@selansen can you please take a look ?

Sure . will do .

I tried to reproduce this issue locally . I was successful but I dont see the error message you had mentioned. I see error like below
level=error msg="fatal task error" error="error creating overlay mount to /go/src/github.com/docker/docker/bundles/test-integration/d40ba35052eb0/root/overlay2/c853182a083420ab6d6c5192f96558b1baefcb80702bf2ae01d801b98b87cf17-init/merged: invalid argument" module=node/agent/taskmanager node.id=voqx65fq1sb4kn9na3nxlikwz service.id=w6jwwcdubpl7mqn4qgiwrowxk task.id=qwid14va6bf11qhhoz2gfbecd

I will continue to debug this issue.

The above failure is coz I run the test on my MAC. Looks like other test cases also fails on my MAC. I am trying on AWS VM and test is passing. Will see if I can reproduce it my my VM.

I tried to reproduce it on my local VM but it passes every time. I tried single test case and also tried set of test cases hoping this issue might have occurred due to cleanup issue.
with my last week CI failure testing experience, I assume this test case failure might happen due to other test case clean up issue.
Error is Ingress_sbox is already present when we create newSandBox. . From the log I Looked for if there is any delete Sandbox error or warning message but i could find none.
So I am assuming it could be due to due to clean up issue from moving from one test case to other test case. But why this is not happening consistently but seen across many CI failures , I need to dig more .

Actually, from a look at the logs cited above, the ingress creation may be a symptom of another problem. I note that the ingress network creation fails with the following error:

time="2018-03-22T17:30:58.302993358Z" level=error msg="Failed creating ingress network: subnet sandbox join failed for \"10.255.0.0/16\": error creating vxlan interface: file exists"

(https://gist.github.com/tonistiigi/6cb35ce9947cdbbcf410cf9863945220#file-docker-log-L283) You may note that this occurs shortly before the 'already present' message. It looks like the node tries to join the network, fails due the VXLAN issue, starts to tear the network down and then tries to rejoin. I can't tell yet whether the rejoin is failing due to a race with the teardown or due to an error where the teardown isn't cleaning up properly.

Regardless, there are 2 different libnetwork bugs that we happen to be paying attention to right now that relate to the Vxlan creation failure. They are moby/libnetwork#1765 and moby/libnetwork#1800. Both have PRs that are being actively reviewed. Unfortunately, we don't really have a root cause for the former. While the PR there definitely fixes issues, it isn't certain it fixes the issue causing the bug. The main difficulty is with reproducibility as @selansen is experiencing.

To be clear, even though we will address the vxlan issues, we also need to try to root cause why the teardown/setup was causing the "ingress-sbox already present" problem.

I noticed that error message too. I feel we should merge 1800 and 1765 regardless of this issue.

Ok, after some review with @selansen I think we understand the symptoms. The cause of the failure is bug moby/libnetwork#1765.

However, this bug triggers a known secondary bug in libnetwork in the network.createLoadBalancerSandbox() call. It doesn't have a PR because I found it while working on improving the load balancing scalability and included the fix in that PR. Here is the fix (does have its own commit): moby/libnetwork@4543e14 . The issue is caused by libnetwork trying to unwind a failure using defer functions that check whether an err value is non-nil, but, failing to set that err variable when subsequent operations fail. As a result:

1. libnetwork allocates an endpoint in the ingress network
2. libnetwork tries to make the endpoint join the ingress sandbox
3. join fails due to the VXLAN bug
4. improper error handling leaves the new endpoint in the network
5. a subsequent attempt to create the network finds the ingress-endpoint already present causing the log " container ingress-sbox is already present..."

As you can see, there is already a fix for the second bug but it is not yet merged. However, even if it were, all it does is hide the secondary symptom. The real problem is in moby/libnetwork#1765 for which we have not yet found a root cause (although we have found some potential ones: (moby/libnetwork#2143)). Nevertheless, if desired, I can try to expedite the patch for createLoadBalancerSandbox().

I have run CI locally from Friday to till now. Not even single time I came across Service create failure issue.

I've just upgraded from docker-ce 17.04 to 18.05 on a linux box. Has this problem. Restarting docker daemon, reinitializing swarm, removing networks, nothing helped. Only after rebooting physical machine the problem was gone.

Sorry to hear that. :( I have a PR outstanding that fixes race conditions that seem to be able to lead to this condition and adds better error handling for OS failures (moby/libnetwork#2146). However, due tripping over a deadlock in that region of the code recently (moby/libnetwork#2180), I/we have been wary of merging without more thorough review. Hopefully we can come back to it soon.

(For reference, the fixes to createLoadBalancerSandbox() mentioned above are in PR review for Moby in #37372).