Move iptables check out of runtime init() to separate function
Due to the iptables package being `init`ed at start of the docker runtime, this means the iptables --wait command listing all rules is run, no matter if the command is simply "docker -h". It makes more sense to both locate the iptables command and check for the wait flag support at the time iptables is actually used, as it may not be used at all if certain network support is off/configured differently. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
parent
bfb4954a1f
commit
3ffffc0cff
1 changed files with 17 additions and 8 deletions
|
@ -24,6 +24,7 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
iptablesPath string
|
||||||
supportsXlock = false
|
supportsXlock = false
|
||||||
ErrIptablesNotFound = errors.New("Iptables not found")
|
ErrIptablesNotFound = errors.New("Iptables not found")
|
||||||
)
|
)
|
||||||
|
@ -43,8 +44,17 @@ func (e *ChainError) Error() string {
|
||||||
return fmt.Sprintf("Error iptables %s: %s", e.Chain, string(e.Output))
|
return fmt.Sprintf("Error iptables %s: %s", e.Chain, string(e.Output))
|
||||||
}
|
}
|
||||||
|
|
||||||
func init() {
|
func initCheck() error {
|
||||||
supportsXlock = exec.Command("iptables", "--wait", "-L", "-n").Run() == nil
|
|
||||||
|
if iptablesPath == "" {
|
||||||
|
path, err := exec.LookPath("iptables")
|
||||||
|
if err != nil {
|
||||||
|
return ErrIptablesNotFound
|
||||||
|
}
|
||||||
|
iptablesPath = path
|
||||||
|
supportsXlock = exec.Command(iptablesPath, "--wait", "-L", "-n").Run() == nil
|
||||||
|
}
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewChain(name, bridge string, table Table) (*Chain, error) {
|
func NewChain(name, bridge string, table Table) (*Chain, error) {
|
||||||
|
@ -258,18 +268,17 @@ func Exists(args ...string) bool {
|
||||||
|
|
||||||
// Call 'iptables' system command, passing supplied arguments
|
// Call 'iptables' system command, passing supplied arguments
|
||||||
func Raw(args ...string) ([]byte, error) {
|
func Raw(args ...string) ([]byte, error) {
|
||||||
path, err := exec.LookPath("iptables")
|
|
||||||
if err != nil {
|
|
||||||
return nil, ErrIptablesNotFound
|
|
||||||
}
|
|
||||||
|
|
||||||
|
if err := initCheck(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
if supportsXlock {
|
if supportsXlock {
|
||||||
args = append([]string{"--wait"}, args...)
|
args = append([]string{"--wait"}, args...)
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Debugf("%s, %v", path, args)
|
log.Debugf("%s, %v", iptablesPath, args)
|
||||||
|
|
||||||
output, err := exec.Command(path, args...).CombinedOutput()
|
output, err := exec.Command(iptablesPath, args...).CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err)
|
return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err)
|
||||||
}
|
}
|
||||||
|
|
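Review bot: initCheck() writes the package-level `iptablesPath` and `supportsXlock` with no synchronization, and it assigns `iptablesPath` before the `--wait` probe has finished. If Raw() is ever called from more than one goroutine (its callers are not visible on this page), a second caller can see a non-empty `iptablesPath`, skip the block, and run iptables with `supportsXlock` still false, so without `--wait`, just when two invocations are contending for the xtables lock. The old init() ran once before any goroutine could reach Raw(), so this window is new with the lazy check. Guarding the check with a mutex keeps the retry-after-not-found behaviour: declare `var initMu sync.Mutex` and open initCheck() with `initMu.Lock()` and `defer initMu.Unlock()` (this needs the `sync` import if the file does not already have it). Raw() continues past the end of the last hunk, so the rest of its body was not reviewed.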