This error occurs when Docker cannot create an IPvlan network interface, typically due to missing kernel module support, the parent network interface being busy, or running in a virtualized environment that doesn't support IPvlan. Fixing it involves verifying kernel support, checking interface availability, or switching to an alternative network driver like macvlan.
The "failed to create the ipvlan port" error indicates that Docker was unable to create the necessary network interface for an IPvlan network. IPvlan is a Linux kernel feature that allows multiple virtual interfaces to share a single parent physical interface, with each virtual interface having its own IP address but sharing the same MAC address. This error typically manifests in two forms: - **"operation not supported"**: The Linux kernel doesn't have IPvlan support enabled, or you're running in a virtualized environment (like a VM or container) that doesn't support the required networking capabilities. - **"device or resource busy"**: The parent network interface is already in use by another IPvlan network or another process, or there's a conflict after a system update or reboot. IPvlan networks are commonly used in scenarios requiring: - Direct layer 2 network access without promiscuous mode (unlike macvlan) - Multiple containers with unique IPs on the same physical network segment - Network environments where promiscuous mode is blocked or undesirable The error can occur when creating a new IPvlan network with `docker network create` or when starting a container attached to an existing IPvlan network.
First, check if your Linux kernel has IPvlan support compiled in or available as a module:
# Check if ipvlan module is loaded
lsmod | grep ipvlan
# Try loading the ipvlan module
sudo modprobe ipvlan
# Verify it loaded successfully
lsmod | grep ipvlanIf modprobe ipvlan fails with "Module ipvlan not found", your kernel doesn't have IPvlan support compiled in.
Check kernel configuration:
# Check if CONFIG_IPVLAN is enabled
grep CONFIG_IPVLAN /boot/config-$(uname -r)
# Should show: CONFIG_IPVLAN=m or CONFIG_IPVLAN=yCheck kernel version (IPvlan requires 4.2+):
uname -r
# Should be 4.2 or higher for stable IPvlan supportIf your kernel lacks IPvlan support, you'll need to either:
- Upgrade to a kernel with IPvlan compiled in
- Recompile your kernel with CONFIG_IPVLAN=m or CONFIG_IPVLAN=y
- Use an alternative network driver like macvlan
IPvlan may not work in certain virtualized environments. Check if you're running in a VM:
# Check for virtualization
systemd-detect-virt
# or
cat /sys/class/dmi/id/product_name
# or
hostnamectl | grep -i virtualizationCommon VM limitations:
- VMware: May work with proper virtual network configuration
- VirtualBox: Often doesn't support IPvlan properly
- KVM/QEMU: Usually works with virtio network drivers
- Hyper-V: Limited support, may require specific configuration
- OrbStack (macOS): Known to not support IPvlan; use macvlan instead
- WSL2: Limited networking capabilities for advanced drivers
If in a VM, consider alternatives:
1. Use macvlan driver instead of ipvlan
2. Use bridge networking
3. Configure VM networking to support the required features
If IPvlan isn't supported in your environment, macvlan is a viable alternative that provides similar functionality:
IPvlan L2 mode equivalent with macvlan:
# Create macvlan network instead of ipvlan
docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=eth0 \
my_macvlan_networkKey differences between IPvlan and Macvlan:
- Macvlan: Each container gets a unique MAC address; requires promiscuous mode on parent
- IPvlan: All containers share the parent's MAC address; no promiscuous mode needed
Enable promiscuous mode for macvlan (if required):
sudo ip link set eth0 promisc onNote: Some cloud providers and corporate networks block promiscuous mode, making macvlan also unsuitable. In those cases, use bridge networking or an overlay network.
If the error mentions "device or resource busy", the parent interface may have conflicting state:
Step 1: List existing Docker networks:
docker network ls --filter driver=ipvlan
docker network ls --filter driver=macvlanStep 2: Remove conflicting networks:
# Stop containers using the network first
docker network disconnect my_ipvlan_network <container_name>
# Remove the network
docker network rm my_ipvlan_networkStep 3: Clean up orphaned network interfaces:
# List network interfaces
ip link show
# Look for ipvlan interfaces (usually named like ipvl0, ipvl1)
# Remove orphaned interfaces manually if needed
sudo ip link delete ipvl0 2>/dev/nullStep 4: Restart Docker daemon:
sudo systemctl restart dockerStep 5: Recreate the network:
docker network create -d ipvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=eth0 \
my_ipvlan_networkThe parent interface specified in the IPvlan network must exist and be in the correct state:
List available network interfaces:
ip link show
# or
ip addr showCheck the specific interface you're trying to use:
# Replace 'eth0' with your actual interface name
ip link show eth0Common interface naming:
- eth0, eth1: Traditional naming
- enp0s3, enp3s0: Predictable interface names
- ens192, ens160: VMware virtual interfaces
- bond0: Bonded interfaces
Create IPvlan with correct parent:
# Find your actual interface name first
ip route | grep default
# Example output: default via 192.168.1.1 dev enp0s3
# Use that interface as parent
docker network create -d ipvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=enp0s3 \
