This error occurs when Docker tries to create a network using an IP address range (CIDR block) that conflicts with an existing Docker network or host network. The fix involves identifying and removing the conflicting network or reconfiguring the subnet.
The "Pool overlaps with other one on this address space" error occurs when Docker's network allocation system detects a conflict between IP address ranges. When you create a Docker network (either explicitly or through docker-compose), Docker assigns it a subnet from its address pool. If that subnet overlaps with an already-allocated network, Docker refuses to create the new network to prevent routing conflicts. This commonly happens when: - You have a docker-compose.yml that specifies a fixed subnet that's already in use - An old Docker network wasn't properly cleaned up and is blocking the IP range - A VPN client is using the same IP range Docker is trying to allocate - The host machine's network configuration uses IP ranges that conflict with Docker's defaults Docker's default address pools use ranges like 172.17.0.0/16, 172.18.0.0/16, etc. If your infrastructure, VPN, or existing networks use these ranges, you'll encounter this overlap error.
First, identify all existing Docker networks and their subnets:
docker network lsThen inspect each network to see its subnet configuration:
docker network inspect <network_name>Look for the "Subnet" field in the IPAM Config section. You can also list all subnets at once:
docker network inspect $(docker network ls -q) | grep -E '"Name"|"Subnet"'Compare the subnet from the error or your docker-compose.yml with existing networks. Look for networks with matching IP ranges.
You can also check which network interfaces on your host might be conflicting:
ip addr show | grep "inet "On macOS:
ifconfig | grep "inet "Note: Network IDs starting with br- in ip addr output correspond to Docker networks (e.g., br-7bf61cfc0b5a means Docker network ID 7bf61cfc0b5a).
If you identified an unused Docker network causing the conflict, remove it:
docker network rm <network_name>If containers are still connected to the network, stop them first:
docker stop $(docker network inspect <network_name> -f '{{range .Containers}}{{.Name}} {{end}}')
docker network rm <network_name>For a clean slate, you can remove all unused networks:
docker network pruneWarning: This removes all networks not used by at least one container.
If your docker-compose.yml specifies a conflicting subnet, change it to a non-overlapping range:
networks:
my_network:
driver: bridge
ipam:
config:
- subnet: 172.28.0.0/16 # Use a different subnetChoose a subnet that doesn't conflict with:
- Other Docker networks (check with docker network inspect)
- Your host's network interfaces
- Your VPN's IP range
- Common private ranges: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
If you want multiple docker-compose projects to share a network, create it once and reference it as external:
First, create the network:
docker network create shared_networkThen reference it in docker-compose.yml:
networks:
my_network:
external: true
name: shared_networkThis prevents Docker from trying to create a new network each time.
If the error started after connecting to a VPN, the VPN may be using Docker's default IP ranges. Temporarily disconnect:
# OpenVPN
sudo systemctl stop openvpn
# Or kill the VPN process
sudo killall openvpnThen retry your Docker command. If this works, see the Advanced Notes for permanent solutions.
Configuring Docker's default address pools: You can change which IP ranges Docker uses by default. Edit (or create) /etc/docker/daemon.json:
{
"default-address-pools": [
{"base": "10.10.0.0/16", "size": 24},
{"base": "10.11.0.0/16", "size": 24}
]
}Then restart Docker:
sudo systemctl restart dockerNote: This only affects newly created networks. Existing networks keep their subnets.
VPN coexistence: If your VPN uses ranges like 172.17.x.x (Docker's default), configure Docker to use completely different ranges. Popular choices that rarely conflict:
- 10.200.0.0/16
- 10.201.0.0/16
- 172.30.0.0/16
Docker Compose network naming: By default, Docker Compose creates networks named <project>_<network>. If you're running the same project from different directories, they might conflict. Use explicit project names:
docker-compose -p unique_project_name upRemoving network configuration entirely: If you don't need custom networking, remove the ipam: block from docker-compose.yml and let Docker auto-assign subnets:
networks:
my_network:
driver: bridge
# No ipam block - Docker chooses the subnetmacvlan and host network conflicts: If using macvlan networks that bridge to the host, ensure the subnet doesn't overlap with the host's actual network. The macvlan subnet should be a subset of the host network that's reserved for containers.
Kubernetes/minikube conflicts: If running Kubernetes locally, its pod networks may conflict with Docker. Check kubectl cluster-info dump | grep -i cidr for Kubernetes network ranges.
image operating system "linux" cannot be used on this platform
How to fix 'image operating system linux cannot be used on this platform' in Docker
manifest unknown: manifest unknown
How to fix 'manifest unknown' in Docker
cannot open '/etc/passwd': Permission denied
How to fix 'cannot open: Permission denied' in Docker
Error response from daemon: failed to create the ipvlan port
How to fix 'failed to create the ipvlan port' in Docker
toomanyrequests: Rate exceeded for anonymous users
How to fix 'Rate exceeded for anonymous users' in Docker Hub