The "DB::Exception: Cannot create child process" error in ClickHouse signals that the server failed to spawn a new child process. Unlike the more general CANNOT_FORK error, CANNOT_CREATE_CHILD_PROCESS may encompass broader failures in the process creation pipeline, including issues with posix_spawn, clone, or process setup after forking. This error most often arises when ClickHouse needs to execute external programs for executable UDFs, table functions, or dictionary sources.
Impact
Any functionality that requires spawning an external process will be unavailable while this error persists. Queries that reference executable user-defined functions or executable table functions will fail, and dictionaries backed by external commands will be unable to load or refresh. The error does not affect standard query execution against regular ClickHouse tables.
Common Causes
- The per-user or system-wide process limit has been reached
- Insufficient memory to create a new process
- The executable file specified in the configuration does not exist or is not executable
- Security policies (seccomp, AppArmor, SELinux) are blocking process creation
- Cgroup PID limits have been exhausted in containerized environments
- The ClickHouse user does not have permission to execute the target program
Troubleshooting and Resolution Steps
Check the error log for details:
grep -i "CANNOT_CREATE_CHILD_PROCESS\|Cannot create child" /var/log/clickhouse-server/clickhouse-server.err.log | tail -10Verify the target executable exists and is runnable:
sudo -u clickhouse /path/to/executable --helpIf this fails, fix the path or permissions.
Check process limits:
cat /proc/$(pidof clickhouse-server)/limits | grep "processes" ps -u clickhouse --no-headers | wc -lCheck system memory:
free -hEnsure sufficient memory is available for process creation.
Check cgroup PID limits (containers):
cat /sys/fs/cgroup/pids.max 2>/dev/null cat /sys/fs/cgroup/pids.current 2>/dev/nullCheck security policies:
# SELinux ausearch -m avc -ts recent 2>/dev/null # seccomp grep -i seccomp /var/log/audit/audit.log 2>/dev/null | tail -5Increase process limits if needed:
sudo systemctl edit clickhouse-server # Add: # [Service] # LimitNPROC=65535 sudo systemctl restart clickhouse-server
Best Practices
- Validate all executable paths and permissions during deployment, before configuring them in ClickHouse.
- Set process limits high enough to accommodate both ClickHouse threads and any child processes.
- In containerized environments, ensure the PID cgroup limit accounts for child process spawning.
- Prefer native ClickHouse functionality over executable-based integrations where possible to avoid subprocess overhead.
- Log and alert on CANNOT_CREATE_CHILD_PROCESS errors as they often indicate systemic resource issues.
Frequently Asked Questions
Q: How is CANNOT_CREATE_CHILD_PROCESS different from CANNOT_FORK?
A: While both relate to process creation failures, CANNOT_FORK specifically indicates the fork() system call failed. CANNOT_CREATE_CHILD_PROCESS can cover a broader range of failures in the process creation pipeline, including issues that occur after forking but before the child process begins execution.
Q: Can this error occur without using executable UDFs?
A: It is uncommon but possible. Some ClickHouse integrations or internal operations may need to spawn processes. However, the vast majority of cases involve executable UDFs, table functions, or dictionary sources.
Q: Will this error affect data integrity?
A: No. This error only prevents the creation of child processes. It does not affect data stored in ClickHouse tables or ongoing write operations that do not involve external processes.
Q: How can I prevent this error in production?
A: Set generous process limits, ensure ample system memory, and thoroughly test external programs before deploying them. Monitoring process counts and memory usage will help you catch resource pressure early.