my_ipvlan_networkFor VLAN-tagged interfaces:
# Create VLAN interface first (VLAN 100 on eth0)
sudo ip link add link eth0 name eth0.100 type vlan id 100
sudo ip link set eth0.100 up
# Then use it as parent
docker network create -d ipvlan \
--subnet=10.100.0.0/24 \
-o parent=eth0.100 \
-o ipvlan_mode=l2 \
vlan100_networkIPvlan support has improved significantly in recent Docker versions. Older versions (pre-1.13, especially experimental releases) may have bugs:
Check current Docker version:
docker versionUpgrade Docker on Ubuntu/Debian:
# Remove old versions
sudo apt remove docker docker-engine docker.io containerd runc
# Set up repository
sudo apt update
sudo apt install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install latest Docker
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-pluginUpgrade Docker on CentOS/RHEL:
# Remove old versions
sudo yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine
# Set up repository
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# Install latest Docker
sudo yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo systemctl start dockerAfter system upgrades or reboots, IPvlan networks may fail due to stale state. Here's how to recover:
Full Docker network cleanup:
# Stop all containers
docker stop $(docker ps -aq)
# Remove all containers
docker rm $(docker ps -aq)
# Remove all networks (except default ones)
docker network prune -f
# Restart Docker
sudo systemctl restart dockerIf still failing, perform a more thorough cleanup:
# Stop Docker
sudo systemctl stop docker
# Remove Docker network state files
sudo rm -rf /var/lib/docker/network/files/*
# Start Docker
sudo systemctl start docker
# Recreate your networks
docker network create -d ipvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=eth0 \
my_ipvlan_networkPersist IPvlan module loading across reboots:
# Add ipvlan to modules loaded at boot
echo "ipvlan" | sudo tee /etc/modules-load.d/ipvlan.confWhen using Docker Compose with IPvlan networks, ensure proper configuration:
docker-compose.yml example:
version: "3.8"
services:
app:
image: nginx:alpine
networks:
ipvlan_net:
ipv4_address: 192.168.1.100
networks:
ipvlan_net:
driver: ipvlan
driver_opts:
parent: eth0
ipvlan_mode: l2
ipam:
config:
- subnet: 192.168.1.0/24
gateway: 192.168.1.1For L3 mode (routing mode):
networks:
ipvlan_l3:
driver: ipvlan
driver_opts:
parent: eth0
ipvlan_mode: l3
ipam:
config:
- subnet: 192.168.10.0/24
- subnet: 192.168.20.0/24Important notes for L3 mode:
- No gateway is specified (Docker host acts as router)
- External routing must be configured on your network
- Containers in L3 mode are isolated from the parent network by default
IPvlan modes explained:
Docker IPvlan supports two modes:
L2 Mode (default):
- Works like macvlan but without unique MAC addresses
- All containers share the parent interface's MAC
- Containers can communicate with the physical network directly
- Suitable for flat network topologies
- Create with: -o ipvlan_mode=l2
L3 Mode:
- Docker host acts as a router between containers and parent network
- Traffic is routed at Layer 3 (IP level), not bridged at Layer 2
- Broadcasts are contained within the container network
- Requires static routes on your gateway for external access
- Better isolation but more complex setup
- Create with: -o ipvlan_mode=l3
Kernel requirements:
- Minimum: Linux kernel 4.2+
- Recommended: Linux kernel 4.9+ for stability
- CONFIG_IPVLAN must be enabled (as module or built-in)
- Docker Swarm mode requires IPvlan support
IPvlan vs Macvlan comparison:
| Feature | IPvlan | Macvlan |
|---------|--------|---------|
| MAC addresses | Shared (parent's MAC) | Unique per container |
| Promiscuous mode | Not required | Required |
| Virtual environments | Less compatible | More compatible |
| Network isolation | Better in L3 mode | Limited |
| Host communication | Blocked by default | Can be configured |
Troubleshooting in enterprise environments:
Some enterprise network switches and cloud providers have restrictions that affect both IPvlan and macvlan:
- Port security limiting MAC addresses per port
- DHCP snooping preventing new MACs
- ARP inspection blocking traffic
- Cloud provider security groups
Container-to-host communication:
By default, containers on IPvlan networks cannot communicate with the Docker host. This is by design for security. If you need host communication:
# Create a separate macvlan/ipvlan interface on the host
ip link add myipvlan link eth0 type ipvlan mode l2
ip addr add 192.168.1.200/24 dev myipvlan
ip link set myipvlan upDebugging IPvlan issues:
# Check if ipvlan module is loaded
lsmod | grep ipvlan
# View kernel messages for errors
dmesg | grep -i ipvlan
dmesg | tail -50
# Check Docker daemon logs
journalctl -u docker.service -f
# Inspect network details
docker network inspect my_ipvlan_network
# Check network namespace
ip netns list
sudo nsenter --net=/var/run/docker/netns/<container_netns> ip link showimage operating system "linux" cannot be used on this platform
How to fix 'image operating system linux cannot be used on this platform' in Docker
manifest unknown: manifest unknown
How to fix 'manifest unknown' in Docker
cannot open '/etc/passwd': Permission denied
How to fix 'cannot open: Permission denied' in Docker
toomanyrequests: Rate exceeded for anonymous users
How to fix 'Rate exceeded for anonymous users' in Docker Hub
yaml: line X: found character that cannot start any token
How to fix 'found character that cannot start any token' in Docker Compose