After update networking fails with rootless Docker

Docker version 29.0.2 (rootless)

For example:
docker run -it -p 3000:3080 alpine ash

Error response from daemon: failed to set up container networking: driver failed programming external connectivity on endpoint ……
failed to bind host port 10.0.2.100:3000/tcp: address already in use

It fails regardless of which port is picked. 10.0.2.100 is not the IP of the host, but I guess 10.0.2.X is a network used by Docker internally.

2 Likes

Error message address already in use is clearly about the IP and listening port. It usually means another process is already using port 3000. Maybe check with netstat -tulpn.

2 Likes

IMHO the error message is misleading as there is nothing listening. I have the suspicion that the problem might be slirp4netns.

1 Like

I’ve been able to make it run (rootless) adding the lines below to ~/.config/docker/daemon.json:

  "userland-proxy": false,
  "iptables": true,
  "ip": "0.0.0.0"

I don’t know how and why, just sharing this for a better/clear solution.

Thanks yurji.
Unfortunately that didn’t help here. Until the update everything was fine.

How about you share some more info? What OS do you use? Any virtualization? What does docker info tell you?

Hi!
Did you restart docker with systemctl --user restart docker?

In my docker compose file I upgraded the traefik image to its latest -new- version and the problem was solved.

@jcabrerazuniga
Do you run rootless Docker? I haven’t tested it on rootful, but my guess is the problem is caused by rootless. It fails with every image (in the example posted a simple alpine).
When entering the namespace for dockerd I can see the tap port with 10.0.2.100, but nothing is listening on any port.
The host runs 6.8.0-87-generic #88-Ubuntu.

1 Like
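
Added example, not part of any post in this thread: one way to check whether a listener really blocks a bind such as 10.0.2.100:3000, on the host and inside the rootless dockerd network namespace. The function names and the sample `ss` output are constructed; the `nsenter` form follows Docker's rootless-mode documentation, and treating `[::]` as IPv6-only in `ss` output is an assumption.

```sh
#!/bin/sh
# conflicts_with ADDR PORT
# Reads `ss -Htln` output on stdin and prints every listening socket that
# would make an IPv4 bind to ADDR:PORT fail with "address already in use".
conflicts_with() {
    awk -v addr="$1" -v port="$2" '
        $1 == "LISTEN" {
            la = $4                        # local address:port column
            p = la; sub(/.*:/, "", p)      # port = text after the last colon
            a = substr(la, 1, length(la) - length(p) - 1)
            sub(/%.*/, "", a)              # drop scope suffix, e.g. %lo
            if ((p "") != (port "")) next
            # Exact match, or an IPv4 / dual-stack wildcard listener.
            if (a == addr || a == "0.0.0.0" || a == "*") { print la; next }
            # Binding the wildcard collides with any IPv4 listener on PORT.
            if (addr == "0.0.0.0" && a !~ /^\[/) print la
        }'
}

# check_port ADDR PORT: host view first, then the view from inside the
# rootless dockerd namespaces (where the 10.0.2.x tap interface lives).
check_port() {
    echo "host:";      ss -Htln | conflicts_with "$1" "$2"
    echo "namespace:"
    nsenter -U --preserve-credentials -n -m \
        -t "$(cat "$XDG_RUNTIME_DIR/docker.pid")" ss -Htln |
        conflicts_with "$1" "$2"
}

# Constructed sample of `ss -Htln` output, used so the parser runs offline.
SAMPLE_SS='LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 10.0.2.100:6000 0.0.0.0:*
LISTEN 0 128 [::]:3000 [::]:*
LISTEN 0 511 *:443 *:*'

# Demo on the sample: the wildcard listener on 8080 is reported.
printf '%s\n' "$SAMPLE_SS" | conflicts_with 10.0.2.100 8080
```

If `check_port 10.0.2.100 3000` prints nothing under both headings while `docker run -p 3000:...` still fails, no listener accounts for the error and the cause lies elsewhere.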

I had the problem until I used for Traefik something similar to:

traefik_proxy:
  container_name: traefik_proxy
  restart: unless-stopped
  # The official v3.6.2 Traefik docker image
  image: traefik:v3.6.2
  # Enables the web UI and tells Traefik to listen to docker
  ports:
    - "443:443"
  networks:
    ….

I use rootless dockerfile and with the traefik image update my dockerized apache and node servers work. Just in case I use

FROM ubuntu:24.04

for my apache server.

1 Like

I had exactly the same issue after upgrading my x86 based KVM virtualized VPS to Docker 29.0.2 (rootless). Nothing worked, no container could be spun up. Always the same issue that the address is already in use (although it wasn’t, as no process was listening).
It is, as you suspect, slirp4netns. I could not get it running again, and bug reports for this issue seem to be very low, so I suspect it is somehow a very special setup causing this issue.

Anyway, I decided in the end to ditch slirp4netns and move to passt (I require source IP propagation, and the only supported combination in a rootless setup is then using passt).

So I changed my previous override conf (~/.config/systemd/user/docker.service.d/override.conf) from

[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"

to

[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=1500"

Don’t forget systemctl --user daemon-reload before you restart the docker service.

I’m not fully sure whether the reduction in the MTU is required, but I’m too tired now to test it out. After those changes, it worked again for me with passt. As you are using Ubuntu: Do not use the package from the repositories, it failed for me with TLS handshake issues and prevented containers establishing connection to https based hosts. I then installed the latest from the launchpad sources (https://launchpad.net/ubuntu/+source/passt/0.0~git20250919.623dbf6-1/+build/31425354) - wget <debv3 file>, then dpkg -i <deb file>. pasta --version should then also report a version number, which it doesn’t if you use the Ubuntu package.

Hope this helps.

1 Like

Beware that pasta can crash sometimes. {"userland-proxy": false} in ~/.config/docker/daemon.json solves the problem for rootless. But nobody can explain why.

1 Like

For me it didn’t. Once I had user land proxy disabled, the daemon did not come up and requested to have the user land proxy enabled.

2 Likes

I’m running Docker rootless, same issue here: failed to bind host port 10.0.2.100:6000/tcp: address already in use

Starting a new container, restarting either Docker or the host does not fix it and nothing is listening on the port on any ip (netstat -tulpn).
I’ve temporarily fixed the issue by binding it directly to the host ip:

ports:
      - 10.10.10.10:6000:80

The upgrade path that broke the port binding:

containerd.io/jammy 2.1.5-1~ubuntu.22.04~jammy amd64 [upgradable from: 1.7.29-1~ubuntu.22.04~jammy]
docker-buildx-plugin/jammy 0.30.0-1~ubuntu.22.04~jammy amd64 [upgradable from: 0.29.1-1~ubuntu.22.04~jammy]
docker-ce-cli/jammy 5:29.0.2-1~ubuntu.22.04~jammy amd64 [upgradable from: 5:28.5.2-1~ubuntu.22.04~jammy]
docker-ce-rootless-extras/jammy 5:29.0.2-1~ubuntu.22.04~jammy amd64 [upgradable from: 5:28.5.2-1~ubuntu.22.04~jammy]
docker-ce/jammy 5:29.0.2-1~ubuntu.22.04~jammy amd64 [upgradable from: 5:28.5.2-1~ubuntu.22.04~jammy]

1 Like

Something in V29 of the Docker Engine broke setting the port driver to slirp4netns for rootless containers. I had upgraded from 28.5.1 to 29.0.2 and started getting the issues described here.

I tried downgrading to 29.0.1 then 29.0.0 but still had the same issue. Once I downgraded to the last 28 version, which is 28.5.2, it all worked again.

I'm on an arm64 CPU Ubuntu 24.04.3 LTS VPS on Oracle Cloud.

Downgrade process if on Ubuntu 24.04.3 LTS

on rootless user

  1. Bring down all docker containers
  2. Remove the containers/docker network

Run following commands as rootless user

systemctl --user stop docker

#probably not needed but for good measure
pkill -f rootlesskit
pkill -f slirp4netns

Switch to root user then do the following

#remove old docker packages
sudo apt remove --purge docker-ce docker-ce-cli docker-ce-rootless-extras containerd.io docker-buildx-plugin docker-compose-plugin

#list versions of docker
apt list --all-versions docker-ce

#set version 28.5.2 , this was mine
VERSION_STRING=5:28.5.2-1~ubuntu.24.04~noble

# reinstall docker with selected version
sudo apt install docker-ce=$VERSION_STRING docker-ce-cli=$VERSION_STRING docker-ce-rootless-extras=$VERSION_STRING containerd.io docker-buildx-plugin docker-compose-plugin

#disable the system root docker and remove sock
sudo systemctl disable --now docker.service docker.socket
sudo rm /var/run/docker.sock

Go back to the rootless user and run these

#either run rootless setup tool which should not need to do much of anything other than start the user docker service
dockerd-rootless-setuptool.sh install

#or just run the service directly
systemctl --user start docker

After service has started remake your containers and test

1 Like

29.0.4 is out but it does not fix the issue, still need "userland-proxy": false

Hi @yurj ,

I created the file ~/.config/docker/daemon.json with the content:

{
	"userland-proxy": false
}

But now when I restart docker I have the following error:

$ systemctl --user restart docker
Job for docker.service failed because the control process exited with error code.
See "systemctl --user status docker.service" and "journalctl --user -xeu docker.service" for details.

$ systemctl --user status docker.service
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/jordi/.config/systemd/user/docker.service; enabled; preset: enabled)
    Drop-In: /home/jordi/.config/systemd/user/docker.service.d
             └─override.conf
     Active: activating (auto-restart) (Result: exit-code) since Tue 2025-11-25 18:07:16 CET; 473ms ago
       Docs: https://docs.docker.com/go/rootless/
    Process: 23681 ExecStart=/usr/bin/dockerd-rootless.sh (code=exited, status=1/FAILURE)
   Main PID: 23681 (code=exited, status=1/FAILURE)
        CPU: 425ms

I need to remove the daemon.json file for it to restart correctly.
Am I doing anything wrong?

Thanks in advance.
Jordi.

Thanks yurj for the notification. I can confirm that the problem has NOT been fixed.

This is a community forum where users help users.

You might want to raise an issue in Docker’s upstream project Moby, so that developers can actually see the issue and take actions to fix them:

Update: someone already did:

2 Likes

This should print the real error. The issue can have different causes, and those lines fix it in some cases. Let’s monitor the issue linked here above by @meyay

I’ve tried to print the error, it does not say much more. I’ve posted it in the GitHub issue above.