Swarm overlay IPv6 subnet cannot be allocated (invalid Prefix / inconsistent pool handling) in Docker 29.4.1

[vingarzan]

Description

Hey folks!

I am trying to create an overlay network with IPv6 support results in incomplete initialization. Am I doing something wrong, or is this explicitly not supported? Or maybe IPv6 is supported, but not IPAM and I would have to deal myself with that for now?

If I try without specifying a subnet, I get EnableIPv6 but no subnet. When I try with subnet I get one of 3 errors:

• Failed to find network
• Pool overlaps with other one on this address space
• cannot find address pool

Cheers!
-Dragos

Reproduce

1. docker swarm init --advertise-addr fdbf:993c:3b9:0:21b:21ff:febc:102c
   ... works ...

2. Make an overlay network, with IPv6 enabled

docker network create \
    --driver overlay \
    --attachable \
    --ipv6 \
    ovl-test
  iaplxqscyhjljj89gxd7qfpbb

> docker network ls
NETWORK ID     NAME              DRIVER    SCOPE
4e2d94811029   bridge            bridge    local
ab8c8d02aacb   docker_gwbridge   bridge    local
c6c766f9f3f2   host              host      local
lme3wha6q57t   ingress           overlay   swarm
a8fdd26f4619   none              null      local
iaplxqscyhjl   ovl-test          overlay   swarm

> docker network inspect ovl-test
[
    {
        "Name": "ovl-test",
        "Id": "iaplxqscyhjljj89gxd7qfpbb",
        "Created": "2026-04-28T09:04:24.392769918Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv4": true,
        "EnableIPv6": true,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "10.0.1.0/24",
                    "Gateway": "10.0.1.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4097"
        },
        "Labels": null,
        "Containers": {},
        "Status": {
            "IPAM": {
                "Subnets": {
                    "10.0.1.0/24": {
                        "IPsInUse": 3,
                        "DynamicIPsAvailable": 253
                    }
                }
            }
        }
    }
]

--> EnableIPv6=true
--> (issue) IPAM - No IPv6 subnets?

3. Make an overlay network, with IPv6 enabled and a subnet specified (outside the daemon.json configuration)

> docker network create \
  --driver overlay \
  --attachable \
  --ipv6 \
  --subnet fd42:1234:5678:1::/64 \
  --gateway fd42:1234:5678:1::1 \
  ovl-test
e8dojebxiefo0rvbgtvcao4d1

> docker network ls 
NETWORK ID     NAME              DRIVER    SCOPE
4e2d94811029   bridge            bridge    local
ab8c8d02aacb   docker_gwbridge   bridge    local
c6c766f9f3f2   host              host      local
lme3wha6q57t   ingress           overlay   swarm
a8fdd26f4619   none              null      local
e8dojebxiefo   ovl-test                    swarm

> docker network inspect ovl-test
[]
Error response from daemon: network ovl-test not found

Also observed in syslog:

Apr 28 11:07:08 kermit dockerd[1580178]: time="2026-04-28T11:07:08.350175525+02:00" level=error msg="Failed to find network iaplxqscyhjljj89gxd7qfpbb on node ab8gmawmd9rym7dtf8yc6bc3t" module=node node.id=ab8gmawmd9rym7dtf8yc6bc3t
Apr 28 11:07:57 kermit dockerd[1580178]: time="2026-04-28T11:07:57.062690992+02:00" level=error msg="Failed to release pool fd42:1234:5678:1::/64" error="address space does not contain specified address pool"
Apr 28 11:07:57 kermit dockerd[1580178]: time="2026-04-28T11:07:57.062718572+02:00" level=error msg="Failed allocation for network e8dojebxiefo0rvbgtvcao4d1" error="failed allocating pools and gateway IP for network e8dojebxiefo0rvbgtvcao4d1: cannot find address pool for poolID:fd42:1234:5678:1::/64/invalid Prefix" module=node node.id=ab8gmawmd9rym7dtf8yc6bc3t

4. Try with a subnet in the configuration

> docker network create \
  --driver overlay \
  --attachable \
  --ipv6 \
  --subnet fd00:dead:beef:1::/64 \
  ovl-test
xoq65fj7zba4osszeub8abnuv

