From ecaf56e0a0b2717779b96e1f8300c60587461387 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Thu, 30 Apr 2026 09:01:46 +0000 Subject: [PATCH] integration: drop Force flag on docker network disconnect Force-disconnect leaves stale routes in the container's network namespace: libnetwork removes the host-side veth but the namespace-internal route survives. The next ConnectNetwork on the same network then fails with "cannot program address X/16 in sandbox interface because it conflicts with existing route", and the route never resolves on its own. Bounded retry around ConnectNetwork exhausts MaxElapsedTime instead of recovering. Without Force, libnetwork drains the namespace routes synchronously during disconnect and ConnectNetwork sees a clean slate. Cable-pull semantic is preserved: docker still tears down the endpoint at the namespace level, leaving in-flight TCP half-open inside the container's view, verified via paired probe-timeout pairs in HA prober logs while both routers are physically disconnected. Fixes #3234 --- integration/dockertestutil/network.go | 1 - 1 file changed, 1 deletion(-) diff --git a/integration/dockertestutil/network.go b/integration/dockertestutil/network.go index fe03fcfc..1e9915e6 100644 --- a/integration/dockertestutil/network.go +++ b/integration/dockertestutil/network.go @@ -132,7 +132,6 @@ func DisconnectContainerFromNetwork( return retryDockerOp(context.Background(), func() error { return pool.Client.DisconnectNetwork(network.Network.ID, docker.NetworkConnectionOptions{ Container: containers[0].ID, - Force: true, }) }) }
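
Review bot: with `Force: true` deleted from the `docker.NetworkConnectionOptions` literal in `DisconnectContainerFromNetwork`, nothing at the call site records why the flag must stay off, so a later change could reintroduce it. The reason currently lives only in the commit message. Consider a short comment above the `pool.Client.DisconnectNetwork` call that says a forced disconnect leaves a stale route in the container's namespace and makes the next `ConnectNetwork` on the same network fail with "conflicts with existing route", with a reference to #3234. The patch also carries no test for the sequence it fixes. The commit message describes the cable-pull behaviour as verified from HA prober logs, so an integration check that disconnects a container and then reconnects it to the same network would turn that manual verification into a regression guard.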