Move iptables check out of runtime init() to separate function

[estesp]

Due to the iptables package being init()ed at start of the docker
runtime, this means the iptables --wait ... command listing all rules
is run, no matter if the command is simply "docker -h". It makes
more sense to both locate the iptables command lookup and check for the
wait flag support at the time iptables is actually used, as it
may not be used at all if certain network support is off/configured
differently.

Additional details:
The reason this is of interest is that on a significantly large box (many hundreds of CPU threads) and thousands of rules (e.g. few thousand docker containers up), docker -h can take significantly longer than on a standard SMP x86 box with only a few docker containers:

*** POWER8 (640 threads) w/thousands of containers

# time docker -h

real 1.648s

*** x86 VM w/10-15 containers

# time docker -h

real 0m0.027s

While a kernel issue revealed by this problem related to per-CPU counters will be fixed upstream, that may take some time to exist in distros that end users run.

Docker-DCO-1.1-Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com (github: estesp)

[jessfraz]

I am not a big fan of this but I see what you are trying to do. It just might be confusing to someone just looking at the code with no background

[jessfraz]

also it can be iptablesPath string no = "" which is a little bit better

[estesp]

good point.. I was thinking initialization to force type, but specifying type makes it cleaner, thx

[jessfraz]

can you give the time, with the patch too :) would be interesting to see the difference

[estesp]

@jfrazelle I will definitely try and get that.. I'm not the guy with the huge POWER8 box, but I can get him a binary, I think :) I left out all his perf. data that showed where iptables --wait was hanging up on the per_cpu counter loop, so this really is the time-sink in this particular case; not to mention docker -h doesn't do much more than init a bunch of packages and then dump the usage string..

[jessfraz]

oh ok no worries then :)

On Tue, Jan 20, 2015 at 4:18 PM, Phil Estes notifications@github.com
wrote:

@jfrazelle https://github.com/jfrazelle I will definitely try and get
that.. I'm not the guy with the huge POWER8 box, but I can get him a
binary, I think :) I left out all his perf. data that showed where iptables
--wait was hanging up on the per_cpu counter loop, so this really is the
time-sink in this particular case; not to mention docker -h doesn't do
much more than init a bunch of packages and then dump the usage string..

—
Reply to this email directly or view it on GitHub
#10231 (comment).

[crosbymichael]

LGTM

[jessfraz]

LGTM