[BUG] <title>Docker Engine 28.x regression in IP to interface assignment

[kmo7]

Description

Description

This is a critical bug for Linux containers that use multiple ethernet ports. The issue is each time Docker Compose is invoked, it assigns the IP addresses to the lexically ordered interface names in the associated container in a haphazard order and not in accordance with the YAML file. For example, it can assign eth1's IP to eth2, eth2's IP to eth4 etc. This also means directly connected containers in the YAML file can not ping between interfaces that are supposed to be connected correctly per the YAML file.

Contacted Docker Support, they confirmed the issue and asked me to open a case on Git Hub, so here is the info. Including a simple Docker Compose YAML file that shows the issue with a single generic alpine container. In both cases (working and not), using the following docker compose version so it is not the docker compose that is at fault here:

Docker Compose version v2.35.1

Steps to Reproduce

1. Environment

Any 28.x Docker version I have tried has this issue. You can go to the latest 28.x Docker Engine as well and you will see the issue.

docker version
Client: Docker Engine - Community
Version: 28.0.4
API version: 1.48
Go version: go1.23.7
Git commit: b8034c0
Built: Tue Mar 25 15:07:16 2025
OS/Arch: linux/amd64
Context: default

Server: Docker Engine - Community
Engine:
Version: 28.0.4
API version: 1.48 (minimum version 1.24)
Go version: go1.23.7
Git commit: 6430e49
Built: Tue Mar 25 15:07:16 2025
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.27
GitCommit: 05044ec0a9a75232cad458027ca83437aae3f4da
runc:
Version: 1.2.5
GitCommit: v1.2.5-0-g59923ef
docker-init:
Version: 0.19.0
GitCommit: de40ad0

The issue happens on both Ubuntu 24.04 and 22.04 LTS versions

2. Configuration

This simplified Docker Compose YAML can be used to see the issue, showing a single container here for simplicity:

services:
cAlpine1:
image: 'alpine:latest'
container_name: alpine1
hostname: alpine1
command: ["/bin/sh", "-c", "while true; do echo 'Infinite loop!'; sleep 5; done"]
privileged: true
networks:
eth0:
ipv4_address: 10.0.1.2
eth1:
ipv4_address: 10.1.1.2
eth2:
ipv4_address: 10.2.1.2
eth3:
ipv4_address: 10.3.1.2
networks:
eth0:
name: eth0
driver: bridge
ipam:
driver: default
config:
- subnet: 10.0.1.0/24
eth1:
name: eth1
driver: bridge
ipam:
driver: default
config:
- subnet: 10.1.1.0/24
eth2:
name: eth2
driver: bridge
ipam:
driver: default
config:
- subnet: 10.2.1.0/24
eth3:
name: eth3
driver: bridge
ipam:
driver: default
config:
- subnet: 10.3.1.0/24

3. Command

docker compose -f single-alpine-compose.yaml up -d
docker container ls
docker network ls
docker exec -ti alpine1 ash
ip address

4. Result/Error
You may have to try this a couple of times, but the problem is easily reproducable. Have not seen it take more than 3 times.

Below shows that eth0 got the IP address for eth1, eth1 got the IP address for eth2, eth2 got the IP address for eth3, eth3 got the IP address for eth0. There is no predictability here, on different runs, different out of order assignments are done. The docker network ls always shows the networks in correct lexical order (see later below)

docker exec -ti alpine1 ash
/ # ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether ca:00:9f:52:47:a3 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.2/24 brd 10.1.1.255 scope global eth0
valid_lft forever preferred_lft forever
3: eth1@if24: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 3a:ad:30:86:56:84 brd ff:ff:ff:ff:ff:ff
inet 10.2.1.2/24 brd 10.2.1.255 scope global eth1
valid_lft forever preferred_lft forever
4: eth2@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 06:15:e4:ed:b0:b8 brd ff:ff:ff:ff:ff:ff
inet 10.3.1.2/24 brd 10.3.1.255 scope global eth2
valid_lft forever preferred_lft forever
5: eth3@if26: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 92:09:2a:a8:ea:8e brd ff:ff:ff:ff:ff:ff
inet 10.0.1.2/24 brd 10.0.1.255 scope global eth3
valid_lft forever preferred_lft forever
/ #

# docker network ls
NETWORK ID NAME DRIVER SCOPE
fab4d00f70ab bridge bridge local
c8685fe7287c eth0 bridge local
d2dcffbce587 eth1 bridge local
b7bff14d2235 eth2 bridge local
156428999cc7 eth3 bridge local
5ad3a22e4929 host host local
295b8976dbd1 none null local

Steps To Reproduce

1- Use the docker compose up command shown to create the alpine1 container:
docker compose -f single-alpine-compose.yaml up -d

2- Enter the alpine container:
docker exec -ti alpine1 ash

3- Run the following command inside alpine1 to see the IP address assigned to each of eth0 - eth3 and see that they do not match the YAML file.
/ # ip address

Compose Version

# docker compose version
Docker Compose version v2.34.0

Docker Environment

**This issue also happened on 28.1.1-1, 28.1.0**

# docker info
Client: Docker Engine - Community
 Version:    28.0.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.22.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.34.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 1
  Paused: 0
  Stopped: 1
 Images: 5
 Server Version: 28.0.4
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
 runc version: v1.2.5-0-g59923ef
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-57-generic
 Operating System: Ubuntu 24.04.2 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 56
 Total Memory: 251.8GiB
 Name: q-jlab-05a
 ID: c67cc920-990c-47dd-8ada-8f5b259a2259
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

Anything else?

