Overlay networks get automatically created in overlapping segments

[tlex]

Description

With the upgrade to 27.0, the behavior documented here is not respected anymore:

Network subnets will be allocated sequentially from the IP pool space and subnets will be reused as they are deallocated from networks that are deleted.

For this, I have created three networks, using the same options, and all three received the same subnet. This does not happen on 26.x

Reproduce

e@de-prod01-master01:~$ for i in 1 2 3; do docker network create --attachable --internal --scope swarm --driver overlay test$i; done
g588vuulkqzzcrp7pw6pvniy0
idl2b9homr4gsb4vf38f8w53k
hox7ulbdfnjfds0tbqpgf8yc3
e@de-prod01-master01:~$ for i in $(docker network ls --format='{{.ID}}' --filter scope=swarm); do docker network inspect $i|jq '.[] | "Name=\(.Name) Network=\(.IPAM.Config[].Subnet)"'; done|grep test
"Name=test1 Network=10.0.12.0/24"
"Name=test2 Network=10.0.12.0/24"
"Name=test3 Network=10.0.12.0/24"
e@de-prod01-master01:~$ 

Expected behavior

The same behavior as on 26.x:

e@de-sup02-master01:~$ for i in 1 2 3; do docker network create --attachable --internal --scope swarm --driver overlay test$i; done
cwfxdixoowewxuovvriyizheg
udz18nedz2rd1xb63kbqz17tx
vy5ncd7qj7445ks5tiwvz25vn
e@de-sup02-master01:~$ for i in $(docker network ls --format='{{.ID}}' --filter scope=swarm); do docker network inspect $i|jq '.[] | "Name=\(.Name) Network=\(.IPAM.Config[].Subnet)"'; done|grep test
"Name=test1 Network=10.0.88.0/24"
"Name=test2 Network=10.0.89.0/24"
"Name=test3 Network=10.0.90.0/24"

docker version

e@de-prod01-master01:~$ docker version
Client: Docker Engine - Community
 Version:           27.0.1
 API version:       1.46
 Go version:        go1.21.11
 Git commit:        7fafd33
 Built:             Mon Jun 24 14:57:52 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.0.1
  API version:      1.46 (minimum version 1.24)
  Go version:       go1.21.11
  Git commit:       ff1e2c0
  Built:            Mon Jun 24 14:57:52 2024
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.7.18
  GitCommit:        ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
 runc:
  Version:          1.7.18
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

e@de-prod01-master01:~$ docker info
Client: Docker Engine - Community
 Version:    27.0.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.15.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.28.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 6
  Running: 6
  Paused: 0
  Stopped: 0
 Images: 6
 Server Version: 27.0.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: xw340dnn8msah40mvtmnywe1o
  Is Manager: true
  ClusterID: z9vyyjrxrpw0sug4fw23ghw1l
  Managers: 3
  Nodes: 12
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 10.30.0.50
  Manager Addresses:
   10.30.0.50:2377
   10.30.1.51:2377
   10.30.2.50:2377
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-1020-aws
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.43GiB
 Name: de-prod01-master01
 ID: 99f62d0d-db5c-40f0-a7aa-db082179eb34
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http://proxy.int.infra.[redacted].com:3128/
 HTTPS Proxy: http://proxy.int.infra.[redacted].com:3128/
 No Proxy: *.docker.com,*.docker.io,*.elastic.co
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

This happens also with networks defined in stack files.

Possible workarounds:

• downgrade
• define the subnet manually

[thaJeztah]

Thanks for reporting; this looks to be an issue on the daemon side, not the CLI; possibly related to this ticket; moby/moby#48069

Could you open this ticket in the https://github.com/moby/moby/issues issue tracker, where the code for the daemon is maintained?

[thaJeztah]

Discussed with @robmry (who's looking into moby/moby#48069), and we're pretty sure it's the same issue, so let me close this ticket as a duplicate of moby/moby#48069

[robmry]

The issue I'm looking at will happen when there's a mix of network creation/deletion - I don't think it can happen when networks are only created on a newly started docker with no networks (or created then all deleted, or deleted strictly in reverse order of creation).

If this doesn't fit with what you're seeing, please let me know.