<div dir="ltr">Actually, my earlier suggestion of the suid will be a bit overkill for this. <div><br></div><div>What you can do in the cmd part is insert the port and some other information (timestamp) into some database .. MySQL/SQLite etc .. so that you also have a record of it .. and then run a python/shell cron or process that watches the database and runs the iptables command for you.  </div>
<div><br></div><div>Cheers,</div><div>Shashi</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 12, 2014 at 12:59 PM, 苌智 <span dir="ltr">&lt;<a href="mailto:changzhi1990@gmail.com" target="_blank">changzhi1990@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I want Horizon to execute an iptables shell command, but only the root user can execute the iptables command. <span style="color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;font-size:14px;line-height:18px">What should I do if I want to execute the code as user </span><code style="margin:0px;padding:1px 5px;border:0px;font-size:14px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif;white-space:pre-wrap;color:rgb(0,0,0);line-height:18px">apache</code><span style="color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;font-size:14px;line-height:18px"> rather than </span><code style="margin:0px;padding:1px 5px;border:0px;font-size:14px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif;white-space:pre-wrap;color:rgb(0,0,0);line-height:18px">root</code><span style="color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;font-size:14px;line-height:18px">? This is the command to execute the iptables command. Could someone give me some advice? Thanks a lot!</span><div>

<pre style="margin-top:0px;margin-bottom:10px;padding:5px;border:0px;font-size:14px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif;overflow:auto;width:auto;max-height:600px;word-wrap:normal;color:rgb(0,0,0);line-height:18px">
<code style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif;white-space:inherit"><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">import</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> subprocess

</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">def</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> check_output</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">(*</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">popenargs</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">,</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">**</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">kwargs</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">):</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
    </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">if</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(128,0,0)">'stdout'</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">in</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> kwargs</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">:</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
        </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">raise</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(43,145,175)">ValueError</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">(</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(128,0,0)">'stdout argument not allowed, it will be overridden.'</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">)</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
    process </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">=</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> subprocess</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">.</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(43,145,175)">Popen</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">(</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">stdout</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">=</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">subprocess</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">.</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">PIPE</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">,</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">*</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">popenargs</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">,</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">**</span><span 
style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">kwargs</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">)</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
    output</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">,</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> unused_err </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">=</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> process</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">.</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">communicate</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">()</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
    retcode </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">=</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> process</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">.</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">poll</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">()</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
    </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">if</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> retcode</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">:</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
        cmd </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">=</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> kwargs</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">.</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">get</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">(</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(128,0,0)">"args"</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">)</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
        </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">if</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> cmd </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">is</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">None</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">:</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
            cmd </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">=</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> popenargs</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">[</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(128,0,0)">0</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">]</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
        </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">raise</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> subprocess</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">.</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(43,145,175)">CalledProcessError</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">(</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">retcode</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">,</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> cmd</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">)</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
    </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">return</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> output


</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">def</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> accept_port</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">(</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">port</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">):</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
    </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">try</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">:</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
        cmd </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">=</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> r</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(128,0,0)">"iptables -A INPUT -p tcp --dport {0} -j ACCEPT && iptables -A OUTPUT -p tcp --sport {0} -j ACCEPT"</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">.</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">format</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">(</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">port</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">)</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
        output </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">=</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> check_output</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">(</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">cmd</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">,</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> shell</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">=</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">True</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">)</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
        </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">return</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">True</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
    </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">except</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(43,145,175)">Exception</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">:</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
        </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">return</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">False</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">

</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(0,0,139)">if</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> __name__ </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">==</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"> </span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(128,0,0)">"__main__"</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">:</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">
    accept_port</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">(</span><span style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;color:rgb(128,0,0)">1234)</span></code></pre>

</div></div>
<br>_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div><div><br></div><br>Cheers,<br></div>Sashi Dahal <br><br><a href="http://shashi.org/" target="_blank">http://shashi.org/</a><br></div>
</div>
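<div>The database hand-off suggested in the reply above, as an added example that is not part of the original thread: the web application (running as apache) only records a validated port and timestamp, and a separate root-owned cron job or daemon reads the table and runs iptables with argument lists instead of a shell string. The table name <code>port_requests</code>, the function names and the choice of SQLite are assumptions made for this sketch; the <code>__main__</code> demo prints the commands rather than executing them.</div>

```python
import sqlite3
import subprocess
import time

SCHEMA = """CREATE TABLE IF NOT EXISTS port_requests (
    id INTEGER PRIMARY KEY,
    port INTEGER NOT NULL,
    requested_at REAL NOT NULL,
    status TEXT NOT NULL DEFAULT 'pending')"""


def valid_port(value):
    """Return the port as an int, or raise ValueError for anything else."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError("port must be an integer")
    text = str(value)
    if not (text.isascii() and text.isdigit()):
        raise ValueError("port must be decimal digits only")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def request_port(conn, port):
    """Unprivileged side (the web app): record the request, run nothing."""
    conn.execute("INSERT INTO port_requests (port, requested_at) VALUES (?, ?)",
                 (valid_port(port), time.time()))
    conn.commit()


def rules_for(port):
    """argv lists for the two rules in the original post; no shell is involved."""
    p = str(port)
    return [["iptables", "-A", "INPUT", "-p", "tcp", "--dport", p, "-j", "ACCEPT"],
            ["iptables", "-A", "OUTPUT", "-p", "tcp", "--sport", p, "-j", "ACCEPT"]]


def process_pending(conn, run=subprocess.check_call):
    """Privileged side (root cron job or daemon): apply pending requests."""
    rows = conn.execute("SELECT id, port FROM port_requests "
                        "WHERE status = 'pending' ORDER BY id").fetchall()
    results = {}
    for row_id, raw_port in rows:
        try:
            # The table is writable by the web user, so re-validate every row.
            for argv in rules_for(valid_port(raw_port)):
                run(argv)
            status = "applied"
        except ValueError:
            status = "rejected"
        except (subprocess.CalledProcessError, OSError):
            status = "failed"
        conn.execute("UPDATE port_requests SET status = ? WHERE id = ?",
                     (status, row_id))
        results[row_id] = status
    conn.commit()
    return results


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # constructed demo database
    conn.execute(SCHEMA)
    request_port(conn, 1234)
    print(process_pending(conn, run=lambda argv: print(" ".join(argv))))
```

<div>With the default <code>run=subprocess.check_call</code> the watcher needs root and a real iptables binary. The database stays writable by the web user, which is why the privileged side validates each row again before building a command.</div>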