Serialize non-atomic jump rule programming in bridge

[aboch]

Related to moby/moby/issues/25393

• The per-host same iptables rule programming done by ensureJumpRule()
  is processed for each network create.
  Concurrent networks creations sometimes exposes the non-atomicity of the
  function causing the network creation to fail.
• I opted for a minimal impact fix which serializes the function executions.

Signed-off-by: Alessandro Boch aboch@docker.com

[sanimej]

We do something similar for DOCKER-INGRESS chain in the filter table, https://github.com/docker/libnetwork/blob/master/controller.go#L744

I think this needs to be taken care of as well.

[aboch]

True, but in that case it would just log a warn log and the network creation won't fail.
Although, we may end up with a duplicate rule. I will take care of that. Thanks.

[sanimej]

LGTM. CI is complete, but the status still shows its running.. merging..

[tomwillfixit]

Thanks for this. We run 5 docker-compose ups concurrently and we hit this error intermittently "unable to remove jump to DOCKER-ISOLATION rule in FORWARD chain: (iptables failed: iptables --wait -D FORWARD -j DOCKER-ISOLATION: iptables: No chain/target/match by that name." Applied this fix and haven't encountered the issue since.

[thaJeztah]

cherry-pick for 17.03.2 #1750