This error occurs when the Docker daemon fails to start on Linux systems using systemd. Common causes include disk space issues, invalid daemon.json configuration, firewall conflicts, or missing dependencies like iptables. Check journalctl logs for the specific cause.
When you attempt to start Docker using `systemctl start docker` or `service docker start`, systemd launches the Docker daemon process (`dockerd`). If this process terminates unexpectedly during startup, systemd reports "Job for docker.service failed because the control process exited with error code." This is a generic systemd error message indicating that dockerd crashed or exited with a non-zero exit code.
The actual root cause varies widely and requires checking the detailed logs using `journalctl -xeu docker.service` or running `dockerd --debug` directly to see the specific error.
Common categories of failures include:
- **Resource constraints**: No disk space, memory issues
- **Configuration errors**: Invalid daemon.json, conflicting command-line options
- **Network/firewall issues**: iptables missing, firewalld conflicts, NAT chain errors
- **Storage driver problems**: Deprecated options, corrupted graph directory
- **Dependency issues**: Missing kernel modules, outdated kernel version
- **VPN conflicts**: Gateway changes affecting Docker networking
This error prevents Docker from running entirely, blocking all container operations until resolved.
The generic systemd error doesn't tell you what's wrong. Get the specific error:
Check service status:
```bash
sudo systemctl status docker.service
```
Check detailed logs:
```bash
sudo journalctl -xeu docker.service
```
Or view more lines:
```bash
sudo journalctl -u docker.service -n 100 --no-pager
```
Run daemon directly for verbose output:
```bash
sudo dockerd --debug
```
This will show the exact reason Docker is failing to start. Look for lines containing "error", "failed", or "fatal".
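The log-reading step can be scripted. The following is an added example, not part of the original page: a POSIX shell function that maps journal text to the causes this page covers. The label names and the `sample_journal` input are constructed for illustration, and the patterns assume the message wording quoted on this page plus the `error initializing graphdriver` message that dockerd logs for storage driver failures.

```bash
# Added example: classify dockerd startup failures from journal text.
# Patterns assume the message wording quoted on this page; labels are made up.

# Constructed sample standing in for `journalctl -u docker.service` output.
sample_journal() {
    cat <<'EOF'
dockerd[811]: failed to start daemon: Unable to get the TempDir under /var/lib/docker: mkdir /var/lib/docker/tmp: no space left on device
dockerd[902]: unable to configure the Docker daemon with file /etc/docker/daemon.json: invalid character '}' looking for beginning of object key string
dockerd[977]: ZONE_CONFLICT: 'docker0' already bound to a zone
systemd[1]: docker.service: Failed with result 'exit-code'.
EOF
}

# check_cause LOG LABEL REGEX: print LABEL if REGEX matches anywhere in LOG.
check_cause() {
    if printf '%s\n' "$1" | grep -Eiq -- "$3"; then
        printf '%s\n' "$2"
    fi
    return 0
}

# triage_dockerd_log: read journal text on stdin and print one label per
# cause found, in a fixed order, or "unknown" when no pattern matches.
triage_dockerd_log() {
    tdl_log=$(cat)
    tdl_out=$(
        check_cause "$tdl_log" disk-space     'no space left on device|Unable to get the TempDir'
        check_cause "$tdl_log" daemon-json    'unable to configure the Docker daemon with file'
        check_cause "$tdl_log" firewalld      'ZONE_CONFLICT'
        check_cause "$tdl_log" iptables       'iptables|NAT chain'
        check_cause "$tdl_log" storage-driver 'error initializing graphdriver'
    )
    printf '%s\n' "${tdl_out:-unknown}"
}

# Demo on the constructed sample. On a real host:
#   sudo journalctl -u docker.service -n 100 --no-pager | triage_dockerd_log
sample_journal | triage_dockerd_log
```

Several labels can be printed for one log, because a host often has more than one problem; fix them in the order shown and re-run after each change.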
If you see "no space left on device" or "Unable to get the TempDir under /var/lib/docker":
Check disk usage:
```bash
df -h
df -h /var/lib/docker
```
Clear space on Linux:
```bash
# Clear old logs
sudo journalctl --vacuum-time=7d
# Clear package cache (Debian/Ubuntu)
sudo apt clean
# Clear package cache (RHEL/CentOS)
sudo yum clean all
# or
sudo dnf clean all
# Find large files
sudo du -sh /var/* | sort -h
```
If Docker was working before, prune Docker resources:
```bash
# Stop Docker if partially running
sudo systemctl stop docker
# Manually clean Docker temp files (the glob must expand as root,
# because /var/lib/docker is not readable by unprivileged users)
sudo sh -c 'rm -rf /var/lib/docker/tmp/*'
# After Docker starts, do a full cleanup
# (removes all unused containers, images, networks and volumes)
docker system prune -af --volumes
```
Ensure at least 1-2 GB free on the partition containing /var/lib/docker.
A common cause is syntax errors or invalid options in /etc/docker/daemon.json.
Check if the file exists and is valid JSON:
```bash
# Check file exists
ls -la /etc/docker/daemon.json
# Validate JSON syntax
sudo cat /etc/docker/daemon.json | jq .
```
If jq reports an error, fix the JSON syntax. Common mistakes:
- Missing commas between entries
- Trailing commas after last entry
- Using single quotes instead of double quotes
If the file is empty or corrupted, recreate it:
```bash
sudo rm /etc/docker/daemon.json
echo '{}' | sudo tee /etc/docker/daemon.json
```
Check for deprecated options:
In Docker 24+, remove overlay2.override_kernel_check. Remove this if present:
```json
{
  "storage-opts": ["overlay2.override_kernel_check=true"]
}
```
Also remove deprecated -g or --graph options (use --data-root instead).
On CentOS 8, RHEL 8+, and Fedora, iptables may not be installed by default. Docker requires it for networking.
Check if iptables is installed:
```bash
which iptables
```
Install iptables:
```bash
# RHEL/CentOS/Rocky Linux
sudo dnf install iptables
# Or for older versions
sudo yum install iptables
```
Start Docker after installing:
```bash
sudo systemctl start docker
```
If using nftables instead of iptables, ensure Docker is configured to work with the nftables backend or install the iptables-nft compatibility layer.
Docker and firewalld can conflict, especially with zone assignments. You may see errors like "ZONE_CONFLICT: 'docker0' already bound to a zone".
Option 1: Remove docker0 from conflicting zone:
```bash
sudo firewall-cmd --zone=trusted --remove-interface=docker0 --permanent
sudo firewall-cmd --reload
sudo systemctl restart docker
```
Option 2: Add docker0 to trusted zone:
```bash
sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0
sudo firewall-cmd --reload
sudo systemctl restart docker
```
Option 3: Temporarily stop firewalld to test:
```bash
sudo systemctl stop firewalld
sudo systemctl start docker
```
If Docker starts, the issue is firewalld-related. Configure firewalld properly before re-enabling it.
Reload everything after changes:
```bash
sudo systemctl daemon-reload
sudo systemctl restart docker
```
VPN connections can change routing tables and gateway settings, breaking Docker networking.
Test by disconnecting VPN:
```bash
# Disconnect your VPN (method varies by VPN client)
# Then try starting Docker
sudo systemctl start docker
```
If Docker starts after disconnecting VPN, you have a routing conflict.
Potential fixes:
1. Configure VPN to exclude Docker networks (172.17.0.0/16)
2. Use Docker's custom address pools in daemon.json:
   ```json
   {
     "default-address-pools": [
       {"base": "192.168.0.0/16", "size": 24}
     ]
   }
   ```
3. Set up split tunneling in your VPN configuration
4. Start Docker before connecting to VPN
A corrupted /var/lib/docker directory from previous installations can prevent Docker from starting.
WARNING: This will delete all containers, images, and volumes!
Backup any important data first, then clean:
```bash
# Stop Docker completely
sudo systemctl stop docker
sudo systemctl stop docker.socket
# Remove Docker data (DESTRUCTIVE)
sudo rm -rf /var/lib/docker
# Start Docker fresh
sudo systemctl start docker
```
Less destructive: Clear only runtime files:
```bash
sudo systemctl stop docker
sudo rm -rf /var/lib/docker/network
sudo rm -rf /var/lib/docker/tmp
sudo systemctl start docker
```
This is often needed after upgrading from one Docker package to another (e.g., from Docker CE to Podman and back).
Docker requires Linux kernel 3.10 or newer with specific modules.
Check kernel version:
```bash
uname -r
```
If version is below 3.10, you need to upgrade your kernel.
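Comparing `uname -r` output by eye or as a string is error-prone, since 3.9 is older than 3.10. This added example, not from the original page, parses the release string numerically and checks it against the 3.10 minimum stated above and the 4.0+ figure this page gives for overlay2; the function names and verdict labels are hypothetical.

```bash
# Added example: numeric kernel-release check against the minimums on this
# page (3.10 for Docker, 4.0 for overlay2). Names and labels are hypothetical.

# kernel_at_least RELEASE MAJOR MINOR
# Returns 0 if RELEASE >= MAJOR.MINOR, 1 if older, 2 if unparseable.
kernel_at_least() {
    case "$1" in
        *.*) ;;
        *) return 2 ;;
    esac
    kal_major=${1%%.*}               # "5.15.0-91-generic" -> "5"
    kal_rest=${1#*.}                 # -> "15.0-91-generic"
    kal_minor=${kal_rest%%[!0-9]*}   # -> "15"
    case "$kal_major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$kal_minor" ] || return 2
    [ "$kal_major" -gt "$2" ] && return 0
    [ "$kal_major" -eq "$2" ] && [ "$kal_minor" -ge "$3" ] && return 0
    return 1
}

# docker_kernel_verdict RELEASE: print ok | no-overlay2 | too-old | unparseable.
docker_kernel_verdict() {
    kernel_at_least "$1" 3 10 && dkv_rc=0 || dkv_rc=$?
    case "$dkv_rc" in
        2) echo "unparseable" ;;
        1) echo "too-old" ;;
        0) if kernel_at_least "$1" 4 0; then
               echo "ok"
           else
               echo "no-overlay2"
           fi ;;
    esac
}

# A plain string sort would rank 3.9 above 3.10; the numeric check does not.
docker_kernel_verdict "$(uname -r)"
```

RHEL/CentOS 7 ships 3.10.0 kernels with overlay2 support backported (3.10.0-514 and later), so read `no-overlay2` on those systems as a prompt to check the distribution kernel, not as a hard failure.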
Check for required kernel modules:
```bash
# Check if overlay module is loaded
lsmod | grep overlay
# Load if missing
sudo modprobe overlay
# Check other important modules
lsmod | grep br_netfilter
sudo modprobe br_netfilter
```
Make modules persistent:
```bash
echo "overlay" | sudo tee /etc/modules-load.d/docker.conf
echo "br_netfilter" | sudo tee -a /etc/modules-load.d/docker.conf
```
Check sysctl settings:
```bash
sudo sysctl net.bridge.bridge-nf-call-iptables
sudo sysctl net.ipv4.ip_forward
```
Both should return 1. If not:
```bash
echo "net.bridge.bridge-nf-call-iptables = 1" | sudo tee /etc/sysctl.d/docker.conf
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.d/docker.conf
sudo sysctl --system
```
The Docker daemon binary must exist at the expected location.
Check if dockerd exists:
```bash
which dockerd
ls -la /usr/bin/dockerd
```
If not found at /usr/bin but exists elsewhere:
```bash
# Find actual location
sudo find / -name dockerd 2>/dev/null
# Create symlink if needed (example)
sudo ln -s /usr/sbin/dockerd /usr/bin/dockerd
```
Reinstall Docker if binary is missing:
```bash
# Debian/Ubuntu
sudo apt-get update
sudo apt-get install --reinstall docker-ce docker-ce-cli
# RHEL/CentOS
sudo yum reinstall docker-ce docker-ce-cli
```
Check if binary is corrupted:
```bash
file /usr/bin/dockerd
# Should show: "ELF 64-bit LSB executable" or similar
```
After making any changes, properly reload systemd and start Docker:
```bash
# Reload systemd configuration
sudo systemctl daemon-reload
# Reset failed status
sudo systemctl reset-failed docker.service
# Start Docker
sudo systemctl start docker
# Check status
sudo systemctl status docker
# Verify Docker works
docker version
docker info
docker run hello-world
```
Enable Docker to start on boot:
```bash
sudo systemctl enable docker
```
If Docker still fails, run `dockerd --debug` again to see if the specific error has changed.
### Understanding systemd Service Failures
When systemd reports "Job for docker.service failed because the control process exited with error code", the actual exit code can provide clues:
- Exit code 1: Generic error (check logs for details)
- Exit code 2: Misuse of command (bad arguments)
- Exit code 127: Command not found (dockerd binary missing)
- Exit code 203: Exec format error (binary incompatible with system)
Check the exit code with:
```bash
systemctl show docker.service --property=ExecMainStatus
```
### Docker Service Configuration Files
Docker's systemd service can be configured in multiple places:
1. Main service file: /lib/systemd/system/docker.service
2. Override directory: /etc/systemd/system/docker.service.d/
3. Daemon config: /etc/docker/daemon.json
To see effective configuration:
```bash
systemctl cat docker.service
```
### Creating a Systemd Override
To modify Docker startup without editing the main service file:
```bash
sudo systemctl edit docker.service
```
This creates an override file at /etc/systemd/system/docker.service.d/override.conf.
Common overrides:
```ini
[Service]
# Clear default ExecStart
ExecStart=
# Set custom ExecStart
ExecStart=/usr/bin/dockerd --data-root=/mnt/docker
# Add environment variables
Environment="HTTP_PROXY=http://proxy:3128"
```
### Storage Driver Issues
If you see errors about storage drivers:
Check current driver:
```bash
docker info 2>/dev/null | grep "Storage Driver"
```
Common storage driver problems:
- aufs: Deprecated, switch to overlay2
- devicemapper: Complex setup, often misconfigured on RHEL/CentOS
- overlay2: Recommended, requires kernel 4.0+
Force overlay2 driver:
```json
{
  "storage-driver": "overlay2"
}
```
### Network Troubleshooting
If errors mention network initialization:
```bash
# Check bridge interface
ip addr show docker0
# Delete stale bridge
sudo ip link delete docker0
# Check iptables rules
sudo iptables -L -n -v
# Reset Docker networking
sudo systemctl stop docker
sudo rm -rf /var/lib/docker/network
sudo systemctl start docker
```
### Debugging with strace
For deep debugging, trace the daemon startup:
```bash
sudo strace -f -o /tmp/docker-trace.log dockerd
```
Then search for errors:
```bash
grep -i "error\|fail\|denied" /tmp/docker-trace.log
```
### SELinux Considerations (RHEL/CentOS)
SELinux can block Docker operations. Check if SELinux is causing issues:
```bash
# Check SELinux status
getenforce
# Check for Docker-related denials
sudo ausearch -m avc -ts recent | grep docker
# Temporarily disable to test (not recommended for production)
sudo setenforce 0
sudo systemctl start docker
```
If Docker works with SELinux disabled, install the Docker SELinux policy:
```bash
sudo yum install container-selinux
```
### AppArmor Considerations (Debian/Ubuntu)
Similar to SELinux, AppArmor can block Docker:
```bash
# Check AppArmor status
sudo aa-status
# Check for Docker denials
sudo dmesg | grep -i "apparmor.*docker"
```