Update service with --network=host failed

[AntaresS]

Expected behavior

After doing docker service update --network-add=host <service_name>, expect to see an updated service.

Actual behavior

The updated service stops working.

Information

Detailed output:

[vagrant@node1 ~]$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
6vfwdwzotefb upbeat_jang replicated 1/1 nginx:latest
vwup9138xgc6 gifted_archimedes replicated 0/1 nginx:latest
[vagrant@node1 ~]$ docker service ps gifted_archimedes
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
kyw8hou52ccw gifted_archimedes.1 nginx:latest node1 Ready Rejected 3 seconds ago "container sharing network nam…"
ta1wpu2absrg _ gifted_archimedes.1 nginx:latest node3 Shutdown Rejected less than a second ago "container sharing network nam…"
kbm3hx0z9i6k _ gifted_archimedes.1 nginx:latest node2 Shutdown Rejected less than a second ago "container sharing network nam…"
r4277pb2x9ph _ gifted_archimedes.1 nginx:latest node3 Shutdown Rejected less than a second ago "container sharing network nam…"
et9q62egsfqs _ gifted_archimedes.1 nginx:latest node2 Shutdown Rejected less than a second ago "container sharing network nam…"

vagrant@node1 ~]$ docker network inspect host
[
{
"Name": "host",
"Id": "ef2c967262ac9d42266a32aecb7a69e26e779869762d2dba6a795194da0f03f4",
"Created": "2017-06-15T18:42:55.682777743Z",
"Scope": "local",
"Driver": "host",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": []
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]

[vagrant@node1 ~]$ docker service inspect gifted_archimedes
[
{
"ID": "vwup9138xgc6p9bqywnt6h2w5",
"Version": {
"Index": 429
},
"CreatedAt": "2017-06-15T20:26:31.96374476Z",
"UpdatedAt": "2017-06-15T20:33:07.958068248Z",
"Spec": {
"Name": "gifted_archimedes",
"Labels": {},
"TaskTemplate": {
"ContainerSpec": {
"Image": "nginx:latest@sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268",
"StopGracePeriod": 10000000000,
"DNSConfig": {}
},
"Resources": {
"Limits": {},
"Reservations": {}
},
"RestartPolicy": {
"Condition": "any",
"Delay": 5000000000,
"MaxAttempts": 0
},
"Placement": {
"Platforms": [
{
"Architecture": "amd64",
"OS": "linux"
}
]
},
"Networks": [
{
"Target": "r6xaa5u2a2r3d4a2v5uashq3l"
},
{
"Target": "lfivxn3jkh6rzeiv7gad8fpzu"
},
{
"Target": "r6xaa5u2a2r3d4a2v5uashq3l"
}
],
"ForceUpdate": 0,
"Runtime": "container"
},
"Mode": {
"Replicated": {
"Replicas": 1
}
},
"UpdateConfig": {
"Parallelism": 1,
"FailureAction": "pause",
"Monitor": 5000000000,
"MaxFailureRatio": 0,
"Order": "stop-first"
},
"RollbackConfig": {
"Parallelism": 1,
"FailureAction": "pause",
"Monitor": 5000000000,
"MaxFailureRatio": 0,
"Order": "stop-first"
},
"EndpointSpec": {
"Mode": "vip"
}
},
"PreviousSpec": {
"Name": "gifted_archimedes",
"Labels": {},
"TaskTemplate": {
"ContainerSpec": {
"Image": "nginx:latest@sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268",
"DNSConfig": {}
},
"Resources": {
"Limits": {},
"Reservations": {}
},
"Placement": {
"Platforms": [
{
"Architecture": "amd64",
"OS": "linux"
}
]
},
"Networks": [
{
"Target": "lfivxn3jkh6rzeiv7gad8fpzu"
},
{
"Target": "r6xaa5u2a2r3d4a2v5uashq3l"
}
],
"ForceUpdate": 0,
"Runtime": "container"
},
"Mode": {
"Replicated": {
"Replicas": 1
}
},
"EndpointSpec": {
"Mode": "vip"
}
},
"Endpoint": {
"Spec": {
"Mode": "vip"
},
"VirtualIPs": [
{
"NetworkID": "lfivxn3jkh6rzeiv7gad8fpzu",
"Addr": "10.0.0.2/24"
},
{
"NetworkID": "r6xaa5u2a2r3d4a2v5uashq3l"
}
]
},
"UpdateStatus": {
"State": "paused",
"StartedAt": "2017-06-15T20:33:07.680917657Z",
"Message": "update paused due to failure or early termination of task zf03vakojzfpe9vds14nlxb12"
}
}
] ```


  - Linux distro: Vagrant
  - Docker CE version, can be found from output of `docker vesion`
    `17.06.0-ce-rc3`
  - A reproducible case if this is a bug, Dockerfiles FTW
  - Page URL if this is a docs issue or the name of a man page

### Steps to reproduce the behavior

  1. ...
  2. ...

[thaJeztah]

I think that's "expected", because the container can only be in a single networking namespace at a time; adding the host network will make docker attempt to put the container in the host's networking namespace, but that will conflict with the container already having its own namespace for the other networks.

ping @abh @fcrisciani we should check that when using host, that no other networks are allowed, and produce a sensible error

[trajano]

Can it somehow be routed so that we can be on host and overlay such that we can get the real IP since that's only possible on host network.

[mellertson]

Can it somehow be routed so that we can be on host and overlay such that we can get the real IP since that's only possible on host network.

It's like you were reading my mind, because I was wondering the same thing. 😄

[cpuguy83]

No you can't be on host and overlay because the host network is no network isolation.
If you want an IP on your physical network but also want to join other networks you may want to use macvlan or ipvlan drivers.

I'm going to close this as working as expected.

[trajano]

can an example be provided to show how to implement the user case using macvlan or ipvlan drivers with swarm as

• https://docs.docker.com/network/drivers/ipvlan/
• https://docs.docker.com/network/drivers/macvlan/

Does not specify anything for Swarm.

[cpuguy83]

Very last bit here: https://docs.docker.com/reference/cli/docker/network/create/#swarm-networks-with-local-scope-drivers

it's a rather small blurb, unfortunately.
The gist is, each node needs a config-only network (all with the same same name) then in your swarm-scope network you tell it to use the config from the config-only network.