
modprobe when needed

- in bridge driver modprobe for br_netfilter only if EnableIPTables==true
- move FirewalldInit() to iptables package Init()
- move modprobe for nf_nat and xt_conntrack in iptables.initCheck()

Signed-off-by: Alessandro Boch <aboch@docker.com>
Alessandro Boch 9 years ago
parent
commit
52da8bda47
2 changed files with 24 additions and 16 deletions
  1. 5 16
      libnetwork/drivers/bridge/bridge.go
  2. 19 0
      libnetwork/iptables/iptables.go

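--- a/libnetwork/drivers/bridge/bridge.go
+++ b/libnetwork/drivers/bridge/bridge.go
@@ -9,7 +9,6 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strconv"
-	"strings"
 	"sync"
 	"syscall"
 
@@ -130,21 +129,6 @@ func newDriver() *driver {
 
 // Init registers a new instance of bridge driver
 func Init(dc driverapi.DriverCallback, config map[string]interface{}) error {
-	if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
-		if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
-			logrus.Warnf("Running modprobe bridge br_netfilter failed with message: %s, error: %v", out, err)
-		}
-	}
-	if out, err := exec.Command("modprobe", "-va", "nf_nat").CombinedOutput(); err != nil {
-		logrus.Warnf("Running modprobe nf_nat failed with message: `%s`, error: %v", strings.TrimSpace(string(out)), err)
-	}
-	if out, err := exec.Command("modprobe", "-va", "xt_conntrack").CombinedOutput(); err != nil {
-		logrus.Warnf("Running modprobe xt_conntrack failed with message: `%s`, error: %v", strings.TrimSpace(string(out)), err)
-	}
-	if err := iptables.FirewalldInit(); err != nil {
-		logrus.Debugf("Fail to initialize firewalld: %v, using raw iptables instead", err)
-	}
-
 	d := newDriver()
 	if err := d.configure(config); err != nil {
 		return err
@@ -387,6 +371,11 @@ func (d *driver) configure(option map[string]interface{}) error {
 	}
 
 	if config.EnableIPTables {
+		if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
+			if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
+				logrus.Warnf("Running modprobe bridge br_netfilter failed with message: %s, error: %v", out, err)
+			}
+		}
 		removeIPChains()
 		natChain, filterChain, isolationChain, err = setupIPChains(config)
 		if err != nil {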
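Review bot: In the block added under `if config.EnableIPTables` in configure(), a failed `modprobe` of `br_netfilter` is only reported with `logrus.Warnf`, and execution carries on into `removeIPChains()` and `setupIPChains(config)`. If that module is what makes bridged packets visible to iptables (likely, but not shown on this page), the chains get installed without filtering that traffic, and the only trace is a warning. I would re-check the path after the attempt and state the consequence in the log, e.g. `if _, err := os.Stat("/proc/sys/net/bridge"); err != nil { logrus.Errorf("br_netfilter unavailable, iptables rules may not apply to bridged traffic: %v", err) }`. A comment above the block would also help: `// br_netfilter must be loaded for the chains set up below to see bridged packets`. configure() starts and ends outside the hunk.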

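--- a/libnetwork/iptables/iptables.go
+++ b/libnetwork/iptables/iptables.go
@@ -42,6 +42,8 @@ var (
 	bestEffortLock sync.Mutex
 	// ErrIptablesNotFound is returned when the rule is not found.
 	ErrIptablesNotFound = errors.New("Iptables not found")
+	probeOnce           sync.Once
+	firewalldOnce       sync.Once
 )
 
 // ChainInfo defines the iptables chain.
@@ -61,8 +63,25 @@ func (e ChainError) Error() string {
 	return fmt.Sprintf("Error iptables %s: %s", e.Chain, string(e.Output))
 }
 
+func probe() {
+	if out, err := exec.Command("modprobe", "-va", "nf_nat").CombinedOutput(); err != nil {
+		logrus.Warnf("Running modprobe nf_nat failed with message: `%s`, error: %v", strings.TrimSpace(string(out)), err)
+	}
+	if out, err := exec.Command("modprobe", "-va", "xt_conntrack").CombinedOutput(); err != nil {
+		logrus.Warnf("Running modprobe xt_conntrack failed with message: `%s`, error: %v", strings.TrimSpace(string(out)), err)
+	}
+}
+
+func initFirewalld() {
+	if err := FirewalldInit(); err != nil {
+		logrus.Debugf("Fail to initialize firewalld: %v, using raw iptables instead", err)
+	}
+}
+
 func initCheck() error {
 	if iptablesPath == "" {
+		probeOnce.Do(probe)
+		firewalldOnce.Do(initFirewalld)
 		path, err := exec.LookPath("iptables")
 		if err != nil {
 			return ErrIptablesNotFound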
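Review bot: In initCheck(), `probeOnce.Do(probe)` and `firewalldOnce.Do(initFirewalld)` run before `exec.LookPath("iptables")` has succeeded, so a host without iptables still gets `nf_nat` and `xt_conntrack` loaded and `FirewalldInit()` invoked, only to return `ErrIptablesNotFound`. Loading kernel modules that nothing will use widens the kernel attack surface for no benefit and works against the commit's stated aim of probing only when needed. Moving the two `Do` calls to just after the `if err != nil { return ErrIptablesNotFound }` check avoids this. Because both are guarded by `sync.Once`, a failed modprobe is never retried, which is worth a doc comment on `probe`, e.g. `// probe loads nf_nat and xt_conntrack once per process; failures are logged and not retried.` The rest of initCheck() lies outside the hunk.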