diff --git a/server/container_create.go b/server/container_create.go
index 2e096cdf13ac..361947ff2fcb 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -395,10 +395,6 @@ func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, ociConfig *v1.
 		}
 	}
 
-	if len(kubeCommands) == 0 && len(kubeArgs) == 0 {
-		return nil, fmt.Errorf("no command specified")
-	}
-
 	processArgs := append(kubeCommands, kubeArgs...)
 
 	logrus.Debugf("OCI process args %v", processArgs)
@@ -1160,39 +1156,52 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	}
 
 	processArgs := []string{}
-	if containerImageConfig != nil {
-		processArgs, err := buildOCIProcessArgs(containerConfig, &containerImageConfig.Config)
-		if err != nil {
-			return nil, err
-		}
+	if containerImageConfig == nil {
+		processArgs, err = buildOCIProcessArgs(containerConfig, nil)
+	} else {
+		processArgs, err = buildOCIProcessArgs(containerConfig, &containerImageConfig.Config)
 	}
-	specgen.SetProcessArgs(processArgs)
-
-	envs := mergeEnvs(containerImageConfig, containerConfig.GetEnvs())
-	for _, e := range envs {
-		parts := strings.SplitN(e, "=", 2)
-		specgen.AddProcessEnv(parts[0], parts[1])
+	if err != nil {
+		return nil, err
 	}
+	if len(processArgs) == 0 {
+		specgen.Spec().Process = nil
+	} else {
+		specgen.SetProcessArgs(processArgs)
 
-	// Set working directory
-	// Pick it up from image config first and override if specified in CRI
-	containerCwd := "/"
-	if containerImageConfig != nil {
-		imageCwd := containerImageConfig.Config.WorkingDir
-		if imageCwd != "" {
-			containerCwd = imageCwd
+		envs := mergeEnvs(containerImageConfig, containerConfig.GetEnvs())
+		for _, e := range envs {
+			parts := strings.SplitN(e, "=", 2)
+			specgen.AddProcessEnv(parts[0], parts[1])
 		}
-	}
-	runtimeCwd := containerConfig.WorkingDir
-	if runtimeCwd != "" {
-		containerCwd = runtimeCwd
-	}
-	specgen.SetProcessCwd(containerCwd)
-	if err := setupWorkingDirectory(mountPoint, mountLabel, containerCwd); err != nil {
-		if err1 := s.StorageRuntimeServer().StopContainer(containerID); err1 != nil {
-			return nil, fmt.Errorf("can't umount container after cwd error %v: %v", err, err1)
+
+		// Set working directory
+		// Pick it up from image config first and override if specified in CRI
+		containerCwd := "/"
+		if containerImageConfig != nil {
+			imageCwd := containerImageConfig.Config.WorkingDir
+			if imageCwd != "" {
+				containerCwd = imageCwd
+			}
+		}
+		runtimeCwd := containerConfig.WorkingDir
+		if runtimeCwd != "" {
+			containerCwd = runtimeCwd
+		}
+		specgen.SetProcessCwd(containerCwd)
+		if err := setupWorkingDirectory(mountPoint, mountLabel, containerCwd); err != nil {
+			if err1 := s.StorageRuntimeServer().StopContainer(containerID); err1 != nil {
+				return nil, fmt.Errorf("can't umount container after cwd error %v: %v", err, err1)
+			}
+			return nil, err
+		}
+
+		// Setup user and groups
+		if linux != nil {
+			if err = setupContainerUser(&specgen, mountPoint, linux.GetSecurityContext(), containerImageConfig); err != nil {
+				return nil, err
+			}
 		}
-		return nil, err
 	}
 
 	var secretMounts []rspec.Mount
@@ -1225,13 +1234,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		return nil, err
 	}
 
-	// Setup user and groups
-	if linux != nil {
-		if err = setupContainerUser(&specgen, mountPoint, linux.GetSecurityContext(), containerImageConfig); err != nil {
-			return nil, err
-		}
-	}
-
 	// Set up pids limit if pids cgroup is mounted
 	_, err = cgroups.FindCgroupMountpoint("pids")
 	if err == nil {