This error occurs when Docker Swarm's built-in ingress network is missing or corrupted. The ingress network is essential for the routing mesh that enables load balancing across swarm nodes. The fix typically involves recreating the ingress network or reinitializing the swarm.
The "network ingress not found" error indicates that Docker Swarm's special ingress overlay network is missing from the cluster. The ingress network is automatically created when you initialize a swarm and is fundamental to how Docker Swarm routes external traffic to services.
The ingress network powers Docker Swarm's routing mesh - a feature that allows any node in the swarm to accept connections on published ports for any service, even if that node isn't running a task for that service. When a request arrives on a published port, the ingress network routes it through IPVS (IP Virtual Server) to an active container running the service.
This error typically surfaces when deploying services with published ports, running `docker stack deploy`, or after certain network operations that inadvertently remove the ingress network. It can also occur when nodes fail to properly join the swarm's ingress network due to firewall issues or network configuration problems.
The ingress network is not just an ordinary overlay network - it's a special network managed by Docker that cannot be manually attached to or modified like regular networks. When it goes missing, swarm services with published ports will fail to deploy or become unreachable.
First, confirm that the ingress network is actually missing from your swarm:
docker network ls --filter scope=swarm
You should see an ingress network with the overlay driver. If it's not listed, the network is indeed missing.
Also check the swarm status:
docker info | grep -A5 "Swarm"
Verify you're on a manager node and the swarm is active.
The ingress network requires specific ports to be open between all swarm nodes. If ports are blocked, nodes cannot participate in the ingress network.
Required ports:
- TCP/UDP 7946: Container network discovery and gossip
- UDP 4789: Overlay network traffic (VXLAN)
- TCP 2377: Cluster management (managers only)
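These ports only need to be reachable from other swarm nodes. As an added example (not part of the original page), the script below reads `ufw status` output, reports swarm ports that are allowed from any source, and prints per-peer rules instead; the peer addresses and the sample status output are constructed, and the function names are hypothetical.

```sh
# Added example, not from the original page; sample output and peer IPs are constructed.
SWARM_PORTS="7946/tcp 7946/udp 4789/udp 2377/tcp"

# Read plain `ufw status` output on stdin; print each swarm port allowed from any source.
unscoped_swarm_ports() {
  while read -r _to _action _from _rest; do
    # IPv6 rows look like "7946/tcp (v6) ALLOW Anywhere (v6)": drop the tag.
    if [ "$_action" = "(v6)" ]; then
      _action=$_from
      _from=${_rest%% *}
    fi
    if [ "$_action" = ALLOW ] && [ "$_from" = Anywhere ]; then
      for _p in $SWARM_PORTS; do
        if [ "$_to" = "$_p" ]; then echo "$_p"; fi
      done
    fi
  done | sort -u
}

# Print ufw commands that open the swarm ports to the listed peers only.
# $1: role of this node (manager or worker); remaining args: peer node IPs.
# TCP 2377 is emitted for managers only, as in the port list above.
scoped_swarm_rules() {
  _role=$1; shift
  for _peer in "$@"; do
    case $_peer in
      ""|*[!0-9.]*) echo "skipping invalid peer: $_peer" >&2; continue ;;
    esac
    for _p in $SWARM_PORTS; do
      if [ "$_p" = 2377/tcp ] && [ "$_role" != manager ]; then continue; fi
      echo "ufw allow from $_peer to any port ${_p%/*} proto ${_p#*/}"
    done
  done
}

# Constructed `ufw status` output (not from a real host).
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
7946/tcp                   ALLOW       Anywhere
4789/udp                   ALLOW       10.0.1.11
4789/udp (v6)              ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | unscoped_swarm_ports   # 4789/udp, 7946/tcp
scoped_swarm_rules worker 10.0.1.11 10.0.1.12
```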
Check if ports are open:
# Test port connectivity from another node
nc -zv <manager-ip> 7946
# A UDP probe that "succeeds" only shows that no ICMP unreachable came back
nc -zuv <manager-ip> 4789
Open the required ports:
# Using ufw
sudo ufw allow 7946/tcp
sudo ufw allow 7946/udp
sudo ufw allow 4789/udp
sudo ufw allow 2377/tcp
# Using firewalld
sudo firewall-cmd --permanent --add-port=7946/tcp
sudo firewall-cmd --permanent --add-port=7946/udp
sudo firewall-cmd --permanent --add-port=4789/udp
sudo firewall-cmd --permanent --add-port=2377/tcp
sudo firewall-cmd --reload
If the ingress network was deleted, you can recreate it. First, remove any remnants of the old ingress network:
# This may show an error if already missing - that's okay
docker network rm ingress
Then create a new ingress network:
docker network create \
  --driver overlay \
  --ingress \
  --subnet=10.0.0.0/24 \
  --gateway=10.0.0.1 \
  --opt com.docker.network.driver.overlay.vxlanid_list=4096 \
  ingress
The --ingress flag is critical - it tells Docker this is the special routing mesh network, not a regular overlay.
Note: Only one ingress network can exist at a time. If you get a conflict error, ensure the old one is fully removed.
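An overlap between the ingress subnet and a host route or the swarm's default address pool can be checked before the network is created. The following is an added example, not from the original page: it compares a candidate subnet against `ip -4 route show` style lines; the sample routes are constructed and the function names are hypothetical.

```sh
# Added example, not from the original page; the route table below is constructed.
ALL_ONES=4294967295   # 0xFFFFFFFF

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First (network) address of a CIDR such as 10.0.0.0/24, as an integer.
cidr_lo() {
  _len=${1#*/}
  echo $(( $(ip_to_int "${1%/*}") & ($ALL_ONES << (32 - $_len)) & $ALL_ONES ))
}

# Last (broadcast) address of the same CIDR.
cidr_hi() {
  _len=${1#*/}
  echo $(( $(cidr_lo "$1") | ($ALL_ONES >> $_len) ))
}

# Succeeds (exit 0) when the two CIDRs share at least one address.
cidr_overlap() {
  [ "$(cidr_lo "$1")" -le "$(cidr_hi "$2")" ] &&
    [ "$(cidr_lo "$2")" -le "$(cidr_hi "$1")" ]
}

# Read route lines on stdin; print each IPv4 CIDR that overlaps candidate $1.
find_conflicts() {
  while read -r _cidr _rest; do
    case $_cidr in
      *[!0-9./]*) continue ;;      # "default", IPv6, device names
      *.*.*.*/*) ;;                # looks like an IPv4 CIDR
      *) continue ;;               # blank line or bare address
    esac
    if cidr_overlap "$1" "$_cidr"; then echo "$_cidr"; fi
  done
}

# Constructed `ip -4 route show` output (not from a real host).
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
10.0.0.0/16 dev eth1 proto kernel scope link src 10.0.3.7
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

printf '%s\n' "$SAMPLE_ROUTES" | find_conflicts 10.0.0.0/24     # 10.0.0.0/16
printf '%s\n' "$SAMPLE_ROUTES" | find_conflicts 10.255.0.0/24   # no output
```

On a node, feed it live data with `ip -4 route show | find_conflicts 10.0.0.0/24`; `cidr_overlap` can also compare a subnet directly against a `--default-addr-pool` range.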
If the default ingress subnet (10.0.0.0/24) conflicts with your local network, create it with a different subnet:
docker network create \
  --driver overlay \
  --ingress \
  --subnet=10.255.0.0/24 \
  --gateway=10.255.0.1 \
  ingress
You can verify there's no conflict by checking existing network ranges:
docker network inspect ingress --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'
ip route show
If you initialized swarm with --default-addr-pool, ensure the ingress subnet doesn't overlap:
docker swarm init --default-addr-pool 10.10.0.0/16 --default-addr-pool-mask-length 24
Sometimes nodes need a Docker daemon restart to properly rejoin the ingress network:
# On the affected node
sudo systemctl restart docker
After restart, verify the node sees the ingress network:
docker network ls --filter scope=swarm
docker network inspect ingress
Check that the node is properly connected:
docker info --format '{{.Swarm.LocalNodeState}}'
This should return active.
If the ingress network cannot be recreated due to corrupted swarm state, you may need to reinitialize the swarm:
Warning: This will remove all services, configs, and secrets. Export important data first.
On all worker nodes first:
docker swarm leave
On all manager nodes (except one):
# A manager refuses to leave without --force; demote it first (docker node demote <node>) or add --force
docker swarm leave
On the last manager:
docker swarm leave --force
Then reinitialize:
docker swarm init --advertise-addr <manager-ip>
This creates a fresh swarm with a new ingress network. Rejoin other nodes using the tokens from:
docker swarm join-token manager
docker swarm join-token worker
How the ingress network works: The ingress network is a special overlay network that implements Docker Swarm's routing mesh. When you publish a port on a service, Docker creates a Virtual IP (VIP) for that service. IPVS (IP Virtual Server) running on each node listens on the published port and load balances incoming connections to healthy service tasks across the swarm, routing traffic over the ingress network.
Ingress vs host mode publishing: If you need to bypass the routing mesh entirely (for example, to preserve client source IPs), you can publish ports in host mode:
services:
  web:
    ports:
      - target: 80
        published: 80
        mode: host
Host mode binds directly to the host's network stack, bypassing ingress. However, this means only nodes running the service can receive traffic on that port.
Ingress network encryption: By default, ingress traffic is unencrypted. To enable encryption (at a performance cost), you must recreate the ingress network with the --opt encrypted flag:
docker network rm ingress
docker network create --driver overlay --ingress --opt encrypted ingress
Debugging ingress issues: Use these commands to diagnose routing mesh problems:
# Check ingress network details
docker network inspect ingress
# View service VIP
docker service inspect <service-name> --format '{{.Endpoint.VirtualIPs}}'
# Check if IPVS rules are configured (requires ipvsadm)
sudo ipvsadm -Ln
# View docker-proxy processes for published ports
ps aux | grep docker-proxy
Ingress on Windows: Docker Swarm ingress on Windows uses the Host Networking Service (HNS). The error "hnsCall failed" during ingress creation typically indicates HNS issues. Restart the HNS service:
Restart-Service hns
Preventing accidental ingress deletion: The ingress network can be accidentally removed when running cleanup scripts. Always exclude it:
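# Safe network cleanup - excludes ingress
# docker network prune accepts only the "until" and "label" filters, so skip ingress by name;
# docker network rm refuses networks that are still in use
docker network ls --filter type=custom --format '{{.Name}}' | grep -vx ingress | xargs -r docker network rm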