Can no longer set an IP address inside of a subnet range when subnet range is larger than IP range

[kristof-mattei]

Description

Since v25 I am no longer able to attach a container to a network when the subnet is larger than the ip range, and when I set the container's IP to something inside of the subnet, but outside of the range:

Reproduce

1. docker network create foobar --subnet 10.0.0.0/16 --ip-range 10.0.1.0/24 --gateway 10.0.0.1
2. docker container create --network foobar --ip 10.0.0.100 ubuntu

Error response from daemon: invalid config for network foobar: invalid endpoint settings:
no configured subnet or ip-range contain the IP address 10.0.0.100

This worked on v24.

Expected behavior

I would be able to create a docker container inside of a network, inside of a subnet, but outside of the IP range.

The commands above work as-is in Docker v24.

docker version

❯ docker version
Client: Docker Engine - Community
 Version:           25.0.0
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        e758fe5
 Built:             Thu Jan 18 17:09:52 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.0
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       615dfdf
  Built:            Thu Jan 18 17:09:52 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.27
  GitCommit:        a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc:
  Version:          1.1.11
  GitCommit:        v1.1.11-0-g4bccb38
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

❯ docker info
Client: Docker Engine - Community
 Version:    25.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 3
  Running: 2
  Paused: 0
  Stopped: 1
 Images: 53
 Server Version: 25.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc version: v1.1.11-0-g4bccb38
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-14-generic
 Operating System: Ubuntu 23.10
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 31.23GiB
 Name: server
 ID: SK2U:TRJM:XP77:Z5A6:7H64:QLWY:A2TQ:3TSH:RVJD:T2FY:NTWL:KMFE
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: kristofmattei
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response

[basrieter]

Also my problem! This should be working right?

[thaJeztah]

Looks related to;

• Validate IPAM config before handing it over to libnetwork #45759

@akerouanton @corhere @robmry ptal

[basrieter]

I think so. And this is cause use a lot of pain at them moment. As we limit the Docker ip-addresses that are automatically generated (ipvlan) to a specific range, but set fixed IP addresses outside that range (but within the subnet). This is now no longer possible.

So we had to enlarged the range so for now we had to widen the --ip-range but this is causing IP collisions.

Any way to rollback to the prevous docker version on Linux?

[thaJeztah]

You can use your package manager (apt / yum) to install a specific version; see the "specific version" tabs for the distro you're using; e.g. for ubuntu; https://docs.docker.com/engine/install/ubuntu/#install-from-a-package

[corhere]

It's more likely related to:

• daemon: Improve NetworkingConfig & EndpointSettings validation #46183

[kristof-mattei]

I think so. And this is cause use a lot of pain at them moment. As we limit the Docker ip-addresses that are automatically generated (ipvlan) to a specific range, but set fixed IP addresses outside that range (but within the subnet). This is now no longer possible.

So we had to enlarged the range so for now we had to widen the --ip-range but this is causing IP collisions.

Any way to rollback to the prevous docker version on Linux?

The problem for me is I don't want to put them in the range. I want to give them a static IP address in a subnet. I consider the range to be the DHCP range.

I put them in the subnet to avoid other containers from accidentally taking the IP. Putting them on the high end means relying on an implementation detail that the assignment starts at the low end.

Reservations are ok but cumbersome.