> docker network ls
NETWORK ID     NAME              DRIVER    SCOPE
4e2d94811029   bridge            bridge    local
ab8c8d02aacb   docker_gwbridge   bridge    local
c6c766f9f3f2   host              host      local
lme3wha6q57t   ingress           overlay   swarm
a8fdd26f4619   none              null      local
xoq65fj7zba4   ovl-test                    swarm

> docker network inspect ovl-test
[]
Error response from daemon: network ovl-test not found

Syslog:

Apr 28 11:13:05 kermit dockerd[1580178]: time="2026-04-28T11:13:05.060907553+02:00" level=error msg="Failed allocation for network xoq65fj7zba4osszeub8abnuv" error="failed allocating pools and gateway IP for network xoq65fj7zba4osszeub8abnuv: invalid pool request: Pool overlaps with other one on this address space" module=node node.id=ab8gmawmd9rym7dtf8yc6bc3t

5. Try to use a subnet closer to the one configured

> docker network create \
  --driver overlay \
  --attachable \
  --ipv6 \
  --subnet fd00:dead:beef:100::/64 \
  ovl-test
kpmj6j6e6dmtwlpp0557y0t7i

> docker network ls
NETWORK ID     NAME              DRIVER    SCOPE
4e2d94811029   bridge            bridge    local
ab8c8d02aacb   docker_gwbridge   bridge    local
c6c766f9f3f2   host              host      local
lme3wha6q57t   ingress           overlay   swarm
a8fdd26f4619   none              null      local
kpmj6j6e6dmt   ovl-test                    swarm

> docker network inspect ovl-test
[]
Error response from daemon: network ovl-test not found

Syslog says:

Apr 28 11:16:37 kermit dockerd[1580178]: time="2026-04-28T11:16:37.375135655+02:00" level=error msg="Failed allocation for network kpmj6j6e6dmtwlpp0557y0t7i" error="failed allocating pools and gateway IP for network kpmj6j6e6dmtwlpp0557y0t7i: cannot find address pool for poolID:fd00:dead:beef:100::/64/invalid Prefix" module=node node.id=ab8gmawmd9rym7dtf8yc6bc3t

Expected behavior

Either IPv6 would not be supported and the operation would fail, or it would be supported and IPAM would be showing the IPv6 subnet.

docker version

Client: Docker Engine - Community
 Version:           29.4.1
 API version:       1.54
 Go version:        go1.26.2
 Git commit:        055a478
 Built:             Mon Apr 20 16:32:36 2026
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          29.4.1
  API version:      1.54 (minimum version 1.40)
  Go version:       go1.26.2
  Git commit:       6c91b92
  Built:            Mon Apr 20 16:32:36 2026
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.2.3
  GitCommit:        77c84241c7cbdd9b4eca2591793e3d4f4317c590
 runc:
  Version:          1.3.5
  GitCommit:        v1.3.5-0-g488fc13e
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    29.4.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.33.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v5.1.3
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 32
 Server Version: 29.4.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: active
  NodeID: itnb09kewm0ldsl9yzgqdz56p
  Is Manager: true
  ClusterID: x66t4h5q1l3e1n1465ukkkwst
  Managers: 1
  Nodes: 1
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: fdbf:993c:3b9:0:21b:21ff:febc:102c
  Manager Addresses:
   [fdbf:993c:3b9:0:21b:21ff:febc:102c]:2377
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 77c84241c7cbdd9b4eca2591793e3d4f4317c590
 runc version: v1.3.5-0-g488fc13e
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-101-generic
 Operating System: Ubuntu 22.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 32
 Total Memory: 60.47GiB
 Name: kermit
 ID: 4424c7cb-587d-4279-910a-eff2a7259c6f
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
  ::1/128
 Live Restore Enabled: false
 Default Address Pools:
   Base: 10.10.0.0/16, Size: 24
   Base: fd00:dead:beef::/56, Size: 64
 Firewall Backend: iptables

Additional Info

cat /etc/docker/daemon.json

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:caff:ffff::/64",
  "iptables": true,
  "default-address-pools": [
    { "base": "10.10.0.0/16", "size": 24 },
    { "base": "fd00:dead:beef::/56", "size": 64 }
  ]
}

[corhere]

We do not currently support assigning IPv6 addresses to overlay network endpoints. The overlay network data plane might pass IPv6 packets, though I can make no promises regarding reliability or efficiency. (IPv6 overlay traffic would be forwarded by flood-and-learn, compared to the EVPN-esque forwarding for IPv4 overlay traffic.)