This error occurs when Docker cannot load or parse a seccomp security profile. The issue is typically caused by an invalid JSON profile file, incorrect file path, or kernel incompatibility. Fixes include verifying the profile syntax, using the default profile, or temporarily disabling seccomp.
Seccomp (Secure Computing Mode) is a Linux kernel feature that restricts system calls available to containers, providing an additional layer of security. Docker uses seccomp profiles to define which syscalls are allowed or denied inside containers.

When you see "error loading seccomp profile," the Docker daemon is unable to parse or apply the seccomp profile specified either in the daemon configuration or via the `--security-opt` flag. This can happen during container startup, image builds, or when starting the Docker daemon itself.

The error typically falls into one of these categories:

- **Profile not found**: The specified profile file path doesn't exist
- **Invalid JSON syntax**: The profile file has malformed JSON
- **Unsupported syscalls**: The profile references syscalls not available on your kernel version
- **Kernel incompatibility**: The kernel doesn't support the seccomp features required by the profile
First, check that your kernel has seccomp enabled:
```bash
grep CONFIG_SECCOMP /boot/config-$(uname -r)
```

You should see:

```text
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
```

If not present, you'll need a kernel with seccomp support, or you must disable seccomp entirely.
If you're using a custom profile, verify the file exists:
```bash
ls -la /path/to/your/seccomp-profile.json
```

Ensure Docker can read it:

```bash
# Check permissions
stat /path/to/your/seccomp-profile.json
# Test JSON validity
cat /path/to/your/seccomp-profile.json | python3 -m json.tool
```

If the JSON validation fails, you have a syntax error in the profile.
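The checks above can be combined into one pass that also catches profiles that are valid JSON but structurally wrong. This is an added example, not code from Docker or from the original page: `check_profile` and `demo` are hypothetical names, the sample profiles are constructed, and the script does not test whether the running kernel supports each listed syscall.

```python
import json
import tempfile
from pathlib import Path

# Action names defined by the OCI runtime spec for seccomp.
VALID_ACTIONS = {"SCMP_ACT_" + a for a in (
    "KILL", "KILL_PROCESS", "KILL_THREAD", "TRAP", "ERRNO",
    "TRACE", "ALLOW", "LOG", "NOTIFY")}


def check_profile(path):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        profile = json.loads(Path(path).read_text())
    except OSError as exc:  # missing file, unreadable file, directory, ...
        return [f"cannot read profile: {exc.strerror}"]
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(profile, dict):
        return ["top level must be a JSON object"]
    findings = []
    default = profile.get("defaultAction")
    if not isinstance(default, str) or default not in VALID_ACTIONS:
        findings.append(f"defaultAction {default!r} is not a seccomp action")
    elif default == "SCMP_ACT_ALLOW":
        findings.append("defaultAction allows every syscall not listed (denylist profile)")
    for i, rule in enumerate(profile.get("syscalls") or []):
        rule = rule if isinstance(rule, dict) else {}
        names, action = rule.get("names"), rule.get("action")
        if not (isinstance(names, list) and names and all(isinstance(n, str) for n in names)):
            findings.append(f"syscalls[{i}]: 'names' must be a non-empty list of strings")
        if not isinstance(action, str) or action not in VALID_ACTIONS:
            findings.append(f"syscalls[{i}]: missing or unknown 'action'")
    return findings


def demo():
    """Run the check over constructed sample profiles written to a temp dir."""
    good = '{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [{"names": ["read"], "action": "SCMP_ACT_ALLOW"}]}'
    samples = {"good.json": good, "broken.json": good[:-1],
               "typo.json": good.replace("SCMP_ACT_ALLOW", "SCMP_ALLOW")}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            Path(tmp, name).write_text(text)
        return {name: check_profile(Path(tmp, name)) for name in [*samples, "missing.json"]}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```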
If you don't need a custom profile, use Docker's default:
For container runs:
```bash
# Default profile is applied automatically when no option specified
docker run --rm hello-world
```

To explicitly use the default in daemon.json:

Download the default profile from the official repository:

```bash
curl -o /etc/docker/default-seccomp.json \
  https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json
```

Then configure the daemon:

```json
{
  "seccomp-profile": "/etc/docker/default-seccomp.json"
}
```

To bypass seccomp temporarily for debugging:

```bash
docker run --rm -it --security-opt seccomp=unconfined ubuntu:latest
```

Warning: Running without seccomp removes an important security layer. Only use this for testing, never in production.
In Docker Compose:
```yaml
services:
  myapp:
    image: myimage
    security_opt:
      - seccomp:unconfined
```

A common error on older kernels involves the clone3 syscall:

```text
error adding seccomp filter rule for syscall clone3: permission denied
```

This happens with Docker 20.10+ on older kernels. To fix:
Option 1: Update your kernel (recommended)
```bash
# Ubuntu/Debian
sudo apt update && sudo apt upgrade
# After kernel upgrade, reboot
sudo reboot
```

Option 2: Use a modified profile without clone3
Download and modify the default profile to remove clone3 references, or use an older compatible profile.
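One way to carry out Option 2, as an added example that is not part of the original page or of Docker's tooling: the hypothetical helper `drop_syscall` removes every reference to a syscall from a loaded profile, run here on a constructed sample rather than the real default profile. Once removed, clone3 is handled by the profile's `defaultAction`.

```python
import copy
import json


def drop_syscall(profile, name="clone3"):
    """Return (new_profile, removed): a copy of the profile without `name`.

    Rules that listed only `name` are dropped; rules that listed it among
    other syscalls keep the rest. defaultAction is left untouched, so the
    removed syscall is handled by it afterwards.
    """
    out = copy.deepcopy(profile)
    kept, removed = [], 0
    for rule in out.get("syscalls", []):
        names = rule.get("names", [])
        remaining = [n for n in names if n != name]
        removed += len(names) - len(remaining)
        if names and not remaining:
            continue  # the rule existed only for this syscall
        if names:
            rule["names"] = remaining
        kept.append(rule)
    out["syscalls"] = kept
    return out, removed


# Constructed sample, not the real default profile.
SAMPLE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["clone", "clone3"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38},
        {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"},
    ],
}

if __name__ == "__main__":
    patched, count = drop_syscall(SAMPLE)
    print(f"removed {count} clone3 reference(s)")
    print(json.dumps(patched, indent=2))
```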
After fixing the issue, verify seccomp is properly applied:
```bash
# Check Docker's security options
docker info --format '{{ .SecurityOptions }}'
```

You should see seccomp in the output.

Check seccomp status inside a container:

```bash
docker run --rm alpine grep Seccomp /proc/1/status
```

- Seccomp: 2 means seccomp filter is active (secure)
- Seccomp: 0 means no seccomp profile applied (unconfined)
If you modified daemon.json or updated the kernel, restart Docker:

```bash
# Restart Docker daemon
sudo systemctl restart docker
# Verify it started correctly
sudo systemctl status docker
# Check for seccomp-related errors in logs
sudo journalctl -u docker -n 50 | grep -i seccomp
```

If the daemon fails to start, check that the seccomp profile path in your daemon.json is correct.
### Understanding Seccomp Profiles
Docker's default seccomp profile blocks approximately 44 out of 300+ Linux syscalls. The profile uses an allowlist approach with a default action of SCMP_ACT_ERRNO (deny with error).
Key profile structure:
```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86"],
  "syscalls": [
    {
      "names": ["read", "write", "open"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
```

### Kernel Upgrade Considerations
After upgrading your kernel, always reboot before running Docker. A common error scenario:
1. Upgrade from kernel 4.x to 5.x
2. Don't reboot
3. Docker tries to use new syscalls available in kernel 5.x
4. Running kernel (4.x) doesn't support them
5. Seccomp filter fails to load
### Debian/Ubuntu Post-Upgrade Error
A well-known issue occurs after upgrading from Debian 8 (Jessie) to Debian 9 (Stretch):
```text
OCI runtime create failed: error loading seccomp filter into kernel: invalid argument
```

Solution: Reboot the server after the upgrade.
### Docker Swarm and Seccomp
In Docker Swarm mode, the security_opt directive is not supported for services:
```text
Ignoring unsupported options: security_opt
```

For Swarm services requiring custom seccomp profiles, you need to configure the profile at the daemon level on all swarm nodes.
### Debugging with strace
For deep troubleshooting, use strace to identify which syscall is failing. The image you run must have strace installed; the stock `ubuntu` image does not ship it.

```bash
docker run --rm -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined \
  ubuntu strace -f your-command 2>&1 | grep -i denied
```

### Profile Locations
- Default profile source: https://github.com/moby/profiles/blob/main/seccomp/default.json
- Daemon configuration: /etc/docker/daemon.json
- Custom profiles: Commonly stored in /etc/docker/seccomp/