No response

[kmo7]

single-alpine-compose.yaml.txt

uploaded the yaml file via attachment as the web formatting in the case itself for this file is messed up (even though it shows it correctly formatted in "edit" mode).

[kmo7]

Had accidentally closed this issue. Reopening it. This is a critical issue for anyone who uses Docker for containers that are virtual routers, including from various commercial networking companies. (I work for one). It makes such containers undeployable. I am hoping Docker developers take this seriously and fix it, it is easily reproducable.

[ndeloof]

This has been addressed with the introduction of interface_name: https://github.com/compose-spec/compose-spec/blob/main/05-services.md#interface_name

see #12740 (comment) for an example using a driver label to do the same if you can't wait for next release

[kmo7]

I verified the fix for the following case also fixes this current case. Some followup questions please.
#12740

The Docker engine versions I verified on a Linux 24.04 server are:
Version: 28.0.4
API version: 1.48
Go version: go1.23.7
Git commit: b8034c0
Built: Tue Mar 25 15:0

And this 27 release, which does not need the fix, but to make sure that it can use the same comopose file with the fix for 28.0.4 as well.
Client: Docker Engine - Community
Version: 27.5.1
API version: 1.47
Go version: go1.22.11
Git commit: 9f9e405
Built: Wed Jan 22 13:41:48 2025
OS/Arch: linux/amd64
Context: default

The follow up questionscomments:

1- Can you please confirm the above fix for the 12740 case will continue working even after the fix for this current case is released? The reason is we have no control as to which version of Docker Engine our customers use, and thus we need to supply a universal solution to them.

2- Will the fix for case 12740 work on earlier releases of 28.x as well? (it seems it does, as the 28.0.4 version is from March. please confirm).

3- Can you please notify on this current case when the fix you mentioned above is released? Will that fix also be backward compatible with older versions of Docker ie. act as a benign NOP and be ignored on the older releases of Docker so we can use the same YAML file?

[robmry]

1- Can you please confirm the above fix for the 12740 case will continue working even after the fix for this current case is released? The reason is we have no control as to which version of Docker Engine our customers use, and thus we need to supply a universal solution to them.

The Docker Engine API won't change - the new "interface_name" field will translate to the "com.docker.network.endpoint.ifname" driver label inside compose.

So, the example @ndeloof linked to in #12740 (comment) will continue to work after the "interface_name" field has been added to compose.

2- Will the fix for case 12740 work on earlier releases of 28.x as well? (it seems it does, as the 28.0.4 version is from March. please confirm).

Driver label "com.docker.network.endpoint.ifname" was added in Docker Engine (moby) 28.0.0,
moby/moby#49155.

3- Can you please notify on this current case when the fix you mentioned above is released? [...]

@ndeloof will know - but, older versions of compose won't recognise "interface_name". So, unless you control which version of compose your customers use, you should stick with the "com.docker.network.endpoint.ifname" driver label. (So, don't wait for the new compose release, and don't change your compose file once it has been released.)

[...] Will that fix also be backward compatible with older versions of Docker ie. act as a benign NOP and be ignored on the older releases of Docker so we can use the same YAML file?

Yes, older versions of Docker Engine will just ignore the "com.docker.network.endpoint.ifname" driver label.

[kmo7]

Thank you Rob. Will keep using the fix for #12740 then for all releases of Docker.
I have one further request please. Can the Docker team add a regression test for this issue and check that the issue is not re-introduced before future Docker minor/major releases? It is simple to do w/ a single Alpine container with multiple ethernet ports attached to it on Linux.

Besides us, many major networking companies have multiple ethernet port routers that are containerized for ease of testing/integration into their networks, and the bug mentioned in this case, would break any such containers. Thank you and the Docker support team, ndeloof for addressing this

[robmry]

You'll find Docker Engine's tests for the new "ifname" label in the moby PR I linked above - and Compose's tests for its new "interface_name" field in its PRs (linked from #12740).

[kmo7]

Thanks Rob. In addition to the integration tests mentioned in those links, does it make sense to have an actual "multi-port networking" integration test that is run for EVERY future Docker code commit to this area? The test would be to just spin a single Alpine container with a YAML file like the one I had attached (w/ the addition of the endpoint API from the #12740 solution).

The integration tests you mentioned might be doing this, but from their description it was not clear to me that they are doing it for this specific use case too and also whether it was just a one time test before the associated commit went in, or one that will be done each time there is a change in this area.

