Describe the bug
The Docker package docker-25.0.16-1.amzn2023.0.1 introduces a network issue when utilizing a container that attempts to attach to multiple networks.
In our case, the problem was discovered when a containerized WireGuard system stopped working after the upgrade of the docker package to docker-25.0.16-1.amzn2023.0.1.
Upon startup, the container exits with the following error (x's are redactions):
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running prestart hook #0: exit status 1, stdout: , stderr: failed to add interface veth6fxxxxx to sandbox: error setting interface "veth6fxxxxxx" IP to 172.17.0.3/16: **_cannot program address 172.17.0.3/16 in sandbox interface because it conflicts with existing route_** {Ifindex: 84 Dst: 0.0.0.0/0 Src: <nil> Gw: 10.x.x.x Flags: [] Table: 254 Realm: 0}: unknown
To Reproduce
I created this test script. It should run to completion:
Package: docker-25.0.14-1.amzn2023.0.6
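```bash
#!/usr/bin/env bash
# Create two user-defined bridge networks.
docker network create foo
docker network create bar
# Start a container attached to the first network only.
docker run -d -it --name test-1092165 --network foo alpine sh
# Attach the running container to the second network (the step that fails).
docker network connect bar test-1092165
sleep 5
# Clean up the container and both networks.
docker stop test-1092165
docker container rm test-1092165
docker network rm bar
docker network rm foo
```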
Package installed: docker-25.0.16-1.amzn2023.0.1
Generates error:
Error response from daemon: failed to add interface veth95c26b1 to sandbox: error setting interface "veth95c26b1" IP to 172.19.0.2/16: cannot program address 172.19.0.2/16 in sandbox interface because it conflicts with existing route {Ifindex: 50 Dst: 0.0.0.0/0 Src: <nil> Gw: 172.18.0.1 Flags: [] Table: 254 Realm: 0}
Expected behavior
2nd Network should be able to attach.
Additional context
Problem was eliminated by downgrading to docker-25.0.14-1.amzn2023.0.6
This problem seems to be a known issue that was also found in the Debian Docker package: moby/moby#49197
The fix for the Debian package is discussed extensively here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092165
From that discussion, it appears to be an issue with the github.com/vishvananda/netlink library that happened in v1.2.1 - v1.3. That issue and the specific Debian package patch can be found in the bug ticket.
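Added example, not part of the original report and not code from Docker or Amazon Linux: a triage helper that pulls the interface, address and gateway out of this error text and keeps only conflicts against the default route (`Dst: 0.0.0.0/0`), which is what both messages in the report show. It assumes IPv4 and that the input contains the error as the Docker CLI prints it; the function names and the second and third sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample input: line 1 is the error text quoted in the report,
# lines 2 and 3 are made-up messages used to exercise the filter.
sample_log() {
cat <<'EOF'
Error response from daemon: failed to add interface veth95c26b1 to sandbox: error setting interface "veth95c26b1" IP to 172.19.0.2/16: cannot program address 172.19.0.2/16 in sandbox interface because it conflicts with existing route {Ifindex: 50 Dst: 0.0.0.0/0 Src: <nil> Gw: 172.18.0.1 Flags: [] Table: 254 Realm: 0}
Error response from daemon: network bar not found
Error response from daemon: failed to add interface veth0000000 to sandbox: error setting interface "veth0000000" IP to 10.0.0.2/24: cannot program address 10.0.0.2/24 in sandbox interface because it conflicts with existing route {Ifindex: 7 Dst: 10.0.0.0/24 Src: <nil> Gw: <nil> Flags: [] Table: 254 Realm: 0}
EOF
}

# Print "iface addr route_dst gw" for every route-conflict error on stdin.
# Lines that do not carry the full error text are dropped.
parse_route_conflicts() {
  sed -nE 's#.*error setting interface "([^"]+)" IP to ([0-9.]+/[0-9]+): cannot program address .* conflicts with existing route \{Ifindex: [0-9]+ Dst: ([^ ]+) Src: [^ ]+ Gw: ([^ ]+) .*#\1 \2 \3 \4#p'
}

# Keep only conflicts reported against the default route, the pattern seen
# in the report. Output columns: iface addr gw.
default_route_conflicts() {
  parse_route_conflicts | awk '$3 == "0.0.0.0/0" { print $1, $2, $4 }'
}

# Number of matching errors, for a per-host yes/no check.
count_default_route_conflicts() {
  default_route_conflicts | wc -l | tr -d ' '
}

# Demo on the constructed sample.
sample_log | default_route_conflicts
```

To check a real host, pipe captured CLI or deployment output into `default_route_conflicts` in place of `sample_log`.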