OCI Runtime Create Failed: Permission Denied Error

This article explains how to resolve the following Docker error, which occurs when the container process fails to start because the entrypoint is missing executable permissions:

docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "command": permission denied

Problem: Permission Denied on Entrypoint

The error occurs when the Docker engine attempts to execute your container's entrypoint command (specified in CMD or ENTRYPOINT), but the file lacks executable permissions in the container's filesystem. In this case, the deployment-service binary built in the first stage wasn't assigned execute permissions in the final Alpine-based image.

Solutions

Here are verified approaches to resolve the issue:

1. Grant Execute Permissions in the Dockerfile

Add a RUN chmod +x command after copying the binary in your final build stage:

```dockerfile
FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
# Copy ONLY the binary
COPY --from=builder /workspace/deployment-service .

# Grant execute permission
RUN chmod +x ./deployment-service

ARG DEFAULT_PORT=8080
ENV PORT=$DEFAULT_PORT
EXPOSE $PORT
CMD ["./deployment-service"]
```

Key improvements:

  1. Explicitly copy only the binary (reduces image size and permission issues)
  2. chmod +x ensures the binary is executable

WARNING

Avoid copying the entire /workspace directory. Only copy necessary artifacts to minimize permission conflicts.

2. Verify Entrypoint Syntax

Ensure your CMD or ENTRYPOINT uses the correct syntax:

  • JSON form (recommended): CMD ["./deployment-service"]
  • Shell form: CMD ./deployment-service

Correct syntax:

```dockerfile
# JSON form (direct execution)
CMD ["./deployment-service"]

# Shell form (uses /bin/sh)
CMD ./deployment-service
```

Incorrect syntax:

```dockerfile
# Will try to execute 'server' as command
CMD "server"

# Uses shell but missing dot-slash
CMD deployment-service
```

3. Verify Base Image Compatibility

When specifying shells in CMD/ENTRYPOINT, ensure your base image includes the shell. Alpine images don’t include bash by default:

```dockerfile
# Use 'sh' instead of 'bash' for Alpine
CMD ["sh", "-c", "./deployment-service --port=8080"]
```

Full Fixed Dockerfile Example

```dockerfile
# Build stage
FROM golang:1.19.2-alpine AS builder
RUN apk add --no-cache openssh-client ansible git
WORKDIR /workspace
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN go build -o deployment-service cmd/deployment-service/main.go

# Final stage
FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
# Copy binary only
COPY --from=builder /workspace/deployment-service .
# Fix permissions
RUN chmod +x ./deployment-service

ARG DEFAULT_PORT=8080
ENV PORT=$DEFAULT_PORT
EXPOSE $PORT
# JSON form
CMD ["./deployment-service"]
```

Why This Happens

  • Linux requires explicit execute (+x) permissions for binaries.
  • File permissions aren't preserved when copying between build stages unless explicitly set.
  • Alpine Linux images have minimal permissions by default.

Invalid Solutions

  • docker system prune -a: Cleans unused objects but doesn't fix permission issues.
  • Changing permissions outside the container: Host file permissions don't affect container filesystems.

Best Practices

  1. Minimize final image size: Copy only necessary artifacts between build stages.
  2. Explicit permissions: Always set execute permissions in the Dockerfile.
  3. Use multi-stage builds: Separate build and runtime environments.
  4. Verify paths: Double-check WORKDIR and file paths in COPY commands.
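
A pre-deploy check for the "Explicit permissions" practice, as an added example that is not from the original article: it reads the entrypoint's mode bits from a root filesystem tarball (such as `docker export` output) and flags the case that produces the permission denied error. The function names and sample tarballs are constructed for illustration, and the any-execute-bit test assumes the container runs as root, as in the Dockerfile above.

```shell
#!/bin/sh
# Added example (not from the original article): check that an entrypoint in an
# exported container filesystem has an execute bit before the image ships.
# Assumption: the tarball comes from `docker export`, which stores members
# without a leading slash, and the container runs as root as in the article.

# check_entrypoint_mode TARBALL PATH
#   0 = regular file with at least one execute bit
#   1 = regular file with no execute bit (runc would fail with "permission denied")
#   2 = missing, or not a regular file
check_entrypoint_mode() {
    tarball=$1
    member=${2#/}
    # The first field of `tar -tv` output is the mode string, e.g. -rw-r--r--
    mode=$(tar -tvf "$tarball" "$member" 2>/dev/null | awk 'NR==1 {print $1}')
    case $mode in
        '')         echo "missing: /$member"; return 2 ;;
        -*[xst]*)   echo "ok: /$member ($mode)"; return 0 ;;
        -*)         echo "not executable: /$member ($mode)"; return 1 ;;
        *)          echo "not a regular file: /$member ($mode)"; return 2 ;;
    esac
}

# make_sample_rootfs DIR MODE
# Constructed sample: a one-file rootfs tarball standing in for `docker export`
# output, with the stand-in binary stored at the given mode.
make_sample_rootfs() {
    mkdir -p "$1/rootfs/root"
    printf '#!/bin/sh\necho running\n' > "$1/rootfs/root/deployment-service"
    chmod "$2" "$1/rootfs/root/deployment-service"
    tar -cf "$1/rootfs-$2.tar" -C "$1/rootfs" root
    echo "$1/rootfs-$2.tar"
}

demo_dir=$(mktemp -d)
broken=$(make_sample_rootfs "$demo_dir" 644)   # binary copied without +x
fixed=$(make_sample_rootfs "$demo_dir" 755)    # after RUN chmod +x
check_entrypoint_mode "$broken" /root/deployment-service || true
check_entrypoint_mode "$fixed" /root/deployment-service
rm -rf "$demo_dir"
```

In a pipeline, a non-zero return from check_entrypoint_mode can fail the job before the image is pushed.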

These solutions resolve the permission denied error by ensuring your entrypoint binary has execute permissions in the container environment, following Linux permission standards.