Containers with "restart: always" and shared network namespace may fail to start with "cannot join network namespace of a non running container" #50326
Description
Description
When using the restart: always policy in combination with network_mode: "container:<container_name>", containers can fail to start after a reboot or Docker daemon restart if the target container is not yet running. This results in errors like:
Error response from daemon: cannot join network namespace of a non running container: container <container_name> is exited
This seems to be a race condition depending on the startup order of containers after a system reboot or Docker restart. Even with restart: always, containers relying on another container’s network namespace may end up permanently exited unless manually restarted.
Reproduce
- Create a "network host" container:
services:
net-host:
image: alpine
command: sleep infinity
restart: always
- Create another container that uses the first container’s network namespace:
services:
net-client:
image: alpine
command: sleep infinity
network_mode: "container:net-host"
restart: always
-
Deploy the stack or start both containers with Docker Compose or manually.
-
Reboot the host or restart the Docker daemon:
sudo systemctl restart docker
Expected behavior
All containers with restart: always should come back up reliably, respecting dependencies implied by network_mode.
docker version
Client: Docker Engine - Community
Version: 28.3.1
API version: 1.51
Go version: go1.24.4
Git commit: 38b7060
Built: Wed Jul 2 20:56:22 2025
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 28.3.1
API version: 1.51 (minimum version 1.24)
Go version: go1.24.4
Git commit: 5beb93d
Built: Wed Jul 2 20:56:22 2025
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.27
GitCommit: 05044ec0a9a75232cad458027ca83437aae3f4da
runc:
Version: 1.2.5
GitCommit: v1.2.5-0-g59923ef
docker-init:
Version: 0.19.0
GitCommit: de40ad0docker info
Client: Docker Engine - Community
Version: 28.3.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.25.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.38.1
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 5
Running: 4
Paused: 0
Stopped: 1
Images: 38
Server Version: 28.3.1
Storage Driver: overlayfs
driver-type: io.containerd.snapshotter.v1
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
runc version: v1.2.5-0-g59923ef
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.8.0-60-generic
Operating System: Ubuntu 22.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.02GiB
Name: adrien-Latitude-5420
ID: RGG6:FFJ6:VQQE:4GZH:AJCY:YEHD:ZMEW:47X4:KEBD:NAJZ:265M:BCFE
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: falseAdditional Info
No response