Mount system modules when calling system iptables

In order to allow the system iptables to actually run from within a container,
we might need specific, per-kernel modules in order to avoid mismatches.

Currently, the only container having the system iptables mounted is the
haproxy_firewall thingy.

Change-Id: Idabc2da14413d953c8fe9effdd240dc250e7c64d
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1665598

docker/services/haproxy.yaml

@@ -227,6 +227,10 @@ outputs:
                     - /usr/libexec/iptables:/usr/libexec/iptables:ro
                     - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
                     - /var/lib/haproxy:/var/lib/haproxy:rw,z
+                    # Needed in order to call system iptables in order to ensure
+                    # we have kernel compatible modules
+                    # See https://bugzilla.redhat.com/show_bug.cgi?id=1665598
+                    - /lib/modules:/lib/modules:ro
               environment:
                 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
             haproxy:

docker/services/pacemaker/haproxy.yaml

@@ -280,6 +280,10 @@ outputs:
                   - /usr/libexec/iptables:/usr/libexec/iptables:ro
                   - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
                   - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
+                  # Needed in order to call system iptables in order to ensure
+                  # we have kernel compatible modules
+                  # See https://bugzilla.redhat.com/show_bug.cgi?id=1665598
+                  - /lib/modules:/lib/modules:ro
             environment:
               # NOTE: this should force this container to re-run on each
               # update (scale-out, etc.)