs. The kubelet hands a valid OCI spec to the runtime, and the runtime rejects it because something about the container’s configuration cannot be set up on the node.
This is distinct from CreateContainerConfigError (which is Kubernetes-side: a missing ConfigMap or Secret) and from RunContainerError (which is the start step). CreateContainerError is the runtime saying “I have the image, but I cannot construct this container as specified.”
Common Causes
- A
command/entrypoint that does not exist in the image —exec: "/app/start.sh": no such file or directory. - A hostPath mount whose source does not exist on the node, so the runtime cannot bind-mount it.
- A container name collision — a leftover container with the same name from a previous failed start that was not cleaned up.
- Invalid
securityContextsettings the runtime cannot apply (a non-existent user/UID, unsupported capabilities, or a seccomp profile that is missing). - Device or sysctl requests the node cannot satisfy (e.g. requesting
/dev/fusewithout the device plugin). - A corrupted image layer or runtime state on the node, often after a disk-full or unclean shutdown.
- A read-only or full root filesystem on the node preventing the runtime from writing container state.
How to Reproduce the Error
Point a container at a command that is not present in the image:
apiVersion: v1
kind: Pod
metadata:
name: bad-cmd
spec:
containers:
- name: app
image: busybox:1.36
command: ["/app/start.sh"] # not in the busybox image
kubectl apply -f bad-cmd.yaml
kubectl get pod bad-cmd
# STATUS: CreateContainerError
Diagnostic Commands
# Confirm the reason and the full runtime message
kubectl get pod <POD> -o jsonpath='{.status.containerStatuses[0].state.waiting.reason}{"\n"}'
kubectl describe pod <POD> | grep -A6 -iE 'createcontainererror|container create failed|runc'
# Inspect the requested command, mounts, and security context
kubectl get pod <POD> -o jsonpath='{.spec.containers[0].command} {.spec.containers[0].args}{"\n"}'
kubectl get pod <POD> -o jsonpath='{.spec.containers[0].volumeMounts}{"\n"}'
kubectl get pod <POD> -o jsonpath='{.spec.containers[0].securityContext}{"\n"}'
# On the node: confirm a hostPath source exists
ls -ld /path/from/hostpath
# On the node: look for stale containers or runtime errors (containerd)
crictl ps -a | grep <POD>
crictl pods | grep <POD>
journalctl -u containerd --since "10 min ago" | grep -i error
# Confirm node disk is not full (a common create-step failure)
kubectl describe node <NODE> | grep -iE 'diskpressure|allocatable'
Step-by-Step Resolution
1. Read the exact runtime message. The describe event contains the precise cause — a missing binary, a mount path, or a security setting:
kubectl describe pod <POD> | grep -A6 'container create failed'
2. If the entrypoint is missing, fix the command or the image. Verify the binary exists in the image and the path is correct:
kubectl run probe --rm -it --image=<IMAGE> --command -- ls -l /app/
Then correct the command/args to a path that exists.
3. If a hostPath is missing, create it or fix the path. The runtime cannot bind-mount a source that does not exist. Either pre-create the directory via a DaemonSet/node provisioning step, or set hostPath.type appropriately (e.g. DirectoryOrCreate).
4. Clear a stale container name collision. If a previous failed container was left behind, remove it on the node:
crictl ps -a | grep <CONTAINER_NAME>
crictl rm <CONTAINER_ID>
Then delete the pod so the kubelet recreates it cleanly.
5. Fix invalid securityContext or device requests. Ensure any runAsUser UID exists in the image, requested capabilities are supported, and any device plugin (FUSE, GPU) is installed before requesting its resource.
6. If the node itself is unhealthy, drain it. Disk-full or corrupted runtime state affects every new container; cordon and investigate:
kubectl cordon <NODE>
kubectl describe node <NODE> | grep -i pressure
Prevention and Best Practices
- Validate that
command/entrypoint paths exist in the image as part of CI image testing. - Avoid hostPath mounts where possible; when required, use
type: DirectoryOrCreateor pre-provision the path on every node. - Keep node disks monitored — many
CreateContainerErrorcases are reallyDiskPressurein disguise. - Test any non-trivial
securityContext(custom UID, dropped capabilities, seccomp) in a staging cluster before production. - Install required device plugins before scheduling pods that request special devices.
- Set up alerting on pods stuck in
CreateContainerErrorso a degraded node is caught before it spreads. See more in Kubernetes & Helm guides.
Related Errors
CreateContainerConfigError— Kubernetes could not assemble the container config (missing ConfigMap/Secret), before the runtime is even called.RunContainerError— creation succeeded but the runtime failed to start the process.RunContainerError: exec format error— the binary architecture does not match the node.CrashLoopBackOff— the container created and started but the process keeps exiting.
Frequently Asked Questions
What is the difference between CreateContainerError and CreateContainerConfigError? CreateContainerConfigError is a Kubernetes-side failure to build the container spec — typically a missing ConfigMap, Secret, or environment reference. CreateContainerError happens later: the spec was valid, but the container runtime rejected the create call on the node.
The image works fine locally with docker run. Why does Kubernetes fail? Differences in mounts, security context, user, or the runtime (containerd vs Docker) can surface only under Kubernetes. Read the runc create failed message — it names the exact missing path, user, or capability.
Could a full node disk cause this? Yes. When the node is under disk pressure, the runtime may be unable to write container state and fails the create step. Check kubectl describe node for DiskPressure and free space before blaming the pod spec.
Why does deleting and recreating the pod sometimes fix it? When the cause is a stale container name collision or a transient runtime state issue, a clean recreate lets the runtime start fresh. If the root cause is the pod spec (bad command, missing mount), recreating will reproduce the same error.
Download the Free 500-Prompt DevOps AI Toolkit
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.