Swarm scoped from config networks broken

[camhorn]

Description

Relates to --ipv4 switch in 28.0.0, via #5599.

Reproduce

Create a config only network and try to create a swarm scoped network from that config. Fail due to ipv4 validation.

E.g.,

$ docker network create -d macvlan --subnet 192.168.0.0/16 --ip-range=192.168.15.2/32 --gateway 192.168.0.1 -o parent=enP3p49s0 --ipv4 --config-only ipv4-config
888c07f76583fbde6a2b2482d512322102d0e01be0ca3c4fae463fce96f8a3ce
$ docker network create -d macvlan --scope swarm --attachable --config-from ipv4-config ipv4-swarm
Error response from daemon: IPv4 cannot be disabled in a Swarm scoped network
$ docker network create -d macvlan --scope swarm --attachable --ipv4=true --config-from ipv4-config ipv4-swarm
Error response from daemon: user specified configurations are not supported if the network depends on a configuration network

If the swarm network pre-exists from a previous docker version, it becomes invalid:

user specified configurations are not supported if the network depends on a configuration network

Expected behavior

Successful creation of swarm scoped from config networks.

docker version

Client: Docker Engine - Community
 Version:           28.0.0
 API version:       1.48
 Go version:        go1.23.6
 Git commit:        f9ced58
 Built:             Wed Feb 19 22:10:30 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          28.0.0
  API version:      1.48 (minimum version 1.24)
  Go version:       go1.23.6
  Git commit:       af898ab
  Built:            Wed Feb 19 22:10:30 2025
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.7.23
  GitCommit:        57f17b0a6295a39009d861b89e3b3b87b005ca27
 runc:
  Version:          1.1.14
  GitCommit:        v1.1.14-0-g2c9f560
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    28.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.33.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 30
  Running: 28
  Paused: 0
  Stopped: 2
 Images: 29
 Server Version: 28.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: loki
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: vrvkvx5w9fqkosuizauesvr0h
  Is Manager: true
  ClusterID: y0i8yilafuopkwyj3kucajbwu
  Managers: 5
  Nodes: 7
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 10 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.0.169
  Manager Addresses:
   192.168.0.11:2377
   192.168.0.169:2377
   192.168.0.171:2377
   192.168.0.172:2377
   192.168.0.211:2377
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 57f17b0a6295a39009d861b89e3b3b87b005ca27
 runc version: v1.1.14-0-g2c9f560
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.9.3-76060903-generic
 Operating System: Pop!_OS 22.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 48
 Total Memory: 47.02GiB
 Name: system76-pc
 ID: b0f9c591-cc20-47d1-b55b-424e1637c46f
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: true
 Insecure Registries:
  murderbot.local:5055
  svc.lan:5055
  svc.lan:5056
  system76-pc.local:5055
  ::1/128
  127.0.0.0/8
 Registry Mirrors:
  http://system76-pc.local:5055/
  http://murderbot.local:5055/
 Live Restore Enabled: false

Additional Info

No response

[robmry]

Hi @camhorn - thank you for reporting this ... I'll take a look.

[gustafssone]

+1

[blubitv]

+1

moreover if you try to create a network directly (not from config), subnet is ignored.

e.g.
docker network create -d macvlan --scope swarm --ipv4 --subnet 192.168.0.0/24 --ip-range 192.168.0.40/29 --gateway=192.168.0.1 -o parent=ens160 -o com.docker.network.enable_ipv4=true testmvl

works, but any containers attached to this network will have an IP address from 172.19.0.0/16

[robmry]

moreover if you try to create a network directly (not from config), subnet is ignored.

e.g. docker network create -d macvlan --scope swarm --ipv4 --subnet 192.168.0.0/24 --ip-range 192.168.0.40/29 --gateway=192.168.0.1 -o parent=ens160 -o com.docker.network.enable_ipv4=true testmvl

works, but any containers attached to this network will have an IP address from 172.19.0.0/16

Thank you @blubitv ... that's surprising to me, and 27.5.1 seems to do the same thing.

I've traced it through to a point, but haven't yet figured out where the IPAM config goes missing. It's possible there's a swarm-reason for it - it'll need some more time and perhaps a swarm-guru to take a look.

So, I'd like to treat this as a separate issue ... please could you re-raise it in the moby project at https://github.com/moby/moby/issues ? (No problem if not, I can do it.)

(I think I have fixes for the --config-from issue, I'll start the tests running in a new PR shortly.)

[thaJeztah]

A fix for this was merged in moby/moby#49521, and will be part of the upcoming v28.0.1 patch release; thanks again for reporting!