[robmry]

The regression tests added in moby/moby#49155 check that interface names in container can be configured.

All of the regression tests run automatically and must pass before any new PR is merged. They run again on the master branch after the merge. Individual tests run several times in each regression run, covering different OSs and host configurations. You can see test results on the PRs themselves.

The issue you had was not with the new interface-naming feature. It was that, before the feature was added, there was no way to control the order of interface name assignment. So, I don't see a reason to put interface naming tests in a loop; if an interface name can be configured for one container, it can be configured for another.

[kmo7]

Thank you, Rob. Since this broke container deployment completely for us, I want to follow up on this till we are both agreed please. Our containers are used by thousands of customers and we are reliant on Docker for many deployments. I do realize the issue was about the ordering, of course. About this: “The issue you had was not with the new interface-naming feature. It was that, before the feature was added, there was no way to control the order of interface name assignment. So, I don't see a reason to put interface naming tests in a loop; if an interface name can be configured for one container, it can be configured for another.” But this issue does not happen in Docker Engine 27.5.1 or other 27.x versions we tried before this feature was introduced, so this implies it is the interface naming feature that introduced it. I was not suggesting that the tests be on a multiple container compose file. The example I had attached was just one container with 3 interfaces, I was deploying it repeatedly to see if the IP to interface tuples were assigned properly. So, I am just doing due diligence here, till we are both convinced that the level of integration testing added will catch such issues in the future. Actually we HAD seen this a year or so ago, in our internal testing, but that server was decommissioned so I can not go back and see the Docker version on it, and retry it. At that time, a combination of lexical naming of interfaces and the “priority” field solved it and we did not see it again till 28.x came out. There was info on stack exchange etc back then that suggested using the priority field as well to ensure this issue does not happen. That theory no longer worked in 28.x, so I followed up w/ your support team, who sent me documentation indication priority field has a different purpose (at least now). Unfortunately, Docker documentation is not versioned to indicate which release(s) it pertains to, so there is no way to know for external users if what field X meant a year ago, is what it means today. Having version controlled documentation would be of great benefit for users. This was another request I had made of Docker support team. Thank you for the continuing discussion on this. My intention is to make this completely solid for all customers and to raise awareness that many networking vendors use multi ethernet port containers. We can also have a phone conversation with you, to conclude on this if you like. The internal Docker case for this is 00145095, where you can find my work email info. Juniper Business Use Only From: Rob Murray ***@***.***> Sent: Thursday, May 1, 2025 1:58 AM To: docker/compose ***@***.***> Cc: Kaveh Moezzi ***@***.***>; State change ***@***.***> Subject: Re: [docker/compose] [BUG] <title>Docker Engine 28.x regression in IP to interface assignment (Issue #12776) [External Email. Be cautious of content] [Image removed by sender.]robmry left a comment (docker/compose#12776)<https://urldefense.com/v3/__https:/github.com/docker/compose/issues/12776*issuecomment-2844410719__;Iw!!NEt6yMaO-gk!GX9TPO4WBZHOvMeTpWm9O2ZqrDRKslNBi2kQr_d1Cm3cZuzf1_deeNn7AEQO4IgWcaxDMznQ5SP8ckqXHjmO2gkDgQ$> The regression tests added in moby/moby#49155<https://urldefense.com/v3/__https:/github.com/moby/moby/pull/49155__;!!NEt6yMaO-gk!GX9TPO4WBZHOvMeTpWm9O2ZqrDRKslNBi2kQr_d1Cm3cZuzf1_deeNn7AEQO4IgWcaxDMznQ5SP8ckqXHjmOQKDRJA$> check that interface names in container can be configured. All of the regression tests run automatically and must pass before any new PR is merged. They run again on the master branch after the merge. Individual tests run several times in each regression run, covering different OSs and host configurations. You can see test results on the PRs themselves. The issue you had was not with the new interface-naming feature. It was that, before the feature was added, there was no way to control the order of interface name assignment. So, I don't see a reason to put interface naming tests in a loop; if an interface name can be configured for one container, it can be configured for another. — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/docker/compose/issues/12776*issuecomment-2844410719__;Iw!!NEt6yMaO-gk!GX9TPO4WBZHOvMeTpWm9O2ZqrDRKslNBi2kQr_d1Cm3cZuzf1_deeNn7AEQO4IgWcaxDMznQ5SP8ckqXHjmO2gkDgQ$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/AVFQEDN5HIH75DRIO4BOEZ324HO2RAVCNFSM6AAAAAB32PYLN2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQNBUGQYTANZRHE__;!!NEt6yMaO-gk!GX9TPO4WBZHOvMeTpWm9O2ZqrDRKslNBi2kQr_d1Cm3cZuzf1_deeNn7AEQO4IgWcaxDMznQ5SP8ckqXHjmdbpXd5w$>. You are receiving this because you modified the open/close state.Message ID: ***@***